baremetal: Don't start Docker after install on Debian/Ubuntu

docker-ce on Debian/Ubuntu gets started just after installation, before
baremetal role configures daemon.json - which results in iptables rules
being implemented - but not removed on docker engine restart.

Closes-Bug: #1923203

Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
(cherry picked from commit bc96179)

Author: mnasiadka

ansible/roles/baremetal/tasks/install.yml

@@ -46,6 +46,26 @@
   changed_when: false
   register: running_containers
 
+# APT starts Docker engine right after installation, which creates
+# iptables rules before we disable iptables in Docker config
+
+- name: Check if docker systemd unit exists
+  stat:
+    path: /etc/systemd/system/docker.service
+  register: docker_unit_file
+
+- name: Mask the docker systemd unit on Debian/Ubuntu
+  file:
+    src: /dev/null
+    dest: /etc/systemd/system/docker.service
+    owner: root
+    group: root
+    state: link
+  become: true
+  when:
+    - ansible_os_family == 'Debian'
+    - not docker_unit_file.stat.exists
+
 - name: Install apt packages
   package:
     name: "{{ (debian_pkg_install | join(' ')).split() }}"
@@ -78,10 +98,11 @@
     # At some point (at least on CentOS 7) Docker CE stopped starting
     # automatically after an upgrade from legacy docker . Start it manually.
     - name: Start docker
-      service:
+      systemd:
         name: docker
         state: started
         enabled: yes
+        masked: no
       become: True
 
     - name: Wait for Docker to start

ansible/roles/baremetal/tasks/post-install.yml

@@ -194,22 +194,25 @@
   when: create_kolla_user | bool
 
 - name: Start docker
-  service:
+  systemd:
     name: docker
     state: started
+    masked: no
   become: True
 
 - name: Restart docker
-  service:
+  systemd:
     name: docker
     state: restarted
+    masked: no
   become: True
   when: docker_configured.changed or docker_reloaded.changed
 
 - name: Enable docker
-  service:
+  systemd:
     name: docker
     enabled: yes
+    masked: no
   become: True
 
 - name: Stop time service

releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed an issue when Docker was configured after startup on Debian/Ubuntu,
+    which resulted in iptables rules being created - before they were disabled.
+    `LP#1923203 <https://launchpad.net/bugs/1923203>`__