From 7d13151a4465a951bbf50e14babe4ff720b3f2a7 Mon Sep 17 00:00:00 2001
From: Dan Prince
Date: Wed, 2 Aug 2017 16:51:47 -0400
Subject: [PATCH] Configure dockerd with --iptables=false

This change defaults --iptables=false for dockerd to avoid having Docker create its own FORWARD iptables rules. These rules can interact with normal OS networking rules and disable communications between hosts on reboot.

Change-Id: I875fa14f7d810c7f0aba3b3a1b04b60a19470f0f
Closes-bug: #1708279
---
 manifests/profile/base/docker.pp | 4 ++--
 spec/classes/tripleo_profile_base_docker_spec.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index e042947..95d7098 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -32,7 +32,7 @@
 # OPTIONS that are used to startup the docker service. NOTE:
 # --selinux-enabled is dropped due to recommendations here:
 # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
-# Defaults to '--log-driver=journald --signature-verification=false'
+# Defaults to '--log-driver=journald --signature-verification=false --iptables=false'
 #
 # [*configure_storage*]
 # Boolean. Whether to configure a docker storage backend. Defaults to true.
@@ -69,7 +69,7 @@
 class tripleo::profile::base::docker (
 $insecure_registry_address = undef,
 $registry_mirror = false,
- $docker_options = '--log-driver=journald --signature-verification=false',
+ $docker_options = '--log-driver=journald --signature-verification=false --iptables=false',
 $configure_storage = true,
 $storage_options = '-s overlay2',
 $step = Integer(hiera('step')),
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index dc5efa7..c3cf7c9 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
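Review bot: The new `$docker_options` default in manifests/profile/base/docker.pp (second hunk) carries `--iptables=false` only inside one opaque string, so a deployment that already sets `docker_options` in hiera replaces the whole value and never receives the flag; the Docker-created FORWARD rules described in the commit message would still appear there. The `[*docker_options*]` doc comment touched in the first hunk is the place to say so, e.g. `#   When overriding, keep --iptables=false unless Docker should manage iptables rules itself.` It is also worth one more comment line stating that with this flag Docker no longer installs its own NAT and inter-network isolation rules, so traffic for any bridge-networked container depends on the host's firewall rules; whether this profile runs such containers is not visible from the hunk. The class parameter list continues outside the hunk.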
@@ -28,7 +28,7 @@ describe 'tripleo::profile::base::docker' do it { is_expected.to contain_service('docker') } it { is_expected.to contain_augeas('docker-sysconfig-options').with_changes([ - "set OPTIONS '\"--log-driver=journald --signature-verification=false\"'", + "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false\"'", ]) } end -- 2.16.6