Notification for leaf-list changes is not sent

I am testing the Confd notification function.
The YANG model is like this:

container container-x {
    leaf attributeQQ {
        type string;
    }
    leaf-list "conflicting-leaf-list" {
        type string;
        description
          "Holds the ns conflicting leaflist";
    }
}

The configuration is as below:

1.   <data> 
2.     <container-x xmlns="urn:rdns:com:oammodel:complete">
3.       <conflicting-leaf-list>Hello</conflicting-leaf-list>
4.       <conflicting-leaf-list>World</conflicting-leaf-list>
5.       <conflicting-leaf-list>new3</conflicting-leaf-list>
6.     </container-x>
7.   </data>

First the subscription is done. Then I update the leaf-list through netconf edit-config message:

<edit-config><target><running/></target>
<config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:yang="urn:ietf:params:xml:ns:yang:1"
xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
<container-x xmlns="urn:rdns:com:oammodel:complete"><conflicting-leaf-list>new4</conflicting-leaf-list>
</container-x>
</config>

The changes is successful:

1.   <data>
2.     <container-x xmlns="urn:rdns:com:oammodel:complete">
3.       <conflicting-leaf-list>Hello</conflicting-leaf-list>
4.       <conflicting-leaf-list>World</conflicting-leaf-list>
5.       <conflicting-leaf-list>new3</conflicting-leaf-list>
6.       <conflicting-leaf-list>new4</conflicting-leaf-list>
7.     </container-x>
8.   </data>

But there is no notification sent by ConfD. There is a error in log:

<ERR> 6-Aug-2020::10:18:43.997 confd[17]: devel-c Failed to send notification for stream DATA-CHANGE: /push-change-update/change/target: {34,
                                    [{<<"new4">>},
                                     1728446403,
                                     [252269338|1377102414]]}: The XPath /ecomplete:container-x/ecomplete:conflicting-leaf-list[.="new4"] doesn't belong to the restricted subset.

What is the root cause of this error? Thank you very much.

1 Like

This looks weird, but you do not show how the subscription was created, in particular how the filter looks like.

1 Like

Hi,

We use the simple netconf create command as below, no filter specified in the command:

<?xml version="1.0" encoding="UTF-8"?>
<netconf:rpc message-id="101"
      xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0">
    <create-subscription
        xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
                <stream>TEST-DATA-CHANGE</stream>
    </create-subscription>
</netconf:rpc>
]]>]]>
1 Like

Here is the configuration in confd.conf:

<notifications>
    <eventStreams>
        <stream>
            <name>NETCONF</name>
            <description>Netconf Stream</description>
            <replaySupport>true</replaySupport>
            <builtinReplayStore>
            <enabled>true</enabled>
            <dir>./</dir>
            <maxSize>10M</maxSize>
            <maxFiles>50</maxFiles>
            </builtinReplayStore>
        </stream>
        <stream>
            <name>TEST-DATA-CHANGE</name>
            <description>Test Netconf Stream</description>
            <replaySupport>true</replaySupport>
            <builtinReplayStore>
            <enabled>true</enabled>
            <dir>/tmp</dir>
            <maxSize>10M</maxSize>
            <maxFiles>50</maxFiles>
            </builtinReplayStore>
        </stream>
    </eventStreams>
</notifications>

What is this tagpath?
Can you share the YANG module snippet for the notification?
I am wondering if you have some restriction in the notification model, or the model expects a different format?

1 Like

Is the tagpath the XPath printed in the error log: /ecomplete:container-x/ecomplete:conflicting-leaf-list[.=“new4”]?

YANG module:

notification push-change-update {
    description "Generated when the server detects that the
        <running> datastore or state data has changed.
        The notification summarizes the changes. 

        Sent on the TEST-DATA-CHANGE stream,
        but not on the NETCONF stream.";

    /* As there might not be any data specific access control on
    * push-change-update notifications, a subscriber may receive information
    * about all data in the ME. This may include security sensitive data.
    * push-change-update notifications will only be sent to
    * subscribers for whom an explicit permit rule is defined. */
    nacm:default-deny-all;

    leaf sequence-number {
        type uint64 ;
    }

    uses ncn:changed-by-parms;

    list change {
        description "A change entry SHALL be present for each distinct
            configuration or state change that the server has detected.";

        leaf target {
            type instance-identifier;
            mandatory true;
            description "Top-most data node within
                the datastore associated with the change.";
        }

        leaf operation {
            type enumeration {
                enum create {
                  value 0;
                }
                enum delete {
                  value 1;
                }
                enum insert {
                  value 2;

                }
                enum "merge" {
                    value 3;
                }
                enum move {
                  value 4;
                }
                /* replace not used as containers/list entries are instead
                 * deleted and re-created while for other data nodes the
                 * merge operation is used.
                 *
                 * remove not used as in this context it means the same
                 * as delete */
            }
            mandatory true;
            description "Type of edit operation / change detected.";
        }

        leaf point {
            when "(../operation = 'insert' or ../operation = 'move')"
                    + "and (../where = 'before' or ../where = 'after')" {
                description
                    "This leaf only applies for 'insert' or 'move'
                     operations, before or after an existing entry.";
            }
            type instance-identifier;
            description
                "The path for the data node that is being
                used as the insertion point or move point for the
                target of this 'change' entry.";
    }
        anyxml value {
            when "../operation = 'create' "
                + "or ../operation = 'merge' "
                + "or ../operation = 'insert'";
        }
    }
}

Update on this issue:
We found a solution to send notification for this case:
change the 4th argument flags in function maapi_diff_iterate from 0 to ITER_WANT_LEAF_LIST_AS_LEAF which is deprecated.

I see. I think you need to remove ITER_WANT_LEAF_LIST_AS_LEAF and fix the issue of processing this leaf as a leaf-list (C_LIST type).
Your code that sends the notification needs to populate this field the right way.

Here is a snippet in c that can give you an idea:

confd_value_t arr[5];
confd_value_t v;

for (j=0; j<5; j++) CONFD_SET_INT32(&arr[j], j);

CONFD_SET_LIST(&v, &arr[0], 5);
CONFD_SET_TAG_VALUE(&vals[i], notif_extra_id, &v);i++;

Notification module:

notification push-change-update {
...
    list change {
        description "A change entry SHALL be present for each distinct
            configuration or state change that the server has detected.";

        leaf target {
            type instance-identifier;
            mandatory true;
            description "Top-most data node within
                the datastore associated with the change.";
        }
...
}

Error Logs

<ERR> 6-Aug-2020::10:18:43.997 confd[17]: devel-c Failed to send notification for stream DATA-CHANGE: /push-change-update/change/target: {34,
                                    [{<<"new4">>},
                                     1728446403,
                                     [252269338|1377102414]]}: The XPath /ecomplete:container-x/ecomplete:conflicting-leaf-list[.="new4"] doesn't belong to the restricted subset.

why confd reports the above error?

As you can see that /ecomplete:container-x/ecomplete:conflicting-leaf-list[.=“new4”] is a valid instance-identifier. Refer to rfc7950 (https://tools.ietf.org/html/rfc7950#section-9.13.4). why confd reports the error?

ITER_WANT_LEAF_LIST_AS_LEAF

if maapi_diff_iterate doesn’t use ITER_WANT_LEAF_LIST_AS_LEAF parameter, confd will generate the diff by go through every leaf of the leaf-list, and the xpath of the diff will be /ecomplete:container-x/ecomplete:conflicting-leaf-list[.=“new4”]. Am i right?

Build notification message

confd_hkeypath_t *thekp;
int res = maapi_xpath2kpath(_maapiSocket, kp.c_str(), &thekp);
CONFD_SET_TAG_OBJECTREF(&_valueArray[_i],_change_target->tag, thekp); _i++;

send out notification message

confd_notification_send(_live_ctx,&eventTime,valueArray,numberOfEntries);

Then confd reports the above error. is It a confd issue?

I think we are talking about two issues. I thought the issue was only around the “leaf-list as leaf”.
Regarding the maapi_diff_iterate, I think you can test and find out what ConfD diffs over, easily. That should answer your question. The diff will be similar to lists.

Regarding the notification, I think something is wrong here. You are right that the XPath expression is a valid value for an instance-identifier type, based on the YANG RFC.
But since the behavior of the leaf-list implementation is changed, I don’t know if this is why the path is restricted.

For sure, if you omit ‘[.=“new4”]’, it should work.

I think ConfD, in this case, looks at the XPath and thinks “leaf-list = leaf”, then the extra predicate shouldn’t be present. This explains the error message you get. One thing you can try is to remove the backward compatibility settings and try.

But I highly doubt it would work, so this may be a bug in ConfD. I will double check internally.

Thanks!
Nabil

2 Likes

Hi Nabil

Thanks for your answer!
We are trying to send out notifications when configuration changes, which includes the leaf-list changes. The bug in confd blocks our tasks.

please let us know if some new version confd can fix the bug.

BRs/Zhenhua