Integration of FRR ISIS Routing protocol to DANOS.

[KaushikNiral]

Integrated FRR ISIS Routing protocol to DANOS.

1. Added new set file. and operational file for isis under yang/
2. Added json script for isis under script/frr/configs/commands/
3. Added isis install file under debian/
4. Modified this files debian/control and debian/vyatta-frr-vci.component for isis

[odd22]

@KaushikNiral I think before adding ISIS to Vyatta/DANOS CLI, we must first update FRR included in DANOS. Current FRR version is 7.3 https://github.com/FRRouting/frr/releases while FRR version integrated within DANOS is the 6.0.

The main point here, is that since 6.0, FRR team has added a new northbound API for CLI based on tang model i.e. usable with NetConf. Not all daemons have been ported to this new NorthBound API, but ISIS yes. See here: https://github.com/FRRouting/frr/tree/master/yang

So, instead of creating a new yang model for ISIS, it will be better to adopt the yang models provided by the FRR release. As other daemons e.g zebra, bfd, rip, eigrp, ... and base modules e.g. interface, route-map, filter ... have also been ported to this new Northbound API, and thus, with corresponding yang model, I think it will also be necessary to adapt DANOS yang models to the FRR yang models. In addition, FRR aims to endorse and follow as much as possible IETF yang models. Deviations are explicitly release in additional yang model as augmentation to IETF yang model. Currently a great effort is made to port BGP, OSPF & LDP to this new Northbound API, thus with respective yang models.

[JammyStuff]

@odd22 Maybe @jsouthworth will have some thoughts as well, but it's really unclear to me how the FRR YANG models avoid the need for DANOS to have YANG models to integrate with FRR.

At some point, it would probably be desirable that DANOS starts configuring FRR via your new northbound API, which would obviously be using your YANG, but at the user interface level (CLI, NETCONF, etc) I really don't see how your YANG models directly would integrate cleanly into the configuration for the rest of the system. For example, how would interface configuration work? The FRR protocols YANG models augment the FRR interface YANG models, which are distinct from the DANOS interface YANG models. The only way that I can see this working is for there to be DANOS YANG models and infrastructure that would translate that config to fit the FRR YANG models and pass that over your new northbound API.

We don't have the infrastructure for it in place at the moment, but we do have an idea about "multi-model support", whereby it would be possible to configure the system through different YANG models (e.g. OpenConfig). Even with that though, it's not immediately obvious how a subsystem specific YANG model such as the FRR one would really work. How would the rest of the system be configured?

[odd22]

@JammyStuff Perhaps, I was not sufficiently clear with the new NorthBound API. In fact, for daemon which adopt the new Northbound API, the old CLI was removed except for the show command family. When a new command is introduce, we start by adding the corresponding entry/parameters in the yang model, then create the entry in the northbound API and then in the CLI a new call to this new NorthBound API. If DANOS used its own yang model, this introduce a double yang <-> CLI exchange which is not necessary: DANOS yang -> vtysh -> FRR yang -> daemon call

Just have a look for example to https://github.com/FRRouting/frr/blob/master/isisd/isis_nb_config.c and https://github.com/FRRouting/frr/blob/master/isisd/isis_cli.c

I agree that the work is not complete on FRR side and that what DANOS provided is great for the moment. I'm just suggesting to go to the FRR yang model when introducing new Daemon that already support the new Northbound API. But, this means that DANOS must first upgrade FRR to latest release.

[odd22]

Please use this file instead: https://github.com/FRRouting/frr/blob/master/yang/frr-isisd.yang

It will help further integration of next FRR release

[JammyStuff]

@odd22 Just to clarify (both in general and in your suggested change), are you suggesting that the FRR YANG is used verbatim, or that a DANOS YANG file should be created that is similar to the FRR YANG file but modified to fit with the rest of the DANOS YANG model in the hope that would minimise the work required by the layer to translate DANOS config to FRR config?

I was under the impression that you were suggesting to use the FRR YANG verbatim, in which case I still don't understand how that is going to fit with the rest of the DANOS config model.

[odd22]

@JammyStuff I'm suggesting to take the FRR YANG verbatim for the configuration part and keep the DANOS Yang for operational part as this one doesn't exist for FRR (Show CLI stay with the old CLI system). If you look to both proposed yang/vyatta-protocols-frr-isis-v1.yang model and https://github.com/FRRouting/frr/blob/master/yang/frr-isisd.yang model, they are almost identical. And, the FRR model contains all available configuration for ISIS.

[JammyStuff]

The frr-isisd YANG model doesn't stand on it's own. It's augmenting the frr-interface YANG model for the IS-IS interface configuration for example. If we're taking the model verbatim, how do we avoid needing to also take the frr-interface model and having 2 separate interface models?

[odd22]

That's the tricky point. We need to manage the transition phase in the smoother way to avoid problem and double work. It is exactly why I suggest to first upgrade to FRR 7.3 before integrating new daemon such isis in DANOS.

[jsouthworth]

Integrating YANG modules from individual projects is going to be extremely problematic. DANOS presents a full system data-model that is highly integrated. This is used to render all user facing interfaces. One of the driving intentions behind DANOS is to provide first a reasonable model to a human operators. This will necessitate some translation to happen somewhere in the system.

FRR presents a model for the subsystem it controls which is self-contained and highly integrated. We cannot pull the FRR models in to DANOS directly and present them as the interface model as this will require that an operator create objects in two places for shared configuration (interfaces, etc.).

Work is scheduled for a future release that will support a data-model translation framework that will allow one to translate between an interface model and another data-model that will also expose both models via the northbound interfaces. This may allow us to have NETCONF or gNMI speak the FRR model natively, but the infrastructure does not exist at this time and so we cannot integrate this in this way today. This does not remove the need to do a translation, it only moves it to a different place.

In the shorter term, when integrating a future FRR release it is highly likely that the gRPC based Northbound API would be used. The integration component for FRR would need to be modified to use this interface instead of using vtysh. We are aware of the need to do this and would welcome the addition if someone did the work. It is quite unfair, however, to expect someone adding integration for a single feature to do this work, which is far outside the scope of the current review. In my view, updating FRR and adding ISIS support are orthogonal. ISIS can be added with fairly little change to what is already here, of which this PR is evidence, and doesn't create much additional burden when porting to a newer FRR in the future.

Obviously, the closer the DANOS YANG is to the FRR YANG, the easier it will be to translate from one to the other in the future, but there is no way to get around needing to do it. FRR's YANG wants to bring in other FRR YANG and DANOS has duplication for it already, and at this time, this cannot be supported in a way that meet the goals of DANOS as a whole.

In general, all YANG models will have this same limitation, Openconfig is highly dependent on other Openconfig models, the IETF models are highly dependent on other IETF models, etc. Bringing in one will bring in the lot of other things. This makes utilizing modules in a modular way nearly impossible. If the YANG were written slightly differently, one could avoid some of this but that requires a lot of abstraction for no real benefit to the organization doing the work. As such, we are stuck with fragmentation in the data-model space in general. DANOS is no exception to this.

[jsouthworth]

We generally do interface augmentations as separate YANG files that import a grouping in the main file for the feature. We do this for modularity reasons so that not all interface types must be available on all builds.

[KaushikNiral]

Thanks @jsouthworth , for the review.
Hi @jsouthworth ,
We followed the "vyatta-protocols-frr-ospf-v1.yang" to perform the augmentations in the new file named "vyatta-protocols-frr-isis-v1.yang".
Since you are suggesting a different approach, can you please share a relevant file or example of it.

[jsouthworth]

OK, what is here should be sufficient then. Our guys didn't follow the convention when doing integration for the rest of the routing suite. It is highly unlike that an image would ever be built with out dataplane interfaces anyway. If support for other interface types are added in future release we'll need to follow the "tertiary model" convention for them.

[jsouthworth]

There is no reason to continue the "tagnode" naming convention, we only have this in some YANG due to an automated conversion from Vyatta's original data-modeling language.

[KaushikNiral]

We have fixed this issue.
We will send review after resolving the 1st review comment on augmentation.

[jsouthworth]

There seems to be a lot of whitespace errors in this file. For reference, the DANOS convention is to use Tabs to do indentation in YANG files.

[KaushikNiral]

We have fixed this issue.

[KaushikNiral]

Integrating YANG modules from individual projects is going to be extremely problematic. DANOS presents a full system data-model that is highly integrated. This is used to render all user facing interfaces. One of the driving intentions behind DANOS is to provide first a reasonable model to a human operators. This will necessitate some translation to happen somewhere in the system.

FRR presents a model for the subsystem it controls which is self-contained and highly integrated. We cannot pull the FRR models in to DANOS directly and present them as the interface model as this will require that an operator create objects in two places for shared configuration (interfaces, etc.).

Work is scheduled for a future release that will support a data-model translation framework that will allow one to translate between an interface model and another data-model that will also expose both models via the northbound interfaces. This may allow us to have NETCONF or gNMI speak the FRR model natively, but the infrastructure does not exist at this time and so we cannot integrate this in this way today. This does not remove the need to do a translation, it only moves it to a different place.

In the shorter term, when integrating a future FRR release it is highly likely that the gRPC based Northbound API would be used. The integration component for FRR would need to be modified to use this interface instead of using vtysh. We are aware of the need to do this and would welcome the addition if someone did the work. It is quite unfair, however, to expect someone adding integration for a single feature to do this work, which is far outside the scope of the current review. In my view, updating FRR and adding ISIS support are orthogonal. ISIS can be added with fairly little change to what is already here, of which this PR is evidence, and doesn't create much additional burden when porting to a newer FRR in the future.

Obviously, the closer the DANOS YANG is to the FRR YANG, the easier it will be to translate from one to the other in the future, but there is no way to get around needing to do it. FRR's YANG wants to bring in other FRR YANG and DANOS has duplication for it already, and at this time, this cannot be supported in a way that meet the goals of DANOS as a whole.

In general, all YANG models will have this same limitation, Openconfig is highly dependent on other Openconfig models, the IETF models are highly dependent on other IETF models, etc. Bringing in one will bring in the lot of other things. This makes utilizing modules in a modular way nearly impossible. If the YANG were written slightly differently, one could avoid some of this but that requires a lot of abstraction for no real benefit to the organization doing the work. As such, we are stuck with fragmentation in the data-model space in general. DANOS is no exception to this.

Thank you @JammyStuff , @jsouthworth and @odd22 for taking your time to review the PR.

[jsouthworth]

These values still have whitespace problems (the indentation is off by one).

[KaushikNiral]

We did not update the review changes yet, will share it in sometime.

[deastoe]

Thanks for your contribution @KaushikNiral.

The indentation in the new YANG modules is quite inconsistent; some parts use double space while others use tab. Please could you update the modules to use a consistent tab indent?

[deastoe]

Please add a space after the description keyword. This prevents a pyang error:

vyatta-protocols-frr-isis-v1.yang:148: error: syntax error: expected separator, got: ""This ..."

[deastoe]

Actually it looks like this typedef is unused? It could be removed.

[KaushikNiral]

This is Resolved.

[deastoe]

This import can be removed as it is unused. Removing it will suppress a warning from pyang:

vyatta-op-protocols-frr-isis-v1.yang:5: warning: imported module vyatta-types-v1 not used

[KaushikNiral]

This is Resolved.

[deastoe]

The must statements in this grouping can be removed, since the isis is not defined by the level enumeration.

[KaushikNiral]

This is Resolved.

[deastoe]

It looks like these groupings aren't currently used? I'd suggest only adding the groupings which are currently in use/supported.

[KaushikNiral]

This is Resolved.

[deastoe]

Looks like the adj-state-type and if-state-type types are also currently unused.

[KaushikNiral]

This is Resolved.

[deastoe]

This looks like it is not used currently, I'd recommend removing it until required.

[KaushikNiral]

This is Resolved.

[deastoe]

This looks like it is not used currently, I'd recommend removing it until required.

[KaushikNiral]

This is Resolved.

[deastoe]

This looks like it is not used currently, I'd recommend removing it until required.

[KaushikNiral]

This is Resolved.

[deastoe]

I'm not sure clear and md5 should be lists. Does isisd support configuring multiple passwords of the same type?

[KaushikNiral]

This is Resolved.

[deastoe]

Please could you share the reasoning for using the nested set of lists? IMO it would be simpler and cleaner to have all these delay values as leaves at the top level of the container. Doing this would also prevent the user from configuring multiple of the same delay value (which can be done with lists, using max-elements, but I think using leaves at the top level is a more straightforward and readable approach).

[KaushikNiral]

Got it. Thanks @deastoe .
This is Resolved.

[deastoe]

The description suggests this is a list of addresses, but a leaf will only allow a single value. Should this be a leaf-list instead?

[KaushikNiral]

This is Resolved.

[KaushikNiral]

Thank you @KaushikNiral, that makes these modules easier to read and review.

I personally prefer a deeper (such as 4 spaces or a Tab character) indent as it is easier for me to visualise the structure. We don't yet have this documented, but DANOS does have a convention to use Tab characters for indentation in YANG modules.

The existing YANG modules in vyatta-protocols-frr don't all follow this convention (some use 4 space indents). Given this and the current lack of documentation I won't insist on any more widespread whitespace changes for this PR - we can always re-format all the modules in future.

I've asked some of the DANOS YANG experts to take a look this PR, and I will also give it another pass over the next few days.

Thanks for your patience while we review this :)

Thanks @deastoe :)
Looking forward to it.

[wivory]

This should be the current date. It's important that revision dates are accurate, and updated when the file is changed, or NETCONF clients may continue using an older cached version of the file instead.

[KaushikNiral]

This is resolved.

[wivory]

Should be current date

[KaushikNiral]

This is resolved.
Thanks.

[wivory]

Use single quotes - 'point-to-point' - instead of escaped double quotes. Much cleaner.

[KaushikNiral]

Hi Wivory,

We tried using single quote in this below mentioned way.
must "(. = 'point-to-point') or (. = 'broadcast')";

But "configd" process crashes if we do it in this manner.

Thanks,

[wivory]

Well, I can compile this file just fine with single quotes, and I have written countless unit tests proving single quotes work in general here. Are you definitely using the correct single quote character, as we've had problems with the wrong one being used before now. Can you tell me what error you get in configd (traceback / log error), and attach a copy of the file that causes the problem so I can test it, as if this is really failing, that's a bug that needs fixing.

[KaushikNiral]

Sorry, actually we tried using backslash with single quote that's why we got the error, the screenshot is attached.
Now we have applied the changes and found working. It is also committed.

Thanks.

[wivory]

Thanks - looks much cleaner

[wivory]

DANOS does not yet support choice - it will compile, but is ignored. So, this isn't going to work. It also raises the question of what testing has been done on this?

[KaushikNiral]

Hi Wivory,

We have tested "choice" and found it to be working before sending for review.
We have attached 5 screenshot of the following below.

1. Screenshot of the DANOS CLI.
2. Screenshot of the frr.json file from location:- /etc/vyatta-routing/frr.json
3. Screenshot of the frr.conf file from location:- /etc/vyatta-routing/frr.conf
4. And finally from the frr.conf file from location:- /etc/frr/frr.conf
5. Screenshot of the set command from DANOS CLI.

Are you suggesting any other way to validate that it is working ?

Thanks,

[wivory]

Sorry - perhaps I wasn't clear what I meant by 'ignored'. We ignore the 'choice' element, and allow all choices to be configured as shown here:

[edit]
vyatta@vm-at-1# show protocols isis
+isis 1 {
+       area-password {
+               clear foo
+       }
+}
[edit]
vyatta@vm-at-1# set protocols isis 1 area-password md5 bar
[edit]
vyatta@vm-at-1# show protocols isis
+isis 1 {
+       area-password {
+               clear foo
+               md5 bar
+       }
+}

If we had implemented choice correctly, setting the md5 option would have removed the clear option. You certainly couldn't commit both options with choice implemented correctly - but you will find that on DANOS currently, you can.

So, I guess you can keep the YANG as-is, but for now you will be able to configure both 'clear' and 'md5' at the same time.

[KaushikNiral]

Okay,
Thanks.

[wivory]

Actually you must not keep this yang or there is a risk that someone configures both options, and then when we fix choice, the config becomes invalid, ie this would be backwards incompatible.

[KaushikNiral]

Hi Wivory,

We have found a way which does not use "choice" and hence it should be good.
We are committing this change now.

grouping isis-password {
leaf clear {
configd:help "Clear-text authentication type.";
description "Clear-text authentication type.";
type string {
length "1..254";
}
must "not(../md5)" {
error-message "Can't configure both clear and md5 for password";
}
}
leaf md5 {
configd:help "MD5 authentication type.";
description "MD5 authentication type.";
type string {
length "1..254";
}
must "not(../clear)" {
error-message "Can't configure both clear and md5 for password";
}
}
}

[wivory]

Yes, that will do the trick. You only need it on one of the 2 leaves though - no need to check both ways.

[KaushikNiral]

Okay, we rectified it and committed.

Thanks.

[wivory]

You don't need to check both ways round - with both you will get 2 warnings rather than one.

[KaushikNiral]

Okay, it is resolved now.

Thanks.

[wivory]

Is this an inherent property of the grouping, or of the 2 specific cases where it is used? If the former, you should put the must statement in the grouping on one of the two leaves.

[KaushikNiral]

Okay, we have kept the must statement in the grouping on one of the two leaves.

Thanks,

[wivory]

Better expressed as 'max-elements 1'

[KaushikNiral]

We found that ISIS allows multiple instances so we have removed the "must" statement as it is not required.

Thanks,

[KaushikNiral]

We found that ISIS allows multiple instances so we have removed the "must" statement as it is not required.

Thanks,

Approved YANG files as part of data model review process.

Thanks for the approval.

[wivory]

You could usefully define some common types for delays and timers as this will make the YANG more concise and more readable (and ensure consistency across different nodes)

[KaushikNiral]

This is resolved.

Thanks,

[wivory]

Approved YANG files as part of data model review process.

[KaushikNiral]

Approved YANG files as part of data model review process.

Thanks for the approval.

[dewi-morgan]

As a general rule when introducing new yang models, taking account of any existing IETF yang models is a good idea. I was wondering if you were aware of draft-ietf-isis-yang-isis-cfg-42 model and if your model is based upon it or another yang model ? Does it make sense to accommodate the structure of the draft IETF ISIS yang model where possible (or makes sense) into your existing yang model ?

Thank you,

[deastoe]

Please could you add a configd:secret "true"; statement to this leaf. This instructs the system to handle these values more carefully, for example redacting the value in audit logs.

[KaushikNiral]

Sure will do that and update.
Thanks,

[KaushikNiral]

This is Resolved.

[deastoe]

Please also add configd:secret "true"; to this leaf.

[KaushikNiral]

Sure, will add it.

Thanks,

[KaushikNiral]

This is Resolved.

[odd22]

Is it possible to also add the Segment Routing configuration stuff introduce with FRR-7.3 release?