[octavia-ingress-controller] Possible lost update race conditions in adding and removing SGs #2630
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
lifecycle/rotten
Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
(it's a feature'y bug 😄)
What happened:
Neutron doesn't provide a way to add or remove port security groups individually. Instead, you indicate the total set of SGs that should be on the port, meaning to add an SG you must fetch the existing SGs, append the new SG to this set, and then apply this updated set. This opens us up to a TOCTOU race: if a security group is added or removed in the interim, we will lose that update. @dulek has noted this in places.
What you expected to happen:
Per @dulek's notes, we should make use of neutron's
revision-if-match
shim extension to set a revision ID.How to reproduce it:
N/A
Anything else we need to know?:
N/A
Environment:
master
The text was updated successfully, but these errors were encountered: