Re: [Netconf] Is there a problem with confirmed commits?

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Mon, 14 January 2019 14:51 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34A86128CF2 for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 06:51:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8fcwCl0yJ37z for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 06:51:38 -0800 (PST)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDD8612D4EC for <netconf@ietf.org>; Mon, 14 Jan 2019 06:51:37 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 9F2B6E33; Mon, 14 Jan 2019 15:51:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id QRQ3kvoHqZdc; Mon, 14 Jan 2019 15:51:36 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Mon, 14 Jan 2019 15:51:36 +0100 (CET)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 8648620046; Mon, 14 Jan 2019 15:51:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id Oiq03nLAaC94; Mon, 14 Jan 2019 15:51:36 +0100 (CET)
Received: from exchange.jacobs-university.de (sxchmb03.jacobs.jacobs-university.de [10.70.0.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "exchange.jacobs-university.de", Issuer "DFN-Verein Global Issuing CA" (verified OK)) by hermes.jacobs-university.de (Postfix) with ESMTPS id 054CB20045; Mon, 14 Jan 2019 15:51:35 +0100 (CET)
Received: from anna.localdomain (10.50.218.117) by sxchmb03.jacobs.jacobs-university.de (10.70.0.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1591.10; Mon, 14 Jan 2019 15:51:35 +0100
Received: by anna.localdomain (Postfix, from userid 501) id F3D673005A298C; Mon, 14 Jan 2019 15:51:34 +0100 (CET)
Date: Mon, 14 Jan 2019 15:51:34 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Jonathan Hansford <jonathan@hansfords.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20190114145134.hnjxxyqgqzkx2h7q@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Jonathan Hansford <jonathan@hansfords.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <em074e85b0-0b46-4b04-b6c4-5ea64a0f328b@morpheus>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: 8bit
In-Reply-To: <em074e85b0-0b46-4b04-b6c4-5ea64a0f328b@morpheus>
User-Agent: NeoMutt/20180716
X-ClientProxiedBy: SXCHMB04.jacobs.jacobs-university.de (10.70.0.156) To sxchmb03.jacobs.jacobs-university.de (10.70.0.155)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-LHOm9TguB7OdukC4YoLZ6UuSZ4>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 14:51:41 -0000

Dear Jonathan,

can you please explain how we get into a race condition? What is the
sequence of actions the clients involved have to go through to arrive
at a race?

/js

On Mon, Jan 14, 2019 at 02:47:14PM +0000, Jonathan Hansford wrote:
> RFC 6241, Section 8.2.4.1 states, 'If the running or candidate
> configuration is currently locked by a different session, the <commit>
> operation MUST fail with an <error-tag> value of "in-use".' So if the
> new client acquires a lock on <candidate>, the original client cannot
> <commit> to <running>. So that fixes one of the issues below.
> 
> Section 8.3.5.2 states, 'When a client fails with outstanding changes to
> the candidate configuration, recovery can be difficult.  To facilitate
> easy recovery, any outstanding changes are discarded when the lock is
> released, whether explicitly with the <unlock> operation or implicitly
> from session failure.' So this means <candidate> would revert. Section
> 8.4.1 also states, 'If the device reboots for any reason before the
> confirm timeout expires, the server MUST restore the configuration to
> its state before the confirmed commit was issued.' However, earlier in
> Section 8.4.1 it states, 'If the session issuing the confirmed commit is
> terminated for any reason before the confirm timeout expires, the server
> MUST restore the configuration to its state before the confirmed commit
> was issued, unless the confirmed commit also included a <persist>
> element.', Section 8.4.5.1 states the persist parameter makes 'the
> confirmed commit survive a session termination, and set a token on the
> ongoing confirmed commit' and its description in Appendix C states,
> 'This parameter is used to make a confirmed commit persistent.  A
> persistent confirmed commit is not aborted if the NETCONF session
> terminates.  The only way to abort a persistent confirmed commit is to
> let the timer expire, or to use the <cancel-commit> operation.'
> 
> So it is the persist-id that is the cause of all the problems, not just
> the use of confirmed commit as I previously stated. But is there a way
> to resolve the outstanding issues around the use of the persist-id?
> 
> Thanks
> 
> ------ Original Message ------
> From: "Jonathan Hansford" <jonathan@hansfords.net>;
> To: "netconf@ietf.org"; <netconf@ietf.org>;
> Sent: 14/01/2019 12:50:38
> Subject: [Netconf] Is there a problem with confirmed commits?
> 
> > Hi,
> > 
> > No one seems to be responding to my email and proposed erratum around
> > the subject of confirmed commits (apart from Martin), but I would
> > really like to know it I am missing something here. As far as I can
> > tell, session termination during a confirmed commit leads to
> > unpredictable behaviour and I would like to know whether anyone is
> > using confirmed commits and how (if at all) they address the issues
> > outlined below. My assumptions are that locks are used and
> > :writable-running is not supported.
> > 
> > If the <candidate> and <running> configuration datastores are locked to
> > prevent concurrent access, and a confirmed commit sequence is
> > interrupted by the session terminating, the locks will automatically be
> > released but the server MUST NOT accept a lock on <running> from any
> > session if another session has an ongoing confirmed <commit>.
> > Consequently, after session termination no client can acquire a <lock>
> > on <running>, not even the one that initiated the confirmed <commit>,
> > until after the confirmed <commit> has timed out. However, if the
> > confirmed <commit> included the <persist> parameter, the original
> > client could still issue a <commit> using the persist-id to complete
> > the sequence prior to the timeout, even without a lock.
> > 
> > Of course, the problem now is the race for the new lock on <candidate>.
> > If the original client is successful then all is good. But if a new
> > client locks <candidate> before the timeout on the confirmed commit,
> > whether or not they precede <lock> with <discard-changes>, <candidate>
> > will be the same as <running> and the new client will pick up
> > everything from the previous session. However, the client won’t be able
> > to lock <running> until after the timeout, at which point <running>
> > reverts but <candidate> still represents the previous session. If the
> > client tries to lock <candidate> after the timeout, <running> will have
> > reverted and the lock will only be granted after a <discard-changes>
> > which will cause the <candidate> to revert. So, depending on when the
> > lock on <candidate> occurs relative to the confirmed commit timeout,
> > the client could be editing <candidate> in one of two states. Further,
> > before the timeout on the confirmed commit, even if the new client has
> > locked candidate, the original client could still issue a confirming
> > commit (they don’t need a lock on <candidate> to do so) which would
> > persistently commit any edits made by the new client. NOTE: it is not
> > the use of the persist-id that introduces this behaviour; a new client
> > would have the same problem even if a confirmed commit was not intended
> > to persist beyond a session termination.
> > 
> > If the server also supports the :startup capability then, if the
> > session termination was due to the server rebooting, the behaviour
> > above would be further complicated by <running> now containing the
> > configuration from the <startup> configuration datastore.
> > 
> > Am I right?
> > 
> > Jonathan
> > 
> > 
> > --------------------------------------------------------------------------------
> > Avast logo
> > <https://www.avast.com/antivirus>
> > 				This email has been checked for viruses by Avast antivirus
> > software.
> > www.avast.com <https://www.avast.com/antivirus>
> > 
> > 
> > <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> 
> ---
> This email has been checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus

> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf


-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>