Add a relative_network_cgroups test as one of the integration tests

[moz-sec]

This implements the relative_network_cgroups validation in #361 .
I wrote it based on linux_cgroups_relative_network.go from opencontainers/runtime-tools and tests/cgroups/network.rs from youki-dev/youki.

[YJDoc2]

Hey, thanks for the PR :)
I'll need some time to get to this, will comment once the review is done.

[YJDoc2]

Hey, here along with checking if the container is created, we also need validation for the created network cgroup resources - In the original test we call this function which does the validation, so need that here as well.

[moz-sec]

Thank you.
Added validation for the created network cgroup resources.

[YJDoc2]

Hey, I don't think it is fixed yet. Let me clarify in case there is any confusion -

1. In the original go test, at line https://github.com/opencontainers/runtime-tools/blob/master/validation/linux_cgroups_relative_network/linux_cgroups_relative_network.go#L24C1-L24C77, in the test_outside_container , they are passing util.ValidateLinuxResourcesNetwork function, which will do the validation that ok, the runtime has actually setup the relative network correctly.
2. The util.ValidateLinuxResourcesNetwork function defined at https://github.com/opencontainers/runtime-tools/blob/master/validation/util/linux_resources_network.go#L12 does the checking and validation of relative network cgroup.
3. The change you did in the last commit you pushed is actually almost a no-op. The original way of just calling the test_outside_container was correct, but also needs the cgroup checking logic as mentioned above.

[moz-sec]

I added a new validate_network() and changed the program to validate net_cls.classid and net_prio.ifpriomap.
However, network.rs only verifies check_container_created(&data).
Am I understanding this wrong?

[YJDoc2]

1. validation of this test using runc is failing, can you check?
2. If I'm correct, this is applicable only to cgroups v1, right?

[YJDoc2]

You can just return the test_outside_container value like this -

Suggested change

	let test_result = test_outside_container(spec.clone(), &|data| {
	test_result!(check_container_created(&data));
	test_result!(validate_network(cgroup_name, &spec));
	TestResult::Passed
	});
	if let TestResult::Failed(_) = test_result {
	return test_result;
	}
	TestResult::Passed
	test_outside_container(spec.clone(), &|data| {
	test_result!(check_container_created(&data));
	test_result!(validate_network(cgroup_name, &spec));
	TestResult::Passed
	})

The if let part here is basically a no-op

[moz-sec]

Unnecessary programs have been removed.
ca7ab449

[YJDoc2]

Is it ok to hard-code this here? I think in the can_run below you mention the cgroup can be at a couple of different points.

[moz-sec]

Address multiple network cgroup mount points.
Changed where to get paths for net_cls.classid and net_prio.ifpriomap.
ca7ab449

[moz-sec]

@YJDoc2
Thanks for the review.
I modified the program and verified that test_linux_cgroups_network is ok with just validate-contest-runc.
Could you please check the code?

[moz-sec]

@YJDoc2
I just talked with @utam0k offline, and we discussed whether it would be better to write the equivalent of ValidateLinuxResourcesNetwork in runtime-tools in network.rs and call that method in this relative-network.rs.
What do you think about this?

[YJDoc2]

Hey @moz-sec , that makes sense. I have been busy for some time, and wasn't able to take more detailed look after your changes, apologies. Please go ahead with the implementation as discussed with utam0k. Do you plan to do it in this PR only, or a separate PR (I'm fine with either). Thanks :)

[utam0k]

@YJDoc2
I have a room to review this PR. If you don't mind, please assign me instead of you.