[Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology

Petr Vobornik pvoborni at redhat.com
Fri Jun 12 08:20:52 UTC 2015


On 06/12/2015 09:24 AM, Ludwig Krispenz wrote:
> Hi Petr,
> On 06/11/2015 06:34 PM, Petr Vobornik wrote:
>> Attaching a wip patch for `ipa-replica-manage del` to work with
>> managed topology.
>>
>> There are two prerequisite patches, they add the following commands. All
>> commands have the NO_CLI flag, which means they are hidden in CLI.
>> - server-del
>> - serverservice-add, mod, del, show, find
>>
>> serverservice is object name for server "services" in cn=masters. I
>> don't like the "service" name much but it's already been used in
>> general discussions.
>>
>> The main patch introduces two distinct methods for deleting servers,
>> one for managed topology another for the old method. They share some
>> code.
>>
>> There are some differences in behavior.
>>
>> 1. the original 'del' worked also with winsync agreements. I'm not
>> sure why that is. Shouldn't 'disconnect' be used for winsync
>> agreements? At least man page says that.
>>
>> 2. options --clean and --force aren't used in the new method. I don't
>> think that they are required. They serve for deleting the server entry
>> in cn=masters.  The new method is built around this deletion so that
>> it's always done which also means the cleanup is done.
>>
>> 3. Clean RUV task is run after deleting server entry and related
>> cleanup. I don't think it works well. From observing the changes, it
>> looks like it's executed before topology plugin manages to delete the
>> agreements. This task then doesn't want to end and it reports that it
>> has not finished somewhere. It finishes successfully if dirsrv is
>> restarted. Agreements are then removed as well and all is fine.
>>
>> Ludwig, should the clean RUV step be done differently? E.g. somewhere
>> else or after something finishes?
> good question, investigating the cleanallruv problems was on my agenda
> after the topology plugin is "stable". We have seen many issues (e.g.
> corrupted ruvs), where we don't know why they exist in DS and if
> anything in the management code of ipa is contributing to this. So I can
> not really recommend a "best practice" at the moment.
> Regarding required changes in the manage-del, I think the problem is
> that without the topo plugin the agreement was deleted, then cleanallruv
> was started (it no longer tried to contact the removed replica and
> didn't get contacted by that replica). Now the direct deletion of the
> agreement is rejected and the cleanallruv will act in the full topology,
> so it probably should be done after the server was removed.

Would it be sufficient to check deletion of related segments? Deletion 
check of rep. agreement seems error prone to me (this server doesn't 
have to have any and must contact different server...).
>
> You call server_del before calling replica_cleanup (which also deletes
> the server). I don't see the deletion of the services before server_del,
> so this should fail since it has children.
>

It won't fail, server_del inherits from LDAPDelete which deletes the 
children on errors.NotAllowedOnNonLeaf and then it retries the deletion.

replica cleanup tries to do it again but if the server entry is not 
there, it continues without raising an error. This is fine. The logic was 
kept there for the old del method.
-- 
Petr Vobornik



