diff --git a/.changelog/15214.txt b/.changelog/15214.txt
new file mode 100644
index 00000000000..222889a0151
--- /dev/null
+++ b/.changelog/15214.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
+```
diff --git a/client/allocrunner/network_manager_linux.go b/client/allocrunner/network_manager_linux.go
index a4a08ce29ce..b435b1c8b82 100644
--- a/client/allocrunner/network_manager_linux.go
+++ b/client/allocrunner/network_manager_linux.go
@@ -122,7 +122,18 @@ func (*defaultNetworkManager) CreateNetwork(allocID string, _ *drivers.NetworkCr
 nsPath := path.Join(nsutil.NetNSRunDir, allocID)
 _, err := os.Stat(nsPath)
 if err == nil {
- return nil, false, nil
+ // Let's return a spec that points to the tested nspath, but indicate
+ // that we didn't make the namespace. That will stop the network_hook
+ // from calling its networkConfigurator.Setup function in the reconnect
+ // case, but provide the spec value necessary for the network_hook's
+ // Postrun function to not fast exit.
+ spec := &drivers.NetworkIsolationSpec{
+ Mode: drivers.NetIsolationModeGroup,
+ Path: nsPath,
+ Labels: make(map[string]string),
+ }
+
+ return spec, false, nil
 }
 }
 return nil, false, err
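Review bot: `os.Stat(nsPath)` succeeding only proves that something exists at that path under the run dir, not that it is still a live network namespace bind-mount, so after an unclean restart a stale entry would be handed back as a reusable spec with created=false and the hook would then skip Setup for a namespace that no longer isolates anything. Before building the spec it is worth confirming the path really is a netns (a statfs check for the `nsfs` filesystem type is what the containernetworking ns helpers do; nsutil may already wrap something similar) and otherwise falling through to the error return rather than reusing it. The spec also hard-codes `drivers.NetIsolationModeGroup` and an empty `Labels` map, whereas the fresh-create path presumably fills these elsewhere in CreateNetwork; if Postrun keys any teardown (the iptables rules mentioned in the changelog, for instance) on those fields, the reconnect path may still leak them, which a short comment or test should pin down. The new comment could be tightened to state the contract rather than narrate it: `// Namespace already exists (client restart): return a spec for it so network_hook.Postrun tears it down, but report created=false so Setup is not re-run.` The enclosing CreateNetwork function begins before and continues after this hunk.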