[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: convergence and undoing changes

From: Alva Couch
Subject: Re: convergence and undoing changes
Date: Fri, 18 Nov 2005 20:42:46 -0500
User-agent: Mozilla Thunderbird 0.6 (Windows/20040502)

Mark Burgess wrote:

> You are correct however in pointing out that users CAN screw this up
> by trying to be too clever, by not thinking convergently.

This is what I am getting at.

> But that is not the normal state of affairs.

My experience is that users are all too cavalier about the way they modify cfagent.conf. I think a specific discipline -- unknown to many users -- is the key. We can either document that discipline or encapsulate it in some kind of transaction engine. I propose to do both.

My examples using editfiles are a matter of public record. But the problem can even happen when one utilizes purely convergent actions.

Here's a "typical" example of user thinking.
- user asserts contents of a file F. Say it is a service startup
  in /etc/xinetd.d and the intent is to customize some service.
- then, some time after F is stable, the user changes the assertion
  to revert F to its original state.
- unbeknownst to the user, some different set of stations are down
  while F is reverting to the original state.
- then, satisfied that the file is reverted, the user takes the
  reversion assertion out of the script, considering work to be done.
- time passes and the unreverted machines come back up. There is
  no reversion to affect them. So they stay with the new version.
- At this point, there are two classes of machines: those with
  the original version of F and those with the new version. If the
  new version has a security hole, congratulations, you didn't manage
  to plug it.
The key here is that for reversions to be effective, they must stay
in the configuration until it is absolutely sure that all stations
have applied them. In a very large network, one is likely never
sure, so one can *never* remove the reversions from the config file.

This is the principle of observability:
  Once one manages a thing, one must continue to manage that
  thing in perpetuity.
In my experience this kind of "reversion botch" is very common.

Dr. Alva L. Couch
Associate Professor of Computer Science
Associate Professor of Electrical and Computer Engineering
Tufts University, 161 College Avenue, Medford, MA 02155
Phone: +1 (617) 627-3674

reply via email to

[Prev in Thread] Current Thread [Next in Thread]