Browse code
hack/make/test-integration: disable firewalld integration
The daemon started by the test-integration script needs to run without
firewalld integration to make sure that daemons started by networking
tests will handle firewalld reload without any interference (i.e.
without another daemon racing against them to recreate the iptables
chains).
Most tests are already running their own daemons, but the few that don't
and need firewalld integration are updated to start their own.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Albin Kerouanton authored on 2025/08/27 06:25:22Showing 4 changed files
- daemon/libnetwork/iptables/firewalld.go
- hack/make/.integration-daemon-start
- integration/network/bridge/bridge_linux_test.go
- integration/networking/firewall_linux_test.go
| ... | ... |
@@ -5,6 +5,7 @@ package iptables |
| 5 | 5 |
import ( |
| 6 | 6 |
"context" |
| 7 | 7 |
"fmt" |
| 8 |
+ "os" |
|
| 8 | 9 |
"strings" |
| 9 | 10 |
"sync" |
| 10 | 11 |
"sync/atomic" |
| ... | ... |
@@ -64,6 +65,14 @@ func FirewalldReloadedAt() time.Time {
|
| 64 | 64 |
func firewalldInit() error {
|
| 65 | 65 |
var err error |
| 66 | 66 |
|
| 67 |
+ // DOCKER_TEST_NO_FIREWALLD is used by integration tests to disable firewalld integration to make sure that the |
|
| 68 |
+ // daemon started by the 'test-integration' script won't recreate iptables / nftables rules upon receiving the |
|
| 69 |
+ // firewalld reload signal, otherwise it'll race against the daemon-under-test started by networking integration |
|
| 70 |
+ // tests. This is an internal implementation detail and users shall never rely on this. |
|
| 71 |
+ if disable := os.Getenv("DOCKER_TEST_NO_FIREWALLD"); disable != "" {
|
|
| 72 |
+ return nil |
|
| 73 |
+ } |
|
| 74 |
+ |
|
| 67 | 75 |
if connection, err = newConnection(); err != nil {
|
| 68 | 76 |
return fmt.Errorf("Failed to connect to D-Bus system bus: %v", err)
|
| 69 | 77 |
} |
| ... | ... |
@@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then |
| 119 | 119 |
( |
| 120 | 120 |
echo "Starting dockerd" |
| 121 | 121 |
[ -n "$TESTDEBUG" ] && set -x |
| 122 |
+ if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then
|
|
| 123 |
+ # Networking integration tests start their own daemon to have fine control over the configuration of the |
|
| 124 |
+ # daemon-under-test. Two daemons running with firewalld integration enabled would race against each other |
|
| 125 |
+ # when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly |
|
| 126 |
+ # from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's |
|
| 127 |
+ # only used to load frozen images. |
|
| 128 |
+ export DOCKER_TEST_NO_FIREWALLD="true" |
|
| 129 |
+ fi |
|
| 122 | 130 |
exec \ |
| 123 | 131 |
${dockerd} --debug \
|
| 124 | 132 |
--host "$DOCKER_HOST" \ |
| ... | ... |
@@ -368,7 +368,13 @@ func TestFilterForwardPolicy(t *testing.T) {
|
| 368 | 368 |
// address is reserved for a gateway, because it won't be used). |
| 369 | 369 |
func TestPointToPoint(t *testing.T) {
|
| 370 | 370 |
ctx := setupTest(t) |
| 371 |
- apiClient := testEnv.APIClient() |
|
| 371 |
+ |
|
| 372 |
+ d := daemon.New(t) |
|
| 373 |
+ d.StartWithBusybox(ctx, t) |
|
| 374 |
+ t.Cleanup(func() { d.Stop(t) })
|
|
| 375 |
+ |
|
| 376 |
+ apiClient := d.NewClientT(t) |
|
| 377 |
+ t.Cleanup(func() { apiClient.Close() })
|
|
| 372 | 378 |
|
| 373 | 379 |
testcases := []struct {
|
| 374 | 380 |
name string |
| ... | ... |
@@ -422,7 +428,13 @@ func TestIsolated(t *testing.T) {
|
| 422 | 422 |
skip.If(t, testEnv.IsRootless, "can't inspect bridge addrs in rootless netns") |
| 423 | 423 |
|
| 424 | 424 |
ctx := setupTest(t) |
| 425 |
- apiClient := testEnv.APIClient() |
|
| 425 |
+ |
|
| 426 |
+ d := daemon.New(t) |
|
| 427 |
+ d.StartWithBusybox(ctx, t) |
|
| 428 |
+ t.Cleanup(func() { d.Stop(t) })
|
|
| 429 |
+ |
|
| 430 |
+ apiClient := d.NewClientT(t) |
|
| 431 |
+ t.Cleanup(func() { apiClient.Close() })
|
|
| 426 | 432 |
|
| 427 | 433 |
const netName = "testisol" |
| 428 | 434 |
const bridgeName = "br-" + netName |
| ... | ... |
@@ -6,6 +6,7 @@ import ( |
| 6 | 6 |
|
| 7 | 7 |
"github.com/moby/moby/client" |
| 8 | 8 |
"github.com/moby/moby/v2/integration/internal/testutils/networking" |
| 9 |
+ "github.com/moby/moby/v2/testutil/daemon" |
|
| 9 | 10 |
"github.com/moby/moby/v2/testutil/request" |
| 10 | 11 |
"gotest.tools/v3/assert" |
| 11 | 12 |
is "gotest.tools/v3/assert/cmp" |
| ... | ... |
@@ -15,7 +16,13 @@ const defaultFirewallBackend = "iptables" |
| 15 | 15 |
|
| 16 | 16 |
func TestInfoFirewallBackend(t *testing.T) {
|
| 17 | 17 |
ctx := setupTest(t) |
| 18 |
- c := testEnv.APIClient() |
|
| 18 |
+ |
|
| 19 |
+ d := daemon.New(t) |
|
| 20 |
+ d.StartWithBusybox(ctx, t) |
|
| 21 |
+ t.Cleanup(func() { d.Stop(t) })
|
|
| 22 |
+ |
|
| 23 |
+ c := d.NewClientT(t) |
|
| 24 |
+ t.Cleanup(func() { c.Close() })
|
|
| 19 | 25 |
|
| 20 | 26 |
expDriver := defaultFirewallBackend |
| 21 | 27 |
if val := os.Getenv("DOCKER_FIREWALL_BACKEND"); val != "" {
|