Extract the disable-docker.sh script

vjovanov · vjovanov · commit 3268b3bf870b · 2025-11-10T07:49:52.000+01:00
diff --git a/.github/workflows/check-new-library-versions-in-batch.yml b/.github/workflows/check-new-library-versions-in-batch.yml
@@ -118,15 +118,8 @@ jobs:
       - name: "Pull allowed docker images"
         run: ./gradlew pullAllowedDockerImages --coordinates="${{ env.TEST_COORDINATES }}"
 
-      - name: "Disable docker"
-        run: |
-          sudo apt-get install openbsd-inetd
-          sudo bash -c "cat ./.github/workflows/discard-port.conf >> /etc/inetd.conf"
-          sudo systemctl start inetd
-          sudo mkdir /etc/systemd/system/docker.service.d
-          sudo bash -c "cat ./.github/workflows/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
-          sudo systemctl daemon-reload
-          sudo systemctl restart docker
+      - name: "Disable docker networking"
+        run: bash ./.github/workflows/disable-docker.sh
 
       - name: "🧪 Run '${{ env.TEST_COORDINATES }}' tests"
         id: runtests
diff --git a/.github/workflows/disable-docker.sh b/.github/workflows/disable-docker.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright and related rights waived via CC0
+#
+# You should have received a copy of the CC0 legalcode along with this
+# work. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+
+# Purpose:
+#   Make Docker unable to access the network during tests by:
+#     1) Enabling the discard service on localhost:9 (TCP/UDP) via inetd to accept and immediately discard traffic.
+#     2) Pointing Docker's HTTP(S) proxy environment variables to http(s)://localhost:9 using a systemd drop-in.
+#
+# Why:
+#   - Tests may only use pre-pulled/allowed Docker images. This prevents Docker from downloading anything else.
+#   - Using the discard service avoids long TCP connection timeouts: the local port accepts connections and discards
+#     data quickly, causing Docker's proxy connections to fail fast.
+#
+# Notes:
+#   - This script is designed for GitHub Actions Ubuntu runners with sudo.
+#   - It is idempotent: re-running it won't duplicate config lines or unnecessarily restart Docker.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+sudo apt-get install openbsd-inetd
+sudo bash -c "cat ${SCRIPT_DIR}/discard-port.conf >> /etc/inetd.conf"
+sudo systemctl start inetd
+sudo mkdir /etc/systemd/system/docker.service.d
+sudo bash -c "cat ${SCRIPT_DIR}/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
+sudo systemctl daemon-reload
+sudo systemctl restart docker
+echo "Docker outbound network effectively disabled via proxy=http(s)://localhost:9 backed by inetd discard service."
diff --git a/.github/workflows/run-consecutive-tests.sh b/.github/workflows/run-consecutive-tests.sh
@@ -1,5 +1,10 @@
 #!/bin/bash
 
+# Copyright and related rights waived via CC0
+#
+# You should have received a copy of the CC0 legalcode along with this
+# work. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+
 set -u
 set -x
 
diff --git a/.github/workflows/test-all-metadata.yml b/.github/workflows/test-all-metadata.yml
@@ -63,15 +63,8 @@ jobs:
       - name: "Pull allowed docker images"
         run: |
           ./gradlew pullAllowedDockerImages --coordinates=${{ matrix.coordinates }}
-      - name: "Disable docker"
-        run: |
-          sudo apt-get install openbsd-inetd
-          sudo bash -c "cat ./.github/workflows/discard-port.conf >> /etc/inetd.conf"
-          sudo systemctl start inetd
-          sudo mkdir /etc/systemd/system/docker.service.d
-          sudo bash -c "cat ./.github/workflows/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
-          sudo systemctl daemon-reload
-          sudo systemctl restart docker
+      - name: "Disable docker networking"
+        run: bash ./.github/workflows/disable-docker.sh
       - name: "🧪 Run '${{ matrix.coordinates }}' tests"
         run: |
           ./gradlew test -Pcoordinates=${{ matrix.coordinates }}
diff --git a/.github/workflows/test-changed-metadata.yml b/.github/workflows/test-changed-metadata.yml
@@ -66,15 +66,8 @@ jobs:
       - name: "Pull allowed docker images"
         run: |
           ./gradlew pullAllowedDockerImages --coordinates=${{ matrix.coordinates }}
-      - name: "Disable docker"
-        run: |
-          sudo apt-get install openbsd-inetd
-          sudo bash -c "cat ./.github/workflows/discard-port.conf >> /etc/inetd.conf"
-          sudo systemctl start inetd
-          sudo mkdir /etc/systemd/system/docker.service.d
-          sudo bash -c "cat ./.github/workflows/dockerd.service > /etc/systemd/system/docker.service.d/http-proxy.conf"
-          sudo systemctl daemon-reload
-          sudo systemctl restart docker
+      - name: "Disable docker networking"
+        run: bash ./.github/workflows/disable-docker.sh
       - name: "🔎 Check metadata config files content"
         run: |
           ./gradlew checkConfigFiles --coordinates=${{ matrix.coordinates }}
