Fix race condition when creating/deleting namespace address set

Fix race condition: 1. deleteNamespaceLocked, after the 20s delay, checks that the current nsInfo for the namespace is nil 2. ensureNamespaceLockedCommon adds a new nsInfo referencing the existing address set 3. deleteNamespaceLocked destroys the existing address set Signed-off-by: Jaime Caamaño Ruiz <[email protected]>
ovn-org · May 22, 2024 · f5e9201 · f5e9201
1 parent 88b05ef
commit f5e9201
Showing 1 changed file with 18 additions and 9 deletions.
diff --git a/go-controller/pkg/ovn/base_network_controller.go b/go-controller/pkg/ovn/base_network_controller.go
@@ -532,22 +532,31 @@ func (bnc *BaseNetworkController) deleteNamespaceLocked(ns string) (*namespaceIn
 		}
 
 		// Delete the address set after a short delay.
-		// This is so NetworkPolicy handlers can converge and stop referencing it.
+		// This is to avoid OVN warnings while the address set is still
+		// referenced from NBDB ACLs until the NetworkPolicy handlers remove
+		// them.
 		addressSet := nsInfo.addressSet
 		go func() {
 			select {
 			case <-bnc.stopChan:
 				return
 			case <-time.After(20 * time.Second):
-				// Check to see if the NS was re-added in the meanwhile. If so,
-				// only delete if the new NS's AddressSet shouldn't exist.
-				nsInfo, nsUnlock := bnc.getNamespaceLocked(ns, true)
-				if nsInfo != nil {
+				// make sure nobody changes the namespace while we delete
+				// stuff from it
+				_, nsUnlock := bnc.getNamespaceLocked(ns, true)
+				if nsUnlock != nil {
 					defer nsUnlock()
-					if nsInfo.addressSet != nil {
-						klog.V(5).Infof("Skipping deferred deletion of AddressSet for NS %s: re-created", ns)
-						return
-					}
+				}
+				// make sure nobody adds the namespace back while we delete
+				// stuff from it
+				bnc.namespacesMutex.Lock()
+				defer bnc.namespacesMutex.Unlock()
+				// do not delete the address set if the namespace was added back
+				// during the delay
+				nsInfo := bnc.namespaces[ns]
+				if nsInfo != nil && nsInfo.addressSet != nil {
+					klog.V(5).Infof("Skipping deferred deletion of AddressSet for NS %s: re-created", ns)
+					return
 				}
 
 				klog.V(5).Infof("Finishing deferred deletion of AddressSet for NS %s", ns)