Hi Ludwig,
On 06/17/2015 05:13 PM, Ludwig Krispenz wrote:
> Hi,
> On 06/17/2015 05:07 PM, Oleg Fayans wrote:
>>
>>
>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote:
>>>> Hi Ludwig,
>>>>
>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>>>>> Hi Ludwig, Petr,
>>>>>>
>>>>>> Presently I have noticed that disabling a segment, using `ipa
>>>>>> topologysegment-mod realm replica1-to-replica2
>>>>>> --enabled=off` does not have effect on the way the data is
>>>>>> replicated.
>>>>>>
>>>>>> I mean that if we have the following tolopogy:
>>>>>> master <-> replica1 <-> replica2
>>>>> on which server did you apply the mod ?
>>>> On master.
>>> just to be clear, you have master <-> replica1 <-> replica2
>>> on master you disable replica1-replica2
>>> why would you expect mods on master not to be replicated ? at least
>>> to replica1 ?
>>> the disable should only effect the connection between r1 and r2.
>>> There is one problem in this linear topology, the disable reaches
>>> r1, it disables the agmt to r2 and so fails to replicate the
>>> disable to r2.
>>
>> To be precise, my topology is as follows
>>
>> master <-> replica3 <-> replica2 <-> replica1
>> And I disabled the replica3 <-> replica2. So I expected the changes
>> on master to be only visible on master and replica3, but actually it
>> kept replicating to all nodes.
>>
>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
>> ------------------
>> 3 segments matched
>> ------------------
>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>> Left node: f22master.bagam.net
>> Right node: f22replica3.bagam.net
>> Connectivity: both
>>
>> Segment name: replica1-to-replica2
>> Left node: f22replica1.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>>
>> Segment name: replica3-to-replica2
>> Left node: f22replica3.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm
>> replica3-to-replica2
>> Segment name: replica3-to-replica2
>> Left node: f22replica3.bagam.net
>> Right node: f22replica2.bagam.net
>> Connectivity: both
>> Replication agreement enabled: off
> can you do a ldapsearch on cn=realm,cn=topology, ......
$ ldapsearch -LLL -b
"cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory
Manager" -w '<password>'
dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
cn: realm
ipaReplTopoConfRoot: dc=bagam,dc=net
objectClass: top
objectClass: iparepltopoconf
dn:
cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentRightNode: f22replica2.bagam.net
ipaReplTopoSegmentDirection: both
cn: replica1-to-replica2
ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
objectClass: iparepltoposegment
objectClass: top
dn:
cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip
a,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: f22master.bagam.net-to-f22replica3.bagam.net
ipaReplTopoSegmentLeftNode: f22master.bagam.net
ipaReplTopoSegmentRightNode: f22replica3.bagam.net
ipaReplTopoSegmentStatus: autogen
dn:
cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa
,cn=etc,dc=bagam,dc=net
objectClass: iparepltoposegment
objectClass: top
ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
cn: f22replica3.bagam.net-f22replica1.bagam.net
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentRightNode: f22replica1.bagam.net
>
> and on replica3 do a search -b "cn=config"
> "objectclass=nsds5replicationagreement"
$ ldapsearch -LLL -b "cn=config" "objectclass=nsds5replicationagreement"
-D "cn=Directory Manager" -w '<password>'
dn:
cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam
\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: f22replica3.bagam.net-to-f22replica1.bagam.net
nsDS5ReplicaHost: f22replica1.bagam.net
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=bagam,dc=net
description: f22replica3.bagam.net to f22replica1.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - generated by
topology pl
ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping
tree,cn=config
cn: meTof22master.bagam.net
description: me to f22master.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - controlled by
topology p
lugin
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=bagam,dc=net
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 557fdff1000000040000
nsds50ruv: {replica 4 ldap://f22master.bagam.net:389}
557fdffc000100040000 558
00f44000300040000
nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389}
55800e1b000000060000 5
5800f44000400060000
nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389}
557fed70000000050000 5
5800553000300050000
nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389}
557fdffa000000030000 5
58009b4000200030000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsds5replicaTimeout: 120
nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389}
0000000
0
nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389}
0000000
0
nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389}
0000000
0
objectClass: nsds5replicationagreement
objectClass: top
objectClass: ipaReplTopoManagedAgreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac
a,cn=mapping tree,cn=config
cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-f22replica3.bagam.
net-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV
J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 557fe04c000000600000
nsds50ruv: {replica 96 ldap://f22master.bagam.net:389}
557fe05b000000600000 55
800ea7000000600000
nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389}
55800eb4000000560000
55800eb6000200560000
nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389}
557fede80000005b0000
557fedea0002005b0000
nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389}
557fe06c000000610000
557fe326000000610000
nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 86 ldap://f22replica3.bagam.net:389}
000000
00
nsruvReplicaLastModified: {replica 91 ldap://f22replica2.bagam.net:389}
000000
00
nsruvReplicaLastModified: {replica 97 ldap://f22replica1.bagam.net:389}
000000
00
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617150850Z
nsds5replicaLastUpdateEnd: 20150617150850Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
>
> would like to see the raw data.
>>
>>
>>>
>>>> It reproduces though even in a situation with the topology
>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the
>>>> replica1-replica2 segment on replica3 (quite expectedly)
>>>>>> and disable one of the segments, one would expect the changes
>>>>>> implemented on master would not be replicated to other nodes (or
>>>>>> do I misunderstand the concept of disabling a segment?). However,
>>>>>> in reality any changes in master do get replicated despite the
>>>>>> segment is disabled.
>>>>>>
>>>>>> Is it a correct behavior?
>>>>>>
>>>>>> The second question is: if disabled segments should not let the
>>>>>> changes through, then we probably should implement a check for
>>>>>> topology disconnection in similar way as `ipa
>>>>>> topologysegment-del` does. I mean, whenever a user tries to
>>>>>> disable a segment, the plugin should probably check whether it
>>>>>> disconnects any of the nodes.
>>>>> well, I think disabling should be temporary, you want to
>>>>> disconnect for some time. eg for debugging, not deleting the
>>>>> agreement completely, I would allow this.
>>>>>
>>>>
>>>
>>
>
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.