network-interface-security.conf needs to go away when the interface does.

No so simple, unfortunately. Here's why it was written this way:

# In order to handle the lack of upstart feature LP: #568860, we need to
# run multiple times, for each of the above "starting" service instances, or
# else another one might run while we're running, and not wait for us to
# finish.
instance $JOB${INTERFACE:+/}${INTERFACE:-}

Thanks, I saw that comment before but bc I didn't go look at the bug itself I misunderstood it.

Changed bug title to reflect what we really need out of it. Turning it into a task was just the obvious (but as Kees points out wrong) way to do it.

@Kees,

is there any reason not to add a 'stop on net-device-removed INTERFACE=$INTERFACE' to this job?

So I have a fix for this which in addition to the uevent kernel fix for network devices moving to other netns should fix this bug entirely.

I'm testing the new kernel and upstart job now, should be uploaded soonish.

This bug was fixed in the package ifupdown - 0.7.5ubuntu2

---------------
ifupdown (0.7.5ubuntu2) raring; urgency=low

  * Update network-interface-security job to stop when the parent job is
    stopped itself. This avoids leftover instances. (LP: #1065684)
  * Set mtu of tunnel devices. (LP: #1074048)
  * Actually set the new calculated value for duplicate entries. (LP: #1086517)
 -- Stephane Graber <email address hidden> Tue, 11 Dec 2012 19:53:56 -0500