feat: add support for com.docker.network.bridge.enable_icc network option #4311
Conversation
| return helpers.Command("run", "--rm", "--net", data.Identifier(), | ||
| testutil.CommonImage, "ping", "-c", "1", "-W", "1", data.Identifier("c1")) | ||
| }, | ||
| Expected: test.Expects(1, nil, nil), // Expect ping to fail with exit code 1 |
There was a problem hiding this comment.
Wondering if ping portably returns that same exit code.
Maybe use expect.ExitCodeGenericFail to check for failure without being specific on exit code?
There was a problem hiding this comment.
eg: on macOS, it seems to exit 2
There was a problem hiding this comment.
I will change this to just check for any non-zero exit code
pkg/netutil/netutil_unix.go
Outdated
| } | ||
|
|
||
| // firewallPluginGEQ110 checks if the firewall plugin is greater than or equal to v1.1.0 | ||
| func firewallPluginGEQ110(firewallPath string) (bool, error) { |
There was a problem hiding this comment.
Maybe we can just remove this helper and call directly firewallPluginGEQVersion(firewallPath, "v1.1.0") where needs be?
| testutil.CommonImage, "ping", "-c", "1", "-W", "1", data.Identifier("c1")) | ||
| }, | ||
| Expected: test.Expects(0, nil, nil), // Expect ping to succeed with exit code 0 | ||
| }, |
There was a problem hiding this comment.
Maybe add a third case where enable_icc is not specified, to verify the default behavior?
There was a problem hiding this comment.
Sure, will add
| @@ -129,9 +135,24 @@ func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string] | |||
| if ipv6 { | |||
| bridge.Capabilities["ips"] = true | |||
| } | |||
| plugins = []CNIPlugin{bridge, newPortMapPlugin(), newFirewallPlugin(), newTuningPlugin()} | |||
|
|
|||
| // Determine the appropriate firewall ingress policy based on icc setting | |||
There was a problem hiding this comment.
This only matter for non-default network, right?
Maybe the entire section should be moved inside the if name != DefaultNetworkName { section?
There was a problem hiding this comment.
Yes, currently network options are only applied to non default network, which makes sense since the default network is created by nerdctl. That being said, there isn't a hard rule that these network options can never be applied to the default network. Docker actually allows you to configure the default network with these options on daemon startup. I think we can keep this as is, and let the callers decide how they want to invoke this.
| @@ -111,6 +112,11 @@ func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string] | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
| case "icc", "com.docker.network.bridge.enable_icc": | |||
swagatbora90
force-pushed
the
feat-icc-nerdctl
branch
3 times, most recently
from
c85e72d to
bea516f
Compare
| @@ -439,3 +442,23 @@ func ContainerdVersion(v string) *test.Requirement { | |||
| }, | |||
| } | |||
| } | |||
|
|
|||
| // CNIFirewallVersionGE checks if the CNI firewall plugin version is greater than or equal to the specified version | |||
| func CNIFirewallVersionGE(requiredVersion string) *test.Requirement { | |||
There was a problem hiding this comment.
nit: "GE" suffix isn't consistent with ContainerdVersion()
|
|
||
| testCase.Require = require.All( | ||
| require.Linux, | ||
| nerdtest.Rootful, |
…tion Signed-off-by: Swagat Bora <[email protected]>
swagatbora90
force-pushed
the
feat-icc-nerdctl
branch
from
bea516f to
e0f7d38
Compare
This PR adds support for docker compatible
com.docker.network.bridge.enable_iccor--iccnetwork create option. This option is used to enable/disable intercontainer connectivity.By default, any bridge network allows connectivity between containers attached to the same network, while containers in different networks are isolated. The enable_icc feature can be further used to enable/disable intra bridge container connectivity.
Requires firewall plugin >= v1.7.1
Testing
com.docker.network.bridge.enable_iccset to false, saytest-nettest-nettest-netWith icc=true, it will fallback to default behavior