Prevent docker from manipulating iptables

Bug #1849275 reported by Dincer Celik
This bug affects 7 people
Affects          Status        Importance  Assigned to   Milestone
kolla-ansible    Fix Released  High        Mark Goddard
  Train          Fix Released  High        Mark Goddard

Bug Description

Docker is manipulating iptables by default and this might cause problems. There should be an option to disable this.

Changed in kolla-ansible:
assignee: nobody → Dincer Celik (osmanlicilegi)
Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
Mark Goddard (mgoddard) wrote :

The main problem I've seen with this is that since we started using Docker CE, it modifies the default policy on the FORWARD chain in the filter table to DROP.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/692052

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Medium → High
Changed in kolla-ansible:
assignee: Dincer Celik (osmanlicilegi) → Mark Goddard (mgoddard)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/692052
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=fc7ce6cabe3c1379cd6871a699862cf89b727b75
Submitter: Zuul
Branch: master

commit fc7ce6cabe3c1379cd6871a699862cf89b727b75
Author: Dincer Celik <email address hidden>
Date: Wed Oct 30 10:10:34 2019 +0300

    [docker] Added a new flag to disable default iptables rules

    Docker is manipulating iptables rules by default to provide network
    isolation, and this might cause problems if the host already has an
    iptables-based firewall.

    This change introduces docker_disable_default_iptables_rules to
    disable the iptables manipulation by putting "iptables: false" [1] in
    daemon.json.

    For better defaults, this feature will be enabled by default in
    Victoria.

    [1] https://docs.docker.com/network/iptables/

    Closes-Bug: #1849275

    Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/744919

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/744920

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/744919
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=12a0acfe3eaca7b8113c2f619b43650ec2450222
Submitter: Zuul
Branch: stable/ussuri

commit 12a0acfe3eaca7b8113c2f619b43650ec2450222
Author: Dincer Celik <email address hidden>
Date: Wed Oct 30 10:10:34 2019 +0300

    [docker] Added a new flag to disable default iptables rules

    Docker is manipulating iptables rules by default to provide network
    isolation, and this might cause problems if the host already has an
    iptables-based firewall.

    This change introduces docker_disable_default_iptables_rules to
    disable the iptables manipulation by putting "iptables: false" [1] in
    daemon.json.

    For better defaults, this feature will be enabled by default in
    Victoria.

    [1] https://docs.docker.com/network/iptables/

    Closes-Bug: #1849275

    Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
    (cherry picked from commit fc7ce6cabe3c1379cd6871a699862cf89b727b75)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/744920
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=0c3bd2532f99ef221d09e16c6dc12649813e9e2e
Submitter: Zuul
Branch: stable/train

commit 0c3bd2532f99ef221d09e16c6dc12649813e9e2e
Author: Dincer Celik <email address hidden>
Date: Wed Oct 30 10:10:34 2019 +0300

    [docker] Added a new flag to disable default iptables rules

    Docker is manipulating iptables rules by default to provide network
    isolation, and this might cause problems if the host already has an
    iptables-based firewall.

    This change introduces docker_disable_default_iptables_rules to
    disable the iptables manipulation by putting "iptables: false" [1] in
    daemon.json.

    For better defaults, this feature will be enabled by default in
    Victoria.

    [1] https://docs.docker.com/network/iptables/

    Closes-Bug: #1849275

    Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
    (cherry picked from commit fc7ce6cabe3c1379cd6871a699862cf89b727b75)

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/751795

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 10.2.0

This issue was fixed in the openstack/kolla-ansible 10.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 9.3.0

This issue was fixed in the openstack/kolla-ansible 9.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781198
Committed: https://opendev.org/openstack/kolla-ansible/commit/0846f4afa368d821058fdc7e266bc1624838c1fa
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 0846f4afa368d821058fdc7e266bc1624838c1fa
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none" [1] in daemon.json.

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)

tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781201
Committed: https://opendev.org/openstack/kolla-ansible/commit/f63266a072cc5a166550525fcab184f7e8ef632d
Submitter: "Zuul (22348)"
Branch: stable/train

commit f63266a072cc5a166550525fcab184f7e8ef632d
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none" [1] in daemon.json.

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781200
Committed: https://opendev.org/openstack/kolla-ansible/commit/d7fcaca385bbba8c6db13543628f3834fab67873
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit d7fcaca385bbba8c6db13543628f3834fab67873
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none" [1] in daemon.json.

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)

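An added example, not kolla-ansible's own code: it maps the two flags from the commits above (docker_disable_default_iptables_rules and docker_disable_default_network) to the daemon.json keys they set, following the defaulting rule from the commit message, and parses `iptables -S FORWARD` output for the DROP default policy that Mark describes. The consistency check in render_daemon_config and the sample rule listing are my own additions, not project behaviour.

```python
# Constructed sample of `iptables -S FORWARD` on a host where dockerd has
# installed its default rules (not captured from a real system).
SAMPLE_FORWARD_RULES = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
"""


def render_daemon_config(disable_default_iptables_rules, disable_default_network=None):
    """Map the two kolla-ansible flags to the daemon.json keys they control.

    As in the commit message, docker_disable_default_network defaults to
    docker_disable_default_iptables_rules: the docker0 bridge cannot work
    once dockerd stops managing iptables.
    """
    if disable_default_network is None:
        disable_default_network = disable_default_iptables_rules
    # Added sanity check (not kolla-ansible behaviour): refuse the one
    # combination the commit message says cannot work.
    if disable_default_iptables_rules and not disable_default_network:
        raise ValueError("docker0 bridge networking needs Docker's iptables rules")
    cfg = {}
    if disable_default_iptables_rules:
        cfg["iptables"] = False   # dockerd no longer touches the host firewall
    if disable_default_network:
        cfg["bridge"] = "none"    # no docker0 bridge on 172.17.0.0/16
    return cfg


def audit_forward_chain(rules_text):
    """Summarise `iptables -S FORWARD` output: chain policy and Docker-added rules."""
    policy, docker_rules = None, 0
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["-P", "FORWARD"]:
            policy = parts[2]          # the policy Docker CE flips to DROP
        elif parts[:1] == ["-A"] and (
            "docker0" in parts or any(p.startswith("DOCKER") for p in parts)
        ):
            docker_rules += 1          # rules referencing Docker chains or docker0
    return {"policy": policy, "docker_rules": docker_rules,
            "docker_default_policy": policy == "DROP"}
```

Write the returned dict with json.dumps to /etc/docker/daemon.json; after restarting dockerd, rerun the audit and expect no Docker-owned rules and your own FORWARD policy back in place.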