From fe9bd3f05ce208bae58689c335df60aa31182d45 Mon Sep 17 00:00:00 2001 From: Seth Hoenig Date: Mon, 9 Jan 2023 13:33:54 -0600 Subject: [PATCH] docker: configure restart policy for networking pause container This PR modifies the configuration of the networking pause contaier to include the "unless-stopped" restart policy. The pause container should always be restored into a running state until Nomad itself issues a stop command for the container. This is not a _perfect_ fix for #12216 but it should cover the 99% use case - where a pause container gets accidently stopped / killed for some reason. There is still a possibility where the pause container and main task container are stopped and started in the order where the bad behavior persists, but this is fundamentally unavoidable due to how docker itself abstracts and manages the underlying network namespace referenced by the containers. Closes #12216
---
 .changelog/15732.txt | 3 +++
 drivers/docker/network.go | 6 ++++++
 drivers/docker/network_test.go | 6 ++++--
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/15732.txt
diff --git a/.changelog/15732.txt b/.changelog/15732.txt
new file mode 100644
index 000000000000..b9e285e0e94b
--- /dev/null
+++ b/.changelog/15732.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+docker: configure restart policy for bridge network pause container
+```
diff --git a/drivers/docker/network.go b/drivers/docker/network.go
index 13b3e6b73f94..71a9ab512f3d 100644
--- a/drivers/docker/network.go
+++ b/drivers/docker/network.go
@@ -130,6 +130,12 @@ func (d *Driver) createSandboxContainerConfig(allocID string, createSpec *driver
 // Set the network mode to none which creates a network namespace
 // with only a loopback interface.
 NetworkMode: "none",
+
+ // Set the restart policy to unless-stopped. The pause container should
+ // never not be running until Nomad issues a stop.
+ //
+ // https://docs.docker.com/engine/reference/run/#restart-policies---restart
+ RestartPolicy: docker.RestartUnlessStopped(),
 },
 }, nil
 }
diff --git a/drivers/docker/network_test.go b/drivers/docker/network_test.go
index 4b1ccd5179db..80c235cf8e4e 100644
--- a/drivers/docker/network_test.go
+++ b/drivers/docker/network_test.go
@@ -28,7 +28,8 @@ func TestDriver_createSandboxContainerConfig(t *testing.T) {
 Image: "gcr.io/google_containers/pause-amd64:3.1",
 },
 HostConfig: &docker.HostConfig{
- NetworkMode: "none",
+ NetworkMode: "none",
+ RestartPolicy: docker.RestartUnlessStopped(),
 },
 },
 name: "no input hostname",
@@ -45,7 +46,8 @@ func TestDriver_createSandboxContainerConfig(t *testing.T) {
 Hostname: "linux",
 },
 HostConfig: &docker.HostConfig{
- NetworkMode: "none",
+ NetworkMode: "none",
+ RestartPolicy: docker.RestartUnlessStopped(),
 },
 },
 name: "supplied input hostname",
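Review bot: The comment added above `RestartPolicy` in the drivers/docker/network.go hunk reads awkwardly ("should never not be running") and omits the limitation the commit message states, so a later reader of createSandboxContainerConfig may take the policy as a complete fix. I would reword it to `// Keep the pause container running until Nomad issues a stop. Some stop/start orderings of the pause and task containers can still reproduce #12216.` and keep the docs link. Separately, `unless-stopped` hands restart authority to the Docker daemon, so a pause container that was running when the daemon or host went down will presumably come back on its own even if the Nomad client is no longer there to own it; whether the teardown path always issues a stop before removal is not visible in this diff and is worth confirming. The function body starts outside the hunk, and the two network_test.go hunks only assert the returned config struct, so the restart behaviour itself is not exercised by a test here.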