Fix client hangs on stale SSH connections

Honny1 · Honny1 · commit 511db7e38cf1 · 2026-06-11T14:00:51.000+02:00
Wrap ssh.DialNet in a goroutine so it respects context cancellation, skip retries on context/timeout errors, and invalidate the cached connection on failure. Fixes: #28453 Signed-off-by: Jan Rodák <hony.com@seznam.cz>
diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go
@@ -44,6 +44,7 @@ const (
 	clientKey      = valueKey("Client")
 	versionKey     = valueKey("ServiceVersion")
 	machineModeKey = valueKey("MachineMode")
+
 )
 
 type ConnectError struct {
@@ -297,8 +298,22 @@ func sshClient(_url *url.URL, uri string, identity string, machine bool) (Connec
 		val := strings.TrimSuffix(b.String(), "\n")
 		_url.Path = val
 	}
-	dialContext := func(_ context.Context, _, _ string) (net.Conn, error) {
-		return ssh.DialNet(conn, "unix", _url)
+	dialContext := func(ctx context.Context, _, _ string) (net.Conn, error) {
+		type result struct {
+			conn net.Conn
+			err  error
+		}
+		ch := make(chan result, 1)
+		go func() {
+			c, err := ssh.DialNet(conn, "unix", _url)
+			ch <- result{c, err}
+		}()
+		select {
+		case r := <-ch:
+			return r.conn, r.err
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
 	}
 	connection.Client = &http.Client{
 		Transport: &http.Transport{
@@ -314,8 +329,8 @@ func tcpClient(_url *url.URL, opts Options) (Connection, error) {
 	connection := Connection{
 		URI: _url,
 	}
-	dialContext := func(_ context.Context, _, _ string) (net.Conn, error) {
-		return net.Dial("tcp", _url.Host)
+	dialContext := func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return (&net.Dialer{}).DialContext(ctx, "tcp", _url.Host)
 	}
 	// use proxy if env `CONTAINER_PROXY` set
 	if proxyURI, found := os.LookupEnv("CONTAINER_PROXY"); found {
@@ -480,12 +495,17 @@ func (c *Connection) DoRequest(ctx context.Context, httpBody io.Reader, httpMeth
 		}
 	}
 
-	// Give the Do three chances in the case of a comm/service hiccup
+	// Give the Do three chances in the case of a comm/service hiccup.
+	// Don't retry on context or timeout errors — those won't recover.
 	for i := 1; i <= 3; i++ {
 		response, err = c.Client.Do(req) //nolint:bodyclose // The caller has to close the body.
 		if err == nil {
 			break
 		}
+		var netErr net.Error
+		if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) || (errors.As(err, &netErr) && netErr.Timeout()) {
+			break
+		}
 		time.Sleep(time.Duration(i*100) * time.Millisecond)
 	}
 	return &APIResponse{response, req}, err
diff --git a/pkg/domain/infra/runtime_tunnel.go b/pkg/domain/infra/runtime_tunnel.go
@@ -24,6 +24,8 @@ func newConnection(facts *entities.PodmanConfig, farmNodeName string) (context.C
 	if connection == nil || farmNodeName != "" {
 		ctx, err := newConnectionWithoutLock(context.Background(), facts)
 		if err != nil {
+			// Clear stale connection so the next call retries.
+			connection = nil
 			return ctx, err
 		}
 		connection = &ctx

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ func newConnection(facts *entities.PodmanConfig, farmNodeName string) (context.C`
`24`	`24`	`if connection == nil \|\| farmNodeName != "" {`
`25`	`25`	`ctx, err := newConnectionWithoutLock(context.Background(), facts)`
`26`	`26`	`if err != nil {`
	`27`	`+ // Clear stale connection so the next call retries.`
	`28`	`+ connection = nil`
`27`	`29`	`return ctx, err`
`28`	`30`	`}`
`29`	`31`	`connection = &ctx`