Add a relative_network_cgroups test as one of the integration tests

[moz-sec]

This implements the relative_network_cgroups validation in #361 .
I wrote it based on linux_cgroups_relative_network.go from opencontainers/runtime-tools and tests/cgroups/network.rs from youki-dev/youki.

[YJDoc2]

Hey, thanks for the PR :)
I'll need some time to get to this, will comment once the review is done.

[YJDoc2]

Hey, here along with checking if the container is created, we also need validation for the created network cgroup resources - In the original test we call this function which does the validation, so need that here as well.

[moz-sec]

Thank you.
Added validation for the created network cgroup resources.

[YJDoc2]

Hey, I don't think it is fixed yet. Let me clarify in case there is any confusion -

1. In the original go test, at line https://github.com/opencontainers/runtime-tools/blob/master/validation/linux_cgroups_relative_network/linux_cgroups_relative_network.go#L24C1-L24C77, in the test_outside_container , they are passing util.ValidateLinuxResourcesNetwork function, which will do the validation that ok, the runtime has actually setup the relative network correctly.
2. The util.ValidateLinuxResourcesNetwork function defined at https://github.com/opencontainers/runtime-tools/blob/master/validation/util/linux_resources_network.go#L12 does the checking and validation of relative network cgroup.
3. The change you did in the last commit you pushed is actually almost a no-op. The original way of just calling the test_outside_container was correct, but also needs the cgroup checking logic as mentioned above.

[moz-sec]

I added a new validate_network() and changed the program to validate net_cls.classid and net_prio.ifpriomap.
However, network.rs only verifies check_container_created(&data).
Am I understanding this wrong?

[YJDoc2]

1. validation of this test using runc is failing, can you check?
2. If I'm correct, this is applicable only to cgroups v1, right?

[YJDoc2]

You can just return the test_outside_container value like this -

Suggested change

	let test_result = test_outside_container(spec.clone(), &|data| {
	test_result!(check_container_created(&data));
	test_result!(validate_network(cgroup_name, &spec));
	TestResult::Passed
	});
	if let TestResult::Failed(_) = test_result {
	return test_result;
	}
	TestResult::Passed
	test_outside_container(spec.clone(), &|data| {
	test_result!(check_container_created(&data));
	test_result!(validate_network(cgroup_name, &spec));
	TestResult::Passed
	})

The if let part here is basically a no-op

[moz-sec]

Unnecessary programs have been removed.
ca7ab449

[YJDoc2]

Is it ok to hard-code this here? I think in the can_run below you mention the cgroup can be at a couple of different points.

[moz-sec]

Address multiple network cgroup mount points.
Changed where to get paths for net_cls.classid and net_prio.ifpriomap.
ca7ab449

[moz-sec]

@YJDoc2
Thanks for the review.
I modified the program and verified that test_linux_cgroups_network is ok with just validate-contest-runc.
Could you please check the code?

[moz-sec]

@YJDoc2
I just talked with @utam0k offline, and we discussed whether it would be better to write the equivalent of ValidateLinuxResourcesNetwork in runtime-tools in network.rs and call that method in this relative-network.rs.
What do you think about this?

[YJDoc2]

Hey @moz-sec , that makes sense. I have been busy for some time, and wasn't able to take more detailed look after your changes, apologies. Please go ahead with the implementation as discussed with utam0k. Do you plan to do it in this PR only, or a separate PR (I'm fine with either). Thanks :)

[utam0k]

@YJDoc2
I have a room to review this PR. If you don't mind, please assign me instead of you.

[moz-sec]

@YJDoc2
I have proceeded with this PR.
Add validate_network, the equivalent of ValidateLinuxResourcesNetwork in runtime-tools, to network.rs and call it from relative-network.rs as well.
Please review when you have time.

[YJDoc2]

Hey @moz-sec , apologies I haven't been able to take a look at this. I had been quite busy, and then got a bit sick, and currently just have a lot of things I need to work on 😅 I'll try my best to take a look at this as soon as possible.

Sincere apologies, I should have done better managing this 🙏

@utam0k if I may ask of you, it would be great if you could help with reviewing this PR. Otherwise I'll get to this as soon as I can.

[utam0k]

@utam0k if I may ask of you, it would be great if you could help with reviewing this PR. Otherwise I'll get to this as soon as I can.

Sure!

[utam0k]

Thanks for your PR. I left some introductory comments. I'll return this week to review more details.

[utam0k]

Please make each condition have a meaning, not only checking if the path exists.

[moz-sec]

Each conditional branch will set net_cls_path to /sys/fs/cgroup/net_cls/net_cls.classid/test_network_cgroups or /sys/fs/cgroup/net_cls,net_prio/net_cls.classid/test_network_cgroup or /sys/fs/cgroup/net_prio,net_cls/net_cls.classid/network_cgroups.
But looking at this alone, I too find this program confusing.
How can I write the same thing more neatly?

[moz-sec]

I think it would be simplest to just use sys/fs/cgroup/net_cls,net_prio/, but looking at #39, do we still need to identify which directory it is mounted in and process it accordingly?

[utam0k]

Why is this change needed?

[moz-sec]

In the case of spec, ownership is passed to test_outside_container and I used spec.clone() since I cannot use spec on line 123.

[utam0k]

Please use consts instead of normal values.

[moz-sec]

For example, is it correct to write “const CGROUP_NAME: &str = ‘test_relative_network_cgroups’;`”?

[utam0k]

I don't think this binding is needed.

[utam0k]

testdir/runtime-test/container is duplicated with L66 in this file. How about passing cgroup path?

[moz-sec]

I think it is possible if I define it as a relative path (e.g. testdir/runtime-test/container/test_relative_network_cgroups) in the cgroup_name variable.
However, looking at other existing test code, the cgroup path consists of /runtime + cgroup_name variable, and I wrote this to match.
Is there a cleaner way to write this?

[utam0k]

Thanks for your PR. I left some introductory comments. I'll return this week to review more details.

[utam0k]

Thanks for your PR. I left some introductory comments. I'll return this week to review more details.

[utam0k]

For some reason, multiple copies were sent 😭