[Freeipa-devel] [PATCH] 286-288 Warn when ID range with incorrect size was created

Rob Crittenden rcritten at redhat.com
Fri Jul 13 14:00:16 UTC 2012


Martin Kosek wrote:
> On 07/12/2012 07:46 AM, Martin Kosek wrote:
>> On 07/11/2012 09:27 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> IPA 3.0 introduced range ID objects in replicated space which specify
>>>> a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
>>>> default ID range which should correspond with IDs assigned to IPA
>>>> users.
>>>>
>>>> However, since correct range size is not known, we should at least
>>>> warn that a range with invalid size was created so that user can
>>>> amend it.
>>>>
>>>>
>>>> I created 2 new tickets to further improve this area:
>>>>
>>>> 1) #2918: [doc] Upgrade procedure section should mention ipa-ldap-updater
>>>> 2) #2919: Improve safety checks in range command
>>>>
>>>>
>>>> To test this patch, you can:
>>>> 1) Install unpatched IPA server (and you may install replicas too) with custom
>>>> --idstart and --idmax options where difference is greater than 200000
>>>> 2) Remove default range with range-del command (will be restored during upgrade)
>>>> 3) Run RPM upgrade with RPMs built from patched sources - ERROR should now be
>>>> printed during update stating that a new range was created but its size is not
>>>> right
>>>
>>> I don't understand step 2, why would someone remove their range before upgrading?
>>>
>>> I installed with a 50k range, didn't remove it, then upgraded with no warning.
>>> I deleted the range and re-installed the packages again, still no warning but a
>>> new 200k range was created for me.
>>>
>>> rob
>>
>> The step 2 is artificial and is only done to force the default_range update
>> plugin to create/restore the default IPA range. The plugin would just be
>> skipped otherwise.
>>
>> We can only detect ranges larger than 200k - judging just from the number of
>> free IDs. Thus, 50k range will pass without any warning or error. If you create
>> a bigger range (this can be detected unless you deplete all IDs below 200k
>> mark), you will receive the warning. All this procedure will not handle all
>> situations ATM, it's just heuristics to cover most cases...
>>
>> Martin
>
> Sending an updated patch with 2 small changes:
> 1) Console error formatting was changed similar to ipa-client-install
> 2) ipa-ldap-updater does not print information message when IPA is not
> configured to stderr so that rpm update output stays clean when updating rpms
> in machine without IPA installed
>
> This is the output of RPM with the new patch set:
>
> # ipa range-del IDM.LAB.BOS.REDHAT.COM_id_range
> --------------------------------------------------
> Deleted ID range "IDM.LAB.BOS.REDHAT.COM_id_range"
> --------------------------------------------------
> # rpm -Uvh --force freeipa-*
> Preparing...                ########################################### [100%]
>     1:freeipa-python         ########################################### [ 14%]
>     2:freeipa-client         ########################################### [ 29%]
>     3:freeipa-admintools     ########################################### [ 43%]
>     4:freeipa-server         ########################################### [ 57%]
>     5:freeipa-server-selinux ########################################### [ 71%]
>     6:freeipa-server-trust-ad########################################### [ 86%]
>     7:freeipa-debuginfo      ########################################### [100%]
> ERROR: default_range: could not verify default ID range size
> Please use the following command to set correct ID range size
>    $ ipa range-mod IDM.LAB.BOS.REDHAT.COM_id_range --range-size=RANGE_SIZE
> RANGE_SIZE may be computed from --idstart and --idmax options used during IPA
> server installation:
>    RANGE_SIZE = (--idmax) - (--idstart) + 1
>
> Martin
>

Your sys.exit() changes to ipa-ldap-updater cause the return val to be 0 
when IPA is not configured. It should return 1.

Fix that and ACK.

rob



