[octavia-ingress-controller] Possible lost update race conditions in adding and removing SGs #2630
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
k8s-ci-robot
added
the
kind/feature
stephenfin
added a commit
to stephenfin/cloud-provider-openstack
that referenced
this issue
Aug 19, 2024
Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Closes: kubernetes#2630
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
(it's a feature'y bug 😄)
What happened:
Neutron doesn't provide a way to add or remove port security groups individually. Instead, you indicate the total set of SGs that should be on the port, meaning to add an SG you must fetch the existing SGs, append the new SG to this set, and then apply this updated set. This opens us up to a TOCTOU race: if a security group is added or removed in the interim, we will lose that update. @dulek has noted this in places.
What you expected to happen:
Per @dulek's notes, we should make use of neutron's
revision-if-matchshim extension to set a revision ID.How to reproduce it:
N/A
Anything else we need to know?:
N/A
Environment:
masterThe text was updated successfully, but these errors were encountered: