IETF Logo Mail Archive

Re: [netmod] system configuration sync mechanism

Andy Bierman <andy@yumaworks.com> Wed, 04 August 2021 13:59 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99EB13A1B82 for <netmod@ietfa.amsl.com>; Wed, 4 Aug 2021 06:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2_zjH5I8Vz1 for <netmod@ietfa.amsl.com>; Wed, 4 Aug 2021 06:59:10 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 543863A171E for <netmod@ietf.org>; Wed, 4 Aug 2021 06:59:10 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id y34so4581578lfa.8 for <netmod@ietf.org>; Wed, 04 Aug 2021 06:59:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=eBvsHjBPCt67BUP/3ViAohO6DUOE2miDFJblK5ZTnfo=; b=XQJyX2kFvpc3Hf0l+52GL8mCDUbggbJdUai6obSTZXWXRWBveynhBaCDoOxeI6LL7p 8CA5H2W20kzacUtUFF5ShKa+t62C6UamVckptBCIlsE7q/wc023ocKQSLztXuFrgVGhS 9JqtCbg00MgqnWDSdEXWGwIdYwS8rSotebFqWWJ8jCQofP6AMzjyvUy0Kc19xnpp/nZf 2InAZ5en9GJec7t7J7qGoTZK6/zDV0lcmTZ9DH90pAEun+yVGnd2S3U6xmN3ReqcO5bR aawip0rUWw3bEcPMzn7CW7+ArU8DZgYH+I97/NGSUsVrYODY6nuGbR5U1LHHR90a4olz dmNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=eBvsHjBPCt67BUP/3ViAohO6DUOE2miDFJblK5ZTnfo=; b=clvSQygXnE9uzfsaEgRbx0iNlzA5lSZo4gmQKvGhns8fUtIFmYV1WLkWiNH8FHzlWA L7XWSeAbIZ7CKqDUkGfpZ7cUetwe7QKumclRA6K1h8ZHZkHX8RGZLN1e6G5FBLcp83gM t8Xn2+haWqK7h08BA0xbe3h6/C6JTY8tcolIi4Nq67FkCZu4oegrUT25NZL20N5WMO+w EfAUWfd301CuF3gCbKhXOFIhXaRiH9bQ5lDB7Dv0dFcSSjhKVgdSyhbZ8xvUrrToxNbc 3D9CKRWI9IceENiChC9QfqJahc7tcGw28ViATprFCN1OyWFPfwA6FZ5nOk4GmYGCVWTt E0cQ==
X-Gm-Message-State: AOAM5315n66GtqmnWTlKNqXMmTcKgyOn6DHrdG+HEmN5k87dOctZxzXg lBCPsGoN5mBy+cS8TUXs9GsZFHY15mh8JHzQKP4ZUg==
X-Google-Smtp-Source: ABdhPJxmUmp7TbIlNDTYZJZGtim7tQFStkjgEXlcbGhvTYBhxZdsbUoB1sSpxLNrc1yDFus4RWPYIymiomCj7El4Te0=
X-Received: by 2002:a05:6512:3253:: with SMTP id c19mr20502815lfr.568.1628085546899; Wed, 04 Aug 2021 06:59:06 -0700 (PDT)
MIME-Version: 1.0
References: <CABCOCHR+E7uh5EOxXaMaFEBb-Oi0U_4G41Z=Jwk3mUAcodnAPg@mail.gmail.com> <0100017b1128b30f-fe4c9258-3392-476a-ae21-604d2a80f523-000000@email.amazonses.com> <20210804133956.p73si5f63t4esmcj@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210804133956.p73si5f63t4esmcj@anna.jacobs.jacobs-university.de>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 04 Aug 2021 06:58:55 -0700
Message-ID: <CABCOCHSmHOQnSXwfHVr8p=2Xx8ERThtAtVk8iWgYObqNuqfo4Q@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent@watsen.net>, Andy Bierman <andy@yumaworks.com>, NetMod WG <netmod@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aff43405c8bc34f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/xw-zcsPqJYAgAKJRf57Z1uPh0tw>
Subject: Re: [netmod] system configuration sync mechanism
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2021 13:59:16 -0000

On Wed, Aug 4, 2021 at 6:39 AM Jürgen Schönwälder <
j.schoenwaelder@jacobs-university.de> wrote:

> The figure in RFC 8342 section 5 documents what was agreed upon
> before. System configuration flows into <operational> but not upwards
> into <running>. Over the years, we discussed several corner cases
> (including things like configuring a new user and the system
> automatically assigns an unused uid, which afterwards needs to be kept
> stable). While there are for sure tricky corner cases, I am not
> convinced that the model defined in RFC 8342 for the general cases is
> wrong and that merging a new system datastore into <running> is the
> right approach. If people want to change the model documented in RFC
> 8342, then they should make an explicit statement about this and
> provide strong reasons that the model is flawed or incomplete.
>
> Note that the model does allow having a system client merging config
> into <running> (ideally controlled by an ACM so that such a client can
> be turned off if it leads to surprises).
>


This is a solved problem in proprietary ways.  It is simple to treat system
config
as an access control issue.

I am quite concerned that NMDA is getting extended in ways that lead to
confusion and poor interoperability.  Adding a new datastore is very
serious.
IMO ANY new datastore (even factory default) should be standardized in
a new version of NMDA (replacing RFC 8342).

A datastore has a lot of baggage
   - YANG library
   - YANG XPath evaluation
   - subtree and XPath filtered retrieval
   - usage in RPC operations (ds:datastore data type parameter)

Every time a datastore is added, all the existing RPC operations that use
datastores need to be clarified wrt/ support for the new datastore.
(Of course this is never done, leading to lots of interoperability issues)

I am quite confused by the XPath discussions because XPath can only
access existing nodes (i.e. the "accessible tree")
https://datatracker.ietf.org/doc/html/rfc7950#section-6.4.1

So what does it mean for the system datastore to contain possible values
that
cannot be represented in <operational>? The accessible tree cannot include
these values, so XPath-based validation cannot use them.



> /js
>
>

Andy



> On Wed, Aug 04, 2021 at 12:34:45PM +0000, Kent Watsen wrote:
> >
> > I am confused by the confusion  ;)
> >
> > You all know that JUNOS implemented this concept before YANG was even a
> thing, right?
> >
> > Admittedly, it’s not a “datastore“, but flexing the NMDA is where we can
> do better.
> >
> > A “with-system” mechanism could also work.  The only downside is the
> inability for a client to get only the system configuration, without the
> rest of <running>.
> >
> > Please stop stating/suggesting “config true” nodes are referencing
> “config false” nodes,  or that config is referencing operational state.
> There is no intention to break either of these tenants here.
> >
> > I think that some folks just joined the conversation and may have missed
> out when we covered all this before.
> >
> > The draft needs to be updated to more clearly identify the goals.
> >
> > K.
> >
> >
> >
> > _______________________________________________
> > netmod mailing list
> > netmod@ietf.org
> > https://www.ietf.org/mailman/listinfo/netmod
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>

v2.23.0 | Report a Bug | By Email