Docker is configured after startup on Debian/Ubuntu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Fix Released | Medium | Michal Nasiadka |
Bug Description
On Debian/Ubuntu, in contrast to RHEL-based distros, it is typical for services to be started automatically following package installation. This means that when docker-ce package is installed, the Docker daemon starts with vanilla configuration. We may then update the configuration, and trigger a restart of the daemon.
This can cause issues with some actions that are not 'undone' when disabled. An example is iptables management. If iptables management is disabled (default in Wallaby), then the rules may be left in place. For example:
# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*raw
:PREROUTING ACCEPT [126610:13442043]
:OUTPUT ACCEPT [116077:14962578]
COMMIT
# Completed on Fri Apr 9 14:09:44 2021
# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*nat
:PREROUTING ACCEPT [9058:398640]
:INPUT ACCEPT [7:420]
:OUTPUT ACCEPT [780:53695]
:POSTROUTING ACCEPT [780:53695]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Apr 9 14:09:44 2021
# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*filter
:INPUT ACCEPT [161876:1105450156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145751:17413184]
:DOCKER - [0:0]
:DOCKER-
:DOCKER-
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-
-A DOCKER-
-A DOCKER-
-A DOCKER-
-A DOCKER-USER -j RETURN
COMMIT
The typically problematic rule here is this one:
*filter
:FORWARD DROP [0:0]
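Added example (not from the bug report or from kolla-ansible): a POSIX shell check for the state described above, where daemon.json disables iptables management but the rules from Docker's first, vanilla-config start are still loaded, plus the standard Debian policy-rc.d hook that stops the package installer from starting the service. The policy-rc.d part is an assumption about one possible remedy; the fix commit below does not say which mechanism it uses. Sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not kolla-ansible code. Detects the stale-rule state from the
# report and shows the Debian policy-rc.d hook (assumed remedy, see lead-in).

# check_stale_docker_rules DAEMON_JSON_TEXT IPTABLES_SAVE_TEXT
# Returns 0 (and prints findings) when daemon.json has "iptables": false yet
# Docker's rules are still loaded, 1 otherwise.  On a live host pass
# "$(cat /etc/docker/daemon.json)" and "$(iptables-save)".
check_stale_docker_rules() {
  daemon_json=$1
  ipt=$2
  # Only a concern when iptables management is disabled (Wallaby default).
  if ! printf '%s' "$daemon_json" | tr -d ' \t\n' | grep -q '"iptables":false'; then
    return 1
  fi
  found=0
  # Symptom named in the report: filter-table FORWARD policy left at DROP.
  if printf '%s\n' "$ipt" | grep -q '^:FORWARD DROP'; then
    echo "finding: filter table FORWARD policy is DROP"; found=1
  fi
  # Any DOCKER, DOCKER-USER or DOCKER-ISOLATION-* chain still defined.
  if printf '%s\n' "$ipt" | grep -q '^:DOCKER'; then
    echo "finding: Docker-created chains still present"; found=1
  fi
  [ "$found" -eq 1 ]
}

# write_policy_rc_d DIR: create DIR/policy-rc.d exiting 101, which tells
# invoke-rc.d not to start services during package installation.
# DIR is /usr/sbin on a real host; a temp dir here for demonstration.
write_policy_rc_d() {
  printf '#!/bin/sh\nexit 101\n' > "$1/policy-rc.d" && chmod 0755 "$1/policy-rc.d"
}

# Constructed sample input modelled on the report (not captured from a host).
SAMPLE_DAEMON_JSON='{ "iptables": false, "log-driver": "json-file" }'
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT'

if check_stale_docker_rules "$SAMPLE_DAEMON_JSON" "$SAMPLE_IPTABLES_SAVE"; then
  echo "stale Docker iptables rules detected: restart did not remove them"
fi
```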
Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla-ansible:
status: New → In Progress
Changed in kolla-ansible:
assignee: nobody → Michal Nasiadka (mnasiadka)
Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/787701
Committed: https://opendev.org/openstack/kolla-ansible/commit/bc96179195de171a693b83405a472dddda596bff
Submitter: "Zuul (22348)"
Branch: master
commit bc96179195de171a693b83405a472dddda596bff
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200
baremetal: Don't start Docker after install on Debian/Ubuntu
docker-ce on Debian/Ubuntu gets started just after installation, before
baremetal role configures daemon.json - which results in iptables rules
being implemented - but not removed on docker engine restart.
Closes-Bug: #1923203
Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2