From caf06bc4f7e1e06913509c499531ff435f4b807a Mon Sep 17 00:00:00 2001
From: "wu.chunyang" <wchy1001@gmail.com>
Date: Thu, 6 Jul 2023 06:36:01 +0000
Subject: [PATCH] Prevent docker from manipulating iptables

by default, Docker sets the policy for the FORWARD chain to DROP.
this behavior will block our public network connectivity.

for more details: https://docs.docker.com/network/packet-filtering-firewalls/#docker-on-a-router

Change-Id: I66408c9e65f07c3c96cabb1f7f55a312f6dc9f36
---
 devstack/files/debs/trove      |  1 -
 devstack/files/rpms/trove      |  3 +--
 devstack/plugin.sh             |  2 ++
 integration/scripts/trovestack | 22 ++++++++++++++++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/devstack/files/debs/trove b/devstack/files/debs/trove
index 43ab35595d..09dcee8104 100644
--- a/devstack/files/debs/trove
+++ b/devstack/files/debs/trove
@@ -1,2 +1 @@
 libxslt1-dev   # testonly
-docker.io
diff --git a/devstack/files/rpms/trove b/devstack/files/rpms/trove
index 04ae78401e..460aec629f 100644
--- a/devstack/files/rpms/trove
+++ b/devstack/files/rpms/trove
@@ -1,2 +1 @@
-libxslt-devel   # testonly
-docker
\ No newline at end of file
+libxslt-devel   # testonly
\ No newline at end of file
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index ca1c3cdd43..51d2acaca2 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -506,6 +506,8 @@ function create_guest_image {
 }
 
 function create_registry_container {
+    # install docker on the host.
+    $DEST/trove/integration/scripts/trovestack install-docker
     # running a docker registry container
     echo "Running a docker registry container..."
     container=$(sudo docker ps -a --format "{{.Names}}" --filter name=registry)
diff --git a/integration/scripts/trovestack b/integration/scripts/trovestack
index 886581ec2d..4f96d0139a 100755
--- a/integration/scripts/trovestack
+++ b/integration/scripts/trovestack
@@ -727,6 +727,26 @@ function cmd_test_init() {
     pip3 install -U git+https://opendev.org/openstack/python-troveclient@master#egg=python-troveclient
 }
 
+function cmd_install_docker() {
+    exclaim "install and configure docker: $@"
+    # It seems that rocky8 or newer use podman to emulate docker cli.
+    # the daemon.json file may make no sense here for rocky, but it may be useful for centos distro.
+    sudo mkdir /etc/docker
+    sudo tee /etc/docker/daemon.json >/dev/null <<EOF
+{
+    "bridge": "none",
+    "ip-forward": false,
+    "iptables": false
+}
+EOF
+    sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS update
+    if is_fedora; then
+      sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker
+    else
+      sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker.io
+    fi
+}
+
 # Build trove guest image
 function cmd_build_image() {
     exclaim "Params for cmd_build_image function: $@"
@@ -1283,6 +1303,7 @@ function print_usage() {
                           - Set DEVSTACK_BRANCH to switch the branch/commit of devstack
                             (i.e. 'stable/kilo' or '7ef2462')
           test-init       - Configure the test configuration files and add keystone test users
+          install-docker  - Install docker and configure docker to not manipulate iptables.
           build-image     - Builds the vm image for the trove guest
           initialize      - Reinitialize the trove database, users, services, and test config
 
@@ -1340,6 +1361,7 @@ function run_command() {
         "build-image" ) shift; cmd_build_image $@;;
         "upload-image" ) shift; cmd_build_and_upload_image $@;;
         "int-tests" ) shift; cmd_int_tests $@;;
+        "install-docker" ) shift; cmd_install_docker $@;;
         "debug" ) shift; echo "Enabling debugging."; \
                   set -o xtrace; TROVESTACK_DUMP_ENV=true; run_command $@;;
         "gate-tests" ) shift; cmd_gate_tests $@;;