Re: [Netconf] Is there a problem with confirmed commits?
<jonathan@hansfords.net> Mon, 14 January 2019 20:07 UTC
Return-Path: <jonathan@hansfords.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5436413128D for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 12:07:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hansfords.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbNp2SZLRFMS for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 12:07:25 -0800 (PST)
Received: from mail.myfast.site (mail.myfast.site [109.203.117.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D06213128A for <netconf@ietf.org>; Mon, 14 Jan 2019 12:07:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hansfords.net; s=default; h=Content-Type:MIME-Version:Message-ID:Date: Subject:In-Reply-To:References:To:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=R0r9hob2LzVywZZ3dos78K7xg2UCAEjyrefoqTj+MDA=; b=E3J1g1w8FIBPvoLAJ9TOpwTZq yvbBnt4NwbvEPCUHQVsgrE4v1j5tuhQ/zC+uu7rVMK4LTeUERNPl5IDUDMV3Hvv/NzXcTI+dazC2Q BMoMhh0bg1/+52im3xYSAlOEmIY7HRuA2UnGoyKpJjVtORGsbE2vb8GbE4sn1ue4QtFnLBC/TiNft CmUvYG5YyAcc5TXRsOs35zhivtqiLl3nLhj3MeC1OF32HBBax8ST34AJfg0MiGskcx1hzMEoRo1eD vHaE3yrs0tAsbx7q43GqnHqAsN069Plzz4c6ptUoUMncK+KE8u0yJmBzfnkfVCGENts4cv/hpb9vT gpl9SGNTQ==;
Received: from hansfords.plus.com ([84.92.116.209]:53876 helo=Vanguard) by mail.myfast.site with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <jonathan@hansfords.net>) id 1gj8W3-000Q8u-Lc; Mon, 14 Jan 2019 20:07:24 +0000
From: jonathan@hansfords.net
To: 'Andy Bierman' <andy@yumaworks.com>, 'Juergen Schoenwaelder' <j.schoenwaelder@jacobs-university.de>, netconf@ietf.org
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <20190114135056.t6sow7dbcyow6qcn@anna.jacobs.jacobs-university.de> <em5dfb175c-7835-43eb-a767-38e270601427@morpheus> <20190114154026.tbevjbcdn3oh34uz@anna.jacobs.jacobs-university.de> <emd3042eae-a670-4eb3-8055-5f3379acc4d8@morpheus> <20190114162532.ptmzaxwghowda2o7@anna.jacobs.jacobs-university.de> <CABCOCHTTMPq54_HPYOLBGavX2Q1NqzHPXLv0BVofBaKSxd=TdQ@mail.gmail.com>
In-Reply-To: <CABCOCHTTMPq54_HPYOLBGavX2Q1NqzHPXLv0BVofBaKSxd=TdQ@mail.gmail.com>
Date: Mon, 14 Jan 2019 20:07:26 -0000
Message-ID: <009301d4ac44$c55b0fe0$50112fa0$@hansfords.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0094_01D4AC44.C5623BD0"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
Thread-Index: AQLE0RaQ1Uz4CppdTOUjYIi6BiQW6AJU4JgjAirII84C+DiKVALt8NSsAdIEl3wA1BF+DqNmd0aA
X-Antivirus: Avast (VPS 190114-4, 14/01/2019), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.myfast.site
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hansfords.net
X-Get-Message-Sender-Via: mail.myfast.site: authenticated_id: jonathan@hansfords.net
X-Authenticated-Sender: mail.myfast.site: jonathan@hansfords.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/20g-21_zOKRGSuXZx8UVLTa9Q5s>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 20:07:30 -0000
So what you are both saying is that a commit isn’t a commit if it is a confirmed commit that hasn’t been followed by a confirming commit. That being the case, it would be helpful if, rather than trying to come up with a form of words that clarifies the second bullet on page 45, the third bullet was modified to state ‘The target configuration is <candidate> or <running>, and another NETCONF session has an ongoing confirmed commit (Section 8.4).’ In summary: * If a non-persistent confirmed commit suffers a session termination, any locks are released and the <running> configuration datastore rolls back to its state prior to the confirmed commit, or the first confirmed commit in a sequence, being issued. * If a persistent confirmed commit suffers a session termination, any locks are released but the <running> configuration datastore does not roll back until the confirmed commit times out. In the meantime, neither the <candidate> nor the <running> configuration datastore can be locked by any session, but any session that knows the persist-id can prevent the rollback on the timeout by issuing a confirming commit which will irrevocably commit the <candidate> configuration datastore to <running>. Is that everyone’s understanding of how non-persistent and persistent confirmed commits work? Just as a footnote, if the cause of the session termination was the device rebooting and the :startup capability was supported, the <running> configuration datastore will contain whatever was in the <startup> configuration datastore. However, a confirming commit on a persistent confirmed commit would still commit the <candidate> configuration datastore to <running>. If the purpose of the confirmed commit was to test the new configuration prior to making it permanent, it would therefore make sense to copy the <candidate> configuration datastore to the <startup> configuration datastore prior to the confirmed commit. From: Andy Bierman <andy@yumaworks.com> Sent: 14 January 2019 16:57 To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>; Jonathan Hansford <jonathan@hansfords.net>; netconf@ietf.org Subject: Re: [Netconf] Is there a problem with confirmed commits? On Mon, Jan 14, 2019 at 8:25 AM Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de <mailto:j.schoenwaelder@jacobs-university.de> > wrote: For me, a confirmed commit is not complete if it can still timeout. It is hard to imagine how a confirmed-commit could be considered complete if the server is still waiting for the confirming commit. /js Andy On Mon, Jan 14, 2019 at 04:01:59PM +0000, Jonathan Hansford wrote: > I think the text you refer to on page 45 is open to interpretation. If a > persistent confirmed commit has occurred then the changes have been > committed (albeit in a confirmed commit), and the candidate and running > configuration datastores are the same (unless and until the confirmed commit > times out). The text depends on the definition of 'modified' (and how the > server detects it) and 'committed'. > > ------ Original Message ------ > From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de <mailto:j.schoenwaelder@jacobs-university.de> > > To: "Jonathan Hansford" <jonathan@hansfords.net <mailto:jonathan@hansfords.net> > > Cc: "netconf@ietf.org <mailto:netconf@ietf.org> " <netconf@ietf.org <mailto:netconf@ietf.org> > > Sent: 14/01/2019 15:40:26 > Subject: Re: [Netconf] Is there a problem with confirmed commits? > > > It seems the <candidate> datastore should not be allowed to be used as > > long as a persistent confirmed commit is still ongoing. I leave it to > > Martin to check whether this is said somewhere or an omission. > > > > In general, an application can't assume that <candidate> contains > > anything sensible. Hence, the proper way is to lock <candidate> and > > then to make sure it contains something sensible, i.e., issuing a > > discard_changes. And I think implementations should not allow an > > application to obtain a lock on <candidate> while a commit is active. > > The text on page 45 already says: > > > > A lock MUST NOT be granted if any of the following conditions is > > true: > > > > [...] > > > > * The target configuration is <candidate>, it has already been > > modified, and these changes have not been committed or rolled > > back. > > > > I think this covers the case of an ongoing but not completed > > persistent confirmed commit, no? > > > > /js > > > > On Mon, Jan 14, 2019 at 03:14:02PM +0000, Jonathan Hansford wrote: > > > If a persistent confirmed commit has not timed out, the running > > > configuration datastore will be the same as the candidate and > > > <discard-changes> won't change its contents. Any edit of candidate will be > > > based on the configuration resulting from the persistent confirmed commit. > > > > > > If the persistent confirmed commit has timed out, the running configuration > > > datastore will have reverted and <discard-changes> will change candidate. > > > Any edit of candidate in this case will be based on the configuration prior > > > to the start of the persistent confirmed commit. > > > > > > ------ Original Message ------ > > > From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de <mailto:j.schoenwaelder@jacobs-university.de> > > > > To: "Jonathan Hansford" <jonathan@hansfords.net <mailto:jonathan@hansfords.net> > > > > Cc: "netconf@ietf.org <mailto:netconf@ietf.org> " <netconf@ietf.org <mailto:netconf@ietf.org> > > > > Sent: 14/01/2019 13:50:56 > > > Subject: Re: [Netconf] Is there a problem with confirmed commits? > > > > > > > Hi, > > > > > > > > I have not yet understood where you see a problem. In general, > > > > <candidate/> contains arbitrary stuff and hence it is the client's > > > > responsibility to clear any arbitrary stuff found in <candidate/> > > > > after obtaining a lock. If does not really matter whether there has > > > > been a failed confirmed commit before or something else. I think the > > > > general safe pattern is: > > > > > > > > lock(candidate) > > > > discard_changes() > > > > push_whatever_needed() > > > > commit() > > > > unlock(candidate) > > > > > > > > If you do a confirmed commit and the session disappears, then the lock > > > > will disappear as well. But I do not think this creates a race > > > > condition, or I am just not yet seeing it. Perhaps it helps to write > > > > down the sequence of actions that leads to a race. > > > > > > > > /js > > > > > > > > On Mon, Jan 14, 2019 at 12:50:38PM +0000, Jonathan Hansford wrote: > > > > > Hi, > > > > > > > > > > No one seems to be responding to my email and proposed erratum around > > > > > the subject of confirmed commits (apart from Martin), but I would really > > > > > like to know it I am missing something here. As far as I can tell, > > > > > session termination during a confirmed commit leads to unpredictable > > > > > behaviour and I would like to know whether anyone is using confirmed > > > > > commits and how (if at all) they address the issues outlined below. My > > > > > assumptions are that locks are used and :writable-running is not > > > > > supported. > > > > > > > > > > If the <candidate> and <running> configuration datastores are locked to > > > > > prevent concurrent access, and a confirmed commit sequence is > > > > > interrupted by the session terminating, the locks will automatically be > > > > > released but the server MUST NOT accept a lock on <running> from any > > > > > session if another session has an ongoing confirmed <commit>. > > > > > Consequently, after session termination no client can acquire a <lock> > > > > > on <running>, not even the one that initiated the confirmed <commit>, > > > > > until after the confirmed <commit> has timed out. However, if the > > > > > confirmed <commit> included the <persist> parameter, the original client > > > > > could still issue a <commit> using the persist-id to complete the > > > > > sequence prior to the timeout, even without a lock. > > > > > > > > > > Of course, the problem now is the race for the new lock on <candidate>. > > > > > If the original client is successful then all is good. But if a new > > > > > client locks <candidate> before the timeout on the confirmed commit, > > > > > whether or not they precede <lock> with <discard-changes>, <candidate> > > > > > will be the same as <running> and the new client will pick up everything > > > > > from the previous session. However, the client won’t be able to lock > > > > > <running> until after the timeout, at which point <running> reverts but > > > > > <candidate> still represents the previous session. If the client tries > > > > > to lock <candidate> after the timeout, <running> will have reverted and > > > > > the lock will only be granted after a <discard-changes> which will cause > > > > > the <candidate> to revert. So, depending on when the lock on <candidate> > > > > > occurs relative to the confirmed commit timeout, the client could be > > > > > editing <candidate> in one of two states. Further, before the timeout on > > > > > the confirmed commit, even if the new client has locked candidate, the > > > > > original client could still issue a confirming commit (they don’t need a > > > > > lock on <candidate> to do so) which would persistently commit any edits > > > > > made by the new client. NOTE: it is not the use of the persist-id that > > > > > introduces this behaviour; a new client would have the same problem even > > > > > if a confirmed commit was not intended to persist beyond a session > > > > > termination. > > > > > > > > > > If the server also supports the :startup capability then, if the session > > > > > termination was due to the server rebooting, the behaviour above would > > > > > be further complicated by <running> now containing the configuration > > > > > from the <startup> configuration datastore. > > > > > > > > > > Am I right? > > > > > > > > > > Jonathan > > > > > > > > > > --- > > > > > This email has been checked for viruses by Avast antivirus software. > > > > > https://www.avast.com/antivirus > > > > > > > > > _______________________________________________ > > > > > Netconf mailing list > > > > > Netconf@ietf.org <mailto:Netconf@ietf.org> > > > > > https://www.ietf.org/mailman/listinfo/netconf > > > > > > > > > > > > -- > > > > Juergen Schoenwaelder Jacobs University Bremen gGmbH > > > > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > > > > Fax: +49 421 200 3103 <https://www.jacobs-university.de/> > > > > -- > > Juergen Schoenwaelder Jacobs University Bremen gGmbH > > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > > Fax: +49 421 200 3103 <https://www.jacobs-university.de/> > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <https://www.jacobs-university.de/> _______________________________________________ Netconf mailing list Netconf@ietf.org <mailto:Netconf@ietf.org> https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] Is there a problem with confirmed commi… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Martin Bjorklund
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Robert Wilton
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Andy Bierman
- Re: [Netconf] Is there a problem with confirmed c… jonathan
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford
- Re: [Netconf] Is there a problem with confirmed c… Juergen Schoenwaelder
- Re: [Netconf] Is there a problem with confirmed c… Jonathan Hansford