integration: Add a new networking integration test suite

[akerouanton]

• Slice of Add a new integration test suite checking network behaviors #45850, to make it easier to review

- What I did

This PR introduces a new integration test suite aimed at testing networking features like inter-container communication, network isolation, port mapping, what happens when the userland proxy is enabled or disabled, etc... and how these features interact with daemon-level and network-level parameters.

So far, there's pretty much no tests making sure our networks are working as expected. For instance, there's a few tests for port mapping, but they don't cover all cases (eg. IPv6, disabling the userland proxy, etc...), and a few tests check if a specific iptables rule exists, but that doesn't prevent that specific rule from be wrong in the first place.

As we're planning to refactor how iptables rules are written and change some of them to fix known security issues, we need a way to test all parameter combinations (at least, the important ones). So far, this was done by hand which is painful and time consuming. As such, this new test suite is foundational to upcoming work.

This test suite should help:

• Assert networking security boundaries are working properly, and prevent regressions on security patches;
• Discover what's missing to make the userland proxy disabled by default;
• Give a canonical test plan for new port mappers;

Following tests are implemented in this PR:

• Inter-container communication for internal and non-internal bridge networks, over IPv4 and * IPv6 (using ULAs or link-local addresses, SLAAC-assigned or dynamically allocated) ;
• Inter-network communication for internal and non-internal bridge networks, over IPv4 and IPv6, is disallowed ;

- How to verify it

CI is green.

- A picture of a cute animal (not mandatory but encouraged)

[corhere]

Nit: define a struct type instead of using maps with a fixed set of keys. Types can be declared inside a function body, BTW.

[akerouanton]

Types can be declared inside a function body, BTW.

Yeah, I was hesitant on this one; didn't know what approach would be more idiomatic. Will fix that.

[thaJeztah]

LGTM

[thaJeztah]

DOH! Looks like there's some failures though. So the good news; "tests are testing", The bad news.. something's failing;

=== FAIL: amd64.integration.networking TestBridgeICC/IPv4_internal_network (8.64s)
    bridge_test.go:126: assertion failed: expression is false: strings.Contains(res.Stdout.String(), "1 packets transmitted, 1 packets received")
    bridge_test.go:128: Logs from ctr-icc-1-2:
    --- FAIL: TestBridgeICC/IPv4_internal_network (8.64s)

=== FAIL: amd64.integration.networking TestBridgeICC/IPv6_ULA_on_internal_network (8.66s)
    bridge_test.go:126: assertion failed: expression is false: strings.Contains(res.Stdout.String(), "1 packets transmitted, 1 packets received")
    bridge_test.go:128: Logs from ctr-icc-3-2:
    --- FAIL: TestBridgeICC/IPv6_ULA_on_internal_network (8.66s)

☝️ Also wondering if is.Contains(...) instead of string.Contains() would be useful for those (would it print the string it tried to match?)

[akerouanton]

@corhere @thaJeztah Since #46603 has been merged, the error for such case has changed from "no response" to "network is unreachable".

[corhere]

Suggested change

	assert.Check(t, res.ExitCode == 0)
	assert.Check(t, res.Stderr.Len() == 0)
	assert.Check(t, is.Equal(res.ExitCode, 0))
	assert.Check(t, is.Equal(res.Stderr.Len(), 0))

This is kinda repetitive. Have you considered extracting these assertions to a test helper function?

[akerouanton]

@corhere I coalesced both TestBridgeICC and TestBridgeIPv6SLAACLLAddress together.

[thaJeztah]

LGTM, but left one tiny comment

(CI is currently happy, so once that's addressed we can bring this one in)

[thaJeztah]

I guess this was meant to be in the first commit 🙈