[yang-models] required service field for control plane ACL table #9294

Closed
qiluo-msft opened this issue Nov 17, 2021 · 2 comments
Description

This issue was found during `config apply-patch` development.

I see the following difference in the redis monitor log:

```
$ sudo config load -y config_add_table.json
[4 unix:/var/run/redis/redis.sock] "HMSET" "ACL_TABLE|V8_SSH_ONLY" "policy_desc" "V8_SSH_ONLY" "services@" "SSH" "stage" "ingress" "type" "CTRLPLANE"
$ sudo config apply-patch patch_add_table.json
[4 127.0.0.1:47474] "HMSET" "ACL_TABLE|V8_SSH_ONLY" "type" "CTRLPLANE"
[4 127.0.0.1:47474] "HMSET" "ACL_TABLE|V8_SSH_ONLY" "policy_desc" "V8_SSH_ONLY" "type" "CTRLPLANE"
[4 127.0.0.1:47474] "HMSET" "ACL_TABLE|V8_SSH_ONLY" "policy_desc" "V8_SSH_ONLY" "services@" "SSH" "type" "CTRLPLANE"
[4 127.0.0.1:47474] "HMSET" "ACL_TABLE|V8_SSH_ONLY" "policy_desc" "V8_SSH_ONLY" "services@" "SSH" "stage" "ingress" "type" "CTRLPLANE"
```

Checking the source code `src/sonic-host-services/scripts/caclmgrd`, it subscribes to `ACL_TABLE_TABLE` and `ACL_RULE_TABLE`. I believe the non-atomic HMSET operations issued by `config apply-patch` mess up the caclmgrd logic.


ghooo commented Nov 18, 2021

The patch-applier command produces the following steps:

```
Patch Applier: The patch was sorted into 4 changes:
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/V8_SSH_ONLY", "value": {"type": "CTRLPLANE"}}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/V8_SSH_ONLY/policy_desc", "value": "ACTRLPLANETABLE"}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/V8_SSH_ONLY/services", "value": ["SSH"]}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/V8_SSH_ONLY/stage", "value": "ingress"}]
```

Although the config on the switch is valid according to the YANG models after each of the above steps is applied, there is a problem with `src/sonic-host-services/scripts/caclmgrd`, specifically this code snippet:

```python
            # Ignore non-control-plane ACL tables
            if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
                continue

            acl_services = table_data["services"]
```

caclmgrd expects `services` to exist when the ACL type is CTRLPLANE; it does not do any validation. So when the patch-applier applies the first change above, caclmgrd breaks and does not recover fast enough for the rest of the steps.

There are 2 ways to fix this issue:

@qiluo-msft please let me know if my understanding is not correct, or if you have any concerns.
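The failure mode above, as an added example that is not code from caclmgrd or sonic-buildimage: it replays the partial `ACL_TABLE` states that the per-field HMSETs produce and contrasts the unconditional `table_data["services"]` lookup with a consumer that validates the field the way the YANG fix requires it. The state dicts are constructed from the redis log, and the `services@` list marker is assumed to already be decoded into a plain `services` list by the ConfigDB client.

```python
import logging

ACL_TABLE_TYPE_CTRLPLANE = "CTRLPLANE"

# Constructed from the redis monitor log: each HMSET adds one field, so a
# subscriber can observe any of these partial states of ACL_TABLE|V8_SSH_ONLY.
INTERMEDIATE_STATES = [
    {"type": "CTRLPLANE"},
    {"policy_desc": "V8_SSH_ONLY", "type": "CTRLPLANE"},
    {"policy_desc": "V8_SSH_ONLY", "services": ["SSH"], "type": "CTRLPLANE"},
    {"policy_desc": "V8_SSH_ONLY", "services": ["SSH"], "stage": "ingress",
     "type": "CTRLPLANE"},
]


def services_naive(name, table_data):
    """Mirrors the original caclmgrd snippet: unconditional key lookup."""
    if table_data["type"] != ACL_TABLE_TYPE_CTRLPLANE:
        return None
    return table_data["services"]  # KeyError on the first partial state


def services_validated(name, table_data):
    """Enforce the 'services is required for CTRLPLANE' rule in the consumer.

    Returns the service list, or None when the table is not a complete
    control-plane ACL table yet (logged and skipped instead of crashing).
    """
    if table_data.get("type") != ACL_TABLE_TYPE_CTRLPLANE:
        return None
    services = table_data.get("services")
    if isinstance(services, str):  # tolerate the raw "SSH,SNMP" encoding
        services = [s for s in services.split(",") if s]
    if not services:
        logging.warning("ACL_TABLE %s: CTRLPLANE table has no services yet, skipping", name)
        return None
    return services


def replay(handler):
    """Feed every intermediate state to handler; return (results, error)."""
    results = []
    for state in INTERMEDIATE_STATES:
        try:
            results.append(handler("V8_SSH_ONLY", state))
        except KeyError as exc:
            return results, exc  # the naive consumer dies here
    return results, None
```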

ghooo added a commit that referenced this issue Dec 10, 2021
…9295)

#### Why I did it
Fixing issue #9294

#### How I did it
Updating ACL yang model

#### How to verify it

Validating that the issue with `config patch-apply` is fixed.

- Start a KVM
- Add file `add-ctrl-plane-tbl.json-patch` with content:
```json
[
    {
     "op": "add",
     "path": "/ACL_TABLE/ACTRLPLANETABLE",
     "value": {
      "policy_desc": "ACTRLPLANETABLE",
      "services": [
       "SSH"
      ],
      "stage": "ingress",
      "type": "CTRLPLANE"
     }
    }
]
```
- Run `sudo config apply-patch add-ctrl-plane-tbl.json-patch`


Before:
```
Patch Applier: The patch was sorted into 4 changes:
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/ACTRLPLANETABLE", "value": {"type": "CTRLPLANE"}}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/ACTRLPLANETABLE/policy_desc", "value": "ACTRLPLANETABLE"}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/ACTRLPLANETABLE/services", "value": ["SSH"]}]
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/ACTRLPLANETABLE/stage", "value": "ingress"}]
```

After:
```
Patch Applier: The patch was sorted into 1 change:
Patch Applier:   * [{"op": "add", "path": "/ACL_TABLE/ACTRLPLANETABLE", "value": {"policy_desc": "ACTRLPLANETABLE", "services": ["SSH"], "stage": "ingress", "type": "CTRLPLANE"}}]
```

ghooo commented Dec 17, 2021

Fixed by #9295

@ghooo ghooo closed this as completed Dec 17, 2021
judyjoseph pushed a commit that referenced this issue Jan 9, 2022
…9295)