Merge pull request #50819 from akerouanton/firewalld-ci

hack/make/test-integration: disable firewalld integration

daemon/libnetwork/iptables/firewalld.go

@@ -5,6 +5,7 @@ package iptables
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -64,6 +65,14 @@ func FirewalldReloadedAt() time.Time {
 func firewalldInit() error {
 	var err error
 
+	// DOCKER_TEST_NO_FIREWALLD is used by integration tests to disable firewalld integration to make sure that the
+	// daemon started by the 'test-integration' script won't recreate iptables / nftables rules upon receiving the
+	// firewalld reload signal, otherwise it'll race against the daemon-under-test started by networking integration
+	// tests. This is an internal implementation detail and users shall never rely on this.
+	if disable := os.Getenv("DOCKER_TEST_NO_FIREWALLD"); disable != "" {
+		return nil
+	}
+
 	if connection, err = newConnection(); err != nil {
 		return fmt.Errorf("Failed to connect to D-Bus system bus: %v", err)
 	}

hack/make/.integration-daemon-start

@@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then
 	(
 		echo "Starting dockerd"
 		[ -n "$TESTDEBUG" ] && set -x
+		if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then
+			# Networking integration tests start their own daemon to have fine control over the configuration of the
+			# daemon-under-test. Two daemons running with firewalld integration enabled would race against each other
+			# when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly
+			# from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's
+			# only used to load frozen images.
+			export DOCKER_TEST_NO_FIREWALLD="true"
+		fi
 		exec \
 			${dockerd} --debug \
 			--host "$DOCKER_HOST" \

integration/network/bridge/bridge_linux_test.go

@@ -369,7 +369,13 @@ func TestFilterForwardPolicy(t *testing.T) {
 // address is reserved for a gateway, because it won't be used).
 func TestPointToPoint(t *testing.T) {
 	ctx := setupTest(t)
-	apiClient := testEnv.APIClient()
+
+	d := daemon.New(t)
+	d.StartWithBusybox(ctx, t)
+	t.Cleanup(func() { d.Stop(t) })
+
+	apiClient := d.NewClientT(t)
+	t.Cleanup(func() { apiClient.Close() })
 
 	testcases := []struct {
 		name   string
@@ -423,7 +429,13 @@ func TestIsolated(t *testing.T) {
 	skip.If(t, testEnv.IsRootless, "can't inspect bridge addrs in rootless netns")
 
 	ctx := setupTest(t)
-	apiClient := testEnv.APIClient()
+
+	d := daemon.New(t)
+	d.StartWithBusybox(ctx, t)
+	t.Cleanup(func() { d.Stop(t) })
+
+	apiClient := d.NewClientT(t)
+	t.Cleanup(func() { apiClient.Close() })
 
 	const netName = "testisol"
 	const bridgeName = "br-" + netName

integration/networking/firewall_linux_test.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/moby/moby/client"
 	"github.com/moby/moby/v2/integration/internal/testutils/networking"
+	"github.com/moby/moby/v2/testutil/daemon"
 	"github.com/moby/moby/v2/testutil/request"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -15,7 +16,13 @@ const defaultFirewallBackend = "iptables"
 
 func TestInfoFirewallBackend(t *testing.T) {
 	ctx := setupTest(t)
-	c := testEnv.APIClient()
+
+	d := daemon.New(t)
+	d.StartWithBusybox(ctx, t)
+	t.Cleanup(func() { d.Stop(t) })
+
+	c := d.NewClientT(t)
+	t.Cleanup(func() { c.Close() })
 
 	expDriver := defaultFirewallBackend
 	if val := os.Getenv("DOCKER_FIREWALL_BACKEND"); val != "" {