Fix file descriptor leaks in remote import, save, and checkpoint operations

SebTardif · SebTardif · commit 49ff8c56f65b · 2026-05-19T17:05:23.000-07:00
Fix four file descriptor leaks: 1. tunnel/images.go Import: os.Open(opts.Source) never closed 2. tunnel/images.go Save: second os.Open for oci-dir/docker-dir never closed 3. bindings/checkpoint.go Restore: os.Open(importPath) never closed 4. container_internal_common.go: os.Create in checkpoint volume export loop not closed on five error paths These are the same class of bug fixed in #28723 and #28724. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -1201,26 +1201,31 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 
 			volume, err := c.runtime.GetVolume(v.Name)
 			if err != nil {
+				volumeTarFile.Close()
 				return err
 			}
 
 			mp, err := volume.MountPoint()
 			if err != nil {
+				volumeTarFile.Close()
 				return err
 			}
 			if mp == "" {
+				volumeTarFile.Close()
 				return fmt.Errorf("volume %s is not mounted, cannot export: %w", volume.Name(), define.ErrInternal)
 			}
 			input, err := chrootarchive.Tar(mp, &archive.TarOptions{
 				Compression:      archive.Uncompressed,
 				IncludeSourceDir: true,
 			}, mp)
 			if err != nil {
+				volumeTarFile.Close()
 				return fmt.Errorf("reading volume directory %q: %w", v.Dest, err)
 			}
 
 			_, err = io.Copy(volumeTarFile, input)
 			if err != nil {
+				volumeTarFile.Close()
 				return err
 			}
 			volumeTarFile.Close()
diff --git a/pkg/bindings/containers/checkpoint.go b/pkg/bindings/containers/checkpoint.go
@@ -88,10 +88,12 @@ func Restore(ctx context.Context, nameOrID string, options *RestoreOptions) (*ty
 	}
 	if i != "" {
 		params.Set("import", "true")
-		r, err = os.Open(i)
+		importFile, err := os.Open(i)
 		if err != nil {
 			return nil, err
 		}
+		defer importFile.Close()
+		r = importFile
 		// Hard-code the name since it will be ignored in any case.
 		nameOrID = "import"
 	}
diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
@@ -267,6 +267,7 @@ func (ir *ImageEngine) Import(_ context.Context, opts entities.ImageImportOption
 		if err != nil {
 			return nil, err
 		}
+		defer f.Close()
 	}
 	return images.Import(ir.ClientCtx, f, options)
 }
@@ -354,6 +355,7 @@ func (ir *ImageEngine) Save(_ context.Context, nameOrID string, tags []string, o
 	if err != nil {
 		return err
 	}
+	defer f.Close()
 	info, err := os.Stat(opts.Output)
 	switch {
 	case err == nil:

Original file line number	Diff line number	Diff line change
`@@ -1201,26 +1201,31 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {`
`1201`	`1201`
`1202`	`1202`	`volume, err := c.runtime.GetVolume(v.Name)`
`1203`	`1203`	`if err != nil {`
	`1204`	`+ volumeTarFile.Close()`
`1204`	`1205`	`return err`
`1205`	`1206`	`}`
`1206`	`1207`
`1207`	`1208`	`mp, err := volume.MountPoint()`
`1208`	`1209`	`if err != nil {`
	`1210`	`+ volumeTarFile.Close()`
`1209`	`1211`	`return err`
`1210`	`1212`	`}`
`1211`	`1213`	`if mp == "" {`
	`1214`	`+ volumeTarFile.Close()`
`1212`	`1215`	`return fmt.Errorf("volume %s is not mounted, cannot export: %w", volume.Name(), define.ErrInternal)`
`1213`	`1216`	`}`
`1214`	`1217`	`input, err := chrootarchive.Tar(mp, &archive.TarOptions{`
`1215`	`1218`	`Compression: archive.Uncompressed,`
`1216`	`1219`	`IncludeSourceDir: true,`
`1217`	`1220`	`}, mp)`
`1218`	`1221`	`if err != nil {`
	`1222`	`+ volumeTarFile.Close()`
`1219`	`1223`	`return fmt.Errorf("reading volume directory %q: %w", v.Dest, err)`
`1220`	`1224`	`}`
`1221`	`1225`
`1222`	`1226`	`_, err = io.Copy(volumeTarFile, input)`
`1223`	`1227`	`if err != nil {`
	`1228`	`+ volumeTarFile.Close()`
`1224`	`1229`	`return err`
`1225`	`1230`	`}`
`1226`	`1231`	`volumeTarFile.Close()`
Original file line number	Diff line number	Diff line change
`@@ -88,10 +88,12 @@ func Restore(ctx context.Context, nameOrID string, options RestoreOptions) (ty`
`88`	`88`	`}`
`89`	`89`	`if i != "" {`
`90`	`90`	`params.Set("import", "true")`
`91`		`- r, err = os.Open(i)`
	`91`	`+ importFile, err := os.Open(i)`
`92`	`92`	`if err != nil {`
`93`	`93`	`return nil, err`
`94`	`94`	`}`
	`95`	`+ defer importFile.Close()`
	`96`	`+ r = importFile`
`95`	`97`	`// Hard-code the name since it will be ignored in any case.`
`96`	`98`	`nameOrID = "import"`
`97`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,7 @@ func (ir *ImageEngine) Import(_ context.Context, opts entities.ImageImportOption`
`267`	`267`	`if err != nil {`
`268`	`268`	`return nil, err`
`269`	`269`	`}`
	`270`	`+ defer f.Close()`
`270`	`271`	`}`
`271`	`272`	`return images.Import(ir.ClientCtx, f, options)`
`272`	`273`	`}`
`@@ -354,6 +355,7 @@ func (ir *ImageEngine) Save(_ context.Context, nameOrID string, tags []string, o`
`354`	`355`	`if err != nil {`
`355`	`356`	`return err`
`356`	`357`	`}`
	`358`	`+ defer f.Close()`
`357`	`359`	`info, err := os.Stat(opts.Output)`
`358`	`360`	`switch {`
`359`	`361`	`case err == nil:`