hack/make/test-integration: disable firewalld integration

The daemon started by the test-integration script needs to run without firewalld integration to make sure that daemons started by networking tests will handle firewalld reload without any interference (i.e. without another daemon racing against them to recreate the iptables chains). Most tests are already running their own daemons, but the few that don't and need firewalld integration are updated to start their own. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2026-01-11 18:51:37 +00:00 · 2025-08-26 23:25:22 +02:00
parent 18651d8819
commit 60c6e57b82
4 changed files with 39 additions and 3 deletions
--- a/hack/make/.integration-daemon-start
+++ b/hack/make/.integration-daemon-start
@@ -119,6 +119,14 @@ if [ -z "$DOCKER_TEST_HOST" ]; then
 	(
 		echo "Starting dockerd"
 		[ -n "$TESTDEBUG" ] && set -x
+		if [ -n "${FIREWALLD:-}" ] && [ "${DOCKER_FIREWALL_BACKEND:-}" == "iptables" ]; then
+			# Networking integration tests start their own daemon to have fine control over the configuration of the
+			# daemon-under-test. Two daemons running with firewalld integration enabled would race against each other
+			# when the firewalld reload signal is dispatched, and would result in iptables disappearing unexpectedly
+			# from the point of view of the daemon-under-test. So, disable firewalld integration on this daemon, as it's
+			# only used to load frozen images.
+			export DOCKER_TEST_NO_FIREWALLD="true"
+		fi
 		exec \
 			${dockerd} --debug \
 			--host "$DOCKER_HOST" \