Fix CNIEnv concurrency issue

Signed-off-by: apostasie <spam_blackhole@farcloser.world>

Author: apostasie

pkg/netutil/netutil.go

@@ -242,6 +242,9 @@ func (e *CNIEnv) NetworkMap() (map[string]*NetworkConfig, error) { //nolint:revi
 	return m, nil
 }
 
+// FIXME: this is currently walking networkConfigList in an unsafe way.
+// However, enforcing locking here will deadlock.
+// To be investigated.
 func (e *CNIEnv) NetworkByNameOrID(key string) (*NetworkConfig, error) {
 	networks, err := e.networkConfigList()
 	if err != nil {
@@ -260,20 +263,6 @@ func (e *CNIEnv) NetworkByNameOrID(key string) (*NetworkConfig, error) {
 	return nil, fmt.Errorf("no such network: %q", key)
 }
 
-func (e *CNIEnv) filterNetworks(filterf func(*NetworkConfig) bool) ([]*NetworkConfig, error) {
-	networkConfigs, err := e.networkConfigList()
-	if err != nil {
-		return nil, err
-	}
-	result := []*NetworkConfig{}
-	for _, networkConfig := range networkConfigs {
-		if filterf(networkConfig) {
-			result = append(result, networkConfig)
-		}
-	}
-	return result, nil
-}
-
 func (e *CNIEnv) getConfigPathForNetworkName(netName string) string {
 	if netName == DefaultNetworkName || e.Namespace == "" {
 		return filepath.Join(e.NetconfPath, "nerdctl-"+netName+".conflist")
@@ -359,47 +348,35 @@ func (e *CNIEnv) RemoveNetwork(net *NetworkConfig) error {
 // label, or falls back to checking whether any network bears the
 // `DefaultNetworkName` name.
 func (e *CNIEnv) GetDefaultNetworkConfig() (*NetworkConfig, error) {
-	// Search for networks bearing the `labels.NerdctlDefaultNetwork` label.
-	defaultLabelFilterF := func(nc *NetworkConfig) bool {
-		if nc.NerdctlLabels == nil {
-			return false
-		} else if _, ok := (*nc.NerdctlLabels)[labels.NerdctlDefaultNetwork]; ok {
-			return true
-		}
-		return false
-	}
-	labelMatches, err := e.filterNetworks(defaultLabelFilterF)
-	if err != nil {
-		return nil, err
-	}
-	if len(labelMatches) >= 1 {
-		if len(labelMatches) > 1 {
-			log.L.Warnf("returning the first network bearing the %q label out of the multiple found: %#v", labels.NerdctlDefaultNetwork, labelMatches)
-		}
-		return labelMatches[0], nil
-	}
+	var networkConfigs []*NetworkConfig
+	var err error
+	// NOTE: we cannot lock NetconfPath directly, as Cilium (maybe others) are also locking it.
+	err = lockutil.WithDirLock(filepath.Join(e.NetconfPath, ".nerdctl.lock"), func() error {
+		networkConfigs, err = e.networkConfigList()
+		return err
+	})
 
-	// Search for networks bearing the DefaultNetworkName.
-	defaultNameFilterF := func(nc *NetworkConfig) bool {
-		return nc.Name == DefaultNetworkName
-	}
-	nameMatches, err := e.filterNetworks(defaultNameFilterF)
 	if err != nil {
 		return nil, err
 	}
-	if len(nameMatches) >= 1 {
-		if len(nameMatches) > 1 {
-			log.L.Warnf("returning the first network bearing the %q default network name out of the multiple found: %#v", DefaultNetworkName, nameMatches)
-		}
 
-		// Warn the user if the default network was not created by nerdctl.
-		match := nameMatches[0]
-		_, statErr := os.Stat(e.getConfigPathForNetworkName(DefaultNetworkName))
-		if match.NerdctlID == nil || statErr != nil {
-			log.L.Warnf("default network named %q does not have an internal nerdctl ID or nerdctl-managed config file, it was most likely NOT created by nerdctl", DefaultNetworkName)
+	for _, networkConfig := range networkConfigs {
+		if networkConfig.NerdctlLabels == nil {
+			continue
+		}
+		if _, ok := (*networkConfig.NerdctlLabels)[labels.NerdctlDefaultNetwork]; ok {
+			return networkConfig, nil
 		}
+	}
 
-		return nameMatches[0], nil
+	for _, networkConfig := range networkConfigs {
+		if networkConfig.Name == DefaultNetworkName {
+			_, statErr := os.Stat(e.getConfigPathForNetworkName(DefaultNetworkName))
+			if networkConfig.NerdctlID == nil || statErr != nil {
+				log.L.Warnf("default network named %q does not have an internal nerdctl ID or nerdctl-managed config file, it was most likely NOT created by nerdctl", DefaultNetworkName)
+			}
+			return networkConfig, nil
+		}
 	}
 
 	return nil, nil