rootlessnetns: handle empty pid file gracefully

kairosci · kairosci · commit a922767f0a8d · 2026-04-11T18:07:18.000+02:00
When pasta fails to start, it can leave an empty PID file which causes a crash in readPidFile. This fix handles empty PID files gracefully by returning a specific error and ignoring it during cleanup. Fixes: containers/podman#28441 Signed-off-by: Alessio Attilio <attilio.alessio@protonmail.com>
diff --git a/common/libnetwork/internal/rootlessnetns/netns_linux.go b/common/libnetwork/internal/rootlessnetns/netns_linux.go
@@ -308,20 +308,33 @@ func (n *Netns) setupSlirp4netns(nsPath string) error {
 	return nil
 }
 
+var (
+	// ErrEmptyPIDFile is returned when the PID file is empty.
+	ErrEmptyPIDFile = errors.New("PID file is empty")
+)
+
 func (n *Netns) cleanupRootlessNetns() error {
 	pidFile := n.getPath(rootlessNetNsConnPidFile)
+
 	pid, err := readPidFile(pidFile)
-	// do not hard error if the file dos not exists, cleanup should be idempotent
+	// do not hard error if the file does not exist, cleanup should be idempotent
 	if errors.Is(err, fs.ErrNotExist) {
 		logrus.Debugf("Rootless netns conn pid file does not exists %s", pidFile)
 		return nil
 	}
-	if err == nil {
-		// kill the slirp/pasta process so we do not leak it
-		err = unix.Kill(pid, unix.SIGTERM)
-		if err == unix.ESRCH {
-			err = nil
-		}
+	// if the pid file is empty, pasta failed to start so there is nothing to clean up
+	if errors.Is(err, ErrEmptyPIDFile) {
+		logrus.Debugf("Rootless netns conn pid file is empty, nothing to clean up")
+		return nil
+	}
+	if err != nil {
+		logrus.Warnf("Rootless netns conn pid file is invalid: %v", err)
+		return nil
+	}
+	// kill the slirp/pasta process so we do not leak it
+	err = unix.Kill(pid, unix.SIGTERM)
+	if err == unix.ESRCH {
+		err = nil
 	}
 	return err
 }
@@ -652,7 +665,11 @@ func readPidFile(path string) (int, error) {
 	if err != nil {
 		return 0, err
 	}
-	return strconv.Atoi(strings.TrimSpace(string(b)))
+	s := strings.TrimSpace(string(b))
+	if s == "" {
+		return 0, ErrEmptyPIDFile
+	}
+	return strconv.Atoi(s)
 }
 
 func (n *Netns) serializeInfo() error {
diff --git a/common/libnetwork/internal/rootlessnetns/netns_linux_test.go b/common/libnetwork/internal/rootlessnetns/netns_linux_test.go
@@ -75,3 +75,66 @@ func Test_refCount(t *testing.T) {
 		})
 	}
 }
+
+func TestReadPidFile(t *testing.T) {
+	tests := []struct {
+		name     string
+		content  string
+		create   bool
+		wantErr  error
+		wantPid  int
+	}{
+		{
+			name:    "valid pid",
+			content: "1234\n",
+			create:  true,
+			wantPid: 1234,
+		},
+		{
+			name:    "valid pid no newline",
+			content: "5678",
+			create:  true,
+			wantPid: 5678,
+		},
+		{
+			name:    "empty pid file",
+			content: "",
+			create:  true,
+			wantErr: ErrEmptyPIDFile,
+		},
+		{
+			name:    "only whitespace",
+			content: "  \n ",
+			create:  true,
+			wantErr: ErrEmptyPIDFile,
+		},
+		{
+			name:    "non-existent file",
+			create:  false,
+			wantErr: os.ErrNotExist,
+		},
+		{
+			name:    "invalid content",
+			content: "abc",
+			create:  true,
+			wantErr: strconv.ErrSyntax,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := filepath.Join(t.TempDir(), "pidfile")
+			if tt.create {
+				err := os.WriteFile(path, []byte(tt.content), 0o600)
+				assert.NoError(t, err)
+			}
+			pid, err := readPidFile(path)
+			if tt.wantErr != nil {
+				assert.Error(t, err)
+				assert.ErrorIs(t, err, tt.wantErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.wantPid, pid)
+			}
+		})
+	}
+}
