[Freeipa-devel] [PATCH] [WIP] ipa-replica-manage del with managed topology

Ludwig Krispenz lkrispen at redhat.com
Fri Jun 12 08:26:41 UTC 2015


On 06/12/2015 10:20 AM, Petr Vobornik wrote:
> On 06/12/2015 09:24 AM, Ludwig Krispenz wrote:
>> Hi Petr,
>> On 06/11/2015 06:34 PM, Petr Vobornik wrote:
>>> Attaching a wip patch for `ipa-replica-manage del` to work with
>>> managed topology.
>>>
>>> There are two prerequisite patches, they add following commands. All
>>> commands have the NO_CLI flag, which means they are hidden in CLI.
>>> - server-del
>>> - serverservice-add, mod, del, show, find
>>>
>>> serverservice is object name for server "services" in cn=masters. I
>>> don't like the "service" name much but it's already been used in
>>> general discussions.
>>>
>>> The main patch introduces two distinct methods for deleting servers,
>>> one for managed topology another for the old method. They share some
>>> code.
>>>
>>> There are some differences in behavior.
>>>
>>> 1. the original 'del' worked also with winsync agreements. I'm not
>>> sure why that is. Shouldn't 'disconnect' be used for winsync
>>> agreements? At least man page says that.
>>>
>>> 2. options --clean and --force aren't used in the new method. I don't
>>> think that they are required. They serve for deleting the server entry
>>> in cn=masters.  The new method is built around this deletion so that
>>> it's always done which also means the cleanup is done.
>>>
>>> 3. Clean RUV task is run after deleting server entry and related
>>> cleanup. I don't think it works well. From observing the changes, it
>>> looks like it's executed before topology plugin manages to delete the
>>> agreements. This task then doesn't want to end and it reports that it
>>> has not finished somewhere. It finishes successfully if dirsrv is
>>> restarted. Agreements are then removed as well and all is fine.
>>>
>>> Ludwig, should the clean RUV step be done differently? E.g. somewhere
>>> else or after something finishes?
>> good question, investigating the cleanallruv problems was on my agenda
>> after the topology plugin is "stable". We have seen many issues (e.g.
>> corrupted ruvs), where we don't know why they exist in DS and if
>> anything in the management code of ipa is contributing to this. So I can
>> not really recommend a "best practice" at the moment.
>> Regarding required changes in the manage-del, I think the problem is
>> that without the topo plugin the agreement was deleted, then cleanallruv
>> was started (it no longer tried to contact the removed replica and
>> didn't get contacted by that replica). Now the direct deletion of the
>> agreement is rejected and the cleanallruv will act in the full topology,
>> so it probably should be done after the server was removed.
>
> Would it be sufficient to check deletion of related segments?
yes, that should be enough.
> Deletion check of rep. agreement seems error prone to me (this server 
> doesn't have to have any and must contact different server...).
agree, don't need to rely on repl agreements. That's something I didn't 
understand with the old method, there could be agreements to the removed 
replica on other servers, were they removed as well?
>>
>> You call server_del before calling replica_cleanup (which also deletes
>> the server). I don't see the deletion of the services before server_del,
>> so this should fail since it has children.
>>
>
> It won't fail, server_del inherits from LDAPDelete which deletes the 
> children on errors.NotAllowedOnNonLeaf and then it retries the deletion.
>
> replica cleanup tries to do it again but if the server entry is not 
> there, it continues without raising error. This is fine. The logic was 
> kept there for the old del method.
Thanks for explanation
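
The ordering discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: delete the server entry (removing children on a non-leaf error and retrying), then allow the clean RUV step only once no topology segment still references the removed server. The directory, the segment table, the `poll` hook, the host names and the `dc=example,dc=test` suffix are constructed for illustration.

```python
# Constructed in-memory model; no LDAP server or FreeIPA API is used.
MASTERS = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"  # placeholder suffix

class NotAllowedOnNonLeaf(Exception):
    """Stand-in for the LDAP error raised when an entry still has children."""

class Directory:
    def __init__(self, dns):
        self.entries = set(dns)

    def children(self, dn):
        # Direct children only: exactly one extra RDN in front of dn.
        suffix = "," + dn
        return sorted(e for e in self.entries
                      if e.endswith(suffix) and "," not in e[:-len(suffix)])

    def delete(self, dn):
        if self.children(dn):
            raise NotAllowedOnNonLeaf(dn)
        self.entries.discard(dn)  # a missing entry is not an error

def delete_with_retry(directory, dn):
    """Delete dn; on a non-leaf error remove the children, then retry once."""
    try:
        directory.delete(dn)
    except NotAllowedOnNonLeaf:
        for child in directory.children(dn):
            delete_with_retry(directory, child)
        directory.delete(dn)

def related_segments(segments, host):
    return sorted(n for n, ends in segments.items() if host in ends)

def remove_server(directory, segments, host, poll, max_polls=5):
    """Delete the server entry, wait for its segments to go, then allow clean RUV."""
    delete_with_retry(directory, f"cn={host},{MASTERS}")
    for _ in range(max_polls):
        if not related_segments(segments, host):
            break
        poll(segments)  # hypothetical hook: topology plugin removes segments
    # Starting the task while segments remain is the hang described in the thread.
    return "defer-clean-ruv" if related_segments(segments, host) else "run-clean-ruv"

def demo():
    d = Directory([f"cn=r1.example.test,{MASTERS}", f"cn=r2.example.test,{MASTERS}",
                   f"cn=CA,cn=r2.example.test,{MASTERS}"])
    segs = {"r1-to-r2": ("r1.example.test", "r2.example.test")}
    result = remove_server(d, segs, "r2.example.test", lambda s: s.clear())
    return result, sorted(d.entries), segs
```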




