Re: [Netconf] Is there a problem with confirmed commits?

"Jonathan Hansford" <jonathan@hansfords.net> Mon, 14 January 2019 14:47 UTC

Return-Path: <jonathan@hansfords.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDA1A12D4EC for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 06:47:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hansfords.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqZ-xQl0ATZs for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 06:47:09 -0800 (PST)
Received: from mail.myfast.site (mail.myfast.site [109.203.117.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3652C128CF2 for <netconf@ietf.org>; Mon, 14 Jan 2019 06:47:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hansfords.net; s=default; h=Content-Type:Mime-Version:Reply-To:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SIfjJCVnZmYsnoXknW31E4gQ0swyi5/57expjIswMIg=; b=abxqCCrSDOzFdUj6sp31afGqn bE1zqYr+CQ6n+YGye7iiX1kMq/zmUl2swj4wRFEGIYxTbFyLNFeZvUTLSxyVk0+7alAz79YjieaQG iD6aUir1fMs5ZJlwLMiqhePz3z/kgPd2KYa8pYXQkFmE1HFr5Gq294U5nGcNEpCzQibe/nwujC53U nVOHdWWijQuztO5Ie0An5PXdc2wZbfrKKmx08z/VXdF59Ba6NG1W5hQYiLLVbGD+5Dg6QPdpcENeu UK6mFtYjJos5XeNHOYU0UuZiKIdF+R7c4143MqoOmRAIDVARKeq57+5mCNvQ0bMdMYo76D6Dm1s/E 3QcbZ1lvA==;
Received: from [51.52.247.166] (port=50648 helo=[172.16.1.65]) by mail.myfast.site with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <jonathan@hansfords.net>) id 1gj3W7-00GRHK-MJ for netconf@ietf.org; Mon, 14 Jan 2019 14:47:07 +0000
From: "Jonathan Hansford" <jonathan@hansfords.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 14 Jan 2019 14:47:14 +0000
Message-Id: <em074e85b0-0b46-4b04-b6c4-5ea64a0f328b@morpheus>
In-Reply-To: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus>
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus>
Reply-To: "Jonathan Hansford" <jonathan@hansfords.net>
User-Agent: eM_Client/7.2.34062.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB75A471B5-D2C9-4154-AB08-3AF25EFEFCEC"
X-Antivirus: Avast (VPS 190114-0, 14/01/2019), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.myfast.site
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hansfords.net
X-Get-Message-Sender-Via: mail.myfast.site: authenticated_id: jonathan@hansfords.net
X-Authenticated-Sender: mail.myfast.site: jonathan@hansfords.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/EZN3Sik7Np2fMJUOzcdjThgcRkk>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 14:47:12 -0000

RFC 6241, Section 8.2.4.1 states, 'If the running or candidate 
configuration is currently locked by a different session, the <commit> 
operation MUST fail with an <error-tag> value of "in-use".' So if the 
new client acquires a lock on <candidate>, the original client cannot 
<commit> to <running>. So that fixes one of the issues below.

Section 8.3.5.2 states, 'When a client fails with outstanding changes to 
the candidate configuration, recovery can be difficult.  To facilitate 
easy recovery, any outstanding changes are discarded when the lock is 
released, whether explicitly with the <unlock> operation or implicitly 
from session failure.' So this means <candidate> would revert. Section 
8.4.1 also states, 'If the device reboots for any reason before the 
confirm timeout expires, the server MUST restore the configuration to 
its state before the confirmed commit was issued.' However, earlier in 
Section 8.4.1 it states, 'If the session issuing the confirmed commit is 
terminated for any reason before the confirm timeout expires, the server 
MUST restore the configuration to its state before the confirmed commit 
was issued, unless the confirmed commit also included a <persist> 
element.', Section 8.4.5.1 states the persist parameter makes 'the 
confirmed commit survive a session termination, and set a token on the 
ongoing confirmed commit' and its description in Appendix C states, 
'This parameter is used to make a confirmed commit persistent.  A 
persistent confirmed commit is not aborted if the NETCONF session 
terminates.  The only way to abort a persistent confirmed commit is to 
let the timer expire, or to use the <cancel-commit> operation.'

So it is the persist-id that is the cause of all the problems, not just 
the use of confirmed commit as I previously stated. But is there a way 
to resolve the outstanding issues around the use of the persist-id?

Thanks

------ Original Message ------
From: "Jonathan Hansford" <jonathan@hansfords.net>;
To: "netconf@ietf.org"; <netconf@ietf.org>;
Sent: 14/01/2019 12:50:38
Subject: [Netconf] Is there a problem with confirmed commits?

>Hi,
>
>No one seems to be responding to my email and proposed erratum around 
>the subject of confirmed commits (apart from Martin), but I would 
>really like to know it I am missing something here. As far as I can 
>tell, session termination during a confirmed commit leads to 
>unpredictable behaviour and I would like to know whether anyone is 
>using confirmed commits and how (if at all) they address the issues 
>outlined below. My assumptions are that locks are used and 
>:writable-running is not supported.
>
>If the <candidate> and <running> configuration datastores are locked to 
>prevent concurrent access, and a confirmed commit sequence is 
>interrupted by the session terminating, the locks will automatically be 
>released but the server MUST NOT accept a lock on <running> from any 
>session if another session has an ongoing confirmed <commit>. 
>Consequently, after session termination no client can acquire a <lock> 
>on <running>, not even the one that initiated the confirmed <commit>, 
>until after the confirmed <commit> has timed out. However, if the 
>confirmed <commit> included the <persist> parameter, the original 
>client could still issue a <commit> using the persist-id to complete 
>the sequence prior to the timeout, even without a lock.
>
>Of course, the problem now is the race for the new lock on <candidate>. 
>If the original client is successful then all is good. But if a new 
>client locks <candidate> before the timeout on the confirmed commit, 
>whether or not they precede <lock> with <discard-changes>, <candidate> 
>will be the same as <running> and the new client will pick up 
>everything from the previous session. However, the client won’t be able 
>to lock <running> until after the timeout, at which point <running> 
>reverts but <candidate> still represents the previous session. If the 
>client tries to lock <candidate> after the timeout, <running> will have 
>reverted and the lock will only be granted after a <discard-changes> 
>which will cause the <candidate> to revert. So, depending on when the 
>lock on <candidate> occurs relative to the confirmed commit timeout, 
>the client could be editing <candidate> in one of two states. Further, 
>before the timeout on the confirmed commit, even if the new client has 
>locked candidate, the original client could still issue a confirming 
>commit (they don’t need a lock on <candidate> to do so) which would 
>persistently commit any edits made by the new client. NOTE: it is not 
>the use of the persist-id that introduces this behaviour; a new client 
>would have the same problem even if a confirmed commit was not intended 
>to persist beyond a session termination.
>
>If the server also supports the :startup capability then, if the 
>session termination was due to the server rebooting, the behaviour 
>above would be further complicated by <running> now containing the 
>configuration from the <startup> configuration datastore.
>
>Am I right?
>
>Jonathan
>
>
>--------------------------------------------------------------------------------
>Avast logo
><https://www.avast.com/antivirus>
>				This email has been checked for viruses by Avast antivirus 
>software. 				
>www.avast.com <https://www.avast.com/antivirus>
>
>
><#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus