Re: [Netconf] Is there a problem with confirmed commits?

"Jonathan Hansford" <jonathan@hansfords.net> Mon, 14 January 2019 16:01 UTC

Return-Path: <jonathan@hansfords.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F741131107 for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:01:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hansfords.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2BkdK6f9Dak for <netconf@ietfa.amsl.com>; Mon, 14 Jan 2019 08:01:56 -0800 (PST)
Received: from mail.myfast.site (mail.myfast.site [109.203.117.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 457C7131102 for <netconf@ietf.org>; Mon, 14 Jan 2019 08:01:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hansfords.net; s=default; h=Content-Transfer-Encoding:Content-Type: Mime-Version:Reply-To:References:In-Reply-To:Message-Id:Date:Cc:Subject:To: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=mnOhuHPyxhp0L9HMCH5u+uXeLQzrkqNVwxt+6AagyMQ=; b=DzFriu3JNG1z7AI8lc6tdHl+jv u2jjr96qRcIFhpo0XyX6L5V3hlqNhJm6DrINXqnUKsljB7Awrax9AIyckSzXBRsO752tQ8MSgi19r RiiKepykQrwcHE/wJM97vgimFHnnCu2JqmDCFNWDLU94O/RvuEgihBKt8Ur0Y2ivEtSYHQqPYH4Ow QM6ytBZqpjYB9J4q5CUAN16Z/R8qbuxqsAM/Wve0EA9ZzPVGcADBZHcq42tUET+P0EbNqhhscYNA9 2CaxrNml5slBuHOd6ooeDnnRtDkBcqQyS8nkpU4pccw0yuNNiExO9x8BZTTxteyCLa+9ByaIlLXlX x5fLfslA==;
Received: from [51.52.247.166] (port=61252 helo=[172.16.1.65]) by mail.myfast.site with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <jonathan@hansfords.net>) id 1gj4gU-00GnfI-AI; Mon, 14 Jan 2019 16:01:54 +0000
From: "Jonathan Hansford" <jonathan@hansfords.net>
To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>
Cc: "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 14 Jan 2019 16:01:59 +0000
Message-Id: <emd3042eae-a670-4eb3-8055-5f3379acc4d8@morpheus>
In-Reply-To: <20190114154026.tbevjbcdn3oh34uz@anna.jacobs.jacobs-university.de>
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <20190114135056.t6sow7dbcyow6qcn@anna.jacobs.jacobs-university.de> <em5dfb175c-7835-43eb-a767-38e270601427@morpheus> <20190114154026.tbevjbcdn3oh34uz@anna.jacobs.jacobs-university.de>
Reply-To: "Jonathan Hansford" <jonathan@hansfords.net>
User-Agent: eM_Client/7.2.34062.0
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Antivirus: Avast (VPS 190114-0, 14/01/2019), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.myfast.site
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hansfords.net
X-Get-Message-Sender-Via: mail.myfast.site: authenticated_id: jonathan@hansfords.net
X-Authenticated-Sender: mail.myfast.site: jonathan@hansfords.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/bY9JoWDL0CLfGkzH8OLnz3U7TBM>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 16:02:00 -0000

I think the text you refer to on page 45 is open to interpretation. If a 
persistent confirmed commit has occurred then the changes have been 
committed (albeit in a confirmed commit), and the candidate and running 
configuration datastores are the same (unless and until the confirmed 
commit times out). The text depends on the definition of 'modified' (and 
how the server detects it) and 'committed'.

------ Original Message ------
From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
To: "Jonathan Hansford" <jonathan@hansfords.net>;
Cc: "netconf@ietf.org"; <netconf@ietf.org>;
Sent: 14/01/2019 15:40:26
Subject: Re: [Netconf] Is there a problem with confirmed commits?

>It seems the <candidate> datastore should not be allowed to be used as
>long as a persistent confirmed commit is still ongoing. I leave it to
>Martin to check whether this is said somewhere or an omission.
>
>In general, an application can't assume that <candidate> contains
>anything sensible. Hence, the proper way is to lock <candidate> and
>then to make sure it contains something sensible, i.e., issuing a
>discard_changes. And I think implementations should not allow an
>application to obtain a lock on <candidate> while a commit is active.
>The text on page 45 already says:
>
>       A lock MUST NOT be granted if any of the following conditions is
>       true:
>
>       [...]
>
>       *  The target configuration is <candidate>, it has already been
>          modified, and these changes have not been committed or rolled
>          back.
>
>I think this covers the case of an ongoing but not completed
>persistent confirmed commit, no?
>
>/js
>
>On Mon, Jan 14, 2019 at 03:14:02PM +0000, Jonathan Hansford wrote:
>>  If a persistent confirmed commit has not timed out, the running
>>  configuration datastore will be the same as the candidate and
>>  <discard-changes> won't change its contents. Any edit of candidate will be
>>  based on the configuration resulting from the persistent confirmed commit.
>>
>>  If the persistent confirmed commit has timed out, the running configuration
>>  datastore will have reverted and <discard-changes> will change candidate.
>>  Any edit of candidate in this case will be based on the configuration prior
>>  to the start of the persistent confirmed commit.
>>
>>  ------ Original Message ------
>>  From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
>>  To: "Jonathan Hansford" <jonathan@hansfords.net>;
>>  Cc: "netconf@ietf.org"; <netconf@ietf.org>;
>>  Sent: 14/01/2019 13:50:56
>>  Subject: Re: [Netconf] Is there a problem with confirmed commits?
>>
>>  > Hi,
>>  >
>>  > I have not yet understood where you see a problem. In general,
>>  > <candidate/> contains arbitrary stuff and hence it is the client's
>>  > responsibility to clear any arbitrary stuff found in <candidate/>
>>  > after obtaining a lock. If does not really matter whether there has
>>  > been a failed confirmed commit before or something else. I think the
>>  > general safe pattern is:
>>  >
>>  > lock(candidate)
>>  > discard_changes()
>>  > push_whatever_needed()
>>  > commit()
>>  > unlock(candidate)
>>  >
>>  > If you do a confirmed commit and the session disappears, then the lock
>>  > will disappear as well. But I do not think this creates a race
>>  > condition, or I am just not yet seeing it. Perhaps it helps to write
>>  > down the sequence of actions that leads to a race.
>>  >
>>  > /js
>>  >
>>  > On Mon, Jan 14, 2019 at 12:50:38PM +0000, Jonathan Hansford wrote:
>>  > >  Hi,
>>  > >
>>  > >  No one seems to be responding to my email and proposed erratum around
>>  > >  the subject of confirmed commits (apart from Martin), but I would really
>>  > >  like to know it I am missing something here. As far as I can tell,
>>  > >  session termination during a confirmed commit leads to unpredictable
>>  > >  behaviour and I would like to know whether anyone is using confirmed
>>  > >  commits and how (if at all) they address the issues outlined below. My
>>  > >  assumptions are that locks are used and :writable-running is not
>>  > >  supported.
>>  > >
>>  > >  If the <candidate> and <running> configuration datastores are locked to
>>  > >  prevent concurrent access, and a confirmed commit sequence is
>>  > >  interrupted by the session terminating, the locks will automatically be
>>  > >  released but the server MUST NOT accept a lock on <running> from any
>>  > >  session if another session has an ongoing confirmed <commit>.
>>  > >  Consequently, after session termination no client can acquire a <lock>
>>  > >  on <running>, not even the one that initiated the confirmed <commit>,
>>  > >  until after the confirmed <commit> has timed out. However, if the
>>  > >  confirmed <commit> included the <persist> parameter, the original client
>>  > >  could still issue a <commit> using the persist-id to complete the
>>  > >  sequence prior to the timeout, even without a lock.
>>  > >
>>  > >  Of course, the problem now is the race for the new lock on <candidate>.
>>  > >  If the original client is successful then all is good. But if a new
>>  > >  client locks <candidate> before the timeout on the confirmed commit,
>>  > >  whether or not they precede <lock> with <discard-changes>, <candidate>
>>  > >  will be the same as <running> and the new client will pick up everything
>>  > >  from the previous session. However, the client won’t be able to lock
>>  > >  <running> until after the timeout, at which point <running> reverts but
>>  > >  <candidate> still represents the previous session. If the client tries
>>  > >  to lock <candidate> after the timeout, <running> will have reverted and
>>  > >  the lock will only be granted after a <discard-changes> which will cause
>>  > >  the <candidate> to revert. So, depending on when the lock on <candidate>
>>  > >  occurs relative to the confirmed commit timeout, the client could be
>>  > >  editing <candidate> in one of two states. Further, before the timeout on
>>  > >  the confirmed commit, even if the new client has locked candidate, the
>>  > >  original client could still issue a confirming commit (they don’t need a
>>  > >  lock on <candidate> to do so) which would persistently commit any edits
>>  > >  made by the new client. NOTE: it is not the use of the persist-id that
>>  > >  introduces this behaviour; a new client would have the same problem even
>>  > >  if a confirmed commit was not intended to persist beyond a session
>>  > >  termination.
>>  > >
>>  > >  If the server also supports the :startup capability then, if the session
>>  > >  termination was due to the server rebooting, the behaviour above would
>>  > >  be further complicated by <running> now containing the configuration
>>  > >  from the <startup> configuration datastore.
>>  > >
>>  > >  Am I right?
>>  > >
>>  > >  Jonathan
>>  > >
>>  > >  ---
>>  > >  This email has been checked for viruses by Avast antivirus software.
>>  > >  https://www.avast.com/antivirus
>>  >
>>  > >  _______________________________________________
>>  > >  Netconf mailing list
>>  > >  Netconf@ietf.org
>>  > >  https://www.ietf.org/mailman/listinfo/netconf
>>  >
>>  >
>>  > --
>>  > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>  > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>  > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>
>--
>Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>