From eece6ca00b008d6ec70afcc13bddbd534a6c332f Mon Sep 17 00:00:00 2001
From: Sebastien Tardif <sebtardif@ncf.ca>
Date: Tue, 19 May 2026 17:05:23 -0700
Subject: [PATCH] Fix file descriptor leaks in remote import, save, and
 checkpoint operations

Fix four file descriptor leaks:

1. tunnel/images.go Import: os.Open(opts.Source) never closed
2. tunnel/images.go Save: second os.Open for oci-dir/docker-dir never closed
3. bindings/checkpoint.go Restore: os.Open(importPath) never closed
4. container_internal_common.go: os.Create in checkpoint volume export
   loop not closed on five error paths

These are the same class of bug fixed in #28723 and #28724.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
---
 libpod/container_internal_common.go   | 2 +-
 pkg/bindings/containers/checkpoint.go | 4 +++-
 pkg/domain/infra/tunnel/images.go     | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 0da14e2774e..3ea84d5e9f8 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -1198,6 +1198,7 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 			if err != nil {
 				return fmt.Errorf("creating %q: %w", volumeTarFileFullPath, err)
 			}
+			defer volumeTarFile.Close()
 
 			volume, err := c.runtime.GetVolume(v.Name)
 			if err != nil {
@@ -1223,7 +1224,6 @@ func (c *Container) exportCheckpoint(options ContainerCheckpointOptions) error {
 			if err != nil {
 				return err
 			}
-			volumeTarFile.Close()
 
 			includeFiles = append(includeFiles, volumeTarFilePath)
 		}
diff --git a/pkg/bindings/containers/checkpoint.go b/pkg/bindings/containers/checkpoint.go
index e4c4820dbae..933befe91d6 100644
--- a/pkg/bindings/containers/checkpoint.go
+++ b/pkg/bindings/containers/checkpoint.go
@@ -88,10 +88,12 @@ func Restore(ctx context.Context, nameOrID string, options *RestoreOptions) (*ty
 	}
 	if i != "" {
 		params.Set("import", "true")
-		r, err = os.Open(i)
+		f, err := os.Open(i)
 		if err != nil {
 			return nil, err
 		}
+		defer f.Close()
+		r = f
 		// Hard-code the name since it will be ignored in any case.
 		nameOrID = "import"
 	}
diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
index 0e3bd9631e2..5aabdf669cd 100644
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -267,6 +267,7 @@ func (ir *ImageEngine) Import(_ context.Context, opts entities.ImageImportOption
 		if err != nil {
 			return nil, err
 		}
+		defer f.Close()
 	}
 	return images.Import(ir.ClientCtx, f, options)
 }
@@ -354,6 +355,7 @@ func (ir *ImageEngine) Save(_ context.Context, nameOrID string, tags []string, o
 	if err != nil {
 		return err
 	}
+	defer f.Close()
 	info, err := os.Stat(opts.Output)
 	switch {
 	case err == nil: