Update to kata 3.20.0 kernel. (apple#1114)

- Closes apple#1113.
- This is the newest we can do until we address apple#767.
- Slight change to PacketFilter error handling so unit tests work more
reliably.
- Try making CLINetworkTests serialized to see if parallel execution is
causing flakes.

Author: jglogan

Sources/ContainerPersistence/DefaultsStore.swift

@@ -181,9 +181,9 @@ extension DefaultsStore.Keys {
             }
             return "ghcr.io/apple/containerization/vminit:\(tag)"
         case .defaultKernelBinaryPath:
-            return "opt/kata/share/kata-containers/vmlinux-6.12.28-153"
+            return "opt/kata/share/kata-containers/vmlinux-6.12.42-162"
         case .defaultKernelURL:
-            return "https://github.com/kata-containers/kata-containers/releases/download/3.17.0/kata-static-3.17.0-arm64.tar.xz"
+            return "https://github.com/kata-containers/kata-containers/releases/download/3.20.0/kata-static-3.20.0-arm64.tar.xz"
         case .defaultSubnet:
             return "192.168.64.1/24"
         case .defaultIPv6Subnet:

Sources/Services/ContainerAPIService/Client/PacketFilter.swift

@@ -159,40 +159,44 @@ public struct PacketFilter {
     }
 
     public func reinitialize() throws {
+        let null = FileHandle.nullDevice
+
+        let checkProcess = Foundation.Process()
+        var checkStatus: Int32
+        checkProcess.executableURL = URL(fileURLWithPath: "/sbin/pfctl")
+        checkProcess.arguments = ["-n", "-f", configURL.path]
+        checkProcess.standardOutput = null
+        checkProcess.standardError = null
+
         do {
-            let pfctl = Foundation.Process()
-            let null = FileHandle.nullDevice
-            var status: Int32
-
-            pfctl.executableURL = URL(fileURLWithPath: "/sbin/pfctl")
-            pfctl.arguments = ["-n", "-f", configURL.path]
-            pfctl.standardOutput = null
-            pfctl.standardError = null
-
-            try pfctl.run()
-            pfctl.waitUntilExit()
-            status = pfctl.terminationStatus
-            guard status == 0 else {
-                throw ContainerizationError(.internalError, message: "invalid pf config \"\(configURL.path)\"")
-            }
+            try checkProcess.run()
+        } catch {
+            throw ContainerizationError(.internalError, message: "pfctl rule check exec failed: \"\(error)\"")
+        }
+
+        checkProcess.waitUntilExit()
+        checkStatus = checkProcess.terminationStatus
+        guard checkStatus == 0 else {
+            throw ContainerizationError(.internalError, message: "invalid pf config \"\(configURL.path)\"")
         }
 
+        let reloadProcess = Foundation.Process()
+        var reloadStatus: Int32
+
+        reloadProcess.executableURL = URL(fileURLWithPath: "/sbin/reloadProcess")
+        reloadProcess.arguments = ["-f", configURL.path]
+        reloadProcess.standardOutput = null
+        reloadProcess.standardError = null
+
         do {
-            let pfctl = Foundation.Process()
-            let null = FileHandle.nullDevice
-            var status: Int32
-
-            pfctl.executableURL = URL(fileURLWithPath: "/sbin/pfctl")
-            pfctl.arguments = ["-f", configURL.path]
-            pfctl.standardOutput = null
-            pfctl.standardError = null
-
-            try pfctl.run()
-            pfctl.waitUntilExit()
-            status = pfctl.terminationStatus
-            guard status == 0 else {
-                throw ContainerizationError(.invalidState, message: "pfctl -f \"\(configURL.path)\" failed with status \(status)")
-            }
+            try reloadProcess.run()
+        } catch {
+            throw ContainerizationError(.internalError, message: "pfctl reload exec failed: \"\(error)\"")
+        }
+        reloadProcess.waitUntilExit()
+        reloadStatus = reloadProcess.terminationStatus
+        guard reloadStatus == 0 else {
+            throw ContainerizationError(.invalidState, message: "pfctl -f \"\(configURL.path)\" failed with status \(reloadStatus)")
         }
     }
 }

Tests/CLITests/Subcommands/Networks/TestCLINetwork.swift

@@ -22,6 +22,7 @@ import ContainerizationOS
 import Foundation
 import Testing
 
+@Suite(.serialized)
 class TestCLINetwork: CLITest {
     private static let retries = 10
     private static let retryDelaySeconds = Int64(3)