Prevent docker from manipulating iptables

By default, Docker sets the policy for the FORWARD chain to DROP.
This behavior blocks our public network connectivity.

for more details: https://docs.docker.com/network/packet-filtering-firewalls/#docker-on-a-router

Change-Id: I66408c9e65f07c3c96cabb1f7f55a312f6dc9f36
wu.chunyang 2023-07-06 06:36:01 +00:00
parent 1fe5dcbf75
commit caf06bc4f7
4 changed files with 25 additions and 3 deletions


@ -1,2 +1 @@
libxslt1-dev # testonly
docker.io


@ -1,2 +1 @@
libxslt-devel # testonly
docker
libxslt-devel # testonly


@ -506,6 +506,8 @@ function create_guest_image {
}
function create_registry_container {
# install docker on the host.
$DEST/trove/integration/scripts/trovestack install-docker
# running a docker registry container
echo "Running a docker registry container..."
container=$(sudo docker ps -a --format "{{.Names}}" --filter name=registry)
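Review bot: The new `trovestack install-docker` call in create_registry_container ignores its exit status, so a failed package install or config write only surfaces later as a confusing error from `sudo docker ps` (unless the script runs under errexit, which is not visible here). Consider `"$DEST"/trove/integration/scripts/trovestack install-docker || return 1`, which also quotes `$DEST` against paths containing spaces. The call now runs on every invocation of this function, so the installer has to be safe to re-run. The function body continues past the end of the hunk.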


@ -727,6 +727,26 @@ function cmd_test_init() {
pip3 install -U git+https://opendev.org/openstack/python-troveclient@master#egg=python-troveclient
}
function cmd_install_docker() {
exclaim "install and configure docker: $@"
# It seems that rocky8 or newer use podman to emulate docker cli.
# the daemon.json file may make no sense here for rocky, but it may be useful for centos distro.
sudo mkdir /etc/docker
sudo tee /etc/docker/daemon.json >/dev/null <<EOF
{
"bridge": "none",
"ip-forward": false,
"iptables": false
}
EOF
sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS update
if is_fedora; then
sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker
else
sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker.io
fi
}
# Build trove guest image
function cmd_build_image() {
exclaim "Params for cmd_build_image function: $@"
@ -1283,6 +1303,7 @@ function print_usage() {
- Set DEVSTACK_BRANCH to switch the branch/commit of devstack
(i.e. 'stable/kilo' or '7ef2462')
test-init - Configure the test configuration files and add keystone test users
install-docker - Install docker and configure docker to not manipulate iptables.
build-image - Builds the vm image for the trove guest
initialize - Reinitialize the trove database, users, services, and test config
@ -1340,6 +1361,7 @@ function run_command() {
"build-image" ) shift; cmd_build_image $@;;
"upload-image" ) shift; cmd_build_and_upload_image $@;;
"int-tests" ) shift; cmd_int_tests $@;;
"install-docker" ) shift; cmd_install_docker $@;;
"debug" ) shift; echo "Enabling debugging."; \
set -o xtrace; TROVESTACK_DUMP_ENV=true; run_command $@;;
"gate-tests" ) shift; cmd_gate_tests $@;;
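Review bot: cmd_install_docker is not safe to re-run and silently replaces host configuration: `sudo mkdir /etc/docker` errors when the directory already exists, and the `tee` overwrites any existing /etc/docker/daemon.json. Use `sudo mkdir -p /etc/docker`, and consider skipping or backing up the file when it is already present. A daemon that is already running would presumably not pick up the new file until restarted, which the function does not do. With `"iptables": false` Docker stops installing its own filter and NAT rules, and with `"bridge": "none"` there is no default bridge, so containers are likely reachable only via host networking and anything they listen on is protected solely by the host firewall; a comment above the heredoc such as `# Docker no longer manages iptables: container ports are only filtered by the host firewall` would record that trade-off.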