Possible routing issues because of docker networking

Bug #1848249 reported by Dincer Celik
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | In Progress | Medium | Mark Goddard |
Ussuri | Fix Committed | Medium | Dincer Celik |
Victoria | Fix Committed | Medium | Mark Goddard |

Bug Description

Docker uses 172.17.0.0/16 by default for bridge networking on docker0, and this might cause problems. For example, a user might have a subnet that is included in 172.17.0.0/16, so there will be routing issues.

As kolla uses host networking, it would be better to disable Docker bridge networking.

description: updated
Dincer Celik (dincercelik) wrote :

Cores, if you agree this should be fixed, I can work on it.

Radosław Piliszek (yoctozepto) wrote :

+1 go ahead I think.

Also look at: https://bugs.launchpad.net/kolla-ansible/+bug/1846531
looks as if some deployment steps try to use non-host networking.

Mark Goddard (mgoddard) wrote :

I think making this optional would be safest. If anyone runs other containers without host networking, they will get broken. I don't know how it would affect image builds, which use bridge networking by default.

Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla-ansible:
assignee: nobody → Dincer Celik (osmanlicilegi)
Changed in kolla-ansible:
status: New → In Progress
milestone: none → 9.0.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/689870

Mark Goddard (mgoddard)
no longer affects: kolla-ansible/train
Changed in kolla-ansible:
milestone: 9.0.0 → none
Changed in kolla-ansible:
assignee: Dincer Celik (osmanlicilegi) → Mark Goddard (mgoddard)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/751795

Mark Goddard (mgoddard)
Changed in kolla-ansible:
milestone: 11.0.0 → none
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 12.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 12.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781198
Committed: https://opendev.org/openstack/kolla-ansible/commit/0846f4afa368d821058fdc7e266bc1624838c1fa
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 0846f4afa368d821058fdc7e266bc1624838c1fa
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none"[1] to daemon.json

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)
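
As an added example (not part of the bug report or the kolla-ansible change): a Python check that flags host routes overlapping Docker's default 172.17.0.0/16 bridge subnet and reports whether daemon.json carries "bridge": "none". The route listing is a constructed sample of `ip -4 route show` output, and the function names are hypothetical.

```python
import ipaddress
import json

# Docker's default docker0 bridge subnet, as stated in the bug report.
DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")

# Constructed sample of `ip -4 route show` output (not from a real host).
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.17.40.0/24 via 10.0.0.254 dev eth0
172.16.0.0/12 via 10.0.0.254 dev eth0
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.5
"""

def conflicting_routes(route_text, bridge_net=DOCKER_DEFAULT_BRIDGE, bridge_dev="docker0"):
    """Return (prefix, device) for non-docker0 routes overlapping the bridge subnet."""
    hits = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if dev != bridge_dev and net.version == 4 and net.overlaps(bridge_net):
            hits.append((str(net), dev))
    return hits

def default_bridge_disabled(daemon_json_text):
    """True when daemon.json carries "bridge": "none", the setting the fix writes."""
    return json.loads(daemon_json_text or "{}").get("bridge") == "none"

def assess(route_text, daemon_json_text):
    """Summarise exposure: conflicts only matter while docker0 still exists."""
    conflicts = conflicting_routes(route_text)
    disabled = default_bridge_disabled(daemon_json_text)
    return {"conflicts": conflicts, "bridge_disabled": disabled,
            "at_risk": bool(conflicts) and not disabled}

if __name__ == "__main__":
    print(assess(SAMPLE_ROUTES, "{}"))
    print(assess(SAMPLE_ROUTES, '{"bridge": "none"}'))
```

On a real host, pass the output of `ip -4 route show` and the contents of /etc/docker/daemon.json to `assess`.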

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781201
Committed: https://opendev.org/openstack/kolla-ansible/commit/f63266a072cc5a166550525fcab184f7e8ef632d
Submitter: "Zuul (22348)"
Branch: stable/train

commit f63266a072cc5a166550525fcab184f7e8ef632d
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none"[1] to daemon.json

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/781200
Committed: https://opendev.org/openstack/kolla-ansible/commit/d7fcaca385bbba8c6db13543628f3834fab67873
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit d7fcaca385bbba8c6db13543628f3834fab67873
Author: Dincer Celik <email address hidden>
Date: Mon Oct 21 23:02:17 2019 +0300

    [docker] Added a new flag to disable default network

    Docker is using 172.17.0.0/16 by default for bridge networking on
    docker0, and this might cause routing problems for operator networks.

    This change introduces docker_disable_default_network to disable the
    bridge networking by putting "bridge: none"[1] to daemon.json

    Bridge networking does not work without iptables, so we set the default
    for docker_disable_default_network to
    docker_disable_default_iptables_rules.

    For better defaults, this feature will be enabled by default in
    Wallaby.

    [1] https://docs.docker.com/engine/reference/commandline/dockerd/

    Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173
    Closes-Bug: #1848249
    Related-Bug: #1849275
    (cherry picked from commit 4053a0afdb3d0a230557883453b89b06cf4d7057)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 11.1.0

This issue was fixed in the openstack/kolla-ansible 11.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 10.3.0

This issue was fixed in the openstack/kolla-ansible 10.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible train-eol

This issue was fixed in the openstack/kolla-ansible train-eol release.
