Transactional (Candidate) configurations with Nokia SROS

Transactional configuration is not new to SROS, but it was not a day-one feature (unlike in JunOS), so it may be less well known to existing users.

Firstly, before getting into rollback configurations, I would like to point out that SROS has been saving multiple copies of the configuration via a rotation-based mechanism for quite some time, without needing specific activation.

A:SR1# show system information | match expression "Config|Backup"
Config Source          : primary
Last Booted Config File: cf3:\config.cfg
Last Boot Config Header: # TiMOS-B-14.0.R4 both/i386 Nokia 7750 SR Copyright
Last Saved Config      : cf3:\config.cfg
Max Cfg/BOF Backup Rev : 5

cf3:\config.cfg (which can be changed from this default by modifying the boot options file) stores the current config and the previous 4 versions. While the number of saved configs is modifiable, 5 is most likely enough for most. Reverting to a previous configuration this way can be quite a disruptive event, however, as it means copying an older config over cf3:\config.cfg and performing a system reboot. This is where rollback configurations, combined with transactional (called candidate) configurations, become helpful, particularly during a complex task like a network migration.

Achyar Nur Andi has a good post discussing the mechanics around rollbacks and candidate configurations at www.achyarnurandi.net, so I will just highlight a few of the main features and how you can enforce that the router is only configured through candidate configurations.

The first thing to do is to specify the rollback file prefix (in this case conf-rollback on compact flash 3):

A:SR1# /configure system rollback
A:SR1>config>system>rollback# rollback-location cf3:\conf-rollback
INFO: CLI No checkpoints currently exist at the rollback location.
*A:SR1>config>system>rollback# show system rollback
===============================================================================
Rollback Information
===============================================================================
Rollback Location            : cf3:\conf-rollback
Max Local  Rollback Files    : 10
Max Remote Rollback Files    : 10
Save
Last Rollback Save Result  : None
Last Save Completion Time  : N/A
Revert
In Progress                : No
Last Revert Initiated User : N/A
Last Revert Checkpoint File: N/A
Last Revert Result         : None
Last Revert Initiated Time : N/A
Last Revert Completion Time: N/A
Delete
Last Rollback Delete Result: None

===============================================================================
Rollback Files
===============================================================================
Idx    Suffix    Creation Time            Release           User
Comment
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================
*A:SR1>config>system>rollback# exit all

We’ll create our first rollback point:

*A:SR1# admin rollback save comment "Baseline Config"
Saving rollback configuration to cf3:\conf-rollback.rb... OK
*A:SR1# show system rollback

===============================================================================
Rollback Information
===============================================================================
Rollback Location            : cf3:\conf-rollback
Max Local  Rollback Files    : 10
Max Remote Rollback Files    : 10
Save
Last Rollback Save Result  : Successful
Last Save Completion Time  : 2017/05/23 02:35:38  UTC
Revert
In Progress                : No
Last Revert Initiated User : N/A
Last Revert Checkpoint File: N/A
Last Revert Result         : None
Last Revert Initiated Time : N/A
Last Revert Completion Time: N/A
Delete
Last Rollback Delete Result: None

===============================================================================
Rollback Files
===============================================================================
Idx    Suffix    Creation Time            Release           User
Comment
-------------------------------------------------------------------------------
latest .rb       2017/05/23 02:35:38  UTC B-14.0.R4         admin
Baseline Config
-------------------------------------------------------------------------------
No. of Rollback Files: 1
===============================================================================

There’s only one rollback, called latest.rb.

For this example, just a simple system name change:

*A:SR1# /configure system name "Wrong Name"

Now to compare the current working configuration with the rollback:

*A:Wrong Name# admin rollback compare
Processing current config... 0.010 s
Processing "cf3:\conf-rollback.rb"... 0.020 s
----------------------------------------------
configure
    system
+        name "Wrong Name"
-        name "SR1"
    exit
exit

It’s very clear what the differences are. I would just like to highlight that, at present, these configuration changes are still immediate – rollbacks on their own just provide a means to manage the change, and don’t provide any atomic operations yet.
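A parser for this compare output, as an added example that is not part of the original post: it turns each +/- line into a change with its full context path and lists the changes that fall outside an approved scope, which helps spot immediate-mode drift from the checkpoint. The sample text is constructed in the format shown above, and the approved-scope list is a hypothetical input.

```python
# Constructed sample in the `admin rollback compare` format shown above.
# '+' lines exist only in the current config, '-' lines only in the checkpoint.
SAMPLE_COMPARE = '''\
configure
    system
+        name "Wrong Name"
-        name "SR1"
    exit
    service
        ies 123 customer 1 create
+            description "Candidate Config Test"
        exit
    exit
exit
'''

def parse_compare(text):
    """Return (op, context_path, statement) for every +/- line."""
    changes, stack = [], []              # stack of (indent, statement)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or set(stripped) == {"-"}:
            continue                     # blank line or ----- separator
        op = raw[0] if raw[0] in "+-" else " "
        body = raw[1:] if op != " " else raw
        indent = len(body) - len(body.lstrip())
        # Drop every open context that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stmt = body.strip()
        if stmt == "exit":
            continue
        if op != " ":
            changes.append((op, tuple(s for _, s in stack), stmt))
        stack.append((indent, stmt))
    return changes

def outside_scope(changes, approved_prefixes):
    """Changes whose context path is not under any approved prefix."""
    return [c for c in changes
            if not any(c[1][:len(p)] == p for p in approved_prefixes)]

if __name__ == "__main__":
    # Hypothetical scope of the approved change: only service ies 123.
    approved = [("configure", "service", "ies 123 customer 1 create")]
    for op, path, stmt in outside_scope(parse_compare(SAMPLE_COMPARE), approved):
        print(op, " > ".join(path), "|", stmt)
```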

Let’s revert back to our old configuration:

*A:Wrong Name# admin rollback revert latest-rb
Restoring rollback configuration cf3:\rollback-dir.rb
Processing current config... 0.010 s
Processing "cf3:\rollback-dir.rb"... 0.020 s
Resolving dependencies... 0.000 s
Tearing setup down... 0.010 s
Rebuilding setup... 0.000 s
Finished in 0.050 s
*A:SR1#

Candidate configuration mode, as opposed to the default “immediate” configuration mode, does not implement configuration changes until you commit them. In the event of a failure applying the configuration, the system will back out and rewind the configuration, giving you the option to discard or modify your changes. Candidate configuration mode is enabled via “candidate edit”. For this example we are going to set the system address on our router, configure an Ethernet port, create an IES and attach a VLAN on that port to an IP interface.

A:SR1# candidate edit
A:SR1>edit-cfg# configure router interface "system" address 111.111.111.111/32
A:SR1>edit-cfg# configure port 1/2/3 shutdown
A:SR1>edit-cfg# configure port 1/2/3 ethernet mode access
A:SR1>edit-cfg# configure port 1/2/3 ethernet encap-type dot1q
A:SR1>edit-cfg# configure port 1/2/3 no shutdown
A:SR1>edit-cfg# configure service ies 123 customer 1 create
A:SR1>edit-cfg>config>service>ies# interface TEST create
A:SR1>edit-cfg>config>service>ies>if# address 192.168.1.1/24
A:SR1>edit-cfg>config>service>ies>if# sap 1/2/3:4 create
A:SR1>edit-cfg>config>service>ies>if>sap# back
A:SR1>edit-cfg>config>service>ies>if# back
A:SR1>edit-cfg>config>service>ies# no shutdown

Based on where we are within the configuration tree, we can see the associated configuration changes:

A:SR1>edit-cfg>config>service>ies# candidate view
----------------------------------------------
17:             interface "TEST" create
18:                 address "192.168.1.1/24"
19:                 sap "1/2/3:4" create
20:                 exit
21:             exit
22:*            no shutdown
----------------------------------------------

Or if we get to the root of the configuration tree, we can see all the associated changes that are yet to be applied to the running configuration:

A:SR1>edit-cfg>config>service>ies# exit all
A:SR1>edit-cfg# candidate view
----------------------------------------------
1:  configure
2:      router
3:          interface "system"
4:              address "111.111.111.111/32"
5:          exit
6:      exit
7:      port "1/2/3"
8:          shutdown
9:          ethernet
10:             mode access
11:             encap-type dot1q
12:         exit
13:         no shutdown
14:     exit
15:     service
16:         ies "123" customer 1 create
17:             interface "TEST" create
18:                 address "192.168.1.1/24"
19:                 sap "1/2/3:4" create
20:                 exit
21:             exit
22:*            no shutdown
23:         exit
24:     exit
25: exit
----------------------------------------------

Now we can accept the changes and attempt to push the configuration to the router using “candidate commit”:

A:SR1>edit-cfg# candidate commit
Processing current config... 0.010 s
Error at line 7: Command 'port "1/2/3"' failed in 'configure'
MINOR: CLI Port "1/2/3" does not exist.
Reverting changes...
Processing current config... 0.010 s
Processing memory checkpoint... 0.000 s
Resolving dependencies... 0.000 s
Tearing setup down... 0.000 s
Rebuilding setup... 0.010 s
Finished in 0.040 s
MINOR: CLI Commit failed and has been reverted.

Since there was an error in the configuration – our router doesn’t have a port 1/2/3 – the commit failed and the whole new configuration was backed out, leaving the option to correct and reapply, or to reject the changes. This is quite a powerful configuration tool and concept. As we know the problem was on line 7, we can edit that line specifically using “candidate replace 7”, replacing the string port “1/2/3” with the proper port, which is “1/1/3”:

*A:SR1>edit-cfg# candidate replace 7
*A:Replace by: port "1/1/3"
INFO: CLI Added 10 lines: 'port "1/1/3"'.
INFO: CLI Removed 10 lines: 'port "1/2/3"'.

It’s probably worth double-checking that the revised configuration is okay:

*A:SR1>edit-cfg# candidate view
----------------------------------------------
1:  configure
2:      router
3:          interface "system"
4:              address "111.111.111.111/32"
5:          exit
6:      exit
7:      port "1/1/3"
8:          shutdown
9:          ethernet
10:             mode access
11:             encap-type dot1q
12:         exit
13:         no shutdown
14:     exit
15:     service
16:         ies "123" customer 1 create
17:             interface "TEST" create
18:                 address "192.168.2.1/24"
19:                 sap "1/2/3:4" create
20:                 exit
21:             exit
22:*            no shutdown
23:         exit
24:     exit
25: exit
----------------------------------------------

The SAP also requires correction to align with the new port – this is on line 19:

*A:SR1>edit-cfg# candidate replace 19
*A:Replace by: sap "1/1/3:4" create
INFO: CLI Added 2 lines: 'sap "1/1/3:4" create'.
INFO: CLI Removed 2 lines: 'sap "1/2/3:4" create'.
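Both corrections above (lines 7 and 19) fix a reference to a port the router does not have. The following added example, which is not part of the original post, checks a "candidate view" listing for such references before the commit is attempted. It assumes a port inventory collected separately from the router (the set used here is hypothetical) and only handles the quoted port and SAP syntax shown in the candidate view.

```python
import re

# Excerpt of the first candidate view on this page (line numbers as shown).
CANDIDATE_VIEW = '''\
7:      port "1/2/3"
8:          shutdown
13:         no shutdown
14:     exit
16:         ies "123" customer 1 create
17:             interface "TEST" create
19:                 sap "1/2/3:4" create
22:*            no shutdown
'''

NUMBERED = re.compile(r'^\s*(\d+):\*?\s*(.*)$')    # e.g. "22:*   no shutdown"
PORT_REF = re.compile(r'^(?:port|sap) "([^":]+)')  # port id, before any :vlan

def lint_candidate(view_text, existing_ports):
    """Return (line_no, statement, port) for each port/SAP line whose port
    is not in existing_ports, i.e. the lines to fix with 'candidate replace'."""
    findings = []
    for raw in view_text.splitlines():
        m = NUMBERED.match(raw)
        if not m:
            continue                      # separators, prompts, blank lines
        line_no, stmt = int(m.group(1)), m.group(2).strip()
        ref = PORT_REF.match(stmt)
        if ref and ref.group(1) not in existing_ports:
            findings.append((line_no, stmt, ref.group(1)))
    return findings

if __name__ == "__main__":
    # Assumption: hypothetical inventory of ports present on the router.
    inventory = {"1/1/1", "1/1/3"}
    for line_no, stmt, port in lint_candidate(CANDIDATE_VIEW, inventory):
        print(f"line {line_no}: {stmt} -> port {port} not present")
```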

Now let’s apply the configuration:

*A:SR1>edit-cfg# candidate commit
Saving checkpoint file... OK
INFO: CLI Successfully executed 25 lines in 0.000 s.

Configuration mode is still quite handy for viewing what has been configured, by jumping into the right configuration context and doing an info or info detail:

*A:SR1# /configure service
*A:SR1>config>service# info
----------------------------------------------
customer 1 create
    description "Default customer"
exit
ies 1 customer 1 create
    interface "External" create
        address 200.200.200.1/24
        sap 1/1/1 create
        exit
    exit
    no shutdown
exit
ies 123 customer 1 create
    interface "TEST" create
        address 192.168.2.1/24
        sap 1/1/3:4 create
        exit
    exit
    no shutdown
exit
----------------------------------------------

An operational problem can occur if we allow the use of both candidate and immediate configurations, such as still being able to do

*A:SR1>config>service# ies 123 description "Candidate Config Test"

This will most likely end up with people sticking with immediate configuration mode unless they are forced to use candidate configs. Fortunately, it is quite easy to enforce this:

*A:SR1# /configure system management cli configuration no immediate

It doesn’t remove the facility to view configurations, just the ability to make configuration changes directly:

*A:SR1# configure service ies 123
*A:SR1>config>service>ies# info
----------------------------------------------
description "Candidate Config Test"
interface "TEST" create
    address 192.168.2.1/24
    sap 1/1/3:4 create
    exit
exit
no shutdown
----------------------------------------------

If we now attempt a non-candidate mode configuration change:

*A:SR1>config>service>ies# description "New Description"
MINOR: CLI Direct modification of the configuration is not allowed. Use 'candidate edit' for all changes.

We are now forced to use candidate configs:

*A:SR1>config>service>ies# candidate edit
*A:SR1>edit-cfg# configure service ies 123 description "New Description"
*A:SR1>edit-cfg# candidate commit
Processing current config... 0.010 s
Saving checkpoint file... OK
INFO: CLI Successfully executed 7 lines in 0.000 s.

Coupled with the right processes, this is one of the tools to help increase the MTBM (Mean Time Between Mistakes) and reduce the amount of network disruption.