Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dcnm_vrf: Fix issues #351, #356, #357 #354

Merged
merged 58 commits into from
Jan 16, 2025
Merged

Conversation

allenrobel
Copy link
Collaborator

@allenrobel allenrobel commented Dec 5, 2024

Summary

This PR includes:

  1. A fix for issue dcnm_vrf: infinite loop in wait_for_vrf_del_ready() #351
  2. A fix for issue dcnm_vrf: TOP_DOWN_VRF_VLAN resources are leaked #356
  3. A fix for issue dcnm_vrf: 500 error at /rest/top-down/fabrics/f1/vrfs/attachments #357
  4. Improve code readability
  5. Harden against KeyErrors and misinterpreted booleans
  6. Add logging
  7. Standardize integration test vars and task titles for dcnm_vrf integration tests
  8. Add example dynamic inventory to playbooks/files/dynamic_inventory.py

Status

All items are complete.

Fix for issue #351

This involves a change to wait_for_vrf_del_ready() where we call fail_json() if both lanAttachedState == "DEPLOYED" and isLanAttached is True.

                            if (
                                atch["lanAttachState"] == "DEPLOYED"
                                and atch["isLanAttached"] is True
                            ):
                                vrf_name = atch.get("vrfName", "unknown")
                                fabric_name = atch.get("fabricName", "unknown")
                                switch_ip = atch.get("ipAddress", "unknown")
                                switch_name = atch.get("switchName", "unknown")
                                vlan_id = atch.get("vlanId", "unknown")
                                msg = f"{self.class_name}.{method_name}: "
                                msg += f"Network attachments associated with vrf {vrf_name} "
                                msg += "must be removed (e.g. using the dcnm_network module) "
                                msg += "prior to deleting the vrf. "
                                msg += f"Details: fabric_name: {fabric_name}, "
                                msg += f"vrf_name: {vrf_name}. "
                                msg += "Network attachments found on "
                                msg += f"switch_ip: {switch_ip}, "
                                msg += f"switch_name: {switch_name}, "
                                msg += f"vlan_id: {vlan_id}"
                                self.module.fail_json(msg=msg)

fix for issue #356

Added two methods:

  • release_orphaned_resources()
  • release_resources_by_id()

release_orphaned_resources() creates a list of resource IDs which are "orphaned". In this context, "orphaned" means that the resource's allocatedFlag is False and the resourcePool.vrfName field is null. It then checks that the resource's entityName matches the current VRF name, and that the ressourcePool.fabricName matches the current fabric name. If all of this is True, then it adds the resource's id to a list of IDs to be deleted and passes that list to release_resources_by_id() which releases the resource IDs in the list.

In push_to_remote(), a call to release_orphaned_resources() is then made for every VRF that was previously deleted in push_diff_delete().

fix for issue #357

Previously, fail_json() was called only if the switch did not contain any interfaces with extensionValues. If an interface in the playbook contains a vrf_lite config, and the interface in this vrf_lite config does not match an interface on the switch with extensionValues, but at least one interface on the switch DOES have extensionValues, the generated payload for the interface in the vrf_lite config will be incomplete, which generates the 500 error.

The fix is to call fail_json() if any interface in the playbook's vrf_lite config does not match an interface with extensionValues on the switch. This new check causes several unit-tests to fail, since the unit-tests meet all the conditions for fail_json() to be called with this new check in place. These unit-tests need to be modified so that the interface in the vrf_lite config will match one of the interfaces in the test case fixture that contains extensionValues.

Improve code readability

Refactored a few bits of code that were duplicated in multiple places into the following methods

  • compare_properties()
  • find_dict_in_list_by_key_value()
  • to_bool()
  • dict_values_differ()
  • get_vrf_objects()
  • get_vrf_lite_objects()
  • get_items_to_detach()

Reversed the logic of several conditionals to reduce indentation.

Examples can be found in:

  • get_have()
  • push_to_remote()

Populate dicts before appending them to list

Previously, dicts were appended to a list (within another dict) and then populated. This resulted in code that was harder to read due to the multi-level accesses made when setting each key/value in the embedded dict. This was changed in a couple places so that we first populate the dict, and then append the dict to the list afterwards.

Examples in:

  • get_have()
  • update_attach_params()

Use in to simplify or conditionals

For example, changed:

if state == "merged" or state == "overridden" or state == "replaced":

To:

if state in ("merged", "overridden", "replaced"):

Rename vars whose names were hard to understand

In some cases, the name was hard to understand, and didn't add any value. In these cases, used a generic name like item instead:

a_l renamed to item

In other cases, the name was ambiguous:

dep_vrf seemed to me to mean "dependent vrf", but it actually means "deploy vrf", so renamed it to deploy_vrf. Several other cases along these lines.

Harden against KeyErrors and misinterpreted booleans

Removed all bool() casts

In multiple places bool(thing) was used to try to cast thing into a boolean. This can (potentially) result in misinterpretation of thing. For example:

bool("false") returns True.

Removed all cases of bool() casts since debugging these showed that, in all of them, the thing being casted was already a boolean. Hence, in these cases, there was no misinterpretation, but casting to bool should be considered bad practice in most circumstances.

Harden against KeyError

Several places were accessing dict keys directly without using dict.get(). Changed those that I noticed.

Add logging

Standard python logging was added (similarly to e.g. dcnm_fabric, etc).

  • self.class_name was added to init() and used in all logged messages.
  • inspect is used to add the method name to all logged messages and to messages passed to fail_json().
  • Added logging of data structure contents in many places to help with future refactoring.

One issue that adding logging raised is that unit tests failed until the following was changed in main():

From:

    # Logging setup
    try:
        log = Log()
        log.commit()
    except (TypeError, ValueError) as error:
        module.fail_json(str(error))

To:

    # Logging setup
    try:
        log = Log()
        log.commit()
    except (TypeError, ValueError) as error:
        pass

The issue seems to be that the dcnm_vrf unit tests are run like this:

result = self.execute_module(changed=True, failed=False)

And somehow (which I don't understand) this is causing the following error in logging.config.DictConfigurator (part of the standard Python logging system), but ONLY when unit tests for log_v2.py are run in the same session as unit tests for dcnm_vrf.py, i.e.:

The following results in the error:

pytest -k "test_dcnm_vrf or test_log"

Whereas the following does not:

pytest -k test_log
pytest -k test_dcnm_vrf

                for name in sorted(handlers):
                    try:
                        handler = self.configure_handler(handlers[name])
                        handler.name = name
                        handlers[name] = handler
                    except Exception as e:
                        if ' not configured yet' in str(e.__cause__):
                            deferred.append(name)
                        else:
>                           raise ValueError('Unable to configure handler '
                                             '%r' % name) from e
E                                            ValueError: Unable to configure handler 'file'

Which is called from common/log_v2.py, in enable_logging() here:

        try:
            dictConfig(logging_config)
        except (RuntimeError, TypeError, ValueError) as error:
            msg = "logging.config.dictConfig: "
            msg += f"Unable to configure logging from {self.config}. "
            msg += f"Error detail: {error}"
>           raise ValueError(msg) from error
E           ValueError: logging.config.dictConfig: Unable to configure logging from /private/var/folders/xc/1kd3k6xx1vlgw_pfqrckmqsm0000gn/T/pytest-of-arobel/pytest-35/test_log_v2_002500/log_dir/logging_config.json. Error detail: Unable to configure handler 'file'

So, maybe something having to do with the use of the temporary path /private/var/..., or permissions on this path when both tests are run, or the path's length?

Will investigate further, but the "fix" (ugly as it is) above works for both the unit tests and for normal usage.

The fix entails a modification to wait_for_vrf_del_ready()

In both the legitimate case (user trying to delete a VRF after having removed all network attachments) `lanAttachState` very briefly transitions to DEPLOY before transitioning to its final state of NA.  However, in this case, `isLanAttached` (in the same data structure) is False.  Whereas in the illegitimate case (user hasn't removed network attachments) `isLanAttached` is True.  Hence, we can leverage `isLanAttached` to differentiate between legitimate and illegitimate cases.

Adding another conditional that checks if `lanAttachState` == DEPLOY AND `isLanAttached` == True.  If this is the case, then the user is trying to delete a VRF that still contains network attachments and we now fail immediately with an appropriate error message.

Other changes:

1. Add standard python logging

2. Use `ControllerVersion()` to retrieve the NDFC version and remove import for `dcnm_version_supported`

3. Use `FabricDetails()` to retrieve fabric type.

4. Modify `update_attach_params()` to improve readability by first populating the neighbor dictionary before appending it.  This way, we avoid a lot of unsightly accesses to element 0 of the list.  For example:

```python
                    if a_l["peer_vrf"]:
                        vrflite_con["VRF_LITE_CONN"][0]["PEER_VRF_NAME"] = a_l["peer_vrf"]
                    else:
                        vrflite_con["VRF_LITE_CONN"][0]["PEER_VRF_NAME"] = ""
```

Becomes:

```python
                    if a_l["peer_vrf"]:
                        nbr_dict["PEER_VRF_NAME"] = a_l["peer_vrf"]
                    else:
                        nbr_dict["PEER_VRF_NAME"] = ""
```

5. diff_for_attach_deploy() - Reduce indentation by reversing logic of conditional.

The following:

```python
                                    if wlite["IF_NAME"] == hlite["IF_NAME"]:
                                        # Lots of indented code ...
```

Becomes:

```python
                                    if wlite["IF_NAME"] != hlite["IF_NAME"]:
                                        continue
                                    # unindent the above code
```

6. get_have()

- Reduce indentation levels by reversing logic (similar to #5 above)

7. Add method want_and_have_vrf_template_configs_differ(), see next item.

8. diff_for_create()

- Leverage want_and_have_vrf_template_configs_differ() to simplify.

9. Add method to_bool(), see next item

10. diff_for_attach_deploy()

- Simplify/shorten by leveraging to_bool()

11. In multiple places, ensure that a key exists before accessing it or deleting it.

12. Run though black

13. Several minor formatting changes for improved readability.
The initial implementation would return True for e.g. "false" since bool(non-null-string) is always True.

1. Modify to explicitly compare against known boolean-like strings i.e. "false", "False", "true", and "True".

2. Add the caller to the error message for better debugging ability in the future.
* Fix for issue 347

Manually tested this to verify.

Still need to update integration and unit tests.

* dcnm_image_policy: Update integration test

Update integration test for overridden state.

1. playbooks/roles/dcnm_image_policy/dcnm_tests.yaml

- Add vars
    - install_package_1
    - uninstall_package_1

2. test/integration/targets/dcnm_image_policy/tests/dcnm_image_policy_overridden.yaml

- Add packages.install and packages.uninstall configuration
- Verify that merged state adds these packages to the controller config
- Verify that overridden state removes packages.install and packages.uninstall
- Verify that overridden state metadata.action is "replace" instead of "update"
Two bits of vulnerable code found when porting to ndfc-python.

1. plugins/modules/dcnm_fabric.py

Accessing dictionary key directly can lead to a KeyError exception.

2. plugins/module_utils/fabric/replaced.py

If user omits the DEPLOY parameter from their playbook (ndfc-python) the DEPLOY key would be None, and not get popped from the payload.  This would cause NDFC to complain about an invalid key in the payload.  We need to unconditionally pop DEPLOY here, if it's present.  Hence, we've removed the value check (if DEPLOY is not None).
1. Removed all instances where values were cast to bool.  These potentially could result in bad results e.g. bool("false") returns True.

2. Renamed and fixed want_and_have_vrf_template_configs_differ().

Renamed to dict_values_differ()

Fix was to add a skip_keys parameter so that we can skip vrfVlanId in one of the elif()s

3. Added some debugging statements.
1. find_dict_in_list_by_key_value() new method to generalize and consolidate duplicate code.

2. Remove a few cases of single-use vars.

3. Run though black
I opened an issue to track what this comment describes, so can remove the comment from the module.

#352
1. Replace several bits that can be replaced with a call to get_vrf_lite_objects().

2. Fix a few pylint f-string complaints.  There are many more of these, which we'll address in the next commit.  One of these required a change to an associated unit test.
1. Appease pylint f-string complaints

2. optimize a couple conditionals

3. Change an "== True" to the preferred "is True"

4. Add a few TODO comments
@allenrobel allenrobel added the Work in Progress Code not ready for review. label Dec 5, 2024
@allenrobel allenrobel self-assigned this Dec 5, 2024
Unit tests pass locally if Ithe tests in the following file are disabled:

~/test/unit/module_utils/common/test_log_v2.py.

Temporarily disabling these to see if the same is seen when running the unit tests on Github.

If the same is seen, will debug why this is happening.
Fix bare-except and dangerous-default-value errors.
test_dcnm_vrf.py: Removed two (out of four) contiguous blank lines.
python 3.9 doesn't like:

def find_dict_in_list_by_key_value( ... ) -> dict | None:

Removed the type hint:

def find_dict_in_list_by_key_value( ... ):
If we fail_json(), or even if we sys.exit() in main() logging setup, the unit tests fail.

The failure is a KeyError in logging.config.dictConfig when disabling logging in log_v2.py:

    def disable_logging(self):
        logger = logging.getLogger()
        for handler in logger.handlers.copy():
            try:
                logger.removeHandler(handler)
            except ValueError:  # if handler already removed
                pass
        logger.addHandler(logging.NullHandler())
        logger.propagate = False

Above, the KeyError happens here

logger.removeHandler(handler)

The value of handler when this happens is "standard"

I'm not sure why this happens ONLY when the log_v2.py unit tests are run prior to the dcnm_vrf.py unit tests (running these tests separately works).

For now, a "fix" is to pass in the except portion of the try/except block in dcnm_vrf.py main().

def main():
    try:
        log = Log()
        log.commit()
    except (TypeError, ValueError) as error:
        pass

Will investigate further, but the above works, and logging is enabled with no issue in normal use.

Am renaming __DISABLE_test_log_v2.py back to test_log_v2.py
Remove unused import (sys, added to test fixes for the unit test failures).

Remove extra lines.
@allenrobel allenrobel added ready for review PR is ready to be reviewed and removed Work in Progress Code not ready for review. labels Dec 5, 2024
@allenrobel allenrobel linked an issue Dec 5, 2024 that may be closed by this pull request
Modify another OR-conditional to use the preferred:

if X "in" (X, Y, Z):
Use generic names for the two dicts.
plugins/modules/dcnm_vrf.py Outdated Show resolved Hide resolved
plugins/modules/dcnm_vrf.py Outdated Show resolved Hide resolved
plugins/modules/dcnm_vrf.py Outdated Show resolved Hide resolved
1. Include all vars used in the dcnm_vrf integration tests.

2. Update the path to dynamic_inventory.py
Address mwiebe comments by including more detailed usage and examples.

Add fabric_2, fabric_3 in case any tests require more than one fabric.
1. The current interface var names did not incorporate a way to encode switch ownership.  Modified the var naming to allow for specifying multiple interfaces per switch in such a way that the switch ownership of an interface is evident.

This is documented in:

playbooks/files/dynamic_inventory.py

2. Modified all dcnm_vrf test cases to align with this convention.

- Updated test case header comments with the new usage
- Updated all test case interface vars
- Ran the following tests
  - deleted.yaml
  - overridden.yaml
  - replaced.yaml
  - query.yaml
  - sanity.yaml

3. dynamic_interface.py

In addition to the changes above:

- Fixed the documentation for environment variable ND_ROLE (previously it was misnamed NDFC_ROLE in the documentation, but was correct -- ND_ROLE -- in the actual usage).

- Fix Markdown heading levels
1. Use standardized task titles
2. Print results prior to each assert
1.  dcnm_vrf: use switch_1, switch_2, switch_3 directly
2. Add scale role to the 'if nd_role' conditional
@allenrobel allenrobel linked an issue Dec 13, 2024 that may be closed by this pull request
1. Fix case where previous commit in this PR broke undeploy.

2. Fix for issue #356

2. Update unit tests to align with changes in this commit

3. Some simplifications, including

- Add a method send_to_controller() to aggregate POST, PUT, DELETE verb handling.  This method calls dcnm_send() and then calls the response handler, etc.  This removes duplicated code throughout the module.

- Refactor vrf_lite handlng out of update_attach_params() and into new method update_attach_params_extension_values()

- Never noticed this, but it appears we don't have to use inspect() with the new logging system, except in cases where fail_json() is called.  Removed inspect() from all methods that do not call fail_json()

- New method is_border_switch() to remove this code from push_diff_attach() and for future consolidation into a shared library.

- Move dcnm_vrf_paths dictionary out of the class.  These endpoints will later be moved to common/api/ep/.

- in __init__(), add self.sn_ip, built from self.ip_sn.  There were several case where the module wanted a serial_number given an ip_address.  Added two methods that leverage self.sn_ip and self.ip_sn:

- self.serial_number_to_ip()
- self.ip_to_serial_number()

Replaced all instances where duplicated code was performing these functions.
@allenrobel allenrobel linked an issue Dec 16, 2024 that may be closed by this pull request
@allenrobel allenrobel added Work in Progress Code not ready for review. and removed ready for review PR is ready to be reviewed labels Dec 16, 2024
1. Potential fix for issue #357

If any interface in the playbook task's vrf_lite configuration does not match an interface on the switch that had extensionValues, call fail_json().

- Refactor vrf_lite processing out of push_diff_attach() and into:

- update_vrf_attach_vrf_lite_extensions()

- In update_vrf_attach_vrf_lite_extensions() verify that all interfaces in the playbook's vrf_lite section match an interface on the switch that has extensionValues.  If this check fails, call fail_json()

2. Rename get_extension_values_from_lite_object() to get_extension_values_from_lite_objects() and be explicit that the method takes a list of objects and returns a list of objects, or an empty list.

3. Add some debug statements

4. Rename vrf to vrf_name in push_to_remote()
@allenrobel allenrobel changed the title dcnm_vrf fix issue 351 dcnm_vrf fix issues #351, #356, #357 Dec 16, 2024
allenrobel and others added 6 commits December 16, 2024 07:43
1. Update task titles to group tests.

2. Print results before each assert stanza.

3. Increase pause after VRF deletion from 40 to 60 seconds.
Update the comment for test 3b to indicate that the workaround is needed only when Overlay Mode is set to "config-profile" (which is the default for new fabrics).  The issue does not happen when Overlay Mode is set to "cli".
1. Uncommenting a call to dcnm_get_ip_addr_info() after realizing it also converts serial numbers to ip addresses.

2. Added a method to break up long lists into a list of lists comprizing smaller lists.  This is called in release_resources_by_id() to limit the size of the list of IDs we send to the controller to 512.  The actual size NDFC can process is somewhere between 512 and 630, but don't know exactly what the limit is, so leaving at 512.

I checked later and, since we are processing the release of IDs per-vrf, we are not sending anywhere near a 512 item list, but get_list_of_lists() will be a noop if the length is under (in this case) 512, so no harm adding this.  And, depending on the number of switches in a fabric, this could actually be larger than 512 in some environments.
Due to refactoring, conf_changed was set in diff_merge_create() and then cleared before being accessed in diff_merge_attach().  These two methods used to be part of a larger method before the refactoring, so the value of conf_changed was accessible by diff_merged_attach().

This commit does the following to rectify this.

1.Change the scope of conf_changed to class scope by renaming to self.conf_changed and initializing self.conf_changed in __init__().

2. In diff_merge_attach(), remove the line where conf_changed was initialized.

3. Rename an unrelated var (named conf_changed, but is a boolean) to configuration_changed to avoid any future confusion.

4. In diff_merge_attach() (re)initialize self.conf_changed to {}.

All Integration tests have been run with these changes and pass.
Some test cases were previously (incorrectly) passing, but starting failing after the commit for issue #357   This commit updates these test cases to (correctly pass and adds corresponding test cases which (correctly) fail.

1. Updated test cases that previously passed incorrectly to now pass correctly.  These test cases previously passed despite using an interface that did not contain extensionValues.  Modified these test cases to use an interface WITH extensionValues.

2. Added test cases, corresponding to the above test cases, which fail due to using an interface without extensionValues.  These test cases are modified to expect fail_json() to be called.

3. Modified ALL testcases to call self.test_data.get() to retrieve their playbook.  Previously, global vars were used for their playbook.  This has a couple advantages.  a. when a testcase (or set of testcases) are run, only the playbook fixtures needed to be retrieved are retrieved.  Previously, ALL playbook fixtures where retrieved even if only one test case was run.  b. The dict() definition is now simpler and more consistent between testcases, since the config key in the dict() will always be playbook i.e. dict(config=playbook), where previously the config key contained different vars for every testcase.

4. Fixed a reference to a non-existent fixture in delete_std_lite.

This test case was trying to access self.mock_vrf_attach_get_ext_object_dcnm_att4_only, which does not exist.  Modified it to use self.mock_vrf_attach_get_ext_object_dcnm_att2_only.

5. Ran black, isort linters.
1. The first return statement was inconsistent with the second return statement.  Fixed by adding the boolean configuration_changed to the first return statement.

2. All the other changes are due to running the black and isort linters.
In push_diff_attach(), only the last update to lan_attach_list was being appended to diff_attach_list because the update to dif_attach_list was happening outside the 'for diff_attach` loop.

The fix was to indent the append for new_diff_attach_list to be under the 'for diff_attach' loop.
@allenrobel allenrobel added ready for review PR is ready to be reviewed and removed Work in Progress Code not ready for review. labels Jan 6, 2025
@allenrobel allenrobel changed the title dcnm_vrf fix issues #351, #356, #357 dcnm_vrf: fix issues #351, #356, #357 Jan 8, 2025
@allenrobel allenrobel changed the title dcnm_vrf: fix issues #351, #356, #357 dcnm_vrf: Fix issues #351, #356, #357 Jan 8, 2025
@mikewiebe mikewiebe merged commit 9e49fc9 into develop Jan 16, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ready for review PR is ready to be reviewed
Projects
None yet
2 participants