[Freeipa-devel] disabling topology segment has no effect

[Ludwig Krispenz]

On 06/17/2015 04:46 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>
>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>> Hi Ludwig, Petr,
>>>
>>> Presently I have noticed that disabling a segment, using `ipa 
>>> topologysegment-mod realm replica1-to-replica2
>>> --enabled=off` does not have effect on the way the data is replicated.
>>>
>>> I mean that if we have the following tolopogy:
>>> master <-> replica1 <-> replica2
>> on which server did you apply the mod ?
> On master.
just to be clear, you have master <-> replica1 <-> replica2
on master you disable replica1-replica2
why would you expect mods on master not to be replicated ? at least to 
replica1 ?
the disable should only effect the connection between r1 and r2.
There is one problem in this linear topology, the disable reaches r1, it 
disables the agmt to r2 and so fails to replicate  the disable to r2.

> It reproduces though even in a situation with the topology
> replica3 <-> master <-> replica1 <-> replica2 and you disable the 
> replica1-replica2 segment on replica3 (quite expectedly)
>>> and disable one of the segments, one would expect the changes 
>>> implemented on master would not be replicated to other nodes (or do 
>>> I misunderstand the concept of disabling a segment?). However, in 
>>> reality any changes in master do get replicated despite the segment 
>>> is disabled.
>>>
>>> Is it a correct behavior?
>>>
>>> The second question is: if disabled segments should not let the 
>>> changes through, then we probably should implement a check for 
>>> topology disconnection in similar way as `ipa topologysegment-del` 
>>> does. I mean, whenever a user tries to disable a segment, the plugin 
>>> should probably check whether it disconnects any of the nodes.
>> well, I think disabling should be temporary, you want to disconnect 
>> for some time. eg for debugging, not deleting the agreement 
>> completely, I would allow this.
>>
>