
fix: protect cleanupContainerNetns from deleting non-veth interfaces #180

Merged
privateip merged 1 commit into main from fix/issue-159
Jun 30, 2026


@privateip

Contributor

The cleanupContainerNetns function in the galactic-cni plugin deleted any interface matching the expected name without verifying it was the veth endpoint created by this plugin. If another tool or race condition created an interface with the same name, it could be accidentally removed, breaking network connectivity for an unrelated workload.

  • Add a type assertion to verify the link is a *netlink.Veth before deletion
  • Return a descriptive error when a non-veth interface is found at the expected name
  • Document the veth-only deletion behavior in the function comment
  • Add integration tests covering non-veth rejection, idempotent missing-interface handling, and successful veth cleanup

fixes #159

@privateip privateip requested a review from a team as a code owner June 30, 2026 21:24
@privateip privateip merged commit 9dd153d into main Jun 30, 2026
5 checks passed
@privateip privateip deleted the fix/issue-159 branch June 30, 2026 22:04
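
The veth-only guard described in the pull request, as an added example that is not the galactic-cni code. It uses in-memory stand-ins (`Link`, `Veth`, `Dummy`, `fakeNetns`, `ErrLinkNotFound` and `cleanupVethOnly` are all hypothetical names) in place of the real netlink types, so it runs without root or a network namespace.

```go
package main

import (
	"errors"
	"fmt"
)

// Link, Veth and Dummy are constructed stand-ins for netlink link types
// (assumption: the real code asserts on *netlink.Veth, as the PR states).
type Link interface{ Name() string }

type Veth struct{ name string }
type Dummy struct{ name string }

func (v *Veth) Name() string  { return v.name }
func (d *Dummy) Name() string { return d.name }

// ErrLinkNotFound models the lookup failure for a missing interface.
var ErrLinkNotFound = errors.New("link not found")

// fakeNetns is a constructed in-memory namespace: interface name -> link.
type fakeNetns map[string]Link

func (ns fakeNetns) linkByName(name string) (Link, error) {
	l, ok := ns[name]
	if !ok {
		return nil, ErrLinkNotFound
	}
	return l, nil
}

// cleanupVethOnly deletes ifName only when it is a veth endpoint.
// A missing interface is not an error, so repeated cleanup is idempotent.
func cleanupVethOnly(ns fakeNetns, ifName string) error {
	link, err := ns.linkByName(ifName)
	if errors.Is(err, ErrLinkNotFound) {
		return nil // already gone: nothing to clean up
	}
	if err != nil {
		return fmt.Errorf("lookup %q: %w", ifName, err)
	}
	if _, ok := link.(*Veth); !ok {
		// Same name, different kind: not created by this plugin, so refuse.
		return fmt.Errorf("refusing to delete %q: link is %T, not a veth", ifName, link)
	}
	delete(ns, ifName)
	return nil
}

func main() {
	ns := fakeNetns{"eth0": &Dummy{name: "eth0"}}
	fmt.Println(cleanupVethOnly(ns, "eth0"))
}
```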

Successfully merging this pull request may close these issues.

P2: cleanupContainerNetns does not check if the interface is a veth
