Re: [Netconf] Is there a problem with confirmed commits?

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Mon, 14 January 2019 16:19 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62618131054 for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXlccrD6hPft for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:19:24 -0800 (PST)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD0F1130FEB for <netconf@ietf.org>; Mon, 14 Jan 2019 08:19:23 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 9D3C1F85; Mon, 14 Jan 2019 17:19:22 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id XSa08BY9Bu5U; Mon, 14 Jan 2019 17:19:22 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Mon, 14 Jan 2019 17:19:22 +0100 (CET)
Received: from localhost (demetrius2.jacobs-university.de [212.201.44.47]) by hermes.jacobs-university.de (Postfix) with ESMTP id 827942004A; Mon, 14 Jan 2019 17:19:22 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius2.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id hgXQJ1L0nSzc; Mon, 14 Jan 2019 17:19:21 +0100 (CET)
Received: from exchange.jacobs-university.de (SXCHMB02.jacobs.jacobs-university.de [10.70.0.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "exchange.jacobs-university.de", Issuer "DFN-Verein Global Issuing CA" (verified OK)) by hermes.jacobs-university.de (Postfix) with ESMTPS id 8A10B20045; Mon, 14 Jan 2019 17:19:21 +0100 (CET)
Received: from anna.localdomain (10.50.218.117) by sxchmb03.jacobs.jacobs-university.de (10.70.0.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1591.10; Mon, 14 Jan 2019 17:19:20 +0100
Received: by anna.localdomain (Postfix, from userid 501) id 848EC3005A2FB8; Mon, 14 Jan 2019 17:19:19 +0100 (CET)
Date: Mon, 14 Jan 2019 17:19:19 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Jonathan Hansford <jonathan@hansfords.net>
CC: Robert Wilton <rwilton@cisco.com>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20190114161919.wlc7kfogae3t7n3r@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Jonathan Hansford <jonathan@hansfords.net>, Robert Wilton <rwilton@cisco.com>, "netconf@ietf.org" <netconf@ietf.org>
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <20190114135056.t6sow7dbcyow6qcn@anna.jacobs.jacobs-university.de> <em5dfb175c-7835-43eb-a767-38e270601427@morpheus> <20190114154026.tbevjbcdn3oh34uz@anna.jacobs.jacobs-university.de> <2492d27d-d64f-58bd-6006-2b10128f2813@cisco.com> <em586327fb-0cd6-4300-9bf2-3a4c22f2ae3b@morpheus>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: 8bit
In-Reply-To: <em586327fb-0cd6-4300-9bf2-3a4c22f2ae3b@morpheus>
User-Agent: NeoMutt/20180716
X-ClientProxiedBy: SXCHMB03.jacobs.jacobs-university.de (10.70.0.155) To sxchmb03.jacobs.jacobs-university.de (10.70.0.155)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/GmPLfFr96wao0prvn7SLgaCXtgs>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 16:19:26 -0000

Someone can modify candidate between your discard_changes() and
lock().  I have to check whether lock requires <candidate/> to match
<running/>.

/js

On Mon, Jan 14, 2019 at 04:05:03PM +0000, Jonathan Hansford wrote:
> And maybe a discard_changes before the lock is better behaviour (or is there
> something that prevents that?) to ensure the lock will succeed.
> 
> ------ Original Message ------
> From: "Robert Wilton" <rwilton@cisco.com>;
> To: "netconf@ietf.org"; <netconf@ietf.org>;
> Cc: "Jonathan Hansford" <jonathan@hansfords.net>;
> Sent: 14/01/2019 15:48:58
> Subject: Re: [Netconf] Is there a problem with confirmed commits?
> 
> > Hi Juergen,
> > 
> > On 14/01/2019 15:40, Juergen Schoenwaelder wrote:
> > > It seems the <candidate> datastore should not be allowed to be used as
> > > long as a persistent confirmed commit is still ongoing. I leave it to
> > > Martin to check whether this is said somewhere or an omission.
> > > 
> > > In general, an application can't assume that <candidate> contains
> > > anything sensible. Hence, the proper way is to lock <candidate> and
> > > then to make sure it contains something sensible, i.e., issuing a
> > > discard_changes.
> > 
> > But the text that you quote below states that a client cannot acquire a lock on candidate if it contains any changes.  Doesn't this implies that discard_changes after acquiring the lock should be unnecessary?
> > 
> > Thanks,
> > Rob
> > 
> > 
> > >   And I think implementations should not allow an
> > > application to obtain a lock on <candidate> while a commit is active.
> > > The text on page 45 already says:
> > > 
> > >        A lock MUST NOT be granted if any of the following conditions is
> > >        true:
> > > 
> > >        [...]
> > > 
> > >        *  The target configuration is <candidate>, it has already been
> > >           modified, and these changes have not been committed or rolled
> > >           back.
> > > 
> > > I think this covers the case of an ongoing but not completed
> > > persistent confirmed commit, no?
> > > 
> > > /js
> > > 
> > > On Mon, Jan 14, 2019 at 03:14:02PM +0000, Jonathan Hansford wrote:
> > > > If a persistent confirmed commit has not timed out, the running
> > > > configuration datastore will be the same as the candidate and
> > > > <discard-changes> won't change its contents. Any edit of candidate will be
> > > > based on the configuration resulting from the persistent confirmed commit.
> > > > 
> > > > If the persistent confirmed commit has timed out, the running configuration
> > > > datastore will have reverted and <discard-changes> will change candidate.
> > > > Any edit of candidate in this case will be based on the configuration prior
> > > > to the start of the persistent confirmed commit.
> > > > 
> > > > ------ Original Message ------
> > > > From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
> > > > To: "Jonathan Hansford" <jonathan@hansfords.net>;
> > > > Cc: "netconf@ietf.org"; <netconf@ietf.org>;
> > > > Sent: 14/01/2019 13:50:56
> > > > Subject: Re: [Netconf] Is there a problem with confirmed commits?
> > > > 
> > > > > Hi,
> > > > > 
> > > > > I have not yet understood where you see a problem. In general,
> > > > > <candidate/> contains arbitrary stuff and hence it is the client's
> > > > > responsibility to clear any arbitrary stuff found in <candidate/>
> > > > > after obtaining a lock. If does not really matter whether there has
> > > > > been a failed confirmed commit before or something else. I think the
> > > > > general safe pattern is:
> > > > > 
> > > > > lock(candidate)
> > > > > discard_changes()
> > > > > push_whatever_needed()
> > > > > commit()
> > > > > unlock(candidate)
> > > > > 
> > > > > If you do a confirmed commit and the session disappears, then the lock
> > > > > will disappear as well. But I do not think this creates a race
> > > > > condition, or I am just not yet seeing it. Perhaps it helps to write
> > > > > down the sequence of actions that leads to a race.
> > > > > 
> > > > > /js
> > > > > 
> > > > > On Mon, Jan 14, 2019 at 12:50:38PM +0000, Jonathan Hansford wrote:
> > > > > >   Hi,
> > > > > > 
> > > > > >   No one seems to be responding to my email and proposed erratum around
> > > > > >   the subject of confirmed commits (apart from Martin), but I would really
> > > > > >   like to know it I am missing something here. As far as I can tell,
> > > > > >   session termination during a confirmed commit leads to unpredictable
> > > > > >   behaviour and I would like to know whether anyone is using confirmed
> > > > > >   commits and how (if at all) they address the issues outlined below. My
> > > > > >   assumptions are that locks are used and :writable-running is not
> > > > > >   supported.
> > > > > > 
> > > > > >   If the <candidate> and <running> configuration datastores are locked to
> > > > > >   prevent concurrent access, and a confirmed commit sequence is
> > > > > >   interrupted by the session terminating, the locks will automatically be
> > > > > >   released but the server MUST NOT accept a lock on <running> from any
> > > > > >   session if another session has an ongoing confirmed <commit>.
> > > > > >   Consequently, after session termination no client can acquire a <lock>
> > > > > >   on <running>, not even the one that initiated the confirmed <commit>,
> > > > > >   until after the confirmed <commit> has timed out. However, if the
> > > > > >   confirmed <commit> included the <persist> parameter, the original client
> > > > > >   could still issue a <commit> using the persist-id to complete the
> > > > > >   sequence prior to the timeout, even without a lock.
> > > > > > 
> > > > > >   Of course, the problem now is the race for the new lock on <candidate>.
> > > > > >   If the original client is successful then all is good. But if a new
> > > > > >   client locks <candidate> before the timeout on the confirmed commit,
> > > > > >   whether or not they precede <lock> with <discard-changes>, <candidate>
> > > > > >   will be the same as <running> and the new client will pick up everything
> > > > > >   from the previous session. However, the client won’t be able to lock
> > > > > >   <running> until after the timeout, at which point <running> reverts but
> > > > > >   <candidate> still represents the previous session. If the client tries
> > > > > >   to lock <candidate> after the timeout, <running> will have reverted and
> > > > > >   the lock will only be granted after a <discard-changes> which will cause
> > > > > >   the <candidate> to revert. So, depending on when the lock on <candidate>
> > > > > >   occurs relative to the confirmed commit timeout, the client could be
> > > > > >   editing <candidate> in one of two states. Further, before the timeout on
> > > > > >   the confirmed commit, even if the new client has locked candidate, the
> > > > > >   original client could still issue a confirming commit (they don’t need a
> > > > > >   lock on <candidate> to do so) which would persistently commit any edits
> > > > > >   made by the new client. NOTE: it is not the use of the persist-id that
> > > > > >   introduces this behaviour; a new client would have the same problem even
> > > > > >   if a confirmed commit was not intended to persist beyond a session
> > > > > >   termination.
> > > > > > 
> > > > > >   If the server also supports the :startup capability then, if the session
> > > > > >   termination was due to the server rebooting, the behaviour above would
> > > > > >   be further complicated by <running> now containing the configuration
> > > > > >   from the <startup> configuration datastore.
> > > > > > 
> > > > > >   Am I right?
> > > > > > 
> > > > > >   Jonathan
> > > > > > 
> > > > > >   ---
> > > > > >   This email has been checked for viruses by Avast antivirus software.
> > > > > >   https://www.avast.com/antivirus
> > > > > >   _______________________________________________
> > > > > >   Netconf mailing list
> > > > > >   Netconf@ietf.org
> > > > > >   https://www.ietf.org/mailman/listinfo/netconf
> > > > > 
> > > > > --
> > > > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>