MIR-754

Subnet IP leak when pause container is already gone during sandbox cleanup

Done public
phinze opened Mar 4, 2026, updated Mar 9, 2026

Summary

In stopSandbox, the IP release loop (c.Subnet.ReleaseAddr) is inside the if container != nil block. When the pause container is already gone but IPs were recovered from the entity store fallback, those IPs are never released back to the subnet allocator.

Code reference

controllers/sandbox/sandbox.go, stopSandbox method, around lines 2356-2369. The for ipStr := range sandboxIPs loop is nested inside if container != nil, but sandboxIPs can be populated from the entity store fallback (line 2284) even when the container is nil.

Fix

Move the IP release loop outside the if container != nil block so it runs regardless of whether the pause container was found.

Context

Found during review of PR #644 (MIR-752). Pre-existing issue, not introduced by that PR.
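
The leak and the fix described in this issue, reduced to a runnable Go sketch. This is an added example, not the project's code: Subnet, Container, stopBuggy and stopFixed are hypothetical stand-ins, sandboxIPs is assumed to be a map keyed by IP string, and the addresses are constructed.

```go
package main

import "fmt"

// Subnet is a toy allocator (hypothetical) that tracks addresses in use.
type Subnet struct{ inUse map[string]bool }

func NewSubnet(ips ...string) *Subnet {
	s := &Subnet{inUse: map[string]bool{}}
	for _, ip := range ips {
		s.inUse[ip] = true
	}
	return s
}

func (s *Subnet) ReleaseAddr(ip string) { delete(s.inUse, ip) }
func (s *Subnet) Leaked() int           { return len(s.inUse) }

// Container stands in for the pause container handle.
type Container struct{ Stopped bool }

// stopBuggy mirrors the reported shape: the release loop is gated on the
// container, so IPs recovered by a fallback are never returned when it is nil.
func stopBuggy(sub *Subnet, container *Container, sandboxIPs map[string]struct{}) {
	if container != nil {
		container.Stopped = true // container teardown
		for ipStr := range sandboxIPs {
			sub.ReleaseAddr(ipStr)
		}
	}
}

// stopFixed releases every recovered IP whether or not the container exists.
func stopFixed(sub *Subnet, container *Container, sandboxIPs map[string]struct{}) {
	if container != nil {
		container.Stopped = true // container teardown
	}
	for ipStr := range sandboxIPs {
		sub.ReleaseAddr(ipStr)
	}
}

func main() {
	// Constructed input: IPs recovered from a fallback, pause container gone.
	ips := map[string]struct{}{"10.8.0.5": {}, "10.8.0.6": {}}
	a, b := NewSubnet("10.8.0.5", "10.8.0.6"), NewSubnet("10.8.0.5", "10.8.0.6")
	stopBuggy(a, nil, ips)
	stopFixed(b, nil, ips)
	fmt.Println("buggy leaked:", a.Leaked(), "fixed leaked:", b.Leaked())
}
```

A regression test for the real fix would follow the same pattern: run cleanup with a nil container and a non-empty recovered IP set, then check that the allocator holds no addresses for that sandbox.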