kolla-ansible/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml

---
fixes:
  - |
    Adds a new flag, ``docker_disable_ip_forward``, which
    defaults to ``docker_disable_default_iptables_rules`` and is used to
    disable docker's ``ip-forward`` option which makes docker set
    ``net.ipv4.ip_forward`` sysctl to ``1``.
    This is to protect from creating all-forwarding hosts.
    `LP#1931615 <https://launchpad.net/bugs/1931615>`__
upgrade:
  - |
    Adds a new flag, ``docker_disable_ip_forward``, which
    defaults to ``docker_disable_default_iptables_rules`` and is used to
    disable docker's ``ip-forward`` option which makes docker set
    ``net.ipv4.ip_forward`` sysctl to ``1``. By default,
    ``docker_disable_default_iptables_rules`` is ``true``, in which case
    docker's ``ip-forward`` option is ``disabled``.

    For existing hosts, this configuration change is applied when configuring
    docker via ``kolla-ansible bootstrap-servers``. Docker changes the sysctl
    in a non-persistent manner, so it will revert to the default of ``0`` after
    a reboot, if not configured elsewhere. This should not cause a problem,
    since Kolla Ansible applies the sysctl where necessary. Operators may wish
    to perform a proactive reboot, or apply the default through other means.
Disable docker's ip-forward when iptables disabled With the new default since Wallaby, starting Docker makes it enable forwarding and not filter it at all. This may pose a security risk and should be mitigated. Closes-Bug: #1931615 Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d 2021-06-10 17:26:38 +00:00			`---`
			`fixes:`
			`- \|`
			Adds a new flag, ``docker_disable_ip_forward``, which
			defaults to ``docker_disable_default_iptables_rules`` and is used to
			disable docker's ``ip-forward`` option which makes docker set
			``net.ipv4.ip_forward`` sysctl to ``1``.
			`This is to protect from creating all-forwarding hosts.`
			`LP#1931615 <https://launchpad.net/bugs/1931615>`__
Reno follow up for docker_disable_ip_forward Follow up to I5129136c066489fdfaa4d93741c22e5010b7e89d, adding upgrade notes. Related-Bug: #1931615 Change-Id: I2f88b8fc2c6924de9f6bc1840b183ee024c5c1e9 2021-06-15 09:49:38 +01:00			`upgrade:`
			`- \|`
			Adds a new flag, ``docker_disable_ip_forward``, which
			defaults to ``docker_disable_default_iptables_rules`` and is used to
			disable docker's ``ip-forward`` option which makes docker set
			``net.ipv4.ip_forward`` sysctl to ``1``. By default,
			``docker_disable_default_iptables_rules`` is ``true``, in which case
			docker's ``ip-forward`` option is ``disabled``.

			`For existing hosts, this configuration change is applied when configuring`
			docker via ``kolla-ansible bootstrap-servers``. Docker changes the sysctl
			in a non-persistent manner, so it will revert to the default of ``0`` after
			`a reboot, if not configured elsewhere. This should not cause a problem,`
			`since Kolla Ansible applies the sysctl where necessary. Operators may wish`
			`to perform a proactive reboot, or apply the default through other means.`