
Passing an empty Netns causes leak iptable rules #1872

Open
qkboy opened this issue Jan 18, 2023 · 1 comment
Labels
area/network bug Something isn't working

Comments


qkboy commented Jan 18, 2023

Description

Running or starting a container leaks three iptables rules when using the CNI bridge plugin with "ipMasq": true.

Steps to reproduce the issue

1. nerdctl run container
2. nerdctl stop container
3. nerdctl start container

This sequence leaks six iptables rules on the host.

Describe the results you received and expected

It creates three iptables rules when running task.Start, but it doesn't remove them when running task.Delete.

The reason is that cni.Remove() just passes an empty Netns path to the bridge plugin.

if err := opts.cni.Remove(ctx, opts.fullID, "", namespaceOpts...); err != nil {
	logrus.WithError(err).Errorf("failed to call cni.Remove")
	return err
}

The bridge plugin just reclaims the IPAM pool and skips the IP masq teardown when Netns is empty.

if args.Netns == "" {
	return ipamDel()
}

Why not pass the correct sandbox path into cni.Remove()?

What version of nerdctl are you using?

latest

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: v1.6.6
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.13.0-40-generic
 Operating System: Ubuntu 20.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.59GiB
 Name: env2-node02
 ID: eb7dbbb8-64a4-40c7-9a64-07e0b1de9d04
@qkboy qkboy added the kind/unconfirmed-bug-claim Unconfirmed bug claim label Jan 18, 2023

qkboy commented Jan 18, 2023

In fact, nerdctl only executes cni.Remove() when running rm/start on a container, not when stopping a container.

At that time, it has already run task.Kill and the container process has exited. So the bridge plugin can't obtain the IP address from the Netns even if we pass the correct sandbox path to it. It will fail to get the IPs from the netns and then skip the IP masq teardown.

I think this problem may not be easy to solve in nerdctl. However it can be handled in the bridge plugin.

refer: containernetworking/plugins#810
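To make the two DEL paths discussed in this issue concrete (the empty-Netns early return described in the first comment, and the dead-netns case after task.Kill described in this one), here is an added Go model. It is not code from nerdctl or the containernetworking bridge plugin: the Sandbox, MasqTable, leakyDel, robustDel and leakedRules names are constructed, the "3 rules per IP" count comes from the report, and tearing down from the IPs recorded at ADD time is an assumption about the shape of a plugin-side fix, not a reproduction of the linked PR. The last function is a small detector for the symptom: masquerade rules that belong to no running container.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the CNI DEL paths this issue discusses (added example,
// not code from nerdctl or the bridge plugin). All names are illustrative.

// Sandbox is the container network namespace as the runtime sees it.
type Sandbox struct {
	Path  string   // netns path the runtime could pass to cni.Remove
	Alive bool     // false once task.Kill has run and the netns is gone
	IPs   []string // addresses configured inside the netns at ADD time
}

// MasqTable stands in for host iptables state: IP -> number of masquerade
// rules installed for it (three per IP, as the report counts them).
type MasqTable map[string]int

const rulesPerIP = 3

var errNoNetns = errors.New("cannot read addresses: netns unavailable")

// ipsFromNetns models reading addresses from inside the netns, which is what
// the masquerade teardown needs; it fails for an empty path or a dead netns.
func ipsFromNetns(path string, sb *Sandbox) ([]string, error) {
	if path == "" || sb == nil || !sb.Alive || sb.Path != path {
		return nil, errNoNetns
	}
	return sb.IPs, nil
}

// setupMasq models the ADD side: install rules for each allocated IP.
func setupMasq(t MasqTable, ips []string) {
	for _, ip := range ips {
		t[ip] += rulesPerIP
	}
}

// leakyDel models the reported behaviour: with an empty netns only the IPAM
// allocation is released and the masquerade rules stay on the host.
// It returns whether masquerade teardown ran (ipamDel is assumed to run always).
func leakyDel(t MasqTable, netnsPath string, sb *Sandbox) bool {
	if netnsPath == "" {
		return false // early return: only IPAM is cleaned up
	}
	ips, err := ipsFromNetns(netnsPath, sb)
	if err != nil {
		return false // same outcome after task.Kill: netns gone, rules leak
	}
	for _, ip := range ips {
		delete(t, ip)
	}
	return true
}

// robustDel (assumed fix direction) tears masquerade rules down from the IPs
// recorded at ADD time, so it does not depend on the netns still existing.
func robustDel(t MasqTable, recorded []string) bool {
	for _, ip := range recorded {
		delete(t, ip)
	}
	return true
}

// leakedRules counts rules that belong to no running container; liveIPs holds
// the addresses of containers that are still up. A nil map means none are up.
func leakedRules(t MasqTable, liveIPs map[string]bool) int {
	n := 0
	for ip, count := range t {
		if !liveIPs[ip] {
			n += count
		}
	}
	return n
}

func main() {
	t := MasqTable{}
	sb := &Sandbox{Path: "/var/run/netns/cni-demo", Alive: true, IPs: []string{"10.4.0.2"}} // constructed values
	setupMasq(t, sb.IPs)
	sb.Alive = false     // task.Kill ran; container process and netns are gone
	leakyDel(t, "", sb)  // what an empty Netns path leads to
	fmt.Println("leaked rules after leakyDel:", leakedRules(t, nil))
	robustDel(t, []string{"10.4.0.2"})
	fmt.Println("leaked rules after robustDel:", leakedRules(t, nil))
}
```

The model shows why passing the real sandbox path alone does not help once the process has exited (ipsFromNetns fails either way), and why a teardown keyed on state recorded at ADD time closes the gap regardless of what the runtime passes.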
