Re: [netmod] system configuration sync mechanism
Andy Bierman <andy@yumaworks.com> Wed, 04 August 2021 03:48 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA15F3A0688 for <netmod@ietfa.amsl.com>; Tue, 3 Aug 2021 20:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yZyZ6vxE_2Oh for <netmod@ietfa.amsl.com>; Tue, 3 Aug 2021 20:48:53 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F00903A0659 for <netmod@ietf.org>; Tue, 3 Aug 2021 20:48:52 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id a7so969607ljq.11 for <netmod@ietf.org>; Tue, 03 Aug 2021 20:48:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eFv0q0KY5ImPqjzgdfMTQz3rhDwkvVCPMA3YjjPMbxs=; b=xF5Kg87rpxiR2toz4tF2TC53RuloAgOqpQvpDVzXs7Qhmp6rrJhGa2yADrWzQu9VSv s87btYrfeBeC/SdDmdandjHs0cYyDAWZGus7dImsoF4BfsQLiZZmJXYOqH432V1VQmI0 dNrrAx4sCyOwA8PjQFvJ+1h9JLJlb3NVl+qI+V4ukZ3NXBeKKklWAeCbfAQHkyZnPpw1 C0vtAX34gUh4rFs4RrfWaEhRZSPMR3BoPOoNSHShDD0CYuSiBBgf2VxgVnvFfKWuNZ1C 9p36PKd1pLoqTReENkxkmCqdlWTYH2Izzk0g/mDNVCJTCzJBtRMn7YAI6bAHp5KtJBa8 XCBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eFv0q0KY5ImPqjzgdfMTQz3rhDwkvVCPMA3YjjPMbxs=; b=RK0zEDtbhbz7YqYPID/BXAISllKiSHBB7Clm2MolvIhGVVxKypsx6sotz22hz6kzi/ kVrO1lQ8GN1UlsFZwLAC05cZ3N1hBfBLdj8n79x7pGrLYt/tzomMHngn3iFbWtQTG9zu SE6+Zqx13XZLkhGNY9Hu5jlf8MQCNSb5fDrHvquBiqCi7hG8YoscNIcWXy2Z9dvnEvaG jlErj8NgU8pWBJKXOmouTCSz4vFiEZ4NGgabozkgT2YTv/YMSDA9wIulIxjP565c44ZG 4HjgS893ZGKTnofT4tO8zkk9WNRDmqVLx+6D03BCzYK7Eb/uX30zkuzbXpLgUGeErSwp AKxQ==
X-Gm-Message-State: AOAM530lGK9gvbyTsOQlBGm9Um8yuEciyzHc3fz7iFtqa7Mi6euXV9rY YhprDoI7oIiPp0KNu28FIlxPe+tdCoQ+34Gd1J3L/g==
X-Google-Smtp-Source: ABdhPJzaXZ2eGHi+CoCXmLU3hAlujzvmdUbKaWal9E66L14l5lqRKXIP/8K31/1cNsKyqHGqzBfKsjD1CyVmz5rDuxw=
X-Received: by 2002:a05:651c:1792:: with SMTP id bn18mr17380151ljb.325.1628048930457; Tue, 03 Aug 2021 20:48:50 -0700 (PDT)
MIME-Version: 1.0
References: <7a1838a8d89d4de7b36e08c66f6d7c0c@huawei.com>
In-Reply-To: <7a1838a8d89d4de7b36e08c66f6d7c0c@huawei.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 03 Aug 2021 20:48:39 -0700
Message-ID: <CABCOCHR+E7uh5EOxXaMaFEBb-Oi0U_4G41Z=Jwk3mUAcodnAPg@mail.gmail.com>
To: "maqiufang (A)" <maqiufang1@huawei.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002d6af205c8b3ae73"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/VBb0MXmRbV53RSq0vWlsrKorNr0>
Subject: Re: [netmod] system configuration sync mechanism
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2021 03:48:59 -0000
Hi, I do not agree that a new datastore is needed to supposedly retrieve the system created nodes that exist (already supported by get-data) or the nodes that could be created by the server but do not currently exist. The <config> element is way too simplistic to represent all the real-world possibilities. Current XPath procedures define several contexts for evaluating expressions. None of these procedures support an additional <system> datastore that is somehow merged with the other datastores for XPath purposes. YANG 1.1 does not support this proposal at all. Andy On Tue, Aug 3, 2021 at 8:34 PM maqiufang (A) <maqiufang1@huawei.com> wrote: > Hi, Andy, > > > > Apologize for my chiming in. Please see my reply inline. > > > > *From:* netmod [mailto:netmod-bounces@ietf.org] *On Behalf Of *Andy > Bierman > *Sent:* Wednesday, August 4, 2021 1:11 AM > *To:* Fengchong (frank) <frank.fengchong@huawei.com> > *Cc:* Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>; > netmod@ietf.org > *Subject:* Re: [netmod] 答复: system configuration sync mechanism > > > > > > > > On Tue, Aug 3, 2021 at 12:34 AM Fengchong (frank) < > frank.fengchong@huawei.com> wrote: > > Hi juergen, > Please see my comments inline. > > /frank > > -----邮件原件----- > 发件人: Jürgen Schönwälder [mailto:j.schoenwaelder@jacobs-university.de] > 发送时间: 2021年8月3日 12:15 > 收件人: Fengchong (frank) <frank.fengchong@huawei.com> > 抄送: Andy Bierman <andy@yumaworks.com>; Kent Watsen <kent+ietf@watsen.net>; > Balázs Lengyel <balazs.lengyel=40ericsson.com@dmarc.ietf.org>; > netmod@ietf.org > 主题: Re: [netmod] 答复: system configuration sync mechanism > > On Tue, Aug 03, 2021 at 01:45:40AM +0000, Fengchong (frank) wrote: > > Hi andy and all. > > > > I don’t think get-data with origin can solve the issues below: > > > > > > 1. Some leafs like interface type CAN NOT be modified by user, but > can be referenced by other config nodes(e.g. using leafref or occur in > when/must). The validation will be fail if these leafs are not be > configured by user now explicitly (we assume these leafs are optional and > no default value). > > The interface type in the RFC 8343 module is config true. YANG does not > allow you to refer to config false nodes in constraints that apply to > config true nodes. A core principle is that the content of a configuration > datastore can be validated without knowing the actual state of the system. > > Frank: yes, interface type is a config node, but it isn't allow to be > modified. If a config node reference if-type, in order to validate data > successfully ,user must have to config if-type with determined value again. > For example, user must config if-type with 'ethernet' for ethernet0/0/1. I > don't think it makes sense. The if-type has been created by system, when > running config is merged to <operational>, it can work and the validation > is successful. If you think running datastore is self-contained, I will > think the system configuration should be imported to running datastore > automatically to ensure successful validation > > > > > > I doubt another rewrite of ietf-interfaces would gain much support. > > > > There are many objects that have user access restrictions that are not > standardized > > with machine-readable statements. I am interested in the 2 use cases that > Balazs described. > > The system does its own access control (not NACM) wrt/ these objects. The > server just > > rejects the edit requests, even though the standard YANG indicates it > should be writable. > > Some standard extensions to tag the data would help applications better > predict server behavior. > > > > There is no way in YANG 1.1 to have a config=true node reference > config=false in the XPath. > > (Well, we implement it but the developer has to enable it). > > > > I do not see the point of the system datastore if it contains config=true > nodes, > > just so that XPath can reference it. I do not agree that it is useful or > easy to implement, > > especially since the contents of <system> are visible in <intended>. > Representing the possible > > instances is non-trivial (e.g. pattern allowed, not a fixed name, > resulting in 6 million possible values). > > *[Qiufang Ma] I don’ t see any system configuration handling behavior > standards in non-NMDA; NMDA defines that system configuration should only > be included in <operational>. I think it necessary to distinguish between > system configuration and operational state.* > > *Since there may be some requirements to reference the system > configuration, it doesn’t seem sensible to treat system configuration as > operational state. I don’t think retrieval from <operational> should be the > only way to get system configurations, given the definition of operational > datastore.* > > *That is to say, <operational> contains all applied configurations which > go through configuration combination and template expansion. Only the > system configurations which take effect are included and will be tagged as > “origin=intended” once being referenced in <running>. I believe there would > be a need to get the pure system configurations regardless of whether being > applied or not.* > > > > If the system datastore contains config=false nodes, then you are talking > about a rewrite > > of the YANG validation architecture and a new version of YANG. IMO there > is no need for that. > > *[Qiufang Ma] I don’t think <system> would contain config=false nodes. A > rewrite of the YANG validation architecture and a new version of YANG are > not our > intention. > * > > > > Best Regards, > > Qiufang Ma > > > > > > Andy > > > > > > > 2. Some instances are generated by system, but these instances can > be referenced by other config nodes. The validation must be fail if these > instances are not be recreated by user explicitly now. > > Yes, a configuration datastore is self-contained. If a client wants to > configure the interface x, it has to define the interface x in the > configuration. Note that this should not be confused with a system > generating an interface x after probing the hardware. Note the difference > between operational state, applied config, and running config. > > Frank: for example , predefined policies are provided by system, user > configuration can reference these predefined policy directly. but because > predefined policies are not configured by user explicitly, the validation > will be fail. If you want to get a successful validation , user MUST have > to redefined the system predefined policies. > So, system predefined data are useless. I think it is unreasonable. > > > > Let me add that the underlying model is that the client(s) have control > over the configuration. A system making ad-hoc changes to the config (even > with the best intentions) will be surprising. In this model, the only way > to inject config into running on system boot is to have a client making > changes to running following the normal procedures - at least conceptually. > This means that conceptually the other clients need to be aware that there > is a system client injecting configuration. > > If you follow this logic, it seems wrong to define a system datastore that > is somehow magically merged into running - and it is not needed. > > Frank: system configuration not only includes some instances generated on > reboot time, but also includes the configuration when hardware is plugged > in, or a function is enabled (for example, in huawei's implementation, when > QOS function is enabled, many qos predefined policies are created by > system) or a user-created list instance is created, some leafs' value will > be created by system. So , we need a system datastore to hold these > configuration. > > > 3. User may need know what the original system configuration is, > if we get data from <operational>, you may get the modified system > configuration.(for example, user modify or template is expanded, or only > active instances) > > If you have multiple clients managing shared configuration, then yes it is > good if they are aware of what is going on. I am not sure yet that exposing > other clients intentions via additional datastores and defining merge > mechanisms and semantics is the way to go. > > > I don’t care about whether system datastore is imported to running or > intended datastores. But I think if a config node reference a system node, > the validation (running or intended datastores) will be successful even if > the system node is not configured by user explicitly. > > I am concerned about having to define what "is imported" means precisely > and whether moving to a model multiple datastores have to be merged before > validation is the way to go. We already acknowledged that there are > template expansions in some implementations without working out how they > work. > > > Especially on the client side, if a client need validate all data > retrieved from server, the validation SHOULD be successful. If system > configuration are not imported to running, at a minimum, the client needs > to know what the original system configuration is. Another way is adding > with-system-used parameter to get-config operation to retrieved all user > configuration and system configuration referenced by user configuration. > > Let me repeat, in the original model, the running configuration datastore > is self-contained and can be validated without knowing additional > datastores. > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <https://www.jacobs-university.de/> > >
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism maqiufang (A)
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism maqiufang (A)
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism maqiufang (A)
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism maqiufang (A)
- Re: [netmod] system configuration sync mechanism Balázs Lengyel
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Kent Watsen
- [netmod] 答复: system configuration sync mechanism Fengchong (frank)
- Re: [netmod] 答复: system configuration sync mechan… Jürgen Schönwälder
- [netmod] 答复: 答复: system configuration sync mechan… Fengchong (frank)
- Re: [netmod] 答复: 答复: system configuration sync me… Jürgen Schönwälder
- Re: [netmod] 答复: system configuration sync mechan… Andy Bierman
- [netmod] 答复: 答复: system configuration sync mechan… Fengchong (frank)
- Re: [netmod] system configuration sync mechanism maqiufang (A)
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Jürgen Schönwälder
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Qin Wu
- Re: [netmod] system configuration sync mechanism Kent Watsen
- Re: [netmod] system configuration sync mechanism Andy Bierman
- Re: [netmod] system configuration sync mechanism Jan Lindblad (jlindbla)
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netmod] system configuration sync mechanism Sterne, Jason (Nokia - CA/Ottawa)