Passing an empty Netns causes leak iptable rules #1872
Closed
Description
Running or starting a container leaks three iptables rules when using the CNI bridge plugin with `"ipMasq": true`.
Steps to reproduce the issue
1. `nerdctl run` container
2. `nerdctl stop` container
3. `nerdctl start` container
This action will leak six iptables rules in the host.
Describe the results you received and expected
It creates three iptables rules when `task.Start` runs, but it does not remove them when `task.Delete` runs.
The reason is that `cni.Remove()` just passes an empty Netns path to the bridge plugin:
```go
if err := opts.cni.Remove(ctx, opts.fullID, "", namespaceOpts...); err != nil {
	logrus.WithError(err).Errorf("failed to call cni.Remove")
	return err
}
```
The bridge plugin just reclaims the IPAM pool and skips the IP masq teardown when Netns is empty:
```go
if args.Netns == "" {
	return ipamDel()
}
```
Why not pass the correct sandbox path into `cni.Remove()`?
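To confirm the leak described above on a host, an operator can diff the nat table against the set of running containers. The following is an added example, not nerdctl or CNI code: it parses (constructed, abbreviated) `iptables-save -t nat` output, finds each per-container CNI masq chain via the container id the bridge plugin stores in the rule comment, and reports chains whose container is no longer running together with their rule count. The running-id set is an assumption here; on a real host it would come from `nerdctl ps -q --no-trunc`.

```go
package main

import (
	"bufio"
	"regexp"
	"sort"
	"strings"
)

// Constructed, abbreviated `iptables-save -t nat` output for two containers on a
// bridge network with "ipMasq": true; container "aaaa" is running, "bbbb" was deleted.
const sampleNatSave = `*nat
:POSTROUTING ACCEPT [0:0]
:CNI-1111111111111111 - [0:0]
:CNI-2222222222222222 - [0:0]
-A POSTROUTING -s 10.4.0.5/32 -m comment --comment "name: \"bridge\" id: \"aaaa\"" -j CNI-1111111111111111
-A POSTROUTING -s 10.4.0.6/32 -m comment --comment "name: \"bridge\" id: \"bbbb\"" -j CNI-2222222222222222
-A CNI-1111111111111111 -d 10.4.0.0/24 -j ACCEPT
-A CNI-1111111111111111 ! -d 224.0.0.0/4 -j MASQUERADE
-A CNI-2222222222222222 -d 10.4.0.0/24 -j ACCEPT
-A CNI-2222222222222222 ! -d 224.0.0.0/4 -j MASQUERADE
COMMIT`

// LeakedChain is a per-container masq chain whose owner is no longer running.
type LeakedChain struct {
	ContainerID string
	Chain       string
	RuleCount   int // the POSTROUTING jump plus the rules inside the chain
}

// Matches the per-container POSTROUTING jump: container id from the comment, chain from the target.
var jumpRule = regexp.MustCompile(`^-A POSTROUTING .*id: \\"([^"\\]+)\\".* -j (CNI-\S+)$`)

// LeakedMasqChains parses nat-table iptables-save output and returns every CNI
// masq chain whose container id is absent from the running set, sorted by chain.
func LeakedMasqChains(natSave string, running map[string]bool) []LeakedChain {
	owner, count := map[string]string{}, map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(natSave))
	for sc.Scan() {
		line := sc.Text()
		if m := jumpRule.FindStringSubmatch(line); m != nil {
			owner[m[2]] = m[1]
			count[m[2]]++
		} else if f := strings.Fields(line); len(f) > 1 && f[0] == "-A" && strings.HasPrefix(f[1], "CNI-") {
			count[f[1]]++
		}
	}
	var leaked []LeakedChain
	for chain, id := range owner {
		if !running[id] {
			leaked = append(leaked, LeakedChain{id, chain, count[chain]})
		}
	}
	sort.Slice(leaked, func(i, j int) bool { return leaked[i].Chain < leaked[j].Chain })
	return leaked
}
```

Each leaked chain reports three rules, matching the per-container count in this issue; a stale MASQUERADE rule for an IP that IPAM later hands to another container is the practical consequence of the leak.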
What version of nerdctl are you using?
latest
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information
```text
Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: v1.6.6
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.13.0-40-generic
 Operating System: Ubuntu 20.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.59GiB
 Name: env2-node02
 ID: eb7dbbb8-64a4-40c7-9a64-07e0b1de9d04
```