Commit/Confirm Mechanic for OND Changes
Problem Statement
We need a notion of intended state that is explicitly confirmed after making a change.
Who will benefit?
This will improve operational safety of the controller for numerous reasons.
- You need to "hit enter" twice, thus think twice
- It allows a notion of "last running state"
- Thus rollbacks and versioning can be implemented easily
- The change is executed "offline" which allows for simple error and consistency checking.
Benefits and risks
The benefit of this proposal is operational safety and versioning, and thus a decreased risk of operational errors and misconfigurations. It can also be leveraged for templating in future releases.
Proposed solution
My first approach would be to copy the state of a given OND to an arbitrary .proto struct and apply the change there. If this change does not raise an error, the new state will be committed to the device.
I'd also suggest a commit-confirm mechanism that commits the state to the OND but performs a rollback if the change is not confirmed within a given period of time. This way, changes that accidentally disrupt connectivity are self-healing.
Examples
For example, Ubiquiti's EdgeOS uses this mechanism.
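The candidate-copy and commit-confirm flow from the proposed solution, as an added Python example that is not part of the original proposal or the controller's code. The `CommitConfirm` class, the MTU consistency rule, the `mgmt0` sample state and the injectable clock are assumptions made for illustration.

```python
import copy
class CommitConfirm:
    """Running state plus an offline candidate copy, with timed auto-rollback."""
    def __init__(self, running, validate, clock):
        self.running = running      # state currently on the device
        self.validate = validate    # raises ValueError on an inconsistent candidate
        self.clock = clock          # injectable time source, in seconds
        self.history = []           # previously confirmed states (versioning)
        self._previous = self._deadline = None

    def commit(self, change, confirm_within):
        if self._deadline is not None:
            raise RuntimeError("a commit is already awaiting confirmation")
        candidate = copy.deepcopy(self.running)  # the change is applied offline
        change(candidate)
        self.validate(candidate)                 # on error the device is untouched
        self._previous, self.running = self.running, candidate
        self._deadline = self.clock() + confirm_within

    def poll(self):
        # Call periodically: restores the last running state once the window expires.
        if self._deadline is not None and self.clock() >= self._deadline:
            self.running, self._previous, self._deadline = self._previous, None, None
            return True
        return False

    def confirm(self):
        if self.poll() or self._deadline is None:  # a late confirm must not win
            return False
        self.history.append(self._previous)
        self._previous = self._deadline = None
        return True

def validate(cfg):  # constructed consistency rule for the sample state
    for name, intf in cfg["interfaces"].items():
        if not 576 <= intf["mtu"] <= 9216:
            raise ValueError(f"{name}: mtu {intf['mtu']} out of range")

def demo():
    now = [0.0]  # fake clock so the example runs instantly; sample state is constructed
    ond = CommitConfirm({"interfaces": {"mgmt0": {"mtu": 1500, "enabled": True}}},
                        validate, lambda: now[0])
    try:  # inconsistent change: rejected on the candidate, never reaches the device
        ond.commit(lambda c: c["interfaces"]["mgmt0"].update(mtu=100), 60)
    except ValueError as err:
        rejected = str(err)
    ond.commit(lambda c: c["interfaces"]["mgmt0"].update(enabled=False), 60)
    now[0] = 61  # valid but disruptive change was never confirmed
    return rejected, ond.poll(), ond.running
```

In a real controller `poll` would be driven by a timer, and the rollback would push the previous state back to the device.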
Priority/Severity
- High (This will bring a huge increase in performance/productivity/usability/legislative cover)
- Medium (This will bring a good increase in performance/productivity/usability)
- Low (anything else e.g., trivial, minor improvements)