Skip to content
LinkState
Go back

Rollback plans need their own gates

Introduction

AI‑generated rollback is a machine‑learned or rule‑based artifact that encodes the inverse of a planned configuration change. Produced automatically from the change request, the current device state, and a model of system behavior, it provides a repeatable, version‑controlled mechanism for restoring the pre‑change state when a change fails verification gates or when an operator aborts within a defined change window.

Treating this rollback as a first‑class artifact brings versionability, expiry awareness, reentry governance, operational clarity, and risk‑based gating to change management.


Benefits of Treating AI‑Generated Rollback as a First‑Class Artifact


Prerequisite Capture for AI‑Generated Rollback

Identifying Critical System Components

  1. Configuration Sources – NETCONF/YANG models, CLI snippets, Ansible playbooks, Terraform state, device‑local configs.
  2. Runtime State – BGP neighbor states, interface counters, QoS statistics, ARP/ND tables, etc.
  3. Dependencies – RADIUS/TACACS+ servers, NTP peers, DNS resolvers, and other external services whose state must remain unchanged.
  4. Change Blast Radius – Set of devices, interfaces, and logical entities the change will touch; prerequisite capture must cover the full blast radius.

Capturing Prerequisite Data

Integrating Prerequisite Capture into CI/CD

# Example: GitHub Actions workflow snippet
name: Change & Rollback Preparation
on:
  workflow_dispatch:
    inputs:
      change_id:
        description: 'Change identifier from ITSM'
        required: true

jobs:
  capture-prereqs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Install capture tools
        run: |
          pip install pyats[genie] napalm

      - name: Capture device snapshots
        id: snapshots
        env:
          CHANGE_ID: ${{ github.event.inputs.change_id }}
        run: |
          mkdir -p artifacts/${CHANGE_ID}
          for dev in $(cat inventory.txt); do
            pyats learn --testbed testbed.yaml --device $dev \
              --output artifacts/${CHANGE_ID}/$dev.json
          done
          # Generate SHA‑256 manifests
          find artifacts/${CHANGE_ID} -type f -name '*.json' -exec sha256sum {} \; > artifacts/${CHANGE_ID}/manifest.sha256

      - name: Upload artifacts to immutable store
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: |
          aws s3 sync artifacts/${CHANGE_ID} s3://rollback-artifacts/${CHANGE_ID}/ \
            --storage-class GLACIER_IR \
            --object-lock-mode GOVERNANCE \
            --object-lock-retain-until-date 2099-12-31T00:00:00Z

      - name: Validate capture integrity
        run: |
          aws s3 cp s3://rollback-artifacts/${CHANGE_ID}/manifest.sha256 - | sha256sum -c -

This workflow ensures prerequisite data is captured, cryptographically sealed, and stored before any change proceeds.


Expiry Checks for AI‑Generated Rollback

Time‑Based Expiry

Version‑Based Expiry

Handling Expiry Check Failures


Reentry Rules for AI‑Generated Rollback

Defining Reentry Conditions

A rollback must not be reapplied after the system has progressed beyond its intended revert point. Conditions include:

  1. State Divergence – Current device state differs from the captured prerequisite state outside the original change scope (e.g., unrelated configuration drift).
  2. Subsequent Change Applied – A later change with a higher version/timestamp touches any part of the rollback’s scope.
  3. Health Check Failure – Post‑change verification indicates an unhealthy state; rolling back could worsen the issue.
  4. Manual Lock – Operator‑set reentry lock (feature flag or lock object) to prevent rollback reuse.

Implementing Reentry Rules

Encode conditions as a JSON policy evaluated by the rollback orchestrator:

{
  "reentry_rules": [
    { "type": "state_match", "scope": "prereq_snapshot", "operator": "equals" },
    { "type": "version_lt", "field": "change_version", "operator": "<", "value": "current_change_version" },
    { "type": "health_check", "script": "verify_health.sh", "expected_exit": 0 }
  ]
}

Evaluation Flow

  1. Load the prerequisite snapshot from the artifact store.
  2. Execute each rule; if any returns false, abort and raise a reentry‑violation event.
  3. If all pass, proceed with rollback application.

Handling Reentry Rule Violations


Integrating AI‑Generated Rollback into Change Management

Creating a Change Window

  1. Define Window Boundaries – Agree on window_start and window_end in the change request. The window must accommodate:
    • Prerequisite capture (if not pre‑done)
    • AI‑generated rollback creation and validation
    • Change execution
    • Verification gates
    • Rollback execution window (typically 15‑30 min after change completion)
  2. Lock the Window – Use the change‑management system (ServiceNow, Jira Service Management) to set the change to “Scheduled” and block overlapping windows on the same CI/device group.
  3. Communicate Expiry – Publish the rollback’s expires_at on the change ticket; the window must close before this time.

Validating AI‑Generated Rollback Artifacts

Applying AI‑Generated Rollback during Change Window

# Pseudocode for the orchestration step
ROLLBACK_ARTIFACT="s3://rollback-artifacts/${CHANGE_ID}/rollback.json"
# 1. Download and verify
aws s3 cp $ROLLBACK_ARTIFACT /tmp/rollback.json
sha256sum -c /tmp/rollback.manifest

# 2. Run reentry rule evaluation (python script)
python /opt/rollback/validate_reentry.py \
    --artifact /tmp/rollback.json \
    --inventory /etc/ansible/inventory.yml \
    --health-script /opt/rollback/verify_health.sh

if [ $? -ne 0 ]; then
    echo "Reentry rules failed – aborting rollback"
    exit 1
fi

# 3. Apply rollback (idempotent where possible)
ansible-playbook -i /etc/ansible/inventory.yml \
    /opt/rollback/playbooks/apply_rollback.yml \
    -e "artifact=/tmp/rollback.json"

# 4. Post‑apply verification
python /opt/rollback/verify_state.py --expected /tmp/rollback.json --actual /tmp/current_state.json

This sequence guarantees:


Troubleshooting AI‑Generated Rollback Issues

SymptomLikely CauseExample Message
ArtifactNotFoundArtifact missing from store or incorrect keyERROR: Unable to locate s3://rollback-artifacts/<change-id>/rollback.json
HashMismatchCorrupted download or tampered artifactsha256sum: WARNING: 1 of 1 computed checksum did NOT match
ExpiredRollbackTime‑ or version‑based expiry failureRollback expired: current time 2024-09-27T10:15:00Z > expires_at 2024-09-27T08:00:00Z
ReentryViolationOne or more reentry rules evaluated to falseReentry rule failed: state_match – current BGP neighbor count 5 ≠ expected 4
ValidationFailedSchema or semantic validation errorJSON schema validation failed: missing required property 'metadata.expires_at'

General Guidance


Share this post on:

Previous Post
Client-to-client reflection and IX loop risk
Next Post
Rendered subscriptions versus actual observed coverage