From 6f1120693feb07f4ec6cd8c51c4b1d206a801ba5 Mon Sep 17 00:00:00 2001
From: Stefan Hanreich <s.hanreich@proxmox.com>
Date: Tue, 29 Jul 2025 11:29:31 +0200
Subject: api: add lock token parameter to apply endpoint

Committing the configuration now requires a lock on the SDN
configuration, which was not required before. This is to prevent
concurrent callers from applying the SDN configuration, while the lock
is held. If there is no lock set, then this function behaves the same
as before.

Also add the functionality to automatically release the lock after
applying the configuration, for convenience reasons.

Co-authored-by: Gabriel Goller <g.goller@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Link: https://lore.proxmox.com/20250729092933.90118-4-g.goller@proxmox.com
---
 src/PVE/API2/Network/SDN.pm | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/Network/SDN.pm b/src/PVE/API2/Network/SDN.pm
index 6645f28..924c9e4 100644
--- a/src/PVE/API2/Network/SDN.pm
+++ b/src/PVE/API2/Network/SDN.pm
@@ -9,7 +9,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::RESTHandler;
 use PVE::RPCEnvironment;
 use PVE::SafeSyslog;
-use PVE::Tools qw(run_command);
+use PVE::Tools qw(run_command extract_param);
 use PVE::Network::SDN;
 
 use PVE::API2::Network::SDN::Controllers;
@@ -126,6 +126,16 @@ __PACKAGE__->register_method({
     },
     parameters => {
         additionalProperties => 0,
+        properties => {
+            'lock-token' => get_standard_option('pve-sdn-lock-token'),
+            'release-lock' => {
+                type => 'boolean',
+                optional => 1,
+                default => 1,
+                description =>
+                    'When lock-token has been provided and configuration successfully commited, release the lock automatically afterwards',
+            },
+        },
     },
     returns => {
         type => 'string',
@@ -136,10 +146,24 @@ __PACKAGE__->register_method({
         my $rpcenv = PVE::RPCEnvironment::get();
         my $authuser = $rpcenv->get_user();
 
-        my $previous_config_has_frr = PVE::Network::SDN::running_config_has_frr();
-        PVE::Network::SDN::commit_config();
+        my $lock_token = extract_param($param, 'lock-token');
+        my $release_lock = extract_param($param, 'release-lock');
+
+        my $previous_config_has_frr;
+        my $new_config_has_frr;
+
+        PVE::Network::SDN::lock_sdn_config(
+            sub {
+                $previous_config_has_frr = PVE::Network::SDN::running_config_has_frr();
+                PVE::Network::SDN::commit_config();
+                $new_config_has_frr = PVE::Network::SDN::running_config_has_frr();
+
+                PVE::Network::SDN::delete_global_lock() if $lock_token && $release_lock;
+            },
+            "could not commit SDN config",
+            $lock_token,
+        );
 
-        my $new_config_has_frr = PVE::Network::SDN::running_config_has_frr();
         my $skip_frr = !($previous_config_has_frr || $new_config_has_frr);
 
         my $code = sub {
-- 
cgit v1.2.3