feat: add support for com.docker.network.bridge.enable_icc network option

[swagatbora90]

This PR adds support for docker compatible com.docker.network.bridge.enable_icc or --icc network create option. This option is used to enable/disable intercontainer connectivity.

By default, any bridge network allows connectivity between containers attached to the same network, while containers in different networks are isolated. The enable_icc feature can be further used to enable/disable intra bridge container connectivity.

Requires firewall plugin >= v1.7.1

Testing

1. Create a network with com.docker.network.bridge.enable_icc set to false, say test-net
2. Run a container and attach it to test-net
3. Run a second container and attach it to test-net
4. Ping from container 1 to container 2 should not succeed.

sudo nerdctl network create  -o "com.docker.network.bridge.enable_icc=false" test-net          
254ddbe0ec1e5f3ed4b492876e2b6b9a051436b44c40d00ebd5e72bf7aa88435

sudo nerdctl run -d  --network test-net --name C1 ubuntu  sleep infinity  
6f22e651b9a4f3988e1ebce35f13806f65d0be942bfe9a2325c668a53cafcc9b

 sudo nerdctl run --network test-net alpine ping -c 1 -W 1 C1
PING C1 (10.4.4.4): 56 data bytes

--- C1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

With icc=true, it will fallback to default behavior

sudo nerdctl network create  -o "com.docker.network.bridge.enable_icc=true" test-net1   
cf021853e2fd31f5ef29264e5fd834d45bf1ea364c3fef8ff60edec326899b77
 
sudo nerdctl run -d  --network test-net1 --name C2 ubuntu  sleep infinity  
2c95ae6ad9da8a07de97c609d9e65acdc95f3b343ea6e4c46ccd4c9b3df79b90

sudo nerdctl run --network test-net1 alpine ping -c 1 -W 1 C2
PING C2 (10.4.5.2): 56 data bytes
64 bytes from 10.4.5.2: seq=0 ttl=127 time=0.115 ms

--- C2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.115/0.115/0.115 ms

[AkihiroSuda]

Thanks

[swagatbora90]

Looks like the test disabling ICC is failing on a few platform. Taking a look.

[AkihiroSuda]

Moving to the v2.1.4 milestone

[AkihiroSuda]

Needs rebase, in addition to fixing the CI

[swagatbora90]

Needs rebase, in addition to fixing the CI

@AkihiroSuda I had a hard time debugging the CI failures since this was working on my local test host. Finally, figured out that the the test are failing because the ubuntu runners do not have br-netfilter module loaded, which is required for this feature to work. We need the bridged traffic to go through netfilter.

We will need to load the module in our ubuntu runners first for this test to work. Given we have other features that also rely on cni firewall rules, I am thinking of enabling it across all the runners. let me know what you think?

[AkihiroSuda]

We will need to load the module in our ubuntu runners first for this test to work. Given we have other features that also rely on cni firewall rules, I am thinking of enabling it across all the runners. let me know what you think?

👍, but maybe you do not need to modprobe it explicitly if you mount -v /lib/modules:/lib/modules:ro here:

nerdctl/.github/workflows/job-test-in-container.yml

Line 166 in 832c455

docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.target=${{ inputs.binary }}

(and in the similar places in other test-in-*.yaml)

[swagatbora90]

but maybe you do not need to modprobe it explicitly if you mount -v /lib/modules:/lib/modules:ro here

I tried this option, but ran into the same errors swagatbora90@06d49d0. Looks like I need to load the br_netfilter module explicitly as they are not loaded by default.

[swagatbora90]

Opened [https://github.com//pull/4481] to load the br_netfilter module inn the runners.

[swagatbora90]

Test failures are not related and appear to be one of the flaky ones.

[swagatbora90]

@AkihiroSuda @apostasie Tests are passing now after latest CI update to load the br_netfilter module. I think this PR is good to be merged now. Still seeing some random flaky test failures though, but appears to be unrelated.

[ChengyuZhu6]

LGTM

[AkihiroSuda]

Thanks