[bug] Return a spec on reconnect (#15214)

client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
2022-11-11 13:27:36 -05:00 · 2022-11-11 13:27:36 -05:00 · c73fb51d3a
parent 21237d8337
commit c73fb51d3a
2 changed files with 15 additions and 1 deletions
--- a/.changelog/15214.txt
+++ b/.changelog/15214.txt
@ -0,0 +1,3 @@
+```release-note:bug
+client: fixed a bug where non-`docker` tasks with network isolation would leak network namespaces and iptables rules if the client was restarted while they were running
+```
--- a/client/allocrunner/network_manager_linux.go
+++ b/client/allocrunner/network_manager_linux.go
@ -122,7 +122,18 @@ func (*defaultNetworkManager) CreateNetwork(allocID string, _ *drivers.NetworkCr
 			nsPath := path.Join(nsutil.NetNSRunDir, allocID)
 			_, err := os.Stat(nsPath)
 			if err == nil {
-				return nil, false, nil
+				// Let's return a spec that points to the tested nspath, but indicate
+				// that we didn't make the namespace. That will stop the network_hook
+				// from calling its networkConfigurator.Setup function in the reconnect
+				// case, but provide the spec value necessary for the network_hook's
+				// Postrun function to not fast exit.
+				spec := &drivers.NetworkIsolationSpec{
+					Mode:   drivers.NetIsolationModeGroup,
+					Path:   nsPath,
+					Labels: make(map[string]string),
+				}
+
+				return spec, false, nil
 			}
 		}
 		return nil, false, err