Skip to content

fix for issue NewValidation: CSCwp95515 - Policydist crash-loop on upgrade if configpushShardCont headTx is non-zero while tailTx is zero #253 #260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
monrog2 merged 16 commits into from
Sep 19, 2025
Merged

fix for issue NewValidation: CSCwp95515 - Policydist crash-loop on upgrade if configpushShardCont headTx is non-zero while tailTx is zero #253 #260

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
4a2940e
fix for issue NewValidation: CSCwp95515 - Policydist crash-loop on up…
jeestr4d Jul 3, 2025
1098b6c
Welkin issue 245 (#263)
welkinhe Jul 11, 2025
69da617
Add ISIS DTEP Check (#247)
joelebla Jul 11, 2025
3f0cf6c
bump to v2.6.0
monrog2 Jul 11, 2025
d14a798
PUV updates (#254)
monrog2 Jul 22, 2025
f69d8c0
bump to v3.0.0
monrog2 Jul 22, 2025
fe09e86
fix for issue NewValidation: CSCwp95515 - Policydist crash-loop on up…
jeestr4d Jul 3, 2025
b1d14e1
testchange
jeestr4d Jul 22, 2025
8cce3d8
changes based on version3
jeestr4d Jul 23, 2025
bc70cfe
merge master
monrog2 Jul 25, 2025
3ddd729
logic + pytest cleanup
monrog2 Jul 25, 2025
2aab5dc
changed the query and content of pos file to match with bug coditions.
jeestr4d Jul 31, 2025
423d29f
fix query + cleanup docs
monrog2 Aug 1, 2025
d42fa12
title consistency
monrog2 Aug 4, 2025
5b3767c
fix doc link
monrog2 Sep 19, 2025
bdcfcfa
merge master
monrog2 Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions aci-preupgrade-validation-script.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5297,6 +5297,36 @@ def apic_database_size_check(cversion, **kwargs):
result = FAIL_UF
return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)


@check_wrapper(check_title='configpushShardCont headTx')
Copy link
Copy Markdown
Collaborator

@monrog2 monrog2 Jul 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If both scenarios to be covered, title must change

def configpush_shard_check(tversion, **kwargs):
result = NA
headers = ["dn", "headTx", "tailTx"]
data = []
recommended_action = 'Contact Cisco TAC for Support before upgrade'
doc_url = 'https://datacenter.github.io/ACI-Pre-Upgrade-Validation-Script/validations/#policydist-configpushshardcont-defect'

if not tversion:
return Result(result=MANUAL, msg=TVER_MISSING)

if tversion.older_than("6.1(4a)"):
result = PASS
configpushShardCont_api = 'configpushShardCont.json'
configpushShardCont_api += '?query-target-filter=or(ne(configpushShardCont.tailTx,"0"),ne(configpushShardCont.headTx,"0"))'
Comment thread
monrog2 marked this conversation as resolved.
Outdated
configpush_sh_cont = icurl('class', configpushShardCont_api)
if configpush_sh_cont:
for sh_cont in configpush_sh_cont:
headtx = sh_cont['configpushShardCont']['attributes']['headTx']
tailtx = sh_cont['configpushShardCont']['attributes']['tailTx']
if ((headtx != '0' and tailtx == '0') or (tailtx != '0' and headtx == '0')):
Comment thread
monrog2 marked this conversation as resolved.
Outdated
sh_cont_dn = sh_cont['configpushShardCont']['attributes']['dn']
data.append([sh_cont_dn, headtx, tailtx])

if data:
result = FAIL_O

return Result(result=result, headers=headers, data=data, recommended_action=recommended_action, doc_url=doc_url)

# ---- Script Execution ----

def parse_args(args):
Expand Down Expand Up @@ -5452,6 +5482,7 @@ def get_checks(api_only, debug_function):
standby_sup_sync_check,
stale_pcons_ra_mo_check,
isis_database_byte_check,
configpush_shard_check,

]
conn_checks = [
Expand Down
13 changes: 12 additions & 1 deletion docs/docs/validations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,7 @@ Items | Defect | This Script
[Observer Database Size][d25] | CSCvw45531 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[Stale pconsRA Object][d26] | CSCwp22212 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:
[ISIS DTEPs Byte Size][d27] | CSCwp15375 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:

[Policydist configpushShardCont defect][d28] | CSCwp95515 | :white_check_mark: | :no_entry_sign: |:no_entry_sign:

[d1]: #ep-announce-compatibility
[d2]: #eventmgr-db-size-defect-susceptibility
Expand Down Expand Up @@ -217,6 +217,7 @@ Items | Defect | This Script
[d25]: #observer-database-size
[d26]: #stale-pconsra-object
[d27]: #isis-dteps-byte-size
[d28]: #policydist-configpushshardcont-defect


## General Check Details
Expand Down Expand Up @@ -2589,6 +2590,15 @@ Do not upgrade to any affected ACI software release if this check fails.
Nexus Dashboard Insights (NDI) integration can cause ACI tech support generation to happen automatically as part of the bug scan feature.


### Policydist configpushShardCont defect

Due to [CSCwp95515][59], a configpushShardCont MO in policydist has a non-zero headTx while tailTx is zero or viceversa. if APIC cluster is upgraded or if config is pushed to a PM shard corresponding to the DN that has the bad properties policydist can crash.

The Policydist component is responsible for policy enforcement and replicating policy actions and maintaining consistency of policy state across all APICs in the cluster.

The script scans for any instance of configpushShardCont that can lead to this defect, contact Cisco TAC to resolve the issue prior to the upgrade.


Comment thread
monrog2 marked this conversation as resolved.
Outdated
[0]: https://github.com/datacenter/ACI-Pre-Upgrade-Validation-Script
[1]: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicmatrix/index.html
[2]: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-release-notes-list.html
Expand Down Expand Up @@ -2648,3 +2658,4 @@ Do not upgrade to any affected ACI software release if this check fails.
[56]: https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-aci-virtual-edge-migration.html
[57]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp22212
[58]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp15375
[59]: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp95515
58 changes: 58 additions & 0 deletions tests/configpush_shard_check/configpushShardCont_pos.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
[
{
"configpushShardCont": {
"attributes": {
"childAction": "",
"dn": "configpush/sh-22",
"headTx": "576460752318322171",
"lcOwn": "local",
"modTs": "2025-06-28T21:32:58.754+00:00",
"shard": "2",
"status": "",
"tailTx": "0"
}
}
},
{
"configpushShardCont": {
"attributes": {
"childAction": "",
"dn": "configpush/sh-31",
"headTx": "516460756318314171",
"lcOwn": "local",
"modTs": "2025-06-23T18:12:06.867+00:00",
"shard": "3",
"status": "",
"tailTx": "0"
}
}
},
{
"configpushShardCont": {
"attributes": {
"childAction": "",
"dn": "configpush/sh-2",
"headTx": "0",
"lcOwn": "local",
"modTs": "2025-06-28T21:32:58.754+00:00",
"shard": "2",
"status": "",
"tailTx": "576460752318322171"
}
}
},
{
"configpushShardCont": {
"attributes": {
"childAction": "",
"dn": "configpush/sh-3",
"headTx": "0",
"lcOwn": "local",
"modTs": "2025-06-23T18:12:06.867+00:00",
"shard": "3",
"status": "",
"tailTx": "516460756318314171"
}
}
}
]
56 changes: 56 additions & 0 deletions tests/configpush_shard_check/test_configpush_shard_check.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
import os
import pytest
import logging
import importlib
from helpers.utils import read_data

script = importlib.import_module("aci-preupgrade-validation-script")

log = logging.getLogger(__name__)
dir = os.path.dirname(os.path.abspath(__file__))

# icurl queries
configpushShardCont_api = 'configpushShardCont.json'
configpushShardCont_api += '?query-target-filter=or(ne(configpushShardCont.tailTx,"0"),ne(configpushShardCont.headTx,"0"))'

@pytest.mark.parametrize(
"icurl_outputs, tversion, expected_result",
[
# tversion not given
(
{configpushShardCont_api: []},
None,
script.MANUAL,
),
# Non-fixed Versions
(
# affected tversion, configpushShardCont_api has non-zero headTx / tailTx
{configpushShardCont_api: read_data(dir, "configpushShardCont_pos.json")},
"6.0(3a)",
script.FAIL_O,
),
(
# affected tversion, all configpushShardCont_api tx are 0
{configpushShardCont_api: []},
"5.2(6a)",
script.PASS,
),
# Fixed Versions
(
# non-affected tversion, configpushShardCont_api has non-zero headTx / tailTx
{configpushShardCont_api: read_data(dir, "configpushShardCont_pos.json")},
"6.1(6b)",
script.NA,
),
(
# non-affected tversion, all configpushShardCont_api tx are 0
{configpushShardCont_api: []},
"6.1(4b)",
script.NA,
),
],
)
def test_logic(mock_icurl, tversion, expected_result):
tversion = script.AciVersion(tversion) if tversion else None
result = script.configpush_shard_check(1, 1, tversion)
assert result == expected_result