diff --git a/daemon/libnetwork/iptables/firewalld.go b/daemon/libnetwork/iptables/firewalld.go index 8dee26acd8..5453d6c520 100644 --- a/daemon/libnetwork/iptables/firewalld.go +++ b/daemon/libnetwork/iptables/firewalld.go @@ -5,6 +5,7 @@ package iptables import ( "context" "fmt" + "os" "strings" "sync" "sync/atomic" @@ -64,6 +65,14 @@ func FirewalldReloadedAt() time.Time { func firewalldInit() error { var err error + // DOCKER_TEST_NO_FIREWALLD is used by integration tests to disable firewalld integration to make sure that the + // daemon started by the 'test-integration' script won't recreate iptables / nftables rules upon receiving the + // firewalld reload signal, otherwise it'll race against the daemon-under-test started by networking integration + // tests. This is an internal implementation detail and users shall never rely on this. + if disable := os.Getenv("DOCKER_TEST_NO_FIREWALLD"); disable != "" { + return nil + } + if connection, err = newConnection(); err != nil { return fmt.Errorf("Failed to connect to D-Bus system bus: %v", err) } diff --git a/hack/make/.integration-daemon-start b/hack/make/.integration-daemon-start index 94b3e97f8c..5ebce9998f 100644 --- a/hack/make/.integration-daemon-start +++ b/hack/make/.integration-daemon-start @@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then ( echo "Starting dockerd" [ -n "$TESTDEBUG" ] && set -x + if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then + # Networking integration tests start their own daemon to have fine control over the configuration of the + # daemon-under-test. Two daemons running with firewalld integration enabled would race against each other + # when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly + # from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's + # only used to load frozen images. + export DOCKER_TEST_NO_FIREWALLD="true" + fi exec \ ${dockerd} --debug \ --host "$DOCKER_HOST" \ diff --git a/integration/network/bridge/bridge_linux_test.go b/integration/network/bridge/bridge_linux_test.go index 96404529ff..92ec82a4c3 100644 --- a/integration/network/bridge/bridge_linux_test.go +++ b/integration/network/bridge/bridge_linux_test.go @@ -369,7 +369,13 @@ func TestFilterForwardPolicy(t *testing.T) { // address is reserved for a gateway, because it won't be used). func TestPointToPoint(t *testing.T) { ctx := setupTest(t) - apiClient := testEnv.APIClient() + + d := daemon.New(t) + d.StartWithBusybox(ctx, t) + t.Cleanup(func() { d.Stop(t) }) + + apiClient := d.NewClientT(t) + t.Cleanup(func() { apiClient.Close() }) testcases := []struct { name string @@ -423,7 +429,13 @@ func TestIsolated(t *testing.T) { skip.If(t, testEnv.IsRootless, "can't inspect bridge addrs in rootless netns") ctx := setupTest(t) - apiClient := testEnv.APIClient() + + d := daemon.New(t) + d.StartWithBusybox(ctx, t) + t.Cleanup(func() { d.Stop(t) }) + + apiClient := d.NewClientT(t) + t.Cleanup(func() { apiClient.Close() }) const netName = "testisol" const bridgeName = "br-" + netName diff --git a/integration/networking/firewall_linux_test.go b/integration/networking/firewall_linux_test.go index e697d071df..64af7ebded 100644 --- a/integration/networking/firewall_linux_test.go +++ b/integration/networking/firewall_linux_test.go @@ -6,6 +6,7 @@ import ( "github.com/moby/moby/client" "github.com/moby/moby/v2/integration/internal/testutils/networking" + "github.com/moby/moby/v2/testutil/daemon" "github.com/moby/moby/v2/testutil/request" "gotest.tools/v3/assert" is "gotest.tools/v3/assert/cmp" @@ -15,7 +16,13 @@ const defaultFirewallBackend = "iptables" func TestInfoFirewallBackend(t *testing.T) { ctx := setupTest(t) - c := testEnv.APIClient() + + d := daemon.New(t) + d.StartWithBusybox(ctx, t) + t.Cleanup(func() { d.Stop(t) }) + + c := d.NewClientT(t) + t.Cleanup(func() { c.Close() }) expDriver := defaultFirewallBackend if val := os.Getenv("DOCKER_FIREWALL_BACKEND"); val != "" {