From 9ad90290e238c3ddaf1c715af2d1e4be1ac0a6b6 Mon Sep 17 00:00:00 2001
From: Charlie Voiselle <464492+angrycub@users.noreply.github.com>
Date: Fri, 11 Nov 2022 13:27:36 -0500
Subject: [PATCH] [bug] Return a spec on reconnect (#15214)

client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
---
 .changelog/15214.txt | 3 +++
 client/allocrunner/network_manager_linux.go | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/15214.txt

diff --git a/.changelog/15214.txt b/.changelog/15214.txt
new file mode 100644
index 00000000000..222889a0151
--- /dev/null
+++ b/.changelog/15214.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
+```
diff --git a/client/allocrunner/network_manager_linux.go b/client/allocrunner/network_manager_linux.go
index a4a08ce29ce..b435b1c8b82 100644
--- a/client/allocrunner/network_manager_linux.go
+++ b/client/allocrunner/network_manager_linux.go
@@ -122,7 +122,18 @@ func (*defaultNetworkManager) CreateNetwork(allocID string, _ *drivers.NetworkCr
 nsPath := path.Join(nsutil.NetNSRunDir, allocID)
 _, err := os.Stat(nsPath)
 if err == nil {
- return nil, false, nil
+ // Let's return a spec that points to the tested nspath, but indicate
+ // that we didn't make the namespace. That will stop the network_hook
+ // from calling its networkConfigurator.Setup function in the reconnect
+ // case, but provide the spec value necessary for the network_hook's
+ // Postrun function to not fast exit.
+ spec := &drivers.NetworkIsolationSpec{
+ Mode: drivers.NetIsolationModeGroup,
+ Path: nsPath,
+ Labels: make(map[string]string),
+ }
+
+ return spec, false, nil
 }
 }
 return nil, false, err
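Review bot: The reconnect branch in `CreateNetwork` treats a successful `os.Stat(nsPath)` as proof that the allocation's network namespace is still alive, but Stat only shows that something exists at that path. A leftover file whose namespace mount is gone would still yield a spec with the created flag false, so, going by the new comment, the network_hook skips Setup and the task driver is handed a `Path` that may not be a namespace; how the driver reacts to that is not visible in this hunk. Before building the spec, confirm that the path is an nsfs mount (a statfs filesystem-type check is enough) and treat the namespace as missing otherwise, so that an isolated task cannot start against an unverified path. At minimum, add `// os.Stat proves the path exists, not that a live netns is mounted on it` above the `spec :=` line. CreateNetwork starts and ends outside this hunk, so the enclosing condition could not be checked.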