[Freeipa-devel] [PATCH] 0036 Abort full backup restoration on not matching host.

Jan Cholasta jcholast at redhat.com
Mon Jan 12 15:32:05 UTC 2015


On 12.1.2015 at 16:30, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 12.1.2015 at 13:37, David Kupka wrote:
>>> On 01/12/2015 01:14 PM, Jan Cholasta wrote:
>>>> On 12.1.2015 at 13:08, Martin Kosek wrote:
>>>>> On 01/12/2015 12:53 PM, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4823
>>>>>
>>>>> Looking at this patch, are data-only backups supposed to work properly
>>>>> then?
>>>>> Wouldn't for example Directory Server fail to start when cn=config
>>>>> contains some
>>>>> hostname-bound values?
>>>>>
>>>>> Just checking...
>>>>>
>>>>
>>>> IMO the error should be raised in both data-only and full restore, if in
>>>> unattended mode or the user wishes not to continue.
>>>>
>>> Description of the problem in ticket states: "I tried to run ipa-restore
>>> (full kind) on replica from full backup taken on master and was
>>> expecting an error message that restore can not proceed and only data
>>> restore possible."
>>>
>>> I created the patch based on this request. Is it wrong and should
>>> ipa-restore fail every time when hostnames do not match?
>>
>> Yes, as Martin pointed out, the data may contain references to the
>> hostname.
>>
>>> Does it make
>>> sense to allow the user to force the restoration in this case?
>>
>> Yes, if the users wish, they should be allowed to continue.
>
> IIRC a data restore is just the data from the replicated tree so there
> is nothing hostname-specific. It is probably worth investigating so we
> don't go too far one way or the other.

There's at least cn=<fqdn>,cn=masters,cn=etc,<suffix>.

>
> A full restore definitely shouldn't be done on the wrong host as it will
> restore certificates and keytabs that are definitely host-specific.

Should the continue prompt be removed then?

>
> rob
>


-- 
Jan Cholasta
