fix(schema): no network validation on netplan systems without API #5254
Conversation
Do not validation network config against cloud-init's network v2 schema on netplan systems because netplan schema supports keys not present in cloud-init's v2 schema which can result in schema warnings from cloud-init which are perfectly acceptable netplan config keys. Given that cloud-init performs a clean passthrough of network version 2 directly to netplan without trying to process the network configuration, there is little value in providing such schema warnings unless cloud-init's network v2 schema is aligned with the specific netplan schema supported for each release. On mantic and later, cloud-init will call netplan's python API to validate schema with netplan itself, but prior to Ubuntu Mantic no python API exists, so we cannot validate network v2 against netplan. Update skip messaging and integration tests.
There was a problem hiding this comment.
This changeset solves the issue. I left some inline comments which are probably not meant to be solved as part of this PR, that could improve this module/functionality from a developer POV.
In addition to them, I would like to add that, at least, validate_cloudconfig_schema, validate_cloudconfig_file and cloud.config (within those functions) symbols do not refer anymore to only cloud-configs as they can also act upon network-configs, I'd like to see them renamed to reflect this fact. Problably a s/cloudconfig/config/ on them? Again, this is not blocking this PR, but it is something that I think developers would benefit from.
| # This may result in schema warnings for valid netplan config | ||
| # which would be successfully rendered by netplan but doesn't | ||
| # adhere to cloud-init's network v2. | ||
| return False |
There was a problem hiding this comment.
This change adds a new False exit point with a new meaning, invalidating the print statement in
cloud-init/cloudinit/config/schema.py
Line 1177 in fdc1e45
At a minimum, could we extend that print message? This is not needed because validate_cloudconfig_file manually calls netplan_validate_network_schema and repeat this plumbing.
There was a problem hiding this comment.
Not for this PR, but this function's documentation is not immediately clear. If I read the documentation, without reading the code, I do not understand that the validation is materialized as log warnings and that the boolean return value represents if the validation was performed or not.
There was a problem hiding this comment.
This change adds a new
Falseexit point with a new meaning, invalidating the print statement incloud-init/cloudinit/config/schema.py
Line 1177 in fdc1e45
.
We don't actually get to 1177 when on netplan and no netplan API is present because of the new segment that I introduced 10 lines above that
cloud-init/cloudinit/config/schema.py
Lines 1157 to 1162 in fdc1e45
At a minimum, could we extend that print message?This is not needed becausevalidate_cloudconfig_filemanually callsnetplan_validate_network_schemaand repeat this plumbing.
I do agree though that validate_cloudconfig_schema & _file functions need a significant refactor to avoid this complexity of schema handling. output formatting differences and duplication of logic. Maybe we take this as a separate issue to resolve at a later time?
| @@ -1140,6 +1154,12 @@ def validate_cloudconfig_file( | |||
| network_config=cloudconfig, strict=True, annotate=annotate | |||
There was a problem hiding this comment.
As the code stands, validate_cloudconfig_file partially reimplements what validate_cloudconfig_schema does, with no apparent reason but printing message instead of logging them (because validate_cloudconfig_file is only called to handle the cloud-init schema command). Unless I am missing another reason, and if so it should be documented, why don't we simplify this like:
diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
index 407cade0d..7468fb27b 100644
--- a/cloudinit/config/schema.py
+++ b/cloudinit/config/schema.py
@@ -1150,16 +1150,6 @@ def validate_cloudconfig_file(
network_version = network_schema_version(cloudconfig)
if network_version == 2:
schema_type = SchemaType.NETWORK_CONFIG_V2
- if netplan_validate_network_schema(
- network_config=cloudconfig, strict=True, annotate=annotate
- ):
- return True # schema validation performed by netplan
- elif netplan_available():
- print(
- "Skipping network-config schema validation for version: 2."
- " No netplan API available."
- )
- return False
elif network_version == 1:
schema_type = SchemaType.NETWORK_CONFIG_V1
# refresh schema since NETWORK_CONFIG defaults to V2and handle the printing-message-problem by returning an enum in validate_cloudconfig_schema?
There was a problem hiding this comment.
Either returning an enum from validate_cloudconfig_schema, or maybe raising specialized errors from validate_cloudconfig_schema which would allow us to differentiate no JSON schema importable from no netplan API importable. I think this warrants inclusion in a general refactor of these two functions that we should carry separate from this PR.
There was a problem hiding this comment.
I agree that it makes more sense to refactor with different return codes for: netplan validation (good or bad), networkv2 validation (good or bad), and skip-because-no-netplan-api-lack-of-validation
I agree wit hthe renames suggested and documentation improvements in code. Since it touches almost all config module test files, I'll followup this PR with a non-functional rename/doc PR that is separate to ensure we get fresh eyes on the medium-length changeset needed to rename. |
Many thanks, could we create a ticket representing this effort to not forget about it? |
| @@ -1140,6 +1154,12 @@ def validate_cloudconfig_file( | |||
| network_config=cloudconfig, strict=True, annotate=annotate | |||
There was a problem hiding this comment.
I agree that it makes more sense to refactor with different return codes for: netplan validation (good or bad), networkv2 validation (good or bad), and skip-because-no-netplan-api-lack-of-validation
Thanks @catmsred, I'm misunderstanding the question a bit I think, but I'll take a stab at it. Cloud-init's features.py module is typically reserved for hard-coding behavior of a downstream build of cloud-init to behave a certain way regardless of the environment around it when the behavior may differ from upstream's defaults In this case, our in-code validation is intending to make the same decision in all environments without exception:
The reason I didn't opt for the cloudinit.features approach here is because this is not specifically a behavior we want to hard-code or limit on just on Ubuntu Focal and Jammy downstreams. Instead, we want to avoid this behavior in any environment or distribution which has netplan installed, including some Debian images. This allows us to decouple cloud-init's behavior in schema validation from any features that netplan may introduce into a stable release on behalf of netplan as well as not force a strict behavior via a build feature-flag. To summarize:
Maybe I totally misunderstood your 'in-code release checks` comment though, please correct me if I've missed the question intent. |
Proposed Commit Message
Additional Context
Jenkins jammy integration test failures which should "skip" network schema validation https://jenkins.canonical.com/server-team/view/cloud-init/job/cloud-init-integration-jammy-lxd_container/440/testReport/
Test Steps
Checklist
Merge type