failure on arm is a known flaky test; #42357

[2021-05-18T08:05:56.917Z] --- FAIL: TestDaemonHostGatewayIP (5.39s)
[2021-05-18T08:05:56.917Z]     daemon_linux_test.go:161: [db2862c8d069f] failed to start daemon with arguments [--data-root /go/src/github.com/docker/docker/bundles/test-integration/TestDaemonHostGatewayIP/db2862c8d069f/root --exec-root /tmp/dxr/db2862c8d069f --pidfile /go/src/github.com/docker/docker/bundles/test-integration/TestDaemonHostGatewayIP/db2862c8d069f/docker.pid --userland-proxy=true --containerd-namespace db2862c8d069f --containerd-plugins-namespace db2862c8d069fp --containerd /var/run/docker/containerd/containerd.sock --host unix:///tmp/docker-integration/db2862c8d069f.sock --debug --storage-driver overlay2 --host-gateway-ip=6.7.8.9] : [db2862c8d069f] daemon exited during startup: exit status 1

Exactly the level of complexity and line count I expected when I saw the PR title 😭

Oh man, I went through multiple iterations; at first tried https://github.com/dmcgowan/quicktls (which is super handy), and even contributed a PR to it to add SAN support (dmcgowan/quicktls#3) but that didn't set the "subject" (CN) that was used by the Authz plugin. Tried https://github.com/FiloSottile/mkcert, which was recommended as an easy tool (and created by one of Go's security people, so seemed like a good choice), however that one also didn't offer the ability to set the CN (fields were filled by some "dummy" data). It also refuses to use * as SAN (which could be "correct", or not.. ? openssh accepts it, but TBH not sure if it's valid.. tests pass, so 🤷‍♂️)

So... time to dive into the openssh man pages, which was "down the rabbit hole". openssh design really looks to be "security is important to us, so we make this as complicated as can be for you. We hope you mess things up, so that security teams won't be out of a job!".

• learned that openssh req can either produce a csr or an actual certificate (if -x509 is set) 🤯 (great! so we can do it all in a single step... right?)
• when using openssh req -x509, the -addext option can be used to set x509 options (awesome! I can pass the options on the command-line, that way I don't need to create some config file 🥳)
• So I just pass the -CA and -CAkey to sign... wait.. those flags are not present?
• ok, nevermind, two steps it is then; create the CSR with all the options set, and then create / sign the certificate in the second step with openssh x509
• ahm.. right, so while x509 options can be included in a CSR, they are not inherited by openssh x509
• no worries! I'll just move the -addext flag to the openssh x509 step. oh.. right... that one doesn't support passing them on the command line
• back to creating a "config" file then 😞

Yepppp, it's a mess (slightly better in OpenSSL 3.0+ IIRC, but still pretty ugly). I can definitely relate. 😅