Add a new integration test suite checking network behaviors

[akerouanton]

- What I did

This PR introduces a new integration test suite aimed at testing networking features like inter-container communication, network isolation, port mapping, what happens when the userland proxy is enabled or disabled, etc... and how these features interact with daemon-level and network-level parameters.

So far, there's pretty much no tests making sure our networks are working as expected. For instance, there's a few tests for port mapping, but they don't cover all cases (eg. like IPv6, disabling the userland proxy, etc...); 2. there're a few tests that check if a specific iptables rule exists, but that doesn't prevent that specific rule from be wrong in the first place.

As we're planning to refactor how iptables rules are written and change some of them to fix known security issues, we need a way to test all parameter combinations (at least, the important ones). So far, this was done by hand which is a particularly painful and time consuming experience. As such, this new test suite is foundational to upcoming work.

This test suite should help:

1. Assert networking security boundaries are working properly, and prevent regressions on security patches ;
2. Discover what's missing to make the userland proxy disabled by default ;
3. Give a canonical test plan for new port mappers ;

Following tests are implemented in this PR:

• Inter-container communication for internal and non-internal bridge networks, over IPv4 and IPv6 (using ULAs or link-local addresses, SLAAC-assigned or dynamically allocated) ;
• Inter-network communication for internal and non-internal bridge networks, over IPv4 and IPv6, is disallowed ;
• Connecting to published ports from the host, using either IPv4 or IPv6 loopback address or another local address ;
• Connecting to published ports from another bridge, using the bridge gateway address with either the userland proxy enabled or disabled ;
• Connecting to ports bound to loopback address, from another host running on a shared L2 segment ;
• Reaching a container that didn't publish any port, from another host running on a shared L2 segment ;
• Connecting to a published port bound to a specific IP address, from another host running on another L2 segment ;

I plan to write some more tests in the near future (eg. for CVE-2020-13401).

- How to verify it

CI is green.

- A picture of a cute animal (not mandatory but encouraged)

[corhere]

I would like to see the libnetwork testutils package moved under libnetwork/internal/ so we don't have to worry about some third party importing it.

[akerouanton]

I would like to see the libnetwork testutils package moved under libnetwork/internal/ so we don't have to worry about some third party importing it.

We can't move testutils into libnetwork/internal and use it from github.com/docker/docker/integration as internal packages can only be used by other packages in the parent directory they're rooted at. From https://dave.cheney.net/2019/10/06/use-internal-packages-to-reduce-your-public-api-surface:

For example, a package /a/b/c/internal/d/e/f can only be imported by code in the directory tree rooted at /a/b/c. It cannot be imported by code in /a/b/g or in any other repository.

[corhere]

We can't move testutils into libnetwork/internal and use it from github.com/docker/docker/integration

Fine, github.com/docker/docker/internal/... then. I don't care how, I just want it so that external modules can't import the package so we can make breaking changes to it at any time.

[thaJeztah]

Just some comments after making a first pass / glance over the changes 😅

[thaJeztah]

Starting to think if we could use icmd.Result for these, but it looks like it would need some contributing to upstream because the outBuffer and errBuffer are not exported.

Could be nice though to use that type for this as well 🤔

moby/vendor/gotest.tools/v3/icmd/command.go

Lines 43 to 52 in 7baab8b

	// Result stores the result of running a command
	type Result struct {
	Cmd *exec.Cmd
	ExitCode int
	Error error
	// Timeout is true if the command was killed because it ran for too long
	Timeout bool
	outBuffer *lockedBuffer
	errBuffer *lockedBuffer
	}

I think some of this code also shows that we need to improve some of the client to not having to write utilities like this (e.g. the demultiplexing). Perhaps something to work on (separately) to move code from the CLI, and/or provide better utilities in the client code 🤔

[corhere]

I disagree on all counts.

Starting to think if we could use icmd.Result for these

While there are a lot of similarities, this is not the result of an *exec.Cmd run. The gotest.tools module is Apache2 licensed so there's nothing preventing us from copying that code and modifying it to fit the needs of asserting on the result of attaching to a container or running an exec.

I think some of this code also shows that we need to improve some of the client to not having to write utilities like this (e.g. the demultiplexing).

Demultiplex into what? Buffering the whole demuxed output into an in-memory buffer is rarely the right thing to do in general as the output of an arbitrary command may be unbounded. We shouldn't provide utilities in the client code which make it easier to do the wrong thing than to do the right thing. By only providing stdcopy the consumer of the client is forced to choose which io.Writer to demux the streams into, giving them the opportunity to consider which choice would best fit their use case.

[thaJeztah]

Does this assert actually do anything? It would always be a non-nil error? Should this be a t.Fatal(err)?

[thaJeztah]

This part is a bit confusing ... no error, and producing a t.Fatal() 🤔

[thaJeztah]

It's ok to skip the runtime.UnlockOSThread() if we fail? (I guess it is if we os.Exit()

[corhere]

Not only is it okay, it's mandatory. See #45850 (comment)

[thaJeztah]

Just double checking; we should remove the path even if we failed to unmount?

[thaJeztah]

Wondering if we need a context passed so allow us to past a test-logger (instead of fmt.Printf 🤔

[corhere]

Please break this up into smaller PRs; this is way too much to review at once.

[corhere]

The test runner is perfectly capable of suppressing log output on passing tests. All you're doing by making this log conditional is breaking the -test.v flag. Don't break the -test.v flag.

[corhere]

Not only is it okay, it's mandatory. See #45850 (comment)

[corhere]

I disagree on all counts.

Starting to think if we could use icmd.Result for these

While there are a lot of similarities, this is not the result of an *exec.Cmd run. The gotest.tools module is Apache2 licensed so there's nothing preventing us from copying that code and modifying it to fit the needs of asserting on the result of attaching to a container or running an exec.

I think some of this code also shows that we need to improve some of the client to not having to write utilities like this (e.g. the demultiplexing).

Demultiplex into what? Buffering the whole demuxed output into an in-memory buffer is rarely the right thing to do in general as the output of an arbitrary command may be unbounded. We shouldn't provide utilities in the client code which make it easier to do the wrong thing than to do the right thing. By only providing stdcopy the consumer of the client is forced to choose which io.Writer to demux the streams into, giving them the opportunity to consider which choice would best fit their use case.

[akerouanton]

A similar L3Segment was introduced in #48545. It uses iproute2 commands instead of a full Go implementation. This makes it easier to manually reproduce the environment where a specific test is failing. Since the introduction of this L3Segment, we've merged various integration tests that simulates networking between multiple hosts on the same L2 / L3 semgnet.

Most / all the test cases in this PR should be covered by newer tests, so let me close it.