Re: [netmod] AD review: draft-ietf-netmod-revised-datastores-08

[Vladimir Vassilev <vladimir@transpacket.com>]

On 12/21/2017 11:34 AM, Robert Wilton wrote:

> Hi Vladimir,
>
> First point of clarification is that this is not about 
> running/intended at all.  The contents of running/intended do not 
> change in anyway depending on whether hardware is present or absent.
>
> The section is only concerned with how the configuration is applied in 
> operational, and basically says that you cannot apply configuration 
> for resources that are missing (which seems reasonable).  E.g. I 
> cannot configure an IP address on a physical interface that isn't 
> there.  Or if the physical interface gets removed then the 
> configuration associated with that interface is also removed from 
> operational.
>
> Operational isn't validated and data model constraints are allowed to 
> be broken (ideally transiently).
I want to focus on this. IMO giving up schema validitiy for any 
datastore is unacceptable price. Pre-NMDA devices had full model support 
in operational data (all YANG constrains part of the model without 
discrimination were enforced). If this is about to change it will 
compromise interoperability and a significant portion of the client 
implementation workload that can be automated will need to be coded in 
hand and tested. Unresolved leafrefs, undefined behaviour of different 
implementations removing different configuration nodes in violation of 
YANG semantic constraints (which I do not think can be so clearly 
separated from the syntactic constraints when one considers types like 
leafref, instance-identifier etc.) and the corresponding side effects 
based on the server implementators own creativity is eventually going to 
create more problems.

1. IMO the only acceptable solution is to have YANG valid operational 
datastore at all times. operational like any other datastore MUST be 
valid YANG data tree and it has to be a system implementation task to 
consider all complications resulting from the removal of the resources 
leading to any data transformations. If this is difficult or impossible 
other mechanisms to flag missing resources should be used (e.g. 
/interfaces/interface/oper-status=not-present) This sounds like a useful 
contract providing the value of a standard the alternative does not.

2. Even with the change in 1. I do not see the removal of intended 
configuration nodes from operational as a solution worth implementing on 
our servers. I do not see a real world plug-and-play scenario that can 
be automatically solved without specific additions to the models e.g. 
/interfaces/interface/oper-status=not-present is oversimplified solution 
but it needs to be extended exactly as much as the solution provided by 
the removal of config true; nodes without the sacrifice of YANG validity 
of operational.

3. Solutions like /interfaces/interface/admin-state stop working. With 
the interface removed you can no longer figure if the if-mib has or does 
not have the interface enabled so an operator has to use SNMP or wait 
for a replacement line card to be connected to figure this bit of 
information. My interpretation of the MAY as requirement level in sec. 
5.3. The Operational State Datastore (<operational>) is that 
plug-and-play solutions can be implemented without this limited approach 
that has the same problem as the pre-NMDA only now we have to have 
/interfaces-state to keep config false; data relevant to hardware that 
is configured but not present:

    configuration data nodes supported in a configuration datastore
    MAY be omitted from <operational> if a server is not able to
    accurately report them.

I realize this discussion comes late. I have stated my objections to 
this particular part of the NMDA draft earlier.

Vladimir

>   But I agree that there could be configuration that is referencing 
> those missing resources, and depending on implementation then that 
> configuration may need to become not applied as well.  Or perhaps the 
> failure is reported in a different way (e.g. IGP neighbor is down).
>
> I also agree that this is non trivial, but the systems that I am 
> familiar with have always had to deal with this issue.  At the data 
> model level I don't think that this is any more complex than the 
> existing 'when' statement processing that has exactly the same issues 
> if a "when" statement becomes invalid during a config change and 
> requires the associated configuration to be deleted (which again can 
> recursively require configuration to be removed).
>
> Alternative solutions are:
>  - mandate that nobody physically removes a linecard if there is still 
> configuration referencing it, but it is hard to enforce this in 
> software :-)
>  - freeze the config from any further changes if a linecard is removed 
> that makes the config invalid, but this doesn't seem like a robust 
> solution ...
>
> I think that the existing solution is the best approach.
>
> A couple of further comments inline below as well ...
>
> On 20/12/2017 21:44, Vladimir Vassilev wrote:
>> Hello,
>>
>> On 12/20/2017 05:40 PM, Benoit Claise wrote:
>>
>>> Dear all,
>>>
>>> In order not to be the bottleneck in the process and assuming that 
>>> the document will be in "publication requested" pretty soon, here is 
>>> my AD review of draft-ietf-netmod-revised-datastores-08
>>>
>>> -
>>>
>>>
>>>         5.3.2. Missing Resources
>>>
>>>     Configuration in <intended> can refer to resources that are not
>>>     available or otherwise not physically present.  In these 
>>> situations,
>>>     these parts of <intended> are not applied.  The data appears in
>>>     <intended> but does not appear in <operational>.
>>
>> I have some concerns with this section.
>>
>> Systems implementing this are expected to remove config true; nodes 
>> while figuring the necessary changes to ensure the remaining set of 
>> config true; nodes in operational validates against the operational 
>> datastore model. The implementation of this is not a trivial task at 
>> all. In order to remove configuration nodes considered inactive on 
>> the fly one needs to remove all references to those nodes in 
>> mandatory leafrefs in the best case and a potentially long and 
>> complex dependency chain of YANG constrain-statements (Xpath etc.) 
>> have to be resolved in a worse case. It is difficult to automate 
>> this. It requires significant effort to track and remove/fix all 
>> those dependencies just to come up with valid configuration that 
>> represents the configuration without the "inactive" nodes which in 
>> many usecases is completely unjustified implementation effort.
>>
>> In addition in many cases it is not desirable to remove config true; 
>> nodes that depended on a removed resource. For example:
>>
>> 1. A configuration instance of a filter with mandatory interface-ref 
>> ingress and egress ports has to be removed from the operational 
>> datastore if the egress port is removed as a physical resource. This 
>> in effect removes the config false; statistics that might be still of 
>> interest counting the matched traffic while the filter does not have 
>> physical egress port to send the packets.
> This isn't necessarily true.  The architecture does not require that 
> the filter object is removed because operational is allowed to violate 
> the constraints.  Ultimately I think that the behaviour here will 
> depend on implementation.
>
>>
>> 2. Alarm that is configured with mandatory reference to the missing 
>> resource containing a counter of the elapsed time since the resource 
>> went missing etc.
> Again, the draft does not require that the alarm becomes not applied.  
> This also depends on the implementation.
>
> Thanks,
> Rob
>
>
>>
>> I do not find any text in the draft addressing the concerns above. I 
>> do not propose a change yet but I hope to hear what others think 
>> about that.
>>
>> Vladimir
>>
>>> I understand what you want to say.
>>> Let me take an example. I have a router with a Line Card configured 
>>> and working well. if I remove the LC, the configuration should still 
>>> be in the <running> and <intended> but not in <operational>.
>>> However, based on figure below, the notion of "inactive" nodes might 
>>> be misleading. Indeed, people might read that the LC is inactive, so 
>>> the LC configuration should not be in <intended>
>>>       +-------------+                 +-----------+
>>>       | <candidate> |                 | <startup> |
>>>       |  (ct, rw)   |<---+       +--->| (ct, rw)  |
>>>       +-------------+    |       |    +-----------+
>>>              |           |       |           |
>>>              |         +-----------+         |
>>>              +-------->| <running> |<--------+
>>>                        | (ct, rw)  |
>>>                        +-----------+
>>>                              |
>>>                              |        // configuration transformations,
>>>                              |        // e.g., removal of "inactive"
>>>                              |        // nodes, expansion of templates
>>>                              v
>>>                        +------------+
>>>                        | <intended> | // subject to validation
>>>                        | (ct, ro)   |
>>>                        +------------+
>>> I understand that "inactive nodes" has a different meaning.
>>>
>>> Proposal:
>>> OLD: removal of "inactive" nodes
>>> NEW: removal of the nodes marked as "inactive"
>>>
>>> - In the C.1 example,
>>>     <system
>>>         xmlns="urn:example:system"
>>>         xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin">
>>>
>>>       <hostname or:origin="or:dynamic">bar</hostname>
>>>
>>>       <interface or:origin="or:intended">
>>>         <name>eth0</name>
>>>         <auto-negotiation>
>>>           <enabled or:origin="or:default">true</enabled>
>>>           <speed>1000</speed>
>>>         </auto-negotiation>
>>>         <speed>100</speed>
>>>         <address>
>>>           <ip>2001:db8::10</ip>
>>>           <prefix-length>64</prefix-length>
>>>         </address>
>>>         <address or:origin="or:dynamic">
>>>           <ip>2001:db8::1:100</ip>
>>>           <prefix-length>64</prefix-length>
>>>         </address>
>>>       </interface>
>>> I guess it "or:dynamic" should be replaced by "or:learned"
>>>
>>> Justification:
>>>
>>>       identity learned {
>>>         base origin;
>>>         description
>>>           "Denotes configuration learned from protocol interactions 
>>> with
>>>            other devices, instead of via either the intended
>>>            configuration datastore or any dynamic configuration
>>>            datastore.
>>>
>>>            Examples of protocols that provide learned configuration
>>>            include link-layer negotiations, routing protocols,_and 
>>> DHCP._";
>>>
>>> _Editorial:_
>>>
>>> - number the figures
>>>
>>> - section 8.2
>>>     This document registers two YANG modules in the YANG Module Names
>>>     registry [RFC6020 <https://tools.ietf.org/html/rfc6020>].  
>>> Following the format in [RFC6020 
>>> <https://tools.ietf.org/html/rfc6020>], the the
>>>     following registrations are requested:
>>>
>>> duplicated "the the"
>>>   Regards, Benoit (OPS AD)
>>>
>>>
>>> _______________________________________________
>>> netmod mailing list
>>> netmod@ietf.org
>>> https://www.ietf.org/mailman/listinfo/netmod
>>
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org
>> https://www.ietf.org/mailman/listinfo/netmod
>