fix "concurrent map writes" in network ls compat endpoint

Not sure why this only triggers now but this code was broken for a while. It is racy as reported on the issue but because it changes the actual map part of the network backend it means it can also alter the behavior of the network which is very bad. Fixes #22330 Signed-off-by: Paul Holzinger <[email protected]>
containers · Apr 10, 2024 · 2b93cdc · 2b93cdc
1 parent 0a8914d
commit 2b93cdc
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go
@@ -17,6 +17,7 @@ import (
 	"github.com/containers/podman/v5/pkg/domain/infra/abi"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/docker/docker/api/types"
+	"golang.org/x/exp/maps"
 
 	dockerNetwork "github.com/docker/docker/api/types/network"
 	"github.com/sirupsen/logrus"
@@ -118,7 +119,9 @@ func convertLibpodNetworktoDockerNetwork(runtime *libpod.Runtime, statuses []abi
 	if changeDefaultName && name == runtime.Network().DefaultNetworkName() {
 		name = nettypes.BridgeNetworkDriver
 	}
-	options := network.Options
+	// Make sure to clone the map as we have access to the map stored in
+	// the network backend and will overwrite it which is not good.
+	options := maps.Clone(network.Options)
 	// bridge always has isolate set in the compat API but we should not return it to not confuse callers
 	// https://github.com/containers/podman/issues/15580
 	delete(options, nettypes.IsolateOption)

diff --git a/test/apiv2/35-networks.at b/test/apiv2/35-networks.at
@@ -192,6 +192,22 @@ t DELETE libpod/networks/macvlan1 200 \
   .[0].Name~macvlan1 \
   .[0].Err=null
 
+
+# create network with isolate option and make sure it is not shown in docker compat endpoint
+podman network create --opt isolate=true isolate-test
+# Note the order of both list calls is important to test for https://github.com/containers/podman/issues/22330
+# First call the compat endpoint, then the libpod one. Previously this would have removed
+# the internal option for the libpod endpoint as well.
+t GET networks?filters='{"name":["isolate-test"]}' 200 \
+  .[0].Name=isolate-test \
+  .[0].Options="{}"
+
+t GET libpod/networks/json?filters='{"name":["isolate-test"]}' 200 \
+  .[0].name=isolate-test \
+  .[0].options.isolate="true"
+
+t DELETE libpod/networks/isolate-test 200
+
 #
 # test networks with containers
 #