hack/make/test-integration: disable firewalld integration

The daemon started by the test-integration script needs to run without
firewalld integration to make sure that daemons started by networking
tests will handle firewalld reload without any interference (i.e.
without another daemon racing against them to recreate the iptables
chains).

Most tests already run their own daemon; the few that don't but need
firewalld integration are updated to start their own.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Albin Kerouanton
2025-08-26 23:25:22 +02:00
parent 18651d8819
commit 60c6e57b82
4 changed files with 39 additions and 3 deletions


@@ -5,6 +5,7 @@ package iptables
import (
"context"
"fmt"
"os"
"strings"
"sync"
"sync/atomic"
@@ -64,6 +65,14 @@ func FirewalldReloadedAt() time.Time {
func firewalldInit() error {
var err error
// DOCKER_TEST_NO_FIREWALLD is used by integration tests to disable firewalld integration to make sure that the
// daemon started by the 'test-integration' script won't recreate iptables / nftables rules upon receiving the
// firewalld reload signal, otherwise it'll race against the daemon-under-test started by networking integration
// tests. This is an internal implementation detail and users shall never rely on this.
if disable := os.Getenv("DOCKER_TEST_NO_FIREWALLD"); disable != "" {
return nil
}
if connection, err = newConnection(); err != nil {
return fmt.Errorf("Failed to connect to D-Bus system bus: %v", err)
}
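Review bot: Any non-empty value of DOCKER_TEST_NO_FIREWALLD, including "false" or "0", silently disables firewalld integration for the whole daemon, and because the check ships in the production binary an operator whose iptables rules vanish after a firewalld reload gets no log line explaining why. Before the `return nil`, emit one warning-level log line naming the variable (the file's logger is outside the hunk, so use whichever it already has), and either parse the value, `if v, _ := strconv.ParseBool(os.Getenv("DOCKER_TEST_NO_FIREWALLD")); v {`, or state in the comment that presence alone is what counts. The comment also says the variable is internal; that is worth repeating in the log line so nobody treats it as a supported switch. firewalldInit's body continues past the hunk.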


@@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then
(
echo "Starting dockerd"
[ -n "$TESTDEBUG" ] && set -x
if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then
# Networking integration tests start their own daemon to have fine control over the configuration of the
# daemon-under-test. Two daemons running with firewalld integration enabled would race against each other
# when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly
# from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's
# only used to load frozen images.
export DOCKER_TEST_NO_FIREWALLD="true"
fi
exec \
${dockerd} --debug \
--host "$DOCKER_HOST" \
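Review bot: The guard on the `if` line only matches when DOCKER_FIREWALL_BACKEND is set explicitly to iptables, yet the integration tests treat an unset variable as iptables (`defaultFirewallBackend` in the info test of this same commit), so a FIREWALLD run that leaves the variable unset still gets a firewalld-integrated helper daemon and the race the comment describes; `[ "${DOCKER_FIREWALL_BACKEND:-iptables}" = "iptables" ]` closes that gap, assuming the daemon's own default is iptables as well. `==` inside `[ ]` is a bash extension; `=` is the portable spelling. The export sits inside the `( … exec … )` subshell, so it reaches only the helper daemon and not the test process, which matches what the commit intends.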


@@ -368,7 +368,13 @@ func TestFilterForwardPolicy(t *testing.T) {
// address is reserved for a gateway, because it won't be used).
func TestPointToPoint(t *testing.T) {
ctx := setupTest(t)
apiClient := testEnv.APIClient()
d := daemon.New(t)
d.StartWithBusybox(ctx, t)
t.Cleanup(func() { d.Stop(t) })
apiClient := d.NewClientT(t)
t.Cleanup(func() { apiClient.Close() })
testcases := []struct {
name string
@@ -422,7 +428,13 @@ func TestIsolated(t *testing.T) {
skip.If(t, testEnv.IsRootless, "can't inspect bridge addrs in rootless netns")
ctx := setupTest(t)
apiClient := testEnv.APIClient()
d := daemon.New(t)
d.StartWithBusybox(ctx, t)
t.Cleanup(func() { d.Stop(t) })
apiClient := d.NewClientT(t)
t.Cleanup(func() { apiClient.Close() })
const netName = "testisol"
const bridgeName = "br-" + netName
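Review bot: Nothing in TestPointToPoint or TestIsolated records why they now pay for a private daemon instead of `testEnv.APIClient()`; the reason lives only in the commit message, so a later cleanup is likely to fold them back onto the shared daemon and reintroduce the race. Put a one-line comment above `d := daemon.New(t)` in both tests, e.g. `// The daemon launched by hack/make/test-integration runs without firewalld integration (DOCKER_TEST_NO_FIREWALLD); this test needs it, so start a dedicated one.`; the same applies to TestInfoFirewallBackend in the info test below. The five-line start/stop/client/close sequence is now repeated verbatim in three tests and could become a small helper that returns the client. If the shared test environment can point at a remote daemon, these tests may also need a skip, since `daemon.New` starts a local process; both function bodies continue past the hunk.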


@@ -6,6 +6,7 @@ import (
"github.com/moby/moby/client"
"github.com/moby/moby/v2/integration/internal/testutils/networking"
"github.com/moby/moby/v2/testutil/daemon"
"github.com/moby/moby/v2/testutil/request"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
@@ -15,7 +16,13 @@ const defaultFirewallBackend = "iptables"
func TestInfoFirewallBackend(t *testing.T) {
ctx := setupTest(t)
c := testEnv.APIClient()
d := daemon.New(t)
d.StartWithBusybox(ctx, t)
t.Cleanup(func() { d.Stop(t) })
c := d.NewClientT(t)
t.Cleanup(func() { c.Close() })
expDriver := defaultFirewallBackend
if val := os.Getenv("DOCKER_FIREWALL_BACKEND"); val != "" {