
Host reserved ports are not freed when container stops in rootful mode #4843

@curiscold

Description


In rootful mode, port mappings will spawn a sleep infinity process on the host to reserve the ports.

When the container stops, the iptables rules are cleaned up as expected. However, the reserved process remains and continues to stay in the LISTEN state.

This behavior can be confusing in some scenarios, as the port appears to still be in use even though the container has already exited.

Related change in v2.1.6:
rootful: reserve the ports on the host (#4526)

Steps to reproduce the issue

  1. In rootful mode, root user
  2. nerdctl run -d -p 7000:7000 --name test-container test-image
  3. nerdctl stop test-container
  4. ss -ntlp | grep ":7000" (or netstat -ntlp)
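The check in step 4, scripted so it can be rerun after every `nerdctl stop` and used in a monitoring job. This is an added example, not code from the issue or from the nerdctl project. It parses the `users:(("name",pid=N,fd=M))` process column that iproute2's `ss -ntlp` prints when run as root; the `SAMPLE_SS` text is constructed for the offline run and models the state the issue describes (a `sleep` process still bound to port 7000 on both IPv4 and IPv6 after the container exited).

```shell
#!/bin/sh
# Constructed sample of `ss -ntlp` output (not captured from a real host):
# port 7000 is still held by the "sleep infinity" reservation process.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:7000         0.0.0.0:*         users:(("sleep",pid=12345,fd=3))
LISTEN 0      4096   [::]:7000            [::]:*            users:(("sleep",pid=12345,fd=4))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# port_holders PORT
# Reads `ss -ntlp` output on stdin and prints "name pid" for every process
# that has a LISTEN socket on PORT. IPv4 and IPv6 sockets of the same pid are
# reported once. Without root, ss omits the process column; such sockets are
# still reported, with "?" in place of the unknown name and pid.
port_holders() {
  port="$1"
  awk -v p="$port" '
    $1 == "LISTEN" {
      # Local address is field 4; the port is whatever follows the last ":"
      # ("0.0.0.0:7000" and "[::]:7000" both work).
      n = split($4, a, ":")
      if (a[n] != p) next
      # Process name sits between the first pair of double quotes.
      split($0, q, "\"")
      name = (q[2] != "") ? q[2] : "?"
      pid = "?"
      if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
      key = (pid != "?") ? pid : $4
      if (!(key in seen)) { seen[key] = 1; print name, pid }
    }'
}

# check_port_free PORT
# Exit status 0 when nothing listens on PORT, 1 when something does.
# Use after `nerdctl stop` to confirm the host port was really released.
check_port_free() {
  [ -z "$(port_holders "$1")" ]
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | port_holders 7000
```

On a live host, feed the real socket table in instead: `ss -ntlp | port_holders 7000`, or `ss -ntlp | check_port_free 7000 || echo "port 7000 still reserved"`. A `sleep` entry surviving the stop is the symptom described above; the same check run before starting a new container tells you in advance whether the mapping will collide with a stale reservation.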

Describe the results you received and expected

Received:

After the container stops, ss -ntlp still shows a sleep infinity process in the LISTEN state.

Expected:

Would it be possible to add cleanup logic for this process when the container stops?

Furthermore, is it possible to support a configuration similar to Docker:

# /etc/docker/daemon.json
{
  "userland-proxy": false
}

What version of nerdctl are you using?

v2.1.6

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

nerdctl-full-2.1.6-linux-amd64.tar.gz
