[Freeipa-devel] disabling topology segment has no effect

Ludwig Krispenz lkrispen at redhat.com
Wed Jun 17 15:13:54 UTC 2015


Hi,
On 06/17/2015 05:07 PM, Oleg Fayans wrote:
>
>
> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
>>
>> On 06/17/2015 04:46 PM, Oleg Fayans wrote:
>>> Hi Ludwig,
>>>
>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>>>> Hi Ludwig, Petr,
>>>>>
>>>>> Presently I have noticed that disabling a segment, using `ipa 
>>>>> topologysegment-mod realm replica1-to-replica2
>>>>> --enabled=off` does not have effect on the way the data is 
>>>>> replicated.
>>>>>
>>>>> I mean that if we have the following topology:
>>>>> master <-> replica1 <-> replica2
>>>> on which server did you apply the mod ?
>>> On master.
>> just to be clear, you have master <-> replica1 <-> replica2
>> on master you disable replica1-replica2
>> why would you expect mods on master not to be replicated ? at least 
>> to replica1 ?
>> the disable should only affect the connection between r1 and r2.
>> There is one problem in this linear topology, the disable reaches r1, 
>> it disables the agmt to r2 and so fails to replicate the disable to r2.
>
> To be precise, my topology is as follows
>
> master <-> replica3 <-> replica2 <-> replica1
> And I disabled the replica3 <-> replica2. So I expected the changes on 
> master to be only visible on master and replica3, but actually it kept 
> replicating to all nodes.
>
> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
> ------------------
> 3 segments matched
> ------------------
>   Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>   Left node: f22master.bagam.net
>   Right node: f22replica3.bagam.net
>   Connectivity: both
>
>   Segment name: replica1-to-replica2
>   Left node: f22replica1.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
>
>   Segment name: replica3-to-replica2
>   Left node: f22replica3.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
> ----------------------------
> Number of entries returned 3
> ----------------------------
> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm 
> replica3-to-replica2
>   Segment name: replica3-to-replica2
>   Left node: f22replica3.bagam.net
>   Right node: f22replica2.bagam.net
>   Connectivity: both
>   Replication agreement enabled: off
can you do a ldapsearch on cn=realm,cn=topology, ......

and on replica3 do a search -b "cn=config" 
"objectclass=nsds5replicationagreement"

would like to see the raw data.
>
>
>>
>>> It reproduces though even in a situation with the topology
>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the 
>>> replica1-replica2 segment on replica3 (quite expectedly)
>>>>> and disable one of the segments, one would expect the changes 
>>>>> implemented on master would not be replicated to other nodes (or 
>>>>> do I misunderstand the concept of disabling a segment?). However, 
>>>>> in reality any changes in master do get replicated despite the 
>>>>> segment being disabled.
>>>>>
>>>>> Is it a correct behavior?
>>>>>
>>>>> The second question is: if disabled segments should not let the 
>>>>> changes through, then we probably should implement a check for 
>>>>> topology disconnection in similar way as `ipa topologysegment-del` 
>>>>> does. I mean, whenever a user tries to disable a segment, the 
>>>>> plugin should probably check whether it disconnects any of the nodes.
>>>> well, I think disabling should be temporary, you want to disconnect 
>>>> for some time. eg for debugging, not deleting the agreement 
>>>> completely, I would allow this.
>>>>
>>>
>>
>
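
The disconnection check raised in the thread's second question, sketched as an added example (not part of the original message and not FreeIPA plugin code). It models the three segments from the `ipa topologysegment-find realm` output as an undirected graph, which assumes every segment has `Connectivity: both` as shown there, and reports which groups of nodes would be cut off from each other if a disabled segment carried no replication traffic. The function names `partitions` and `disable_would_disconnect` are hypothetical.

```python
from collections import deque

# Segments as printed by `ipa topologysegment-find realm` in the thread:
# (segment name, left node, right node). All are "Connectivity: both".
SEGMENTS = [
    ("f22master.bagam.net-to-f22replica3.bagam.net",
     "f22master.bagam.net", "f22replica3.bagam.net"),
    ("replica1-to-replica2", "f22replica1.bagam.net", "f22replica2.bagam.net"),
    ("replica3-to-replica2", "f22replica3.bagam.net", "f22replica2.bagam.net"),
]


def partitions(segments, disabled=()):
    """Return the groups of nodes that can still replicate to each other
    when the segments named in `disabled` carry no traffic."""
    nodes, adjacency = set(), {}
    for name, left, right in segments:
        nodes.update((left, right))
        if name in disabled:
            continue  # a disabled segment contributes no edge
        adjacency.setdefault(left, set()).add(right)
        adjacency.setdefault(right, set()).add(left)
    groups, seen = [], set()
    for start in sorted(nodes):
        if start in seen:
            continue
        # Breadth-first walk over the enabled segments only.
        group, queue = {start}, deque([start])
        while queue:
            for peer in adjacency.get(queue.popleft(), ()):
                if peer not in group:
                    group.add(peer)
                    queue.append(peer)
        seen |= group
        groups.append(sorted(group))
    return groups


def disable_would_disconnect(segments, name, already_disabled=()):
    """True if disabling `name` increases the number of isolated groups."""
    before = partitions(segments, already_disabled)
    after = partitions(segments, set(already_disabled) | {name})
    return len(after) > len(before)


if __name__ == "__main__":
    for seg, _, _ in SEGMENTS:
        print(seg, disable_would_disconnect(SEGMENTS, seg),
              partitions(SEGMENTS, {seg}))
```
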