[Netconf] Is there a problem with confirmed commits?

"Jonathan Hansford" <jonathan@hansfords.net> Mon, 14 January 2019 12:50 UTC

Return-Path: <jonathan@hansfords.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A9B50129BBF for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 04:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.091
X-Spam-Status: No, score=-0.091 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hansfords.net
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id j29wWHuUWQxP for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 04:50:34 -0800 (PST)
Received: from mail.myfast.site (mail.myfast.site []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E93C8131060 for <netconf@ietf.org>; Mon, 14 Jan 2019 04:50:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hansfords.net; s=default; h=Content-Type:Mime-Version:Reply-To:Message-Id: Date:Subject:To:From:Sender:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=XCXNnEfJDHDiBu98EPyx94TQCDWt6fHkF1lxASQWvPg=; b=G5f/7AVKS5a2EnhE9O5b7ZIf9Y LpPyv4ZYubRyToPVPnhCiArqSkQXpz0boETTLzifun2CjF3rrgQ7jIcjkAMFtldgwZu3EOftfGPuf Pbms9nY7tF8DvtlYm28ii/pB7zQ8H8A7AnHM6ILvcJ6Q31SNuV5gW1VqUaVNTh+3UzOAAEeJ+UXhK lKMg3vMeoGQSnPrjlx/f7XWIHE7zgRSaY9lp79sA0EiWsM1a8uy5UrnCUROKVdvHOUsapXT3jI/T4 MHJtoIHeK7+vQmQz/UT5k9sezzoYtX9yK8oslQQ+G8igwjcbAzT1gzD96yrPA256OWkmV6Ga9cNe4 w8gb/WMQ==;
Received: from [] (port=49676 helo=[]) by mail.myfast.site with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <jonathan@hansfords.net>) id 1gj1hH-00FsDh-PV for netconf@ietf.org; Mon, 14 Jan 2019 12:50:31 +0000
From: "Jonathan Hansford" <jonathan@hansfords.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 14 Jan 2019 12:50:38 +0000
Message-Id: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus>
Reply-To: "Jonathan Hansford" <jonathan@hansfords.net>
User-Agent: eM_Client/7.2.34062.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB1F53A85D-C947-40D0-9D1A-CFDCDC8BD38D"
X-Antivirus: Avast (VPS 190114-0, 14/01/2019), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.myfast.site
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hansfords.net
X-Get-Message-Sender-Via: mail.myfast.site: authenticated_id: jonathan@hansfords.net
X-Authenticated-Sender: mail.myfast.site: jonathan@hansfords.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Qir0ilcwkK5VGavWef8cI9ebK4M>
Subject: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 12:50:37 -0000


No one seems to be responding to my email and proposed erratum around 
the subject of confirmed commits (apart from Martin), but I would really 
like to know it I am missing something here. As far as I can tell, 
session termination during a confirmed commit leads to unpredictable 
behaviour and I would like to know whether anyone is using confirmed 
commits and how (if at all) they address the issues outlined below. My 
assumptions are that locks are used and :writable-running is not 

If the <candidate> and <running> configuration datastores are locked to 
prevent concurrent access, and a confirmed commit sequence is 
interrupted by the session terminating, the locks will automatically be 
released but the server MUST NOT accept a lock on <running> from any 
session if another session has an ongoing confirmed <commit>. 
Consequently, after session termination no client can acquire a <lock> 
on <running>, not even the one that initiated the confirmed <commit>, 
until after the confirmed <commit> has timed out. However, if the 
confirmed <commit> included the <persist> parameter, the original client 
could still issue a <commit> using the persist-id to complete the 
sequence prior to the timeout, even without a lock.

Of course, the problem now is the race for the new lock on <candidate>. 
If the original client is successful then all is good. But if a new 
client locks <candidate> before the timeout on the confirmed commit, 
whether or not they precede <lock> with <discard-changes>, <candidate> 
will be the same as <running> and the new client will pick up everything 
from the previous session. However, the client won’t be able to lock 
<running> until after the timeout, at which point <running> reverts but 
<candidate> still represents the previous session. If the client tries 
to lock <candidate> after the timeout, <running> will have reverted and 
the lock will only be granted after a <discard-changes> which will cause 
the <candidate> to revert. So, depending on when the lock on <candidate> 
occurs relative to the confirmed commit timeout, the client could be 
editing <candidate> in one of two states. Further, before the timeout on 
the confirmed commit, even if the new client has locked candidate, the 
original client could still issue a confirming commit (they don’t need a 
lock on <candidate> to do so) which would persistently commit any edits 
made by the new client. NOTE: it is not the use of the persist-id that 
introduces this behaviour; a new client would have the same problem even 
if a confirmed commit was not intended to persist beyond a session 

If the server also supports the :startup capability then, if the session 
termination was due to the server rebooting, the behaviour above would 
be further complicated by <running> now containing the configuration 
from the <startup> configuration datastore.

Am I right?


This email has been checked for viruses by Avast antivirus software.