fix: harden provider network cleanup to prevent orphaned bridges and routes (#6448)

When the host NIC disappears before daemon cleanup runs (e.g., Docker
disconnects the node), removeProviderNic() returned early without
cleaning up addresses and routes on the OVS bridge, leaving stale
kernel routes that cause subnet conflicts for subsequent operations.

When ovn-bridge-mappings has no entry for a provider (e.g., bridge
setup failed or daemon restarted), ovsCleanProviderNetwork() returned
early without attempting to clean up any orphaned OVS bridge or
restore renamed NICs, leaving the node network in a polluted state.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: oilbeater

pkg/daemon/init.go

@@ -154,16 +154,29 @@ func (c *Controller) ovsCleanProviderNetwork(provider string) error {
 
 	brName := mappings[provider]
 	if brName == "" {
-		return nil
+		// The mapping may have been cleared before cleanup finished (e.g., daemon restart
+		// or race with bridge setup failure). Fall back to the default bridge name to clean
+		// up any orphaned bridge and restore the original NIC name.
+		brName = util.ExternalBridgeName(provider)
+		klog.Infof("no ovn-bridge-mappings entry for provider %s, trying default bridge name %s", provider, brName)
 	}
 
 	output, err := ovs.Exec("list-br")
 	if err != nil {
 		return fmt.Errorf("failed to list OVS bridges: %w, %q", err, output)
 	}
 
-	if !slices.Contains(strings.Split(output, "\n"), brName) {
+	bridges := strings.Split(output, "\n")
+	if !slices.Contains(bridges, brName) {
 		klog.V(3).Infof("ovs bridge %s not found", brName)
+		// Even if no OVS bridge exists, check if a NIC was renamed to br-<provider>
+		// and needs to be restored (e.g., exchangeLinkName was used but bridge setup failed).
+		if br := util.ExternalBridgeName(provider); br != brName {
+			if _, err = c.changeProviderNicName(br, brName); err != nil {
+				klog.Errorf("failed to change provider nic name from %s to %s: %v", br, brName, err)
+				return err
+			}
+		}
 		return nil
 	}
 

pkg/daemon/ovs_linux.go

@@ -1553,14 +1553,18 @@ func (c *Controller) removeProviderNic(nicName, brName string) error {
 
 	nic, err := netlink.LinkByName(nicName)
 	if err != nil {
-		if _, ok := err.(netlink.LinkNotFoundError); ok {
-			klog.Warningf("failed to get nic by name %s: %v", nicName, err)
-			return nil
+		if _, ok := err.(netlink.LinkNotFoundError); !ok {
+			return fmt.Errorf("failed to get nic by name %s: %w", nicName, err)
 		}
-		return fmt.Errorf("failed to get nic by name %s: %w", nicName, err)
+		klog.Warningf("nic %s not found, will still clean up addresses and routes on bridge %s", nicName, brName)
 	}
+
 	bridge, err := netlink.LinkByName(brName)
 	if err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			klog.Warningf("bridge %s not found, skip cleanup", brName)
+			return nil
+		}
 		return fmt.Errorf("failed to get bridge by name %s: %w", brName, err)
 	}
 
@@ -1591,16 +1595,20 @@ func (c *Controller) removeProviderNic(nicName, brName string) error {
 		}
 		klog.Infof("address %q has been deleted from link %s", addr.String(), brName)
 
-		addr.Label = ""
-		if err = netlink.AddrReplace(nic, &addr); err != nil {
-			return fmt.Errorf("failed to replace address %q on nic %s: %w", addr.String(), nicName, err)
+		if nic != nil {
+			addr.Label = ""
+			if err = netlink.AddrReplace(nic, &addr); err != nil {
+				return fmt.Errorf("failed to replace address %q on nic %s: %w", addr.String(), nicName, err)
+			}
+			klog.Infof("address %q has been added/replaced to link %s", addr.String(), nicName)
 		}
-		klog.Infof("address %q has been added/replaced to link %s", addr.String(), nicName)
 	}
 
-	if err = netlink.LinkSetUp(nic); err != nil {
-		klog.Errorf("failed to set link %s up: %v", nicName, err)
-		return err
+	if nic != nil {
+		if err = netlink.LinkSetUp(nic); err != nil {
+			klog.Errorf("failed to set link %s up: %v", nicName, err)
+			return err
+		}
 	}
 
 	for _, scope := range routeScopeOrders {
@@ -1610,11 +1618,18 @@ func (c *Controller) removeProviderNic(nicName, brName string) error {
 				continue
 			}
 			if route.Scope == scope {
-				route.LinkIndex = nic.Attrs().Index
-				if err = netlink.RouteReplace(&route); err != nil {
-					return fmt.Errorf("failed to add/replace route %s: %w", route.String(), err)
+				if nic != nil {
+					route.LinkIndex = nic.Attrs().Index
+					if err = netlink.RouteReplace(&route); err != nil {
+						return fmt.Errorf("failed to add/replace route %s: %w", route.String(), err)
+					}
+					klog.Infof("route %q has been added/replaced to link %s", route.String(), nicName)
+				} else {
+					if err = netlink.RouteDel(&route); err != nil {
+						return fmt.Errorf("failed to delete route %s from bridge %s: %w", route.String(), brName, err)
+					}
+					klog.Infof("route %q has been deleted from link %s (nic %s not found)", route.String(), brName, nicName)
 				}
-				klog.Infof("route %q has been added/replaced to link %s", route.String(), nicName)
 			}
 		}
 	}