Question:
How does the Locking and Snapshot feature work in the Versa Director?
This article describes the Resource Locking and Snapshot feature in Versa Director.
Resource Locking
Resource Locking is an important aspect of Network Management Systems. This feature prevents another user from making changes to the configuration of a resource until the completion of certain activities. The resource is unlocked and available for modification only after completion of the activity.
Versa Director allows this functionality at the device level and template level. A user can prevent other users from making changes to a device or a template by locking that particular device or template. The owner is the user who has locked the resource. A lock has one of these two modes:
- All users are locked, including the owner: In this situation, no changes are allowed on the resource, even if the owner attempts them. This is typically used when the user does not want any change in the system until a critical situation has passed.
- All users are locked, except the owner: In this case, the owner can make changes but others cannot. This is particularly useful when the user is in the process of making some critical changes but does not want others to make changes that can interfere with what is being modified.
These locks are persistent: they remain in effect across system restarts and across user sessions. The lock itself can be released by the owner or the Administrator.
NOTE: In the Versa Director, locks are valid only from the perspective of the GUI and the REST layer. They are not applicable at the CLI level.
Once a device is locked, the Resource Locking feature prevents users from making any configuration changes under the appliance context, and from using the REST API to make device configuration changes. Any attempt to apply a template on the device is rejected.
This image shows how to lock a resource.
Similarly, the Versa Director also supports Template locking. Once a template is locked, the contents of the template cannot be modified.
NOTE: The locked template can be re-applied on the device. This ensures that you can reuse the template for the application but prevent any changes to the template itself.
Device and Template Snapshots
A mechanism to restore older configurations is essential to a Network Management System.
Limitations of rollback and commit and why the Director doesn’t support them
Network elements sometimes support the ability to roll back a commit performed on the device. The idea is to revert a commit. This makes perfect sense at an appliance level, where the changes are typically at the configuration level. Though an extension of this behavior to the Orchestrator level seems natural, it has limitations and in many cases is not possible at all. The Versa Director is a much more complex system, and these are some of the reasons:
- It is not possible to revert arbitrary transactions. Reverting a transaction is possible only if the dependencies are satisfied. The required dependency might have been removed in a different transaction altogether. For instance, a firewall policy rule which was deleted might be referring to a zone which was removed in a separate transaction.
- Versa Director is a complex system involving workflows that spawn multiple transactions. Reverting multiple transactions is error prone and leads to inconsistencies.
- If an appliance is deleted and a revert request is raised, then it is not possible to recreate the deleted instance and apply the configuration back.
- The Versa Director has multiple data sources internally, such as the CDB for storing configuration data, Postgres, and internal caches. Reverting the system means undoing all the changes in CDB, Postgres and the caches. This cannot be foolproof.
What the Versa Director offers as an alternative is the ability to take device and template level snapshots which can be restored at will. This is a more reliable approach than an attempt to revert an arbitrary commit. The image below shows a screenshot of the snapshot feature.
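The first limitation above, worked through as an added example (a constructed toy model, not Versa Director code): a rule deletion and a zone deletion are committed as separate transactions, so reverting only the rule deletion is rejected, while restoring a snapshot brings both objects back together. The names ConfigStore, the zone trust and the rule allow-web are assumptions made for illustration.

```python
class DependencyError(Exception):
    """A rule would refer to a zone that does not exist."""

class ConfigStore:
    """Toy configuration store: a constructed model, not Versa Director code."""
    def __init__(self):
        self.zones, self.rules, self.log = set(), {}, []  # rules: name -> zone

    def commit(self, op, kind, name, zone=None):
        zones, rules = set(self.zones), dict(self.rules)  # work on a copy
        if kind == "zone":
            (zones.add if op == "add" else zones.discard)(name)
        elif op == "add":
            rules[name] = zone
        else:
            zone = rules.pop(name, None)  # remember the zone for a later revert
        missing = {r: z for r, z in rules.items() if z not in zones}
        if missing:  # reject the commit; the stored state is left untouched
            raise DependencyError(f"rules refer to missing zones: {missing}")
        self.zones, self.rules = zones, rules
        self.log.append((op, kind, name, zone))
        return len(self.log) - 1  # transaction id

    def revert(self, txn_id):
        op, kind, name, zone = self.log[txn_id]  # undo by committing the inverse
        return self.commit("delete" if op == "add" else "add", kind, name, zone)

    def snapshot(self):
        return set(self.zones), dict(self.rules)

    def restore(self, snap):
        self.zones, self.rules = set(snap[0]), dict(snap[1])

def demo():
    store = ConfigStore()
    store.commit("add", "zone", "trust")
    store.commit("add", "rule", "allow-web", "trust")
    snap = store.snapshot()  # consistent state: rule and zone both present
    rule_del = store.commit("delete", "rule", "allow-web")
    store.commit("delete", "zone", "trust")  # separate transaction
    try:
        store.revert(rule_del)  # tries to re-add a rule whose zone is gone
        error = None
    except DependencyError as exc:
        error = str(exc)
    store.restore(snap)  # the snapshot restores rule and zone as one unit
    return error, store.rules, store.zones
```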
Feature Availability
Device and template level Locks | Available in Release 16.1R1.
Device and template level Snapshots | Available in Release 16.1R2.
NOTE: In the Director, the locks are valid only from the perspective of the UI and the REST layer; they are not applicable at the CLI level.