
yahoo-eng-team team mailing list archive

[Bug 2115798] [NEW] race conditions in security-group removals

 

Public bug reported:

Description
===========

When attempting to remove multiple security groups from a single server
concurrently, some of the security groups may not actually get removed
despite requests being accepted.

Originally discovered by submitting multiple simultaneous requests to
the Nova API (compute 2.1) `/v2.1/servers/<uuid>/action` like:

```json
{
    "removeSecurityGroup": {
        "name": "<security-group-name>"
    }
}
```

and receiving `202 Accepted`, but the changes only partially reflect.

This occurs almost always.

Quite possibly related to https://bugs.launchpad.net/nova/+bug/1417975.

Steps to reproduce
==================

This can also be reproduced via the `openstack` cli client. Sample
script:

```sh
#!/bin/bash

# Usage: ./remove-sgs-simultaneously.sh <SERVER_ID> <SECGROUP1> <SECGROUP2>

SERVER_ID="$1"
SECGROUP1="$2"
SECGROUP2="$3"

if [[ -z "$SERVER_ID" || -z "$SECGROUP1" || -z "$SECGROUP2" ]]; then
    echo "Usage: $0 <SERVER_ID> <SECGROUP1> <SECGROUP2>"
    exit 1
fi

openstack server remove security group "$SERVER_ID" "$SECGROUP1" &
openstack server remove security group "$SERVER_ID" "$SECGROUP2" &

wait

openstack server show "$SERVER_ID" -c security_groups
```

Expected result
===============

Both security groups are removed from the server.

Actual result
=============

When requesting 2 removals, while both are accepted, most often only 1
will be committed.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: network race-condition security-groups

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2115798

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2115798/+subscriptions
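
A check for the behaviour reported above, added here as an example and not part of the bug report or of nova: it issues the removals one at a time and re-reads the server after each, rather than treating `202 Accepted` as proof the group is gone. The function names, the script name, `POLL_INTERVAL`, and the assumption that the client prints group names in quotes are this example's own.

```bash
#!/bin/bash
# Added example (not from the bug report): serialise the removals and confirm
# each one by re-reading the server instead of trusting 202 Accepted.

# sg_attached SHOW_OUTPUT NAME -> 0 if NAME is still listed.
# Assumption: the client prints names quoted, e.g. name='web' or "name": "web".
# Check your client's output format before relying on this match.
sg_attached() {
    printf '%s\n' "$1" | grep -qF -e "'$2'" -e "\"$2\""
}

# remove_sg_verified SERVER_ID NAME [TRIES]
# 0 = removed, 1 = accepted but still attached after TRIES polls, 2 = CLI error.
remove_sg_verified() {
    local server name tries out i
    server="$1"; name="$2"; tries="${3:-5}"; i=0
    openstack server remove security group "$server" "$name" || return 2
    while [ "$i" -lt "$tries" ]; do
        out=$(openstack server show "$server" -c security_groups -f value) || return 2
        sg_attached "$out" "$name" || return 0
        sleep "${POLL_INTERVAL:-1}"   # POLL_INTERVAL is this example's own knob
        i=$((i + 1))
    done
    return 1
}

# remove_all_verified SERVER_ID NAME...
# Non-zero if any group was not confirmed removed; names go to stderr.
remove_all_verified() {
    local server name failed
    server="$1"; failed=0
    shift
    for name in "$@"; do
        if ! remove_sg_verified "$server" "$name"; then
            echo "NOT REMOVED: $name" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: ./remove-sgs-verified.sh <SERVER_ID> <SECGROUP>...
if [ "$#" -ge 2 ]; then
    remove_all_verified "$@"
fi
```

A non-zero exit means at least one group was accepted for removal but is still attached, so automation that depends on the tightened rules should stop there.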