[Freeipa-devel] Proposal: reverse stance on installing CA on new masters

Rob Crittenden rcritten at redhat.com
Thu Apr 9 19:42:10 UTC 2015


Petr Vobornik wrote:
> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
>> Right now when a new master is installed it is not configured with a CA
>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>>
>> Over and over we've seen people who have multiple masters and a single
>> CA, in some cases that CA machine is gone, leaving the realm with no CA
>> at all.
>>
>> I think this is due to the fact that CA replicas are not created by
>> default and the users are not aware of the implications of a single
>> point-of-failure since things otherwise seem to be working.
>>
>> So perhaps the default should be to install a CA unless the user
>> requests one not be installed. A related task may be to create an
>> uninstaller for just the CA.
>>
>> rob
>>
> 
> From a general perspective:
> 
> When I hear "replica" it evokes a "clone", something equal/identical.
> 
> Based on this, the expected behavior for me would be that:
> 
> - if master has DNS and CA, then the new replica would also have DNS and
> CA (without any configuration option needed).
> - if an optional service is missing then replica wouldn't have it as
> well by default
> 
> This would require reverse options like: --no-dns.

Pretty much exactly what I was thinking.

For the option I think we should go with a more generic --ca, --dns,
with the default value matching what the remote master has configured.

But that's bike shedding.

The real question is, what do others think? Is this worth filing a
ticket for? It would be a subtle but significant change. This might tie
in nicely with planned topology management too.

rob
