[Freeipa-devel] Topology Plugin design questions

Oleg Fayans ofayans at redhat.com
Fri Aug 14 11:55:23 UTC 2015 

Hi Petr, Ludwig,

On 08/14/2015 09:25 AM, Petr Vobornik wrote:
> On 08/14/2015 08:26 AM, Oleg Fayans wrote:
>> The problem of current implementation of topologysegment-add is that it
>> does not support '--connectivity' commandline option:
>> $ ipa help topologysegment-add
>> Usage: ipa [global-options] topologysegment-add TOPOLOGYSUFFIX NAME
>> [options]
>>
>> Add a new segment.
>> Options:
>>    -h, --help            show this help message and exit
>>    --leftnode=STR        Left replication node - an IPA server
>>    --rightnode=STR       Right replication node - an IPA server
>>    --stripattrs=STR      A space separated list of attributes which are
>> removed
>>                          from replication updates.
>>    --replattrs=STR       Attributes that are not replicated to a consumer
>>                          server during a fractional update. E.g.,
>>                          `(objectclass=*) $ EXCLUDE accountlockout
>> memberof
>>    --replattrstotal=STR  Attributes that are not replicated to a consumer
>>                          server during a total update. E.g.
>> (objectclass=*) $
>>                          EXCLUDE accountlockout
>>    --timeout=INT         Number of seconds outbound LDAP operations
>> waits for a
>>                          response from the remote replica before timing
>> out and
>>                          failing
>>    --setattr=STR         Set an attribute to a name/value pair. Format is
>>                          attr=value. For multi-valued attributes, the
>> command
>>                          replaces the values already present.
>>    --addattr=STR         Add an attribute/value pair. Format is
>> attr=value. The
>>                          attribute must be part of the schema.
>>    --all                 Retrieve and print all attributes from the
>> server.
>>                          Affects command output.
>>    --raw                 Print entries as stored on the server. Only
>> affects
>>                          output format.
>
> This is correct, see https://fedorahosted.org/freeipa/ticket/5061
>
>>
>> But when you actually create a segment, it asks for connectivity
>> interactively, which effectively blocks automation.
>
> It should not ask, it's a bug, please file a ticket.
Filed the following ticket:
https://fedorahosted.org/freeipa/ticket/5222

>
>>
>>
>>
>> On 08/13/2015 12:13 PM, Ludwig Krispenz wrote:
>>>
>>> On 08/13/2015 10:49 AM, Petr Vobornik wrote:
>>>> On 08/13/2015 09:55 AM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 08/10/2015 10:54 AM, Oleg Fayans wrote:
>>>>>> Hi Ludwig,
>>>>>>
>>>>>> It seems the Design page for the topology plugin is a bit outdated.
>>>>>> 1. It still operates with the terms like plugin version
>>>>>> (http://www.freeipa.org/page/V4/Manage_replication_topology#Check_for_modify_operation),
>>>>>>
>>>>>>
>>>>>>
>>>>>> although it was generally agreed, that we do not use plugin
>>>>>> version at
>>>>>> all.
>>>>>>
>>>>>> 2. The section
>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology#Check_after_online_initializatition
>>>>>>
>>>>>>
>>>>>>
>>>>>> should be a bit clarified:
>>>>>> Does this mean, that if we prepare a replica from a master that has
>>>>>> domainlevel = 1, then the replica, that already had a domain level
>>>>>> = 0
>>>>>> will raise it? Do we support this scenario at all?
>>>>>>
>>>>>> 3. Segment directions. Currently there is no way to specify segment
>>>>>> direction using the cli `ipa topologysegment-add`. However the
>>>>>> direction is shown with `ipa topologysegment-find` and `ipa
>>>>>> topologysegment-show`, which leads to confusing of the users. We
>>>>>> probably should remove this info from the output at all and update
>>>>>> the
>>>>>> design page accordingly.
>>>>> this is not true, in segment add youcan specify the direction:
>>>>>
>>>>> adding the segment:
>>>>> -------------
>>>>> [root at vm-215 ~]# ipa topologysegment-add realm
>>>>> Left node: vm-112.abc.idm.lab.eng.brq.redhat.com
>>>>> Right node: vm-179.abc.idm.lab.eng.brq.redhat.com
>>>>> Connectivity [both]: left-right
>>>>> Segment name
>>>>> [vm-112.abc.idm.lab.eng.brq.redhat.com-to-vm-179.abc.idm.lab.eng.brq.redhat.com]:
>>>>>
>>>>>
>>>>>
>>>>> onedirect
>>>>> -------------------------
>>>>> Added segment "onedirect"
>>>>> -------------------------
>>>>>    Segment name: onedirect
>>>>>    Left node: vm-112.abc.idm.lab.eng.brq.redhat.com
>>>>>    Right node: vm-179.abc.idm.lab.eng.brq.redhat.com
>>>>>    Connectivity: left-right
>>>>>
>>>>>
>>>>> checking the segment:
>>>>>
>>>>> [root at vm-215 ~]# ipa topologysegment-find realm
>>>>> ------------------
>>>>> .....
>>>>> ------------------
>>>>>    Segment name: onedirect
>>>>>    Left node: vm-112.abc.idm.lab.eng.brq.redhat.com
>>>>>    Right node: vm-179.abc.idm.lab.eng.brq.redhat.com
>>>>>    Connectivity: left-right
>>>>>
>>>>> ......
>>>>>
>>>>
>>>> This is a bug. Option "direction" was removed from -add and -mod
>>>> commands on purpose.
>>> I thought it should only be removed from the mod, as it was not handled
>>> in the plugin, but I think initial creation of a one directional segment
>>> should be ok
>>>
>>>> But CLI still incorrectly asks for the value and therefore allows to
>>>> change the default "both".
>>>
>>
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

More information about the Freeipa-devel mailing list