Prevent docker from manipulating iptables

by default, Docker sets the policy for the FORWARD chain to DROP. this behavior will block our public network connectivity. for more details: https://docs.docker.com/network/packet-filtering-firewalls/#docker-on-a-router Change-Id: I66408c9e65f07c3c96cabb1f7f55a312f6dc9f36
2023-07-06 06:36:01 +00:00 · 2023-07-06 06:36:01 +00:00 · caf06bc4f7
commit caf06bc4f7
parent 1fe5dcbf75
4 changed files with 25 additions and 3 deletions
--- a/devstack/files/debs/trove
+++ b/devstack/files/debs/trove
@ -1,2 +1 @@
 libxslt1-dev   # testonly
-docker.io
--- a/devstack/files/rpms/trove
+++ b/devstack/files/rpms/trove
@ -1,2 +1 @@
 libxslt-devel   # testonly
-docker
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -506,6 +506,8 @@ function create_guest_image {
 }

 function create_registry_container {
+    # install docker on the host.
+    $DEST/trove/integration/scripts/trovestack install-docker
    # running a docker registry container
    echo "Running a docker registry container..."
    container=$(sudo docker ps -a --format "{{.Names}}" --filter name=registry)
--- a/integration/scripts/trovestack
+++ b/integration/scripts/trovestack
@ -727,6 +727,26 @@ function cmd_test_init() {
    pip3 install -U git+https://opendev.org/openstack/python-troveclient@master#egg=python-troveclient
 }

+function cmd_install_docker() {
+    exclaim "install and configure docker: $@"
+    # It seems that rocky8 or newer use podman to emulate docker cli.
+    # the daemon.json file may make no sense here for rocky, but it may be useful for centos distro.
+    sudo mkdir /etc/docker
+    sudo tee /etc/docker/daemon.json >/dev/null <<EOF
+{
+    "bridge": "none",
+    "ip-forward": false,
+    "iptables": false
+}
+EOF
+    sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS update
+    if is_fedora; then
+      sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker
+    else
+      sudo $HTTP_PROXY $PKG_MGR $PKG_GET_ARGS install docker.io
+    fi
+}
+
 # Build trove guest image
 function cmd_build_image() {
    exclaim "Params for cmd_build_image function: $@"
@ -1283,6 +1303,7 @@ function print_usage() {
                          - Set DEVSTACK_BRANCH to switch the branch/commit of devstack
                            (i.e. 'stable/kilo' or '7ef2462')
          test-init       - Configure the test configuration files and add keystone test users
+          install-docker  - Install docker and configure docker to not manipulate iptables.
          build-image     - Builds the vm image for the trove guest
          initialize      - Reinitialize the trove database, users, services, and test config

@ -1340,6 +1361,7 @@ function run_command() {
        "build-image" ) shift; cmd_build_image $@;;
        "upload-image" ) shift; cmd_build_and_upload_image $@;;
        "int-tests" ) shift; cmd_int_tests $@;;
+        "install-docker" ) shift; cmd_install_docker $@;;
        "debug" ) shift; echo "Enabling debugging."; \
                  set -o xtrace; TROVESTACK_DUMP_ENV=true; run_command $@;;
        "gate-tests" ) shift; cmd_gate_tests $@;;