Merge pull request #22335 from openshift-cherrypick-robot/cherry-pick…

…-22332-to-v5.0

[v5.0] fix "concurrent map writes" in network ls compat endpoint

pkg/api/handlers/compat/networks.go

@@ -17,6 +17,7 @@ import (
 	"github.com/containers/podman/v5/pkg/domain/infra/abi"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/docker/docker/api/types"
+	"golang.org/x/exp/maps"
 
 	dockerNetwork "github.com/docker/docker/api/types/network"
 	"github.com/sirupsen/logrus"
@@ -118,7 +119,9 @@ func convertLibpodNetworktoDockerNetwork(runtime *libpod.Runtime, statuses []abi
 	if changeDefaultName && name == runtime.Network().DefaultNetworkName() {
 		name = nettypes.BridgeNetworkDriver
 	}
-	options := network.Options
+	// Make sure to clone the map as we have access to the map stored in
+	// the network backend and will overwrite it which is not good.
+	options := maps.Clone(network.Options)
 	// bridge always has isolate set in the compat API but we should not return it to not confuse callers
 	// https://github.com/containers/podman/issues/15580
 	delete(options, nettypes.IsolateOption)

test/apiv2/35-networks.at

@@ -192,6 +192,22 @@ t DELETE libpod/networks/macvlan1 200 \
   .[0].Name~macvlan1 \
   .[0].Err=null
 
+
+# create network with isolate option and make sure it is not shown in docker compat endpoint
+podman network create --opt isolate=true isolate-test
+# Note the order of both list calls is important to test for https://github.com/containers/podman/issues/22330
+# First call the compat endpoint, then the libpod one. Previously this would have removed
+# the internal option for the libpod endpoint as well.
+t GET networks?filters='{"name":["isolate-test"]}' 200 \
+  .[0].Name=isolate-test \
+  .[0].Options="{}"
+
+t GET libpod/networks/json?filters='{"name":["isolate-test"]}' 200 \
+  .[0].name=isolate-test \
+  .[0].options.isolate="true"
+
+t DELETE libpod/networks/isolate-test 200
+
 #
 # test networks with containers
 #