rootlessnetns: handle empty pid file gracefully

common/libnetwork/internal/rootlessnetns/netns_linux.go

@@ -45,6 +45,8 @@ const (
 	resolvConfName = "resolv.conf"
 )
 
+var errEmptyPIDFile = errors.New("PID file is empty")
+
 type Netns struct {
 	// dir used for the rootless netns
 	dir string
@@ -310,18 +312,25 @@ func (n *Netns) setupSlirp4netns(nsPath string) error {
 
 func (n *Netns) cleanupRootlessNetns() error {
 	pidFile := n.getPath(rootlessNetNsConnPidFile)
+
 	pid, err := readPidFile(pidFile)
 	// do not hard error if the file dos not exists, cleanup should be idempotent
 	if errors.Is(err, fs.ErrNotExist) {
 		logrus.Debugf("Rootless netns conn pid file does not exists %s", pidFile)
 		return nil
 	}
-	if err == nil {
-		// kill the slirp/pasta process so we do not leak it
-		err = unix.Kill(pid, unix.SIGTERM)
-		if err == unix.ESRCH {
-			err = nil
-		}
+	// if the pid file is empty, pasta failed to start so there is nothing to clean up
+	if errors.Is(err, errEmptyPIDFile) {
+		logrus.Debugf("Rootless netns conn pid file is empty, nothing to clean up")
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("reading pid file: %w", err)
+	}
+	// kill the slirp/pasta process so we do not leak it
+	err = unix.Kill(pid, unix.SIGTERM)
+	if err == unix.ESRCH {
+		err = nil
 	}
 	return err
 }
@@ -602,9 +611,12 @@ func (n *Netns) Run(lock *lockfile.LockFile, toRun func() error) error {
 	}
 
 	if count == 0 {
-		err = n.cleanup()
-		if err != nil {
-			return wrapError("cleanup", err)
+		cleanupErr := n.cleanup()
+		if cleanupErr != nil {
+			if inErr != nil {
+				return wrapError("cleanup", fmt.Errorf("%v: %w", inErr, cleanupErr))
+			}
+			return wrapError("cleanup", cleanupErr)
 		}
 	}
 
@@ -652,7 +664,11 @@ func readPidFile(path string) (int, error) {
 	if err != nil {
 		return 0, err
 	}
-	return strconv.Atoi(strings.TrimSpace(string(b)))
+	s := strings.TrimSpace(string(b))
+	if s == "" {
+		return 0, errEmptyPIDFile
+	}
+	return strconv.Atoi(s)
 }
 
 func (n *Netns) serializeInfo() error {

common/libnetwork/internal/rootlessnetns/netns_linux_test.go

@@ -75,3 +75,66 @@ func Test_refCount(t *testing.T) {
 		})
 	}
 }
+
+func TestReadPidFile(t *testing.T) {
+	tests := []struct {
+		name    string
+		content string
+		create  bool
+		wantErr error
+		wantPid int
+	}{
+		{
+			name:    "valid pid",
+			content: "1234\n",
+			create:  true,
+			wantPid: 1234,
+		},
+		{
+			name:    "valid pid no newline",
+			content: "5678",
+			create:  true,
+			wantPid: 5678,
+		},
+		{
+			name:    "empty pid file",
+			content: "",
+			create:  true,
+			wantErr: errEmptyPIDFile,
+		},
+		{
+			name:    "only whitespace",
+			content: "  \n ",
+			create:  true,
+			wantErr: errEmptyPIDFile,
+		},
+		{
+			name:    "non-existent file",
+			create:  false,
+			wantErr: os.ErrNotExist,
+		},
+		{
+			name:    "invalid content",
+			content: "abc",
+			create:  true,
+			wantErr: strconv.ErrSyntax,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := filepath.Join(t.TempDir(), "pidfile")
+			if tt.create {
+				err := os.WriteFile(path, []byte(tt.content), 0o600)
+				assert.NoError(t, err)
+			}
+			pid, err := readPidFile(path)
+			if tt.wantErr != nil {
+				assert.Error(t, err)
+				assert.ErrorIs(t, err, tt.wantErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.wantPid, pid)
+			}
+		})
+	}
+}