Disable Docker iptables and bridge networking by default

In I165199fc98fb98f227f2a20284e1bab03ef65b5b and
Ic745300b27e50132d80d03787fa4abfada2d0173 we provided flags to disable
Docker's control of iptables and bridge networking respectively. The
original behaviour was maintained for backwards compatibility, to allow
the patches to be backported.

This patch changes the default behaviour to disable the manipulation of
iptables and disabling bridge networking.

Related-Bug: #1849275
Related-Bug: #1848249

Change-Id: I4e8206f13a847ff79e06c36d22068597458b6c3d

ansible/group_vars/all.yml

@@ -103,7 +103,7 @@ docker_runtime_directory: ""
 docker_client_timeout: 120
 
 # Docker networking options
-docker_disable_default_iptables_rules: "no"
+docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
 
 # Retention settings for Docker logs

releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml

@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Docker iptables manipulation and bridge networking are now disabled by
+    default. This avoids problems that may be caused by Docker settings the
+    default policy of the ``FORWARD`` chain in the ``filter`` table to
+    ``DROP``. To revert to the previous behaviour, set
+    ``docker_disable_default_iptables_rules`` to ``no``. This sets the default
+    of ``docker_disable_default_network``.