From 4053a0afdb3d0a230557883453b89b06cf4d7057 Mon Sep 17 00:00:00 2001 From: Dincer Celik Date: Mon, 21 Oct 2019 23:02:17 +0300 Subject: [PATCH] [docker] Added a new flag to disable default network Docker is using 172.17.0.0/16 by default for bridge networking on docker0, and this might cause routing problems for operator networks. This change introduces docker_disable_default_network to disable the bridge networking by putting "bridge: none"[1] to daemon.json Bridge networking does not work without iptables, so we set the default for docker_disable_default_network to docker_disable_default_iptables_rules. For better defaults, this feature will be enabled by default in Wallaby. [1] https://docs.docker.com/engine/reference/commandline/dockerd/ Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173 Closes-Bug: #1848249 Related-Bug: #1849275 --- ansible/group_vars/all.yml | 1 + ansible/roles/baremetal/tasks/post-install.yml | 16 +++++++++++++++- .../docker-disable-bridge-14df8b7fddbd5000.yaml | 9 +++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index d95d8e59fa..1b23b6416b 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -104,6 +104,7 @@ docker_client_timeout: 120 # Docker networking options docker_disable_default_iptables_rules: "no" +docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}" # Retention settings for Docker logs docker_log_max_file: "5" diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml index 0f1b468974..e742e11629 100644 --- a/ansible/roles/baremetal/tasks/post-install.yml +++ b/ansible/roles/baremetal/tasks/post-install.yml 
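Review bot: The new default `docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"` in ansible/group_vars/all.yml carries no comment explaining the coupling, so a deployment that already sets docker_disable_default_iptables_rules to yes will also get `bridge: none` on its next run without having opted in. The warning task added in post-install.yml only runs when the flag is false, so that case is never announced. The release note also describes the default as `no` rather than as following the iptables flag. I would add a comment above the line, for example `# Follows docker_disable_default_iptables_rules because bridge networking needs Docker's iptables rules; set to "no" to keep docker0.`, and align the release note wording with it.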
@@ -93,7 +93,7 @@ - name: Warn about docker default iptables debug: msg: >- - Docker default iptables rules will be disabled by default from the Victoria 11.0.0 + Docker default iptables rules will be disabled by default from the Wallaby 12.0.0 release. If you have any non-Kolla containers that need this functionality, you should plan a migration for this change, or set docker_disable_default_iptables_rules to false. when: not docker_disable_default_iptables_rules | bool @@ -103,6 +103,20 @@ docker_config: "{{ docker_config | combine({'iptables': false}) }}" when: docker_disable_default_iptables_rules | bool +- name: Warn about docker default networking + debug: + msg: >- + Docker default network on docker0 will be disabled by default from the + Wallaby 12.0.0 release. If you have any non-Kolla containers that need + this functionality, you should plan a migration for this change, or set + docker_disable_default_network to false. + when: not docker_disable_default_network | bool + +- name: Disable docker default network on docker0 + set_fact: + docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}" + when: docker_disable_default_network | bool + - name: Merge custom docker config set_fact: docker_config: "{{ docker_config | combine(docker_custom_config) }}" diff --git a/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml b/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml new file mode 100644 index 0000000000..23ab9632a9 --- /dev/null +++ b/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Adds a new flag, ``docker_disable_default_network``, which + defaults to ``no``. Docker is using ``172.17.0.0/16`` by default for bridge + networking on ``docker0``, and this might cause routing problems for + operator networks. Setting this flag to ``yes`` will disable Docker's + bridge networking. This feature will be enabled by default from the + Wallaby 12.0.0 release.
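Review bot: In the `@@ -103,6 +103,20 @@` hunk, the `Disable docker default network on docker0` task writes `bridge: none` into docker_config without looking at docker_custom_config, which the following `Merge custom docker config` task then combines on top. As far as I know, dockerd treats a bridge setting and `bip` as mutually exclusive and refuses to start when both are present. An operator who moved docker0 off 172.17.0.0/16 with `bip` in docker_custom_config could therefore end up with a daemon.json the daemon rejects, and a `bridge` key in the custom config would silently override this flag. Consider a precheck before the set_fact, for example a `fail` task with `when: docker_disable_default_network | bool and 'bip' in docker_custom_config`, or at least a comment stating that docker_custom_config takes precedence. The task list continues outside the hunk, so this assumes docker_custom_config is always defined, as its unguarded use in the merge task suggests.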