Candidate configuration modes

To configure the router using the MD-CLI, the user must enter a configuration mode using the explicit or implicit configuration workflow.

The configuration workflow (implicit or explicit) determines if the user is restricted to the configure branch or if the user can navigate freely while in configuration mode. For more information about configuration workflows, see Implicit and explicit configuration workflows.

The configuration mode determines the interaction with other simultaneous configuration sessions. Table: Configuration mode overview provides an overview of the available configuration modes:

Table: Configuration mode overview

Candidate configuration accessed
  • Private configuration mode: Private candidate configuration
  • Exclusive configuration mode: Global candidate configuration
  • Global configuration mode: Global candidate configuration
  • Read-only configuration mode: Global candidate configuration

Single vs multiple users
  • Private configuration mode: Multiple users can simultaneously configure their own private candidate
  • Exclusive configuration mode: Only one user can configure the global candidate
  • Global configuration mode: Multiple users can simultaneously configure the shared global candidate
  • Read-only configuration mode: Multiple users can have simultaneous read-only access to the global candidate

Privacy
  • Private configuration mode: User can see own changes. Changes are not visible for read-only sessions.
  • Exclusive configuration mode: User can see own changes. Changes are visible for read-only sessions.
  • Global configuration mode: User can see changes from other global configuration sessions. Changes are visible for read-only sessions.
  • Read-only configuration mode: Users can see changes from global or exclusive configuration sessions

Commits
  • Private configuration mode: Own changes are committed
  • Exclusive configuration mode: Own changes are committed. Commits from other configuration changes are blocked.
  • Global configuration mode: Changes made by all global configuration sessions are committed
  • Read-only configuration mode: Users cannot commit

Update needed?
  • Private configuration mode: Yes - baseline can become out-of-date when another private or global configuration session commits
  • Exclusive configuration mode: No - baseline is always up-to-date. Other configuration sessions cannot commit.
  • Global configuration mode: Yes - baseline can become out-of-date when a private configuration session commits
  • Read-only configuration mode: No - updates are not allowed in read-only configuration mode

Multiple simultaneous candidate configurations

As introduced in Transactional configuration method, configuration changes are made in a candidate configuration and copied to the running configuration when the changes are committed and become active.

This section describes:

The following figure shows multiple candidate configurations.

Figure: Multiple candidate configurations

The running configuration is the active configuration of the router and is stored in the running datastore. There is only one running configuration in the router and therefore, only one running datastore. The running datastore is always instantiated.

The candidate configuration is a working configuration that contains changes before they are activated in the router. A candidate configuration uses two datastores:

Multiple candidate configurations can exist simultaneously in the router with one of the following:

When a configuration session commits its candidate configuration, the router performs the following actions:

  1. verifies the running configuration has not been changed by another configuration session

  2. validates the candidate configuration by verifying the logic, constraints, and completeness of the candidate configuration

  3. activates the candidate configuration by sending the new candidate configuration to the corresponding applications

After a successful commit, the changes are copied to the running datastore, the baseline datastore contains a new copy of the running datastore, and the candidate datastore is empty.

Furthermore, when simultaneous configuration sessions access different candidate configurations:

Each configuration session adds changes in the candidate datastore relative to the baseline associated with the candidate configuration. The baseline datastore contains a snapshot copy of the running datastore at a specific time. Therefore, multiple, simultaneous configuration sessions that are active in the router and that access different candidate configurations have their own unique view of the candidate configuration and cannot see other users’ changes, as shown in the following figure.

Figure: Simultaneous configuration sessions

Changes in a candidate configuration can only be committed when the running configuration has not been changed or touched after the baseline snapshot was taken. In other words, the baseline must be up to date to commit the changes.

The following figure shows how the baseline datastore of user-2’s candidate configuration is out-of-date after user-1 committed its changes. An exclamation mark (!) is shown in the prompt to indicate an out-of-date baseline status.

Figure: Simultaneous configuration sessions - baseline out-of-date

Because the baseline is out-of-date, user-2 must update its candidate configuration before committing. An update copies a new snapshot from the running datastore to the baseline datastore and merges the changes from the candidate datastore, as shown in the following figure.

Figure: Simultaneous configuration sessions - update

With more than one user working on the same part of the configuration, conflicts can occur when committed changes of one user’s configuration session are merged into another user’s candidate configuration. A merge conflict occurs when a configuration element is added, deleted, or modified in the candidate configuration and the same configuration element is also added, deleted, or modified in the running configuration after the baseline snapshot was taken. With the update command, the router resolves each merge conflict and installs the result in the candidate configuration, as shown in the following figure.

Figure: Simultaneous configuration sessions - merge conflict

When a commit operation is executed in a configuration session while the baseline is out-of-date, the router first attempts to automatically update the candidate configuration. If a merge conflict is detected, the commit operation is canceled, to allow the administrator to resolve the merge conflicts manually. The candidate configuration remains in the same state as before the commit operation.

In configuration mode, the administrator can use the following tools to check and resolve potential merge conflicts:

Conflict detection and resolution is detailed in Updating the candidate configuration.
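
The commit, out-of-date baseline, update, and merge conflict behavior described above can be traced with a small model. This is an added example, not SR OS code: the class and method names and the sample paths are constructed, and the policy that an update keeps the session's own change on a conflict is an assumption of the model.

```python
ABSENT = object()  # toy model (added example, not SR OS code): "no such element"

class MergeConflict(Exception): pass

class Router:
    def __init__(self, running):
        self.running, self.commits = dict(running), 0  # commits: bumped when running changes

class Session:
    """A private configuration session: baseline snapshot plus own changes."""
    def __init__(self, router):
        self.router, self.changes = router, {}  # changes = candidate datastore
        self._snapshot()

    def _snapshot(self):
        self.baseline = dict(self.router.running)
        self.baseline_commits = self.router.commits

    def out_of_date(self):  # the state the MD-CLI prompt flags with "!"
        return self.baseline_commits != self.router.commits

    def conflicts(self):
        # Elements changed in the candidate AND in running since the baseline
        run, base = self.router.running, self.baseline
        return sorted(p for p in self.changes
                      if run.get(p, ABSENT) != base.get(p, ABSENT))

    def update(self):
        resolved = self.conflicts()  # assumption: the session's own change wins
        self._snapshot()
        return resolved

    def commit(self):
        if self.out_of_date():                 # step 1: baseline check
            clashes = self.conflicts()
            if clashes:                        # commit canceled, candidate untouched
                raise MergeConflict(clashes)
            self._snapshot()                   # conflict-free automatic update
        # step 2 (validation) is outside this model
        self.router.running.update(self.changes)   # step 3: activate
        self.router.commits += 1 if self.changes else 0
        self.changes = {}                      # candidate datastore is empty
        self._snapshot()                       # baseline = new copy of running

def demo():
    r = Router({"interface my-int mtu": 1500})      # constructed sample data
    u1, u2 = Session(r), Session(r)
    u1.changes["interface my-int mtu"] = 9000
    u2.changes.update({"interface my-int mtu": 4000, "interface new-int mtu": 1500})
    u1.commit()
    stale, canceled = u2.out_of_date(), []
    try:
        u2.commit()                            # auto-update hits a conflict
    except MergeConflict as exc:
        canceled = exc.args[0]
    kept = dict(u2.changes)                    # unchanged by the failed commit
    u2.update()                                # manual update resolves it
    u2.commit()
    return stale, canceled, kept, r.running
```
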

Private configuration mode

In private configuration mode, a private candidate configuration is reserved for editing by a single private configuration session. Each private configuration session works on its own copy of the running configuration. Only the changes made in the private configuration session are visible and can be committed. Private configuration mode can be used when multiple users are configuring simultaneously on different parts of the router configuration.

A private configuration session has the following characteristics:

For simultaneous configuration sessions:

Datastore interactions include the following characteristics:

When entering private configuration mode, the following messages are displayed:

[/]
A:admin@node-2# configure private
INFO: CLI #2070: Entering private configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit

Note: To display the current active configuration sessions in the router, use the command show system management-interface configuration-sessions.

When leaving private configuration mode, the following messages are displayed:

Note: Private configuration mode should not be used in the MD-CLI when the router is also configured using NETCONF or gRPC for the following reasons:
  • Private candidate configurations are not visible over NETCONF or gRPC.

  • An equivalent function of the MD-CLI update command to manage an out-of-date baseline is not available in NETCONF or gRPC.

Exclusive configuration mode

In exclusive configuration mode, the global configuration is reserved for editing by a single read-write configuration session. In addition, the running datastore is locked such that no other configuration session can commit changes. Exclusive configuration mode can be used when important router configuration changes must be implemented that cannot be interrupted or delayed, and to avoid the risk of committing other users’ partially completed changes.

An exclusive configuration session has the following characteristics:

For simultaneous configuration sessions:

Datastore interactions include the following characteristics:

When entering exclusive configuration mode, the following messages are displayed:

Note:
  • MGMT_CORE #2052 is shown only when applicable.

  • To display the current active configuration sessions in the router, use the command show system management-interface configuration-sessions.

When leaving exclusive configuration mode, the following messages are displayed:

Global configuration mode

In global configuration mode, the global configuration is shared with all global configuration sessions. When a user commits their changes, the changes from all users are also committed. Global configuration mode can be used when multiple users are working together on the same part of the router configuration but is generally not recommended because it can cause unintended configuration to be committed.

A global configuration session has the following characteristics:

For simultaneous configuration sessions:

Datastore interactions include the following characteristics:

When entering global configuration mode, the following messages are displayed:

[/]
A:admin@node-2# configure global
INFO: CLI #2054: Entering global configuration mode
INFO: CLI #2055: Uncommitted changes are present in the candidate configuration
INFO: CLI #2075: Other global configuration sessions are active

Note:
  • CLI #2055 and CLI #2075 are shown only when applicable.

  • To display the current active configuration sessions in the router, use the command show system management-interface configuration-sessions.

When leaving global configuration mode, the following messages are displayed:

*[gl:/configure]
A:admin@node-2# exit all
INFO: CLI #2056: Exiting global configuration mode
INFO: CLI #2057: Uncommitted changes are kept in the candidate configuration

Note: CLI #2057 is shown only when applicable.

Read-only configuration mode

In read-only configuration mode, no changes can be made to the global candidate configuration and no changes can be committed to the running configuration. Read-only configuration mode can be used when reviewing or monitoring configuration changes from other users in the global candidate configuration.

A read-only configuration session has the following characteristics:

For simultaneous configuration sessions:

When entering read-only configuration mode, the following message is displayed:

[/]
A:admin@node-2# configure read-only
INFO: CLI #2066: Entering read-only configuration mode

When leaving read-only configuration mode, the following message is displayed:

*[ro:/configure]
A:admin@node-2# exit all
INFO: CLI #2067: Exiting read-only configuration mode

Transitioning between candidate configuration modes

Exclusive, global, and read-only configuration sessions that access the global candidate configuration can transition between these configuration modes without exiting and re-entering the configuration mode.

Transitions from and to private configuration mode are not allowed.

The following summarizes the configuration mode transitions and transitions to operational mode.

Table: Configuration and operational mode transitions

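Configuration and operational mode transition

From Global
  • To Global: X (footnote 1)
  • To Exclusive: Allowed; no other exclusive or global configuration session can be active; uncommitted changes are kept
  • To Read-only: Allowed; uncommitted changes are kept
  • To Private: X
  • To Operational mode: Allowed; uncommitted changes are kept

From Exclusive
  • To Global: Allowed; uncommitted changes are discarded
  • To Exclusive: X (footnote 1)
  • To Read-only: Allowed; uncommitted changes are discarded
  • To Private: X
  • To Operational mode: Allowed; uncommitted changes are discarded

From Read-only
  • To Global: Allowed; no exclusive configuration session can be active; uncommitted changes are kept
  • To Exclusive: Allowed; no other exclusive or global configuration session can be active; uncommitted changes are kept
  • To Read-only: X (footnote 1)
  • To Private: X
  • To Operational mode: Allowed; uncommitted changes are kept

From Private
  • To Global: X
  • To Exclusive: X
  • To Read-only: X
  • To Private: X (footnote 1)
  • To Operational mode: Allowed; uncommitted changes are discarded

From Operational mode
  • To Global: Allowed
  • To Exclusive: Allowed
  • To Read-only: Allowed
  • To Private: Allowed
  • To Operational mode: X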

Example

Transitioning from exclusive to global or read-only configuration mode causes the candidate changes to be discarded.

[/]
A:admin@node-2# edit-config exclusive
INFO: CLI #2060: Entering exclusive configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit

(ex)[/]
A:admin@node-2# configure router interface my-int

*(ex)[/configure router "Base" interface "my-int"]
A:admin@node-2# edit-config global
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.    
Exiting exclusive configuration mode will discard those changes.

Discard uncommitted changes? [y,n] n
INFO: CLI #2065: Exit exclusive configuration mode canceled

*(ex)[/configure router "Base" interface "my-int"]
A:admin@node-2# edit-config read-only
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.    
Exiting exclusive configuration mode will discard those changes.

Discard uncommitted changes? [y,n] y
WARNING: CLI #2062: Exiting exclusive configuration mode - uncommitted changes are discarded
INFO: CLI #2066: Entering read-only configuration mode

(ro)[/configure router "Base" interface "my-int"]
A:admin@node-2#

Switching from global or read-only to exclusive configuration mode is allowed when no other global or exclusive configuration session is active. Uncommitted changes in the global candidate configuration are kept.

Example

In the following example, the admin disconnect command is used to disconnect another active global configuration session before the current session can switch to exclusive configuration.

[/]
A:admin@node-2# edit-config global
INFO: CLI #2054: Entering global configuration mode
INFO: CLI #2075: Other global configuration sessions are active

(gl)[/]
A:admin@node-2# configure router interface new-int

*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# edit-config exclusive
MINOR: MGMT_CORE #2052: Exclusive datastore access unavailable - model-driven interface editing global candidate

*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# /show system management-interface configuration-sessions
===============================================================================
Session ID  Region                 Datastore                     Lock State
   Username                        Session Mode                  Idle Time
   Session Type                    From
-------------------------------------------------------------------------------
#22         configure              Candidate                     Unlocked
   admin                           Global                        0d 00:00:00
   MD-CLI                          135.244.144.235
 23         configure              Candidate                     Unlocked
   user-1                          Global                        0d 00:00:42
   MD-CLI                          135.244.144.235
-------------------------------------------------------------------------------
Number of sessions: 2
'#' indicates the current active session
===============================================================================

*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2#

*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# /admin disconnect session-id 23

*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# edit-config exclusive
INFO: CLI #2056: Exiting global configuration mode
INFO: CLI #2057: Uncommitted changes are kept in the candidate configuration
INFO: CLI #2060: Entering exclusive configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit

*(ex)[/configure router "Base" interface "new-int"]
A:admin@node-2#

Exclusive private configuration session

An exclusive private configuration session is reserved for system internal use.

Note: Exclusive private is not a configuration mode. Users cannot enter an exclusive private configuration mode.

Router configuration changes are made via an exclusive private configuration session as a result of the following scenarios:

It is important to be aware that an exclusive private configuration session can exist, as it interacts with other active configuration sessions in the following ways:

Restricting configuration mode sessions

It may be desirable to deny a user the ability to use specific configuration modes. For example, denying the use of exclusive configuration mode prevents the user from locking the configuration datastore, and denying the use of global configuration mode forces the user to work in a private candidate datastore.

It is possible to use AAA to deny access to particular configuration modes, as illustrated in the following configuration example.

Example

In this example, the user pr-user has profile admin-private. Entries 3 and 4 in the local profile effectively prevent users in the admin-private profile from entering the exclusive configuration mode in the MD-CLI.

[ex:/configure system security aaa local-profiles profile "admin-private"]
A:admin@node-2# info detail
## cli-session-group
    default-action permit-all
---snip---
    entry 3 {
     ## apply-groups
     ## description
        action deny
        match "edit-config exclusive"
    }
    entry 4 {
     ## apply-groups
     ## description
        action deny
        match "configure exclusive"
    }

[/]
A:pr-user@node-2# configure exclusive
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'configure'

[/]
A:pr-user@node-2# configure ?

 configure

 Configuration modes:
 global               - Enter global (shared) mode for candidate configuration.
 private              - Enter private mode for candidate configuration.
 read-only            - Enter read-only mode for candidate configuration.

          - Enter a candidate li configuration mode

[/]
A:pr-user@node-2# edit-config exclusive
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'edit-config'

[/]
A:pr-user@node-2# edit-config ?

 edit-config

 Configuration modes:
 global               - Enter global (shared) mode for candidate configuration.
 private              - Enter private mode for candidate configuration.
 read-only            - Enter read-only mode for candidate configuration.

 li                   - Enter a candidate li configuration mode

Example

The following additional entries in the profile prevent users from entering the global configuration mode in the MD-CLI.

[ex:configure system security aaa local-profiles profile "admin-pr"]
A:admin@node-2# info detail

---snip---

    entry 5 {
     ## apply-groups
     ## description
        action deny
        match "configure global"
    }
    entry 6 {
     ## apply-groups
     ## description
        action deny
        match "edit-config global"
    }

[]
A:pr-user@node-2# configure ?

 configure

 Configuration modes:
 private              - Enter private mode for candidate configuration.
 read-only            - Enter read-only mode for candidate configuration.

[]
A:pr-user@node-2# edit-config ?

 edit-config

 Configuration modes:
 private              - Enter private mode for candidate configuration.
 read-only            - Enter read-only mode for candidate configuration.

 li                   - Enter a candidate li configuration mode

[]
A:pr-user@node-2# configure global
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'configure'

[]
A:pr-user@node-2# edit-config global
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'edit-config'
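
Both examples deny a mode with a pair of entries, one for configure and one for edit-config. The following added example (not SR OS code) audits a profile listing for modes where only one of the two commands is denied. It assumes default-action permit-all and literal comparison of the match string; the function names and the sample profile, including its lone entry 5, are constructed.

```python
import re

# Added example, not SR OS code. Assumption: a "match" string is compared
# literally with "<command> <mode>"; SR OS match semantics are not modelled.
MODES = ("exclusive", "global", "private", "read-only")
ENTRY_COMMANDS = ("configure", "edit-config")  # both commands enter a mode
ENTRY_RE = re.compile(r"entry\s+(\d+)\s*\{(.*?)\}", re.S)

def denied_matches(profile_text):
    """Return {match string: entry id} for entries whose action is deny."""
    denied = {}
    for entry_id, body in ENTRY_RE.findall(profile_text):
        action = re.search(r"^\s*action\s+(\S+)", body, re.M)
        match = re.search(r'^\s*match\s+"([^"]*)"', body, re.M)
        if action and match and action.group(1) == "deny":
            denied[match.group(1)] = int(entry_id)
    return denied

def audit_modes(profile_text):
    """Map each mode to ('denied' | 'partial' | 'permitted', unmatched commands)."""
    default = re.search(r"^\s*default-action\s+(\S+)", profile_text, re.M)
    if not default or default.group(1) != "permit-all":
        raise ValueError("audit only covers profiles with default-action permit-all")
    denied = denied_matches(profile_text)
    report = {}
    for mode in MODES:
        open_cmds = [f"{c} {mode}" for c in ENTRY_COMMANDS
                     if f"{c} {mode}" not in denied]
        state = ("denied" if not open_cmds else
                 "partial" if len(open_cmds) < len(ENTRY_COMMANDS) else "permitted")
        report[mode] = (state, open_cmds)
    return report

# Constructed sample: entries 3 and 4 as on the page, plus a lone entry 5
SAMPLE_PROFILE = '''
    default-action permit-all
    entry 3 {
        action deny
        match "edit-config exclusive"
    }
    entry 4 {
        action deny
        match "configure exclusive"
    }
    entry 5 {
        action deny
        match "configure global"
    }
'''

if __name__ == "__main__":
    for mode, (state, open_cmds) in audit_modes(SAMPLE_PROFILE).items():
        print(f"{mode:10} {state:10} still permitted: {open_cmds}")
```

A mode reported as partial is still reachable through the command listed beside it, so the profile needs the second deny entry before the restriction holds.
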

Footnote 1: Allowed, but no functional value