Fix unsafe unwrap and improve error handling in network device operations.

nayuta-ai · nayuta-ai · commit 08e9e9890d0c · 2025-08-13T17:00:57.000Z
Signed-off-by: nayuta-ai &lt;nayuta723@gmail.com&gt;
diff --git a/crates/libcontainer/src/process/container_main_process.rs b/crates/libcontainer/src/process/container_main_process.rs
@@ -3,9 +3,10 @@ use std::path::PathBuf;
 
 use nix::sys::wait::{waitpid, WaitStatus};
 use nix::unistd::Pid;
-use oci_spec::runtime::{Linux, LinuxNamespaceType};
+use oci_spec::runtime::{Linux, LinuxNamespace, LinuxNamespaceType};
 
 use crate::network::network_device::dev_change_net_namespace;
+use crate::network::serialize::SerializableAddress;
 use crate::process::args::ContainerArgs;
 use crate::process::fork::{self, CloneCb};
 use crate::process::intel_rdt::setup_intel_rdt;
@@ -244,7 +245,6 @@ fn setup_network_device(
     main_receiver: &mut channel::MainReceiver,
     init_sender: &mut channel::InitSender,
 ) -> Result<()> {
-    let mut addrs_map = HashMap::new();
     // host network pods does not move network devices.
     if let Some(namespaces) = linux.namespaces() {
         if !namespaces
@@ -274,18 +274,17 @@ fn setup_network_device(
         // See: https://github.com/opencontainers/runtime-spec/blob/27cb0027fd92ef81eda1ea3a8153b8337f56d94a/config-linux.md#namespace-lifecycle-and-container-termination
         if let Some(devices) = linux.net_devices() {
             main_receiver.wait_for_network_setup_ready()?;
-            for (name, net_dev) in devices {
-                let addrs = dev_change_net_namespace(
-                    name,
-                    ns_path,
-                    net_dev,
-                )
-                .map_err(|err| {
-                    tracing::error!("failed to dev_change_net_namespace: {}", err);
-                    err
-                })?;
-                addrs_map.insert(name.clone(), addrs);
-            }
+            let addrs_map = devices
+                .iter()
+                .map(|(name, net_dev)| {
+                    let addrs =
+                        dev_change_net_namespace(name, ns_path, net_dev).map_err(|err| {
+                            tracing::error!("failed to dev_change_net_namespace: {}", err);
+                            err
+                        })?;
+                    Ok((name.clone(), addrs))
+                })
+                .collect::<Result<HashMap<String, Vec<SerializableAddress>>>>()?;
             init_sender.move_network_device(addrs_map)?;
         }
     }
diff --git a/crates/libcontainer/src/process/init/process.rs b/crates/libcontainer/src/process/init/process.rs
@@ -882,12 +882,10 @@ fn setup_net_devices(
     let addrs_map = init_receiver.wait_for_move_network_device()?;
     for (name, net_dev) in net_device {
         if let Some(serialize_addrs) = addrs_map.get(name) {
-            setup_network_device(name, net_dev, serialize_addrs.clone()).map_err(
-                |err| {
-                    tracing::error!(?err, "failed to setup_network_device");
-                    err
-                },
-            )?;
+            setup_network_device(name, net_dev, serialize_addrs.clone()).map_err(|err| {
+                tracing::error!(?err, "failed to setup_network_device");
+                err
+            })?;
         }
     }
 
diff --git a/crates/libcontainer/src/utils.rs b/crates/libcontainer/src/utils.rs
@@ -349,7 +349,7 @@ pub fn validate_spec_for_net_devices(
             .any(|ns| ns.typ() == LinuxNamespaceType::Network),
         None => false,
     };
-    
+
     if !has_net_namespace {
         return Err(NetDevicesError::NoNetNamespace);
     }
@@ -360,7 +360,7 @@ pub fn validate_spec_for_net_devices(
     }
 
     if let Some(devices) = linux.net_devices() {
-        for (name, net_dev) in devices {
+        devices.iter().try_for_each(|(name, net_dev)| {
             if !dev_valid_name(name) {
                 return Err(NetDevicesError::InvalidDeviceName(name.into()));
             }
@@ -369,7 +369,8 @@ pub fn validate_spec_for_net_devices(
                     return Err(NetDevicesError::InvalidDeviceName(dev_name.into()));
                 }
             }
-        }
+            Ok(())
+        })?;
     }
 
     Ok(())
@@ -581,9 +582,7 @@ mod tests {
             .map(|(key, val)| {
                 (
                     key.into(),
-                    LinuxNetDevice::default()
-                        .set_name(Some(val.into()))
-                        .clone(),
+                    LinuxNetDevice::default().set_name(Some(val.into())).clone(),
                 )
             })
             .collect();

Original file line number	Diff line number	Diff line change
`@@ -349,7 +349,7 @@ pub fn validate_spec_for_net_devices(`
`349`	`349`	`.any(\|ns\| ns.typ() == LinuxNamespaceType::Network),`
`350`	`350`	`None => false,`
`351`	`351`	`};`
`352`		`-`
	`352`	`+`
`353`	`353`	`if !has_net_namespace {`
`354`	`354`	`return Err(NetDevicesError::NoNetNamespace);`
`355`	`355`	`}`
`@@ -360,7 +360,7 @@ pub fn validate_spec_for_net_devices(`
`360`	`360`	`}`
`361`	`361`
`362`	`362`	`if let Some(devices) = linux.net_devices() {`
`363`		`- for (name, net_dev) in devices {`
	`363`	`+ devices.iter().try_for_each(\|(name, net_dev)\| {`
`364`	`364`	`if !dev_valid_name(name) {`
`365`	`365`	`return Err(NetDevicesError::InvalidDeviceName(name.into()));`
`366`	`366`	`}`
`@@ -369,7 +369,8 @@ pub fn validate_spec_for_net_devices(`
`369`	`369`	`return Err(NetDevicesError::InvalidDeviceName(dev_name.into()));`
`370`	`370`	`}`
`371`	`371`	`}`
`372`		`- }`
	`372`	`+ Ok(())`
	`373`	`+ })?;`
`373`	`374`	`}`
`374`	`375`
`375`	`376`	`Ok(())`
`@@ -581,9 +582,7 @@ mod tests {`
`581`	`582`	`.map(\|(key, val)\| {`
`582`	`583`	`(`
`583`	`584`	`key.into(),`
`584`		`- LinuxNetDevice::default()`
`585`		`- .set_name(Some(val.into()))`
`586`		`- .clone(),`
	`585`	`+ LinuxNetDevice::default().set_name(Some(val.into())).clone(),`
`587`	`586`	`)`
`588`	`587`	`})`
`589`	`588`	`.collect();`