
config-sync: T7784: Add command to diff configuration with secondary node #5081

Open
alexandr-san4ez wants to merge 1 commit into vyos:current from alexandr-san4ez:T7784-current

alexandr-san4ez commented Mar 24, 2026

Change summary

Add a new operational command to compare configuration between nodes participating in config synchronization.

New command:

  • show configuration secondary sync [commands] [running|candidate|saved] [<config-node-path>].

This allows operators to view configuration differences across secondary peer
before applying or syncing changes.

Supports:

  • displaying using raw diff and 'commands' format;
  • optional section filtering (subtree comparison);
  • selectable config source (running, candidate, saved).

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Manual test

  1. Prepare the second router:
     set service https api rest
     set service https api keys id KEY key 'id_key'
     set service https listen-address '0.0.0.0'
  2. Prepare the primary router:
     set service config-sync mode 'load'
     set service config-sync secondary address '192.168.50.2'
     set service config-sync secondary key 'id_key'
     set service config-sync secondary port '443'
     set service config-sync section system time-zone
     set service config-sync section interfaces dummy
  3. Change time-zone using sync and prepare changes for candidate:
     set system time-zone UTC
     commit
     set interfaces dummy dum0 description test1
  4. Verify difference:
     vyos@vyos# run show configuration secondary sync candidate system time-zone
     No changes between local and remote configuration
     [edit]
     vyos@vyos# run show configuration secondary sync candidate interfaces dummy
     [interfaces]
     + dummy dum0 {
     +     description "test1"
     + }
     [edit]
     vyos@vyos# run show configuration secondary sync commands candidate interfaces dummy
     set interfaces dummy dum0 description 'test1'
     [edit]
  5. Commit the change and verify difference again:
     vyos@vyos# commit
     INFO:vyos_config_sync:Config synchronization: Mode=load, Secondary=192.168.50.2
     [edit]
     vyos@vyos# run show configuration secondary sync candidate interfaces dummy
     No changes between local and remote configuration
     [edit]
     vyos@vyos# run show configuration secondary sync running  interfaces dummy
     No changes between local and remote configuration
     [edit]

Smoketest

vyos@vyos:~$ sudo /usr/libexec/vyos/tests/smoke/cli/test_service_config-sync.py
test_basic (__main__.TestConfigSyncWithHTTPS.test_basic)
Validate: basic config-sync configuration (R1 side) ... ok
test_show_diff_candidate_interfaces (__main__.TestConfigSyncWithHTTPS.test_show_diff_candidate_interfaces)
Validate: show configuration secondary sync commands candidate interfaces dummy ... ok
test_show_diff_empty (__main__.TestConfigSyncWithHTTPS.test_show_diff_empty)
No candidate changes -> empty diff ... ok
test_show_diff_saved_system (__main__.TestConfigSyncWithHTTPS.test_show_diff_saved_system)
Validate: show configuration secondary sync saved system time-zone ... ok
----------------------------------------------------------------------
Ran 4 tests in 34.482s
OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

alexandr-san4ez self-assigned this Mar 24, 2026
alexandr-san4ez added the current and bp/circinus labels Mar 24, 2026

github-actions bot commented Mar 24, 2026

👍
No issues in PR Title / Commit Title

Copilot AI left a comment

Pull request overview

Adds an operational command to diff local configuration (running/candidate/saved) against a config-sync secondary node via the HTTPS API, to let operators preview differences before syncing/applying changes.

Changes:

  • Introduces show config-sync diff [commands] [running|candidate|saved] [section] op-mode command backed by a new src/op_mode/config_sync.py script.
  • Adds a small reusable HTTPS API client (python/vyos/http_api_client.py) and a ConfigMgmt.remote_compare() helper.
  • Adds op-mode XML definitions (including section include files) and a smoketest validating diff output.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/op_mode/config_sync.py | Implements the op-mode handler that fetches remote config via REST API and renders a diff vs local config. |
| python/vyos/http_api_client.py | Adds a small requests-based client with consistent exceptions for VyOS REST API calls. |
| python/vyos/config_mgmt.py | Adds remote_compare() to diff a local tree (by source) against a provided remote ConfigTree. |
| op-mode-definitions/show-config-sync.xml.in | Wires the new show config-sync diff command into the CLI tree (including commands format). |
| op-mode-definitions/include/show-config-sync-section.xml.i | Defines selectable diff “sections” matching config-sync’s supported sections. |
| op-mode-definitions/include/show-config-sync-section-commands.xml.i | Same as above, but for diff commands output. |
| smoketest/scripts/cli/test_service_config-sync.py | Adds smoketest coverage for empty diff, candidate diff (commands format), and saved vs running diff. |

sever-sever commented Mar 25, 2026

main node config

set service config-sync mode 'load'
set service config-sync secondary address '192.168.122.11'
set service config-sync secondary key 'foo'
set service config-sync section policy
  1. I see the full diff between the main and secondary nodes, but as I understand, there should be only the policy section
    The same for candidate
vyos@r14:~$ show config-sync diff 
+ container {
+     name rsyslog {
+         allow-host-networks
+         image "docker.io/rsyslog/rsyslog"
+         volume config {
+             destination "/etc/rsyslog.conf"
+             source "/config/containers/rsyslog/rsyslog.conf"
+         }
+         volume tls-ca {
+             destination "/etc/rsyslog.d/ca.crt"
+             source "/config/containers/rsyslog/tls/ca.crt"
+         }
+         volume tls-server {
+             destination "/etc/rsyslog.d/server.crt"
+             source "/config/containers/rsyslog/tls/server.crt"
+         }
+         volume tls-server-key {
+             destination "/etc/rsyslog.d/server.key"
+             source "/config/containers/rsyslog/tls/server.key"
+         }
+     }
+ }
[interfaces ethernet eth0]
- address "192.168.122.11/24"
+ address "192.168.122.14/24"
- hw-id "52:54:00:25:ff:47"
+ hw-id "52:54:00:8d:67:6e"
+ offload {
+     gro
+     gso
+     sg
+     tso
+ }
...


vyos@r14:~$ show config-sync diff candidate  
+ container {
+     name rsyslog {
+         allow-host-networks
+         image "docker.io/rsyslog/rsyslog"
+         volume config {
+             destination "/etc/rsyslog.conf"
+             source "/config/containers/rsyslog/rsyslog.conf"
+         }
+         volume tls-ca {
+             destination "/etc/rsyslog.d/ca.crt"
+             source "/config/containers/rsyslog/tls/ca.crt"
+         }
+         volume tls-server {
+             destination "/etc/rsyslog.d/server.crt"
+             source "/config/containers/rsyslog/tls/server.crt"
+         }
+         volume tls-server-key {
+             destination "/etc/rsyslog.d/server.key"
+             source "/config/containers/rsyslog/tls/server.key"
+         }
+     }
+ }

  2. I'm not expecting to change anything, as only the policy section was configured
vyos@r14:~$ show config-sync diff candidate  interfaces 
[ethernet eth0]
- address "192.168.122.11/24"
+ address "192.168.122.14/24"
- hw-id "52:54:00:25:ff:47"
+ hw-id "52:54:00:8d:67:6e"
+ offload {
+     gro
+     gso
+     sg
+     tso
+ }
[ethernet]
+ eth1 {
+     address "192.0.2.14/24"
+     hw-id "52:54:00:f4:d5:cd"
+ }
+ eth2 {
+     hw-id "52:54:00:b5:3a:46"
+ }
+ eth3 {
+     hw-id "52:54:00:6c:c4:3e"
+ }
[]
+ vpp {
+ }
vyos@r14:~$ 

…node

Add a new operational command to compare configuration between
nodes participating in config synchronization.

New command:
  - `show configuration secondary sync [commands] [running|candidate|saved] [config-node-path]`.

This allows operators to view configuration differences across secondary peer
before applying or syncing changes.

Supports:
  - displaying using raw diff and 'commands' format;
  - optional section filtering (subtree comparison);
  - selectable config source (running, candidate, saved).

github-actions bot commented Apr 1, 2026

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • CLI Smoketests VPP 👍 passed
  • Config tests VPP 👍 passed
  • TPM tests 👍 passed

sever-sever left a comment

Works as expected:

set nat source rule 100 description 'rule100'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '100.64.0.0/24'
set nat source rule 100 translation address 'masquerade'
set policy route-map RMAP-IN description 'inbound'
set policy route-map RMAP-IN rule 10 action 'permit'
set policy route-map RMAP-IN rule 10 description 'test'
set service config-sync mode 'load'
set service config-sync secondary address '192.168.122.16'
set service config-sync secondary key 'foo'
set service config-sync section nat
set service config-sync section policy

Check:

vyos@r14:~$ show configuration secondary sync commands candidate nat
set nat source rule 100 description 'rule100'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '100.64.0.0/24'
set nat source rule 100 translation address 'masquerade'
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show configuration secondary sync commands candidate policy 
delete policy route-map FOO
set policy route-map RMAP-IN description 'inbound'
set policy route-map RMAP-IN rule 10 action 'permit'
set policy route-map RMAP-IN rule 10 description 'test'
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show configuration secondary sync commands 
set nat source rule 100 description 'rule100'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '100.64.0.0/24'
set nat source rule 100 translation address 'masquerade'
delete policy route-map FOO
set policy route-map RMAP-IN description 'inbound'
set policy route-map RMAP-IN rule 10 action 'permit'
set policy route-map RMAP-IN rule 10 description 'test'
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show configuration secondary sync 
[nat]
+ source {
+     rule 100 {
+         description "rule100"
+         outbound-interface {
+             name "eth0"
+         }
+         source {
+             address "100.64.0.0/24"
+         }
+         translation {
+             address "masquerade"
+         }
+     }
+ }
[policy]
- route-map FOO {
- }
+ route-map RMAP-IN {
+     description "inbound"
+     rule 10 {
+         action "permit"
+         description "test"
+     }
+ }
vyos@r14:~$
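
The scoping behaviour discussed in this thread (diff only the subtrees listed under `service config-sync section`, rendered as `set`/`delete` commands) can be sketched as follows. This is an added example, not code from the PR or from VyOS: the nested-dict tree model with single-valued leaves, the function names and the sample trees are all assumptions made for illustration.

```python
# Added illustration, not VyOS code. Config trees are nested dicts whose
# leaves are single strings; {} is a valueless or empty node.
MISSING = object()

def lookup(tree, path, default=MISSING):
    """Return the node at `path`, or `default` if any component is absent."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def leaves(node, prefix):
    """Yield (path, node) for every leaf or empty node below `prefix`."""
    if isinstance(node, dict) and node:
        for key in sorted(node):
            yield from leaves(node[key], prefix + (key,))
    else:
        yield prefix, node

def deletes(want, have, prefix):
    """Delete the highest nodes that exist remotely but not locally."""
    out = []
    for key in sorted(have) if isinstance(have, dict) else ():
        if not isinstance(want, dict) or key not in want:
            out.append("delete " + " ".join(prefix + (key,)))
        else:
            out += deletes(want[key], have[key], prefix + (key,))
    return out

def diff_commands(local, remote, sections):
    """Commands that bring `remote` in line with `local`, limited to `sections`."""
    cmds = []
    for section in sorted(sections):
        root = tuple(section.split())
        want, have = lookup(local, root, {}), lookup(remote, root, {})
        cmds += deletes(want, have, root)
        for path, node in leaves(want, root) if want else ():
            if lookup(remote, path) != node:  # absent or different on the peer
                value = f" '{node}'" if isinstance(node, str) else ""
                cmds.append("set " + " ".join(path) + value)
    return cmds

# Constructed sample trees (values borrowed from the review comments above).
LOCAL = {"nat": {"source": {"rule": {"100": {"description": "rule100"}}}},
         "policy": {"route-map": {"RMAP-IN": {"description": "inbound"}}},
         "interfaces": {"ethernet": {"eth0": {"address": "192.168.122.14/24"}}}}
REMOTE = {"policy": {"route-map": {"FOO": {}}},
          "interfaces": {"ethernet": {"eth0": {"address": "192.168.122.11/24"}}}}
```

With only `nat` and `policy` passed as sections, the node-specific `interfaces` difference between the two trees never appears in the result.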
