[docker] Added a new flag to disable default network

Docker is using 172.17.0.0/16 by default for bridge networking on docker0, and this might cause routing problems for operator networks. This change introduces docker_disable_default_network to disable the bridge networking by putting "bridge: none"[1] to daemon.json Bridge networking does not work without iptables, so we set the default for docker_disable_default_network to docker_disable_default_iptables_rules. For better defaults, this feature will be enabled by default in Wallaby. [1] https://docs.docker.com/engine/reference/commandline/dockerd/ Change-Id: Ic745300b27e50132d80d03787fa4abfada2d0173 Closes-Bug: #1848249 Related-Bug: #1849275
2019-10-21 23:02:17 +03:00 · 2019-10-21 23:02:17 +03:00 · 4053a0afdb
parent 3c5e0f9f28
commit 4053a0afdb
3 changed files with 25 additions and 1 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -104,6 +104,7 @@ docker_client_timeout: 120

 # Docker networking options
 docker_disable_default_iptables_rules: "no"
+docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"

 # Retention settings for Docker logs
 docker_log_max_file: "5"
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@ -93,7 +93,7 @@
 - name: Warn about docker default iptables
  debug:
    msg: >-
-      Docker default iptables rules will be disabled by default from the Victoria 11.0.0
+      Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
      release. If you have any non-Kolla containers that need this functionality, you should
      plan a migration for this change, or set docker_disable_default_iptables_rules to false.
  when: not docker_disable_default_iptables_rules | bool
@ -103,6 +103,20 @@
    docker_config: "{{ docker_config | combine({'iptables': false}) }}"
  when: docker_disable_default_iptables_rules | bool

+- name: Warn about docker default networking
+  debug:
+    msg: >-
+      Docker default network on docker0 will be disabled by default from the
+      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+      this functionality, you should plan a migration for this change, or set
+      docker_disable_default_network to false.
+  when: not docker_disable_default_network | bool
+
+- name: Disable docker default network on docker0
+  set_fact:
+    docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
+  when: docker_disable_default_network | bool
+
 - name: Merge custom docker config
  set_fact:
    docker_config: "{{ docker_config | combine(docker_custom_config) }}"
--- a/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml
+++ b/releasenotes/notes/docker-disable-bridge-14df8b7fddbd5000.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Adds a new flag, ``docker_disable_default_network``, which
+    defaults to ``no``. Docker is using ``172.17.0.0/16`` by default for bridge
+    networking on ``docker0``, and this might cause routing problems for
+    operator networks. Setting this flag to ``yes`` will disable Docker's
+    bridge networking. This feature will be enabled by default from the
+    Wallaby 12.0.0 release.