[Freeipa-devel] [PATCH] 286-288 Warn when ID range with incorrect size was created
Rob Crittenden
rcritten at redhat.com
Fri Jul 13 14:00:16 UTC 2012
Martin Kosek wrote:
> On 07/12/2012 07:46 AM, Martin Kosek wrote:
>> On 07/11/2012 09:27 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> IPA 3.0 introduced range ID objects in replicated space which specify
>>>> a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
>>>> default ID range which should correspond with IDs assigned to IPA
>>>> users.
>>>>
>>>> However, since correct range size is not known, we should at least
>>>> warn that a range with invalid size was created so that user can
>>>> amend it.
>>>>
>>>>
>>>> I created 2 new tickets to further improve this area:
>>>>
>>>> 1) #2918: [doc] Upgrade procedure section should mention ipa-ldap-updater
>>>> 2) #2919: Improve safety checks in range command
>>>>
>>>>
>>>> To test this patch, you can:
>>>> 1) Install unpatched IPA server (and you may install replicas too) with custom
>>>> --idstart and --idmax options where difference is greater than 200000
>>>> 2) Remove default range with range-del command (will be restored during upgrade)
>>>> 3) Run RPM upgrade with RPMs built from patched sources - ERROR should now be
>>>> printed during update stating that a new range was created but its size is not
>>>> right
>>>
>>> I don't understand step 2, why would someone remove their range before upgrading?
>>>
>>> I installed with a 50k range, didn't remove it, then upgraded with no warning.
>>> I deleted the range and re-installed the packages again, still no warning but a
>>> new 200k range was created for me.
>>>
>>> rob
>>
>> The step 2 is artificial and is only done to force the default_range update
>> plugin to create/restore the default IPA range. The plugin would just be
>> skipped otherwise.
>>
>> We can only detect ranges larger than 200k - judging just from the number of
>> free IDs. Thus, 50k range will pass without any warning or error. If you create
>> a bigger range (this can be detected unless you deplete all IDs below 200k
>> mark), you will receive the warning. All this procedure will not handle all
>> situations ATM, it's just heuristics to cover most cases...
>>
>> Martin
>
> Sending an updated patch with 2 small changes:
> 1) Console error formatting was changed similar to ipa-client-install
> 2) ipa-ldap-updater does not print information message when IPA is not
> configured to stderr so that rpm update output stays clean when updating rpms
> in machine without IPA installed
>
> This is the output of RPM with the new patch set:
>
> # ipa range-del IDM.LAB.BOS.REDHAT.COM_id_range
> --------------------------------------------------
> Deleted ID range "IDM.LAB.BOS.REDHAT.COM_id_range"
> --------------------------------------------------
> # rpm -Uvh --force freeipa-*
> Preparing... ########################################### [100%]
> 1:freeipa-python ########################################### [ 14%]
> 2:freeipa-client ########################################### [ 29%]
> 3:freeipa-admintools ########################################### [ 43%]
> 4:freeipa-server ########################################### [ 57%]
> 5:freeipa-server-selinux ########################################### [ 71%]
> 6:freeipa-server-trust-ad########################################### [ 86%]
> 7:freeipa-debuginfo ########################################### [100%]
> ERROR: default_range: could not verify default ID range size
> Please use the following command to set correct ID range size
> $ ipa range-mod IDM.LAB.BOS.REDHAT.COM_id_range --range-size=RANGE_SIZE
> RANGE_SIZE may be computed from --idstart and --idmax options used during IPA
> server installation:
> RANGE_SIZE = (--idmax) - (--idstart) + 1
>
> Martin
>
Your sys.exit() changes to ipa-ldap-updater cause the return val to be 0
when IPA is not configured. It should return 1.
Fix that and ACK.
rob