Re: [Netconf] Is there a problem with confirmed commits?

Robert Wilton <> Mon, 14 January 2019 15:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CC0971310DC for <>; Mon, 14 Jan 2019 07:49:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -19.053
X-Spam-Status: No, score=-19.053 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A-TapWPcFPJP for <>; Mon, 14 Jan 2019 07:49:16 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6C6201310DD for <>; Mon, 14 Jan 2019 07:49:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=6983; q=dns/txt; s=iport; t=1547480955; x=1548690555; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=qPRgOyQA1n0ciBISsZUC+TlsTB2WYOXsONUIk+qKwS4=; b=IJ3ntSgwuPeiUMduC7UXHCKb9CGU5h8ahiJEhuJpAWWRtAZDt6P5Cx2R mw1huT3hObfP/Nvr7YAdOxRLC8EQSfghzbfY5bDvkdhXj9mRB8Ph8qqXJ ZVt/VhEPKpHjXZneGW2hglD0/qQfoYq9wJKWhi3ysU0jkXcS5G34+pIj7 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BDAAD3rjxc/xbLJq1bBQMZAQEBAQE?= =?us-ascii?q?BAQEBAQEBBwEBAQEBAYFlgVuBD08hEieEAYh5jG4IJXyXFIFnDRgLgVSCL0Y?= =?us-ascii?q?CgmE4EgEDAQECAQECbRwBC4VKAQEBAQIBAQEhDwEFNgsFBwICCxABBAEBAQI?= =?us-ascii?q?CJgICGwwoCAYNBgIBARuDAwGBeQgPrU6BL4VChF0FBYEGi0uBQD+BEScMgio?= =?us-ascii?q?HLoMeAQGBLgENBQEJNyaCQoJXAolSh32QNQmSAgYYihqHZYFiiBOJbYcKgV0?= =?us-ascii?q?hZXEzGggbFTuCNAougicXg0szhGGFPz8DMIghgj4BAQ?=
X-IronPort-AV: E=Sophos;i="5.56,478,1539648000"; d="scan'208";a="9378922"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jan 2019 15:48:58 +0000
Received: from [] ( []) by (8.15.2/8.15.2) with ESMTP id x0EFmw24020548; Mon, 14 Jan 2019 15:48:58 GMT
To: "" <>
References: <em106ef27b-c989-4e0b-b819-413fef852d53@morpheus> <> <em5dfb175c-7835-43eb-a767-38e270601427@morpheus> <>
From: Robert Wilton <>
Message-ID: <>
Date: Mon, 14 Jan 2019 15:48:58 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Netconf] Is there a problem with confirmed commits?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Jan 2019 15:49:19 -0000

Hi Juergen,

On 14/01/2019 15:40, Juergen Schoenwaelder wrote:
> It seems the <candidate> datastore should not be allowed to be used as
> long as a persistent confirmed commit is still ongoing. I leave it to
> Martin to check whether this is said somewhere or an omission.
> In general, an application can't assume that <candidate> contains
> anything sensible. Hence, the proper way is to lock <candidate> and
> then to make sure it contains something sensible, i.e., issuing a
> discard_changes.

But the text that you quote below states that a client cannot acquire a 
lock on candidate if it contains any changes.  Doesn't this implies that 
discard_changes after acquiring the lock should be unnecessary?


>   And I think implementations should not allow an
> application to obtain a lock on <candidate> while a commit is active.
> The text on page 45 already says:
>        A lock MUST NOT be granted if any of the following conditions is
>        true:
>        [...]
>        *  The target configuration is <candidate>, it has already been
>           modified, and these changes have not been committed or rolled
>           back.
> I think this covers the case of an ongoing but not completed
> persistent confirmed commit, no?
> /js
> On Mon, Jan 14, 2019 at 03:14:02PM +0000, Jonathan Hansford wrote:
>> If a persistent confirmed commit has not timed out, the running
>> configuration datastore will be the same as the candidate and
>> <discard-changes> won't change its contents. Any edit of candidate will be
>> based on the configuration resulting from the persistent confirmed commit.
>> If the persistent confirmed commit has timed out, the running configuration
>> datastore will have reverted and <discard-changes> will change candidate.
>> Any edit of candidate in this case will be based on the configuration prior
>> to the start of the persistent confirmed commit.
>> ------ Original Message ------
>> From: "Juergen Schoenwaelder" <>
>> To: "Jonathan Hansford" <>
>> Cc: "" <>
>> Sent: 14/01/2019 13:50:56
>> Subject: Re: [Netconf] Is there a problem with confirmed commits?
>>> Hi,
>>> I have not yet understood where you see a problem. In general,
>>> <candidate/> contains arbitrary stuff and hence it is the client's
>>> responsibility to clear any arbitrary stuff found in <candidate/>
>>> after obtaining a lock. If does not really matter whether there has
>>> been a failed confirmed commit before or something else. I think the
>>> general safe pattern is:
>>> lock(candidate)
>>> discard_changes()
>>> push_whatever_needed()
>>> commit()
>>> unlock(candidate)
>>> If you do a confirmed commit and the session disappears, then the lock
>>> will disappear as well. But I do not think this creates a race
>>> condition, or I am just not yet seeing it. Perhaps it helps to write
>>> down the sequence of actions that leads to a race.
>>> /js
>>> On Mon, Jan 14, 2019 at 12:50:38PM +0000, Jonathan Hansford wrote:
>>>>   Hi,
>>>>   No one seems to be responding to my email and proposed erratum around
>>>>   the subject of confirmed commits (apart from Martin), but I would really
>>>>   like to know it I am missing something here. As far as I can tell,
>>>>   session termination during a confirmed commit leads to unpredictable
>>>>   behaviour and I would like to know whether anyone is using confirmed
>>>>   commits and how (if at all) they address the issues outlined below. My
>>>>   assumptions are that locks are used and :writable-running is not
>>>>   supported.
>>>>   If the <candidate> and <running> configuration datastores are locked to
>>>>   prevent concurrent access, and a confirmed commit sequence is
>>>>   interrupted by the session terminating, the locks will automatically be
>>>>   released but the server MUST NOT accept a lock on <running> from any
>>>>   session if another session has an ongoing confirmed <commit>.
>>>>   Consequently, after session termination no client can acquire a <lock>
>>>>   on <running>, not even the one that initiated the confirmed <commit>,
>>>>   until after the confirmed <commit> has timed out. However, if the
>>>>   confirmed <commit> included the <persist> parameter, the original client
>>>>   could still issue a <commit> using the persist-id to complete the
>>>>   sequence prior to the timeout, even without a lock.
>>>>   Of course, the problem now is the race for the new lock on <candidate>.
>>>>   If the original client is successful then all is good. But if a new
>>>>   client locks <candidate> before the timeout on the confirmed commit,
>>>>   whether or not they precede <lock> with <discard-changes>, <candidate>
>>>>   will be the same as <running> and the new client will pick up everything
>>>>   from the previous session. However, the client won’t be able to lock
>>>>   <running> until after the timeout, at which point <running> reverts but
>>>>   <candidate> still represents the previous session. If the client tries
>>>>   to lock <candidate> after the timeout, <running> will have reverted and
>>>>   the lock will only be granted after a <discard-changes> which will cause
>>>>   the <candidate> to revert. So, depending on when the lock on <candidate>
>>>>   occurs relative to the confirmed commit timeout, the client could be
>>>>   editing <candidate> in one of two states. Further, before the timeout on
>>>>   the confirmed commit, even if the new client has locked candidate, the
>>>>   original client could still issue a confirming commit (they don’t need a
>>>>   lock on <candidate> to do so) which would persistently commit any edits
>>>>   made by the new client. NOTE: it is not the use of the persist-id that
>>>>   introduces this behaviour; a new client would have the same problem even
>>>>   if a confirmed commit was not intended to persist beyond a session
>>>>   termination.
>>>>   If the server also supports the :startup capability then, if the session
>>>>   termination was due to the server rebooting, the behaviour above would
>>>>   be further complicated by <running> now containing the configuration
>>>>   from the <startup> configuration datastore.
>>>>   Am I right?
>>>>   Jonathan
>>>>   ---
>>>>   This email has been checked for viruses by Avast antivirus software.
>>>>   _______________________________________________
>>>>   Netconf mailing list
>>> --
>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>> Fax:   +49 421 200 3103         <>