Fix CNS error handling in fsnotify to prevent possible IP address leaks #3672
Conversation
Co-authored-by: rbtr <[email protected]>
Copilot
AI
changed the title
| @@ -60,13 +60,15 @@ func (w *watcher) releaseAll(ctx context.Context) { | |||
| file, err := os.Open(filepath) | |||
There was a problem hiding this comment.
The filepath pkg might be a better option here, unsure if CNS runs on both windows/linux
There was a problem hiding this comment.
I've updated the code to use filepath.Join for path construction instead of string concatenation. This change improves cross-platform compatibility for both Windows and Linux environments. The update has been applied in all three instances where paths were being constructed (632dd28).
Co-authored-by: MikeZappa87 <[email protected]>
cns/fsnotify/fsnotify.go
Outdated
| @@ -56,17 +57,19 @@ func (w *watcher) releaseAll(ctx context.Context) { | |||
| defer w.lock.Unlock() | |||
| for containerID := range w.pendingDelete { | |||
| // read file contents | |||
| filepath := w.path + "/" + containerID | |||
| filepath := filepath.Join(w.path, containerID) | |||
| file, err := os.Open(filepath) | |||
| if err != nil { | |||
| w.log.Error("failed to open file", zap.Error(err)) | |||
There was a problem hiding this comment.
As a reader of the logs, do I have enough information here to troubleshoot? Keep in mind the reader might be not familiar with the code or be technical.
There was a problem hiding this comment.
I've enhanced the error log messages to provide much more context for troubleshooting. The updated logs now include the filepath, containerID, and clearer descriptions of the operations being performed. This makes the logs more helpful for users who might not be familiar with the code. These improvements have been implemented in commit ce76903.
Co-authored-by: MikeZappa87 <[email protected]>
Issue
In the
releaseAllfunction of the CNS fsnotify package, when errors occur during file operations (opening or reading files), the code logs the error but continues execution. This can lead to thepodInterfaceIDvariable having an empty string value, which when passed toreleaseIPcould potentially fail to release IP addresses properly.Changes
This PR fixes the error handling in the
releaseAllmethod to properly handle file operation errors:continuestatements after file open errors to skip to the next containerID in the loopfile.Close()call before checking for read errors to ensure the file is always closed regardless of read errorscontinuestatement after file read errors to skip to the next containerID in the loopTesting
Added a new test (
TestReleaseAll) that verifies:pendingDeletemap for potential retryAlso updated existing tests to use temporary directories instead of trying to access root filesystem paths, ensuring more reliable test execution in different environments.
Fixes #3557.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.