Add network attachment aliases#1815

Open: thromel wants to merge 5 commits into apple:main from thromel:codex/network-aliases

@thromel thromel commented Jun 25, 2026

Closes #1839

Summary

This PR adds explicit network attachment aliases so a container can register additional DNS names on a network attachment.

  • adds aliases to AttachmentOptions and Attachment
  • parses repeated alias=NAME properties in --network, for example --network backend,alias=db
  • passes aliases over the network-helper XPC allocation request
  • registers aliases in the network allocator as additional names for the same address
  • releases all names for an allocation when the attachment is released
  • includes aliases in duplicate-name validation during container creation
  • adds coverage for alias serialization compatibility and client attachment-option plumbing

Related

This PR is stacked and currently includes the commits from #1810 and #1813. I can rebase once those land, or split/re-target however maintainers prefer.

Notes

The CLI shape follows the existing network property syntax:

container run --network backend,alias=db,alias=database ...

Aliases are currently validated for emptiness and normalized case/trailing-dot in the allocator, matching existing hostname lookup behavior. This keeps the change narrow and avoids introducing a stricter hostname validator than the existing primary-hostname path uses.

Testing

  • git diff --check
  • swift test -c debug -Xswiftc -warnings-as-errors --filter 'ParserTest|AttachmentAllocatorTest'
  • swift test -c debug -Xswiftc -warnings-as-errors --filter 'DNSServerTests|AttachmentAllocatorTest|ParserTest'
  • swift test -c debug -Xswiftc -warnings-as-errors --filter 'UtilityTests|NetworkConfigurationTest|AttachmentTest|AttachmentAllocatorTest|ParserTest'
  • swift test -c debug -Xswiftc -warnings-as-errors --filter 'DNSServerTests|UtilityTests|NetworkConfigurationTest|AttachmentTest|AttachmentAllocatorTest|ParserTest'
  • swift build -c debug -Xswiftc -warnings-as-errors --product container-apiserver --product container
  • make BUILD_CONFIGURATION=debug WARNINGS_AS_ERRORS=true container
  • Live temp-install validation against debug build 620cfc3:
    • started debug service from a temporary install root with --install-root and --log-root
    • created codex-alias-live
    • started codex-alias-peer with --network codex-alias-live,alias=db,alias=database
    • from peer containers on the same network, nslookup db, nslookup database, and nslookup codex-alias-peer all resolved through 192.168.65.1:53 to the peer container IP
    • a second container using alias=db failed as expected with hostname(s) already exist: ["db"]
    • removed the test container/network afterward
    • restored the installed /usr/local release service and verified it reports release build ee848e3 with all helpers under /usr/local
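
Added example, not code from this PR or the project: a small Swift model of the behaviour the description above lists (repeated alias=NAME parsing, case and trailing-dot normalization, duplicate-name rejection, and release of every name for an allocation). `AliasError`, `normalize`, `parseNetwork`, `NameTable` and the container addresses are hypothetical names and constructed values.

```swift
// Hypothetical model for illustration; not the project's allocator or parser.
enum AliasError: Error {
    case emptyAlias
    case namesExist([String])
}

// Lowercase and drop one trailing dot, so "DB." and "db" are the same name.
func normalize(_ name: String) -> String {
    let lowered = name.lowercased()
    return lowered.hasSuffix(".") ? String(lowered.dropLast()) : lowered
}

// Split "backend,alias=db,alias=database" into the network and its aliases.
func parseNetwork(_ spec: String) throws -> (network: String, aliases: [String]) {
    let parts = spec.split(separator: ",", omittingEmptySubsequences: false).map(String.init)
    var aliases: [String] = []
    for prop in parts.dropFirst() where prop.hasPrefix("alias=") {
        let value = String(prop.dropFirst("alias=".count))
        if normalize(value).isEmpty { throw AliasError.emptyAlias }
        aliases.append(value)
    }
    return (parts[0], aliases)
}

struct NameTable {
    private var owner: [String: String] = [:]  // normalized name -> address
    // All-or-nothing: reject the request if any normalized name is already owned.
    mutating func allocate(hostname: String, aliases: [String], address: String) throws {
        let names = ([hostname] + aliases).map(normalize)
        let taken = names.filter { owner[$0] != nil }
        guard taken.isEmpty else { throw AliasError.namesExist(taken) }
        for name in names { owner[name] = address }
    }
    // Releasing an attachment frees the hostname and every alias together.
    mutating func release(address: String) {
        owner = owner.filter { $0.value != address }
    }
    func lookup(_ name: String) -> String? { owner[normalize(name)] }
}

// Constructed sample data: container names and addresses are made up.
var table = NameTable()
let peer = try parseNetwork("backend,alias=db,alias=Database.")
try table.allocate(hostname: "peer", aliases: peer.aliases, address: "192.168.65.2")
print(table.lookup("DB.") ?? "unresolved")
do { try table.allocate(hostname: "other", aliases: ["DB"], address: "192.168.65.3") } catch { print("rejected:", error) }
table.release(address: "192.168.65.2")
print(table.lookup("database") ?? "unresolved")
```

Running the duplicate check on the normalized form is what makes `DB` collide with `db`; a comparison on raw strings would let two containers on one network answer for the same DNS name.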

jglogan commented Jun 26, 2026

Contributor

@thromel We won't have time to look at this in the next couple of days, but we should be able to get started on it in the next week sometime or the week after.

This is exactly the CLI shape I had in mind for this. Could you create an enhancement issue for this and then add a "Closes #issue" at the top of this PR? In the issue, provide a basic description of the feature use case, UX (CLI shape), and proposed design (mainly, how does our hostname database and the interactions with it change?)

Once that's in place we can discuss in the issue a couple of other things I've had in mind relating to this capability.

Thank you for taking this on.

jglogan commented Jun 26, 2026

Contributor

@thromel Also, please configure commit signing and verification, as we can't merge unverified commits.

See: https://github.com/apple/containerization/blob/main/CONTRIBUTING.md#pull-requests

thromel commented Jun 26, 2026

Author

Thanks, done. I filed #1839 with the use case, CLI UX, and hostname database design notes, and updated this PR body to start with Closes #1839.

I also saw the signing note. I am setting up verified SSH commit signing and will force-push signed replacement commits once GitHub recognizes the signing key.

thromel force-pushed the codex/network-aliases branch from 620cfc3 to 638ad20 on June 26, 2026 19:09

thromel commented Jun 26, 2026

Author

Signed replacement commits have been force-pushed.

I verified the current PR commits on GitHub are all marked verified/valid:

Development

Successfully merging this pull request may close these issues.

[Request]: Add network-scoped aliases for container network attachments