Re: [Netconf] Is there a problem with confirmed commits?

Andy Bierman <andy@yumaworks.com> Mon, 14 January 2019 16:57 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 032431311B8 for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:57:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t1GUG1EPIdCf for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:57:20 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F42C1311B2 for <netconf@ietf.org>; Mon, 14 Jan 2019 08:57:19 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id p6so16164270lfc.1 for <netconf@ietf.org>; Mon, 14 Jan 2019 08:57:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=jsXQPmNyXExNzKBibb970Ve/SOV278k9VSPu5objjTY=; b=VIZz/nviU1TRJWrI6kart+FYc4OB3En72e1wbtCKSdJQRg2A1FkvKdceKwlAGQY2kJ zRzi8t7LtUObNGZlheXUxkjgtH051wu2F2/oOQl8et3R2/TFuqHp7IERQV302NpJ6SgG jD1D4r/Yxwj2exNDPEo/qZA4YceuFZyICuGSgdujJoPsNHtMZzhf5ladHK9kZ4aX/79h Ul9qZmgz1ScRXAAhNFjirLMBWx9Qy/CByXSkcL5ig4yHzaTEj6/n2t3ihcMMgQxhfuph 8qY7B8Hn4XWoWN+NaNHWRxO/SqFVRBCRG1vXIHSayHZ0acDSq1b1uOQuwcJm0BVkF+X9 r4sQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=jsXQPmNyXExNzKBibb970Ve/SOV278k9VSPu5objjTY=; b=mjhUUNf/s5w31Fj0LhaMZplOpqMrwa8+PQ51VeSR62l7H5rXPrp/6Z/nxQFg8xLqaf rZnRK9zWls4qhHy9uRVVpvQh8lh+RmC8H5lW+YoT0JT+uT1yhvyQ1jSCFvf0N9cxClkl gvMEhIUcrH0KVG8PEb5xABt+iYiD/2ZSmNXyUp5cPB7gTdUrjACaSWBHJu3KpEeVjZKt 4VX/lW8Ah7oovIvnqbowPz06e2PLWh4BCVYNjqzerY53xN2TpIGmhxgdh+FF5llESP1i kNQEC9p6FIt5N/x2Yd/tbbnY53HVQJ78zsDwzzt3UwLH8Xts+V0m0KTob1WwdIcofztg 2Gdg==
X-Gm-Message-State: AJcUukctXQeZv4CLuyJmEhxLHaQA+UIaD3ODqfOZAVNOaea6l75DbpfX Kv6O758eYgcAXlcu+3DxM05GJPX0F9EvQufZiGGqKA==
X-Google-Smtp-Source: ALg8bN4qDh1SXoz9jkoB2Cfal7YtV5h19CXnNCQOXdCgZRp9+oBQpzgSqphkrCN2GuRDghnsyzrg9GSbeCHfS/bUXnA=
X-Received: by 2002:a19:ca51:: with SMTP id h17mr13423589lfj.126.1547485037368; Mon, 14 Jan 2019 08:57:17 -0800 (PST)
MIME-Version: 1.0
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <20190114135056.t6sow7dbcyow6qcn@anna.jacobs.jacobs-university.de> <em5dfb175c-7835-43eb-a767-38e270601427@morpheus> <20190114154026.tbevjbcdn3oh34uz@anna.jacobs.jacobs-university.de> <emd3042eae-a670-4eb3-8055-5f3379acc4d8@morpheus> <20190114162532.ptmzaxwghowda2o7@anna.jacobs.jacobs-university.de>
In-Reply-To: <20190114162532.ptmzaxwghowda2o7@anna.jacobs.jacobs-university.de>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 14 Jan 2019 08:57:06 -0800
Message-ID: <CABCOCHTTMPq54_HPYOLBGavX2Q1NqzHPXLv0BVofBaKSxd=TdQ@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Jonathan Hansford <jonathan@hansfords.net>, "netconf@ietf.org" <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f2b9a5057f6def97"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9_eqCJ1Tsf9tzvUMEDt5yevknQE>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 16:57:24 -0000

On Mon, Jan 14, 2019 at 8:25 AM Juergen Schoenwaelder <
j.schoenwaelder@jacobs-university.de>; wrote:

> For me, a confirmed commit is not complete if it can still timeout.
>
>
It is hard to imagine how a confirmed-commit could be considered complete
if the server is still waiting for the confirming commit.



> /js
>

Andy


>
> On Mon, Jan 14, 2019 at 04:01:59PM +0000, Jonathan Hansford wrote:
> > I think the text you refer to on page 45 is open to interpretation. If a
> > persistent confirmed commit has occurred then the changes have been
> > committed (albeit in a confirmed commit), and the candidate and running
> > configuration datastores are the same (unless and until the confirmed
> commit
> > times out). The text depends on the definition of 'modified' (and how the
> > server detects it) and 'committed'.
> >
> > ------ Original Message ------
> > From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
> > To: "Jonathan Hansford" <jonathan@hansfords.net>;
> > Cc: "netconf@ietf.org"; <netconf@ietf.org>;
> > Sent: 14/01/2019 15:40:26
> > Subject: Re: [Netconf] Is there a problem with confirmed commits?
> >
> > > It seems the <candidate> datastore should not be allowed to be used as
> > > long as a persistent confirmed commit is still ongoing. I leave it to
> > > Martin to check whether this is said somewhere or an omission.
> > >
> > > In general, an application can't assume that <candidate> contains
> > > anything sensible. Hence, the proper way is to lock <candidate> and
> > > then to make sure it contains something sensible, i.e., issuing a
> > > discard_changes. And I think implementations should not allow an
> > > application to obtain a lock on <candidate> while a commit is active.
> > > The text on page 45 already says:
> > >
> > >       A lock MUST NOT be granted if any of the following conditions is
> > >       true:
> > >
> > >       [...]
> > >
> > >       *  The target configuration is <candidate>, it has already been
> > >          modified, and these changes have not been committed or rolled
> > >          back.
> > >
> > > I think this covers the case of an ongoing but not completed
> > > persistent confirmed commit, no?
> > >
> > > /js
> > >
> > > On Mon, Jan 14, 2019 at 03:14:02PM +0000, Jonathan Hansford wrote:
> > > >  If a persistent confirmed commit has not timed out, the running
> > > >  configuration datastore will be the same as the candidate and
> > > >  <discard-changes> won't change its contents. Any edit of candidate
> will be
> > > >  based on the configuration resulting from the persistent confirmed
> commit.
> > > >
> > > >  If the persistent confirmed commit has timed out, the running
> configuration
> > > >  datastore will have reverted and <discard-changes> will change
> candidate.
> > > >  Any edit of candidate in this case will be based on the
> configuration prior
> > > >  to the start of the persistent confirmed commit.
> > > >
> > > >  ------ Original Message ------
> > > >  From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de
> >
> > > >  To: "Jonathan Hansford" <jonathan@hansfords.net>;
> > > >  Cc: "netconf@ietf.org"; <netconf@ietf.org>;
> > > >  Sent: 14/01/2019 13:50:56
> > > >  Subject: Re: [Netconf] Is there a problem with confirmed commits?
> > > >
> > > >  > Hi,
> > > >  >
> > > >  > I have not yet understood where you see a problem. In general,
> > > >  > <candidate/> contains arbitrary stuff and hence it is the client's
> > > >  > responsibility to clear any arbitrary stuff found in <candidate/>
> > > >  > after obtaining a lock. If does not really matter whether there
> has
> > > >  > been a failed confirmed commit before or something else. I think
> the
> > > >  > general safe pattern is:
> > > >  >
> > > >  > lock(candidate)
> > > >  > discard_changes()
> > > >  > push_whatever_needed()
> > > >  > commit()
> > > >  > unlock(candidate)
> > > >  >
> > > >  > If you do a confirmed commit and the session disappears, then the
> lock
> > > >  > will disappear as well. But I do not think this creates a race
> > > >  > condition, or I am just not yet seeing it. Perhaps it helps to
> write
> > > >  > down the sequence of actions that leads to a race.
> > > >  >
> > > >  > /js
> > > >  >
> > > >  > On Mon, Jan 14, 2019 at 12:50:38PM +0000, Jonathan Hansford wrote:
> > > >  > >  Hi,
> > > >  > >
> > > >  > >  No one seems to be responding to my email and proposed erratum
> around
> > > >  > >  the subject of confirmed commits (apart from Martin), but I
> would really
> > > >  > >  like to know it I am missing something here. As far as I can
> tell,
> > > >  > >  session termination during a confirmed commit leads to
> unpredictable
> > > >  > >  behaviour and I would like to know whether anyone is using
> confirmed
> > > >  > >  commits and how (if at all) they address the issues outlined
> below. My
> > > >  > >  assumptions are that locks are used and :writable-running is
> not
> > > >  > >  supported.
> > > >  > >
> > > >  > >  If the <candidate> and <running> configuration datastores are
> locked to
> > > >  > >  prevent concurrent access, and a confirmed commit sequence is
> > > >  > >  interrupted by the session terminating, the locks will
> automatically be
> > > >  > >  released but the server MUST NOT accept a lock on <running>
> from any
> > > >  > >  session if another session has an ongoing confirmed <commit>.
> > > >  > >  Consequently, after session termination no client can acquire
> a <lock>
> > > >  > >  on <running>, not even the one that initiated the confirmed
> <commit>,
> > > >  > >  until after the confirmed <commit> has timed out. However, if
> the
> > > >  > >  confirmed <commit> included the <persist> parameter, the
> original client
> > > >  > >  could still issue a <commit> using the persist-id to complete
> the
> > > >  > >  sequence prior to the timeout, even without a lock.
> > > >  > >
> > > >  > >  Of course, the problem now is the race for the new lock on
> <candidate>.
> > > >  > >  If the original client is successful then all is good. But if
> a new
> > > >  > >  client locks <candidate> before the timeout on the confirmed
> commit,
> > > >  > >  whether or not they precede <lock> with <discard-changes>,
> <candidate>
> > > >  > >  will be the same as <running> and the new client will pick up
> everything
> > > >  > >  from the previous session. However, the client won’t be able
> to lock
> > > >  > >  <running> until after the timeout, at which point <running>
> reverts but
> > > >  > >  <candidate> still represents the previous session. If the
> client tries
> > > >  > >  to lock <candidate> after the timeout, <running> will have
> reverted and
> > > >  > >  the lock will only be granted after a <discard-changes> which
> will cause
> > > >  > >  the <candidate> to revert. So, depending on when the lock on
> <candidate>
> > > >  > >  occurs relative to the confirmed commit timeout, the client
> could be
> > > >  > >  editing <candidate> in one of two states. Further, before the
> timeout on
> > > >  > >  the confirmed commit, even if the new client has locked
> candidate, the
> > > >  > >  original client could still issue a confirming commit (they
> don’t need a
> > > >  > >  lock on <candidate> to do so) which would persistently commit
> any edits
> > > >  > >  made by the new client. NOTE: it is not the use of the
> persist-id that
> > > >  > >  introduces this behaviour; a new client would have the same
> problem even
> > > >  > >  if a confirmed commit was not intended to persist beyond a
> session
> > > >  > >  termination.
> > > >  > >
> > > >  > >  If the server also supports the :startup capability then, if
> the session
> > > >  > >  termination was due to the server rebooting, the behaviour
> above would
> > > >  > >  be further complicated by <running> now containing the
> configuration
> > > >  > >  from the <startup> configuration datastore.
> > > >  > >
> > > >  > >  Am I right?
> > > >  > >
> > > >  > >  Jonathan
> > > >  > >
> > > >  > >  ---
> > > >  > >  This email has been checked for viruses by Avast antivirus
> software.
> > > >  > >  https://www.avast.com/antivirus
> > > >  >
> > > >  > >  _______________________________________________
> > > >  > >  Netconf mailing list
> > > >  > >  Netconf@ietf.org
> > > >  > >  https://www.ietf.org/mailman/listinfo/netconf
> > > >  >
> > > >  >
> > > >  > --
> > > >  > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > >  > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen |
> Germany
> > > >  > Fax:   +49 421 200 3103         <
> https://www.jacobs-university.de/>
> > >
> > > --
> > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> >
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>