fix(provisioner): close SSH client before reassign, close pipe reader#659
Merged
ArangoGutierrez merged 1 commit intoNVIDIA:mainfrom Feb 13, 2026
Merged
Conversation
provision() overwrote p.Client with a new SSH connection without closing the old one, leaking TCP sockets and goroutines. Also close the io.Pipe reader after wg.Wait() for completeness. Audit findings #14 (MEDIUM), NVIDIA#29 (LOW). Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>
Pull Request Test Coverage Report for Build 21978700032Details
💛 - Coveralls |
There was a problem hiding this comment.
Pull request overview
This PR fixes two resource leak issues in the provisioner identified by an audit: an SSH client that was being overwritten without closing, and an io.Pipe reader that was never closed. The changes prevent resource leaks by properly closing these resources before reassignment and after use.
Changes:
- Added SSH client close guard in
provision()before creating new connection - Added io.Pipe reader close after WaitGroup completes
|
|
||
| // Close existing client before creating new connection | ||
| if p.Client != nil { | ||
| _ = p.Client.Close() |
There was a problem hiding this comment.
The SSH client close logic here differs from the pattern used in resetConnection() and waitForNodeReboot(). Those functions check if the connection is still alive by attempting to create a session before closing. Consider using the same pattern here for consistency:
if p.Client != nil {
session, err := p.Client.NewSession()
if err == nil {
_ = session.Close()
if err := p.Client.Close(); err != nil {
return fmt.Errorf("failed to close ssh client: %w", err)
}
}
p.Client = nil
}
This prevents potential issues with closing already-dead connections and follows the established convention in the codebase.
Suggested change
| _ = p.Client.Close() | |
| // Try to create a new session to check if connection is alive | |
| session, err := p.Client.NewSession() | |
| if err == nil { | |
| _ = session.Close() | |
| // Connection is alive, close it | |
| if err := p.Client.Close(); err != nil { | |
| return fmt.Errorf("failed to close ssh client: %w", err) | |
| } | |
| } | |
| // If we get here, either the connection was already closed or we couldn't create a session |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
provision()Audit Findings
Changes
pkg/provisioner/provisioner.go: Add client close guard + pipe reader closeTest plan
gofmt— no formatting issuesgo build— compilesgo test ./pkg/...— all tests pass