[Freeipa-devel] Proposal: reverse stance on installing CA on new masters
Petr Vobornik
pvoborni at redhat.com
Thu Apr 9 14:27:43 UTC 2015
On 04/09/2015 04:05 PM, Rob Crittenden wrote:
> Right now when a new master is installed it is not configured with a CA
> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>
> Over and over we've seen people who have multiple masters and a single
> CA, in some cases that CA machine is gone, leaving the realm with no CA
> at all.
>
> I think this is due to the fact that CA replicas are not created by
> default and the users are not aware of the implications of a single
> point-of-failure since things otherwise seem to be working.
>
> So perhaps the default should be to install a CA unless the user
> requests one not be installed. A related task may be to create an
> uninstaller for just the CA.
>
> rob
>
From a general perspective:
When I hear "replica" it evokes a "clone", something equal/identical.
Based on this, the expected behavior for me would be that:
- if master has DNS and CA, then the new replica would also have DNS and
CA (without any configuration option needed).
- if an optional service is missing then replica wouldn't have it as
well by default
This would require reverse options like: --no-dns.
--
Petr Vobornik