From b9f51008a58df00123a578a7b1774b3309fc15bb Mon Sep 17 00:00:00 2001
From: bjorn3 <17426603+bjorn3@users.noreply.github.com>
Date: Mon, 13 Jan 2025 11:26:22 +0100
Subject: [PATCH] Disable network access for the containers

Turns out setting up a network namespace and reconfiguring the firewall is pretty expensive. Disabling this setup brings down test times from ~210s to ~65s.
---
 test-framework/sudo-test/src/docker.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/test-framework/sudo-test/src/docker.rs b/test-framework/sudo-test/src/docker.rs
index 474218d1e..eb11a8638 100644
--- a/test-framework/sudo-test/src/docker.rs
+++ b/test-framework/sudo-test/src/docker.rs
@@ -60,6 +60,14 @@ impl Container {
 pub fn new_with_hostname(image: &str, hostname: Option<&str>) -> Result {
 let mut docker_run = docker_command();
 docker_run.args(["run", "--detach"]);
+ if !crate::is_original_sudo() {
+ // Disable network access for the containers. This removes the overhead of setting up a
+ // new network namespace and associated firewall rule adjustments. We still need to keep
+ // network access enabled for original sudo however as it needs to be able to resolve
+ // it's own hostname to a fully qualified domain name, which isn't possible with
+ // `--net=none`.
+ docker_run.arg("--net=none");
+ }
 if let Some(hostname) = hostname {
 docker_run.args(["--hostname", hostname]);
 }
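Review bot: The added `if !crate::is_original_sudo()` branch makes the two test modes run in different network environments: sudo-rs containers get `--net=none` (loopback only), while original-sudo containers keep Docker's default network. A test that depends on hostname or FQDN resolution can therefore pass in one mode and fail in the other for reasons unrelated to the sudo implementation under test. The comment should record that consequence and not only the speed-up, for example `// NOTE: sudo-rs tests run without a network; only loopback name resolution is available.` Two small wording points on the same lines: `it's own hostname` should read `its own hostname`, and `--network=none` is the documented spelling of the flag (`--net` is the older alias). `new_with_hostname` continues past the end of the hunk, so how the image and any remaining arguments are appended is not visible here.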