Add iptables -P FORWARD ACCEPT unit

On node reboot, kubelet and kube-proxy set
iptables -P FORWARD DROP which doesn't work with
flannel in the way we use it.
Add a systemd unit to set the rule to ACCEPT after
flannel,docker,kubelet,kube-proxy.

Squashed in this patch, is the release notes patch [0]

[0] I07771f2c4711b0b86a53610517abdc3dad270574 which is
(cherry picked from commit e6b3325120)

Change-Id: I7f6200a4966fda1cc701749bf1f37ddc492390c5
Co-Authored-By: Spyros Trigazis <spyridon.trigazis@cern.ch>
(cherry picked from commit cf5f78e5be)

magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh

@@ -6,8 +6,10 @@ if [ "$NETWORK_DRIVER" != "flannel" ]; then
     exit 0
 fi
 
+SYSTEMD_UNITS_DIR=/etc/systemd/system/
 FLANNEL_DOCKER_BRIDGE_BIN=/usr/local/bin/flannel-docker-bridge
 FLANNEL_DOCKER_BRIDGE_SERVICE=/etc/systemd/system/flannel-docker-bridge.service
+FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE=flannel-iptables-forward-accept.service
 DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/flannel.conf
 FLANNEL_DOCKER_BRIDGE_CONF=/etc/systemd/system/flanneld.service.d/flannel-docker-bridge.conf
 
@@ -77,6 +79,27 @@ EOF
 chown root:root $FLANNEL_DOCKER_BRIDGE_CONF
 chmod 0644 $FLANNEL_DOCKER_BRIDGE_CONF
 
+# Workaround for https://github.com/coreos/flannel/issues/799
+# Not solved upstream properly yet.
+cat >> "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}" <<EOF
+[Unit]
+After=flanneld.service docker.service kubelet.service kube-proxy.service
+Requires=flanneld.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables -P FORWARD ACCEPT
+ExecStartPost=/usr/sbin/iptables -S
+
+[Install]
+WantedBy=flanneld.service
+EOF
+
+chown root:root "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+chmod 0644 "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+systemctl daemon-reload
+systemctl enable "${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+
 echo "activating service flanneld"
 systemctl enable flanneld
 systemctl start flanneld

magnum/drivers/common/templates/swarm/fragments/network-service.sh

@@ -31,9 +31,11 @@ if [ "$NETWORK_DRIVER" != "flannel" ]; then
     exit 0
 fi
 
+SYSTEMD_UNITS_DIR=/etc/systemd/system/
 FLANNELD_CONFIG=/etc/sysconfig/flanneld
 FLANNEL_DOCKER_BRIDGE_BIN=/usr/local/bin/flannel-docker-bridge
 FLANNEL_DOCKER_BRIDGE_SERVICE=/etc/systemd/system/flannel-docker-bridge.service
+FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE=flannel-iptables-forward-accept.service
 DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/flannel.conf
 FLANNEL_DOCKER_BRIDGE_CONF=/etc/systemd/system/flanneld.service.d/flannel-docker-bridge.conf
 
@@ -112,6 +114,27 @@ EOF
 chown root:root $FLANNEL_DOCKER_BRIDGE_CONF
 chmod 0644 $FLANNEL_DOCKER_BRIDGE_CONF
 
+# Workaround for https://github.com/coreos/flannel/issues/799
+# Not solved upstream properly yet.
+cat >> "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}" <<EOF
+[Unit]
+After=flanneld.service docker.service kubelet.service kube-proxy.service
+Requires=flanneld.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables -P FORWARD ACCEPT
+ExecStartPost=/usr/sbin/iptables -S
+
+[Install]
+WantedBy=flanneld.service
+EOF
+
+chown root:root "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+chmod 0644 "${SYSTEMD_UNITS_DIR}${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+systemctl daemon-reload
+systemctl enable "${FLANNEL_IPTABLES_FORWARD_ACCEPT_SERVICE}"
+
 echo "activating service flanneld"
 systemctl enable flanneld
 systemctl --no-block start flanneld

releasenotes/notes/flannel-reboot-fix-f1382818daed4fa8.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Add iptables -P FORWARD ACCEPT unit. On node reboot, kubelet and kube-proxy
+    set iptables -P FORWARD DROP which doesn't work with flannel in the way we
+    use it.  Add a systemd unit to set the rule to ACCEPT after flannel,
+    docker, kubelet, kube-proxy.