[Freeipa-devel] disabling topology segment has no effect
Ludwig Krispenz
lkrispen at redhat.com
Wed Jun 17 15:34:15 UTC 2015
On 06/17/2015 05:26 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> On 06/17/2015 05:13 PM, Ludwig Krispenz wrote:
>> Hi,
>> On 06/17/2015 05:07 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/17/2015 04:46 PM, Oleg Fayans wrote:
>>>>> Hi Ludwig,
>>>>>
>>>>> On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
>>>>>>
>>>>>> On 06/17/2015 03:37 PM, Oleg Fayans wrote:
>>>>>>> Hi Ludwig, Petr,
>>>>>>>
>>>>>>> Presently I have noticed that disabling a segment, using `ipa
>>>>>>> topologysegment-mod realm replica1-to-replica2
>>>>>>> --enabled=off` does not have an effect on the way the data is
>>>>>>> replicated.
>>>>>>>
>>>>>>> I mean that if we have the following topology:
>>>>>>> master <-> replica1 <-> replica2
>>>>>> on which server did you apply the mod ?
>>>>> On master.
>>>> just to be clear, you have master <-> replica1 <-> replica2
>>>> on master you disable replica1-replica2
>>>> why would you expect mods on master not to be replicated? at least
>>>> to replica1?
>>>> the disable should only affect the connection between r1 and r2.
>>>> There is one problem in this linear topology, the disable reaches
>>>> r1, it disables the agmt to r2 and so fails to replicate the
>>>> disable to r2.
>>>
>>> To be precise, my topology is as follows
>>>
>>> master <-> replica3 <-> replica2 <-> replica1
>>> And I disabled the replica3 <-> replica2. So I expected the changes
>>> on master to be only visible on master and replica3, but actually it
>>> kept replicating to all nodes.
>>>
>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-find realm
>>> ------------------
>>> 3 segments matched
>>> ------------------
>>> Segment name: f22master.bagam.net-to-f22replica3.bagam.net
>>> Left node: f22master.bagam.net
>>> Right node: f22replica3.bagam.net
>>> Connectivity: both
>>>
>>> Segment name: replica1-to-replica2
>>> Left node: f22replica1.bagam.net
>>> Right node: f22replica2.bagam.net
>>> Connectivity: both
>>>
>>> Segment name: replica3-to-replica2
>>> Left node: f22replica3.bagam.net
>>> Right node: f22replica2.bagam.net
>>> Connectivity: both
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>> root at f22replica1:/home/ofayans]$ ipa topologysegment-show realm
>>> replica3-to-replica2
>>> Segment name: replica3-to-replica2
>>> Left node: f22replica3.bagam.net
>>> Right node: f22replica2.bagam.net
>>> Connectivity: both
>>> Replication agreement enabled: off
>> can you do a ldapsearch on cn=realm,cn=topology, ......
> $ ldapsearch -LLL -b "cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory Manager" -w '<password>'
> dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
> cn: realm
> ipaReplTopoConfRoot: dc=bagam,dc=net
> objectClass: top
> objectClass: iparepltopoconf
>
> dn:
> cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
> ipaReplTopoSegmentRightNode: f22replica2.bagam.net
> ipaReplTopoSegmentDirection: both
> cn: replica1-to-replica2
> ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
> objectClass: iparepltoposegment
> objectClass: top
replica1 - replica2
>
> dn: cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
> ipaReplTopoSegmentDirection: both
> objectClass: iparepltoposegment
> objectClass: top
> cn: f22master.bagam.net-to-f22replica3.bagam.net
> ipaReplTopoSegmentLeftNode: f22master.bagam.net
> ipaReplTopoSegmentRightNode: f22replica3.bagam.net
> ipaReplTopoSegmentStatus: autogen
master - replica3
>
> dn: cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
> objectClass: iparepltoposegment
> objectClass: top
> ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
> cn: f22replica3.bagam.net-f22replica1.bagam.net
> ipaReplTopoSegmentDirection: both
> ipaReplTopoSegmentRightNode: f22replica1.bagam.net
replica3 - replica1
but this does not match your segment-find output, there is no segment
replica2 - replica3
>
>>
>> and on replica3 do a search -b "cn=config"
>> "objectclass=nsds5replicationagreement"
> $ ldapsearch -LLL -b "cn=config" "objectclass=nsds5replicationagreement" -D "cn=Directory Manager" -w '<password>'
> dn: cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping tree,cn=config
> objectClass: nsds5replicationagreement
> objectClass: ipaReplTopoManagedAgreement
> objectClass: top
> cn: f22replica3.bagam.net-to-f22replica1.bagam.net
> nsDS5ReplicaHost: f22replica1.bagam.net
> nsDS5ReplicaPort: 389
> nsds5replicaTimeout: 300
> nsDS5ReplicaRoot: dc=bagam,dc=net
> description: f22replica3.bagam.net to f22replica1.bagam.net
> ipaReplTopoManagedAgreementState: managed agreement - generated by topology plugin
> nsDS5ReplicaTransportInfo: LDAP
> nsDS5ReplicaBindMethod: SASL/GSSAPI
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150617151930Z
> nsds5replicaLastUpdateEnd: 20150617151930Z
> nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA=
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
> dn: cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping tree,cn=config
> cn: meTof22master.bagam.net
> description: me to f22master.bagam.net
> ipaReplTopoManagedAgreementState: managed agreement - controlled by topology plugin
> nsDS5ReplicaBindMethod: SASL/GSSAPI
> nsDS5ReplicaHost: f22master.bagam.net
> nsDS5ReplicaPort: 389
> nsDS5ReplicaRoot: dc=bagam,dc=net
> nsDS5ReplicaTransportInfo: LDAP
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
> nsds50ruv: {replicageneration} 557fdff1000000040000
> nsds50ruv: {replica 4 ldap://f22master.bagam.net:389} 557fdffc000100040000 55800f44000300040000
> nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389} 55800e1b000000060000 55800f44000400060000
> nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389} 557fed70000000050000 55800553000300050000
> nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389} 557fdffa000000030000 558009b4000200030000
> nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
> nsds5replicaTimeout: 120
> nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389} 00000000
> objectClass: nsds5replicationagreement
> objectClass: top
> objectClass: ipaReplTopoManagedAgreement
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150617151930Z
> nsds5replicaLastUpdateEnd: 20150617151930Z
> nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
> dn: cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
> description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-f22replica3.bagam.net-pki-tomcat,ou=csusers,cn=config
> nsDS5ReplicaBindMethod: Simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbVJ4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
> nsDS5ReplicaHost: f22master.bagam.net
> nsDS5ReplicaPort: 389
> nsDS5ReplicaRoot: o=ipaca
> nsDS5ReplicaTransportInfo: TLS
> nsds50ruv: {replicageneration} 557fe04c000000600000
> nsds50ruv: {replica 96 ldap://f22master.bagam.net:389} 557fe05b000000600000 55800ea7000000600000
> nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389} 55800eb4000000560000 55800eb6000200560000
> nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389} 557fede80000005b0000 557fedea0002005b0000
> nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389} 557fe06c000000610000 557fe326000000610000
> nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 86 ldap://f22replica3.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 91 ldap://f22replica2.bagam.net:389} 00000000
> nsruvReplicaLastModified: {replica 97 ldap://f22replica1.bagam.net:389} 00000000
> objectClass: top
> objectClass: nsds5replicationagreement
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 20150617150850Z
> nsds5replicaLastUpdateEnd: 20150617150850Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
>>
>> would like to see the raw data.
>>>
>>>
>>>>
>>>>> It reproduces though even in a situation with the topology
>>>>> replica3 <-> master <-> replica1 <-> replica2 and you disable the
>>>>> replica1-replica2 segment on replica3 (quite expectedly)
>>>>>>> and disable one of the segments, one would expect the changes
>>>>>>> implemented on master would not be replicated to other nodes (or
>>>>>>> do I misunderstand the concept of disabling a segment?).
>>>>>>> However, in reality any changes in master do get replicated
>>>>>>> despite the segment being disabled.
>>>>>>>
>>>>>>> Is it a correct behavior?
>>>>>>>
>>>>>>> The second question is: if disabled segments should not let the
>>>>>>> changes through, then we probably should implement a check for
>>>>>>> topology disconnection in similar way as `ipa
>>>>>>> topologysegment-del` does. I mean, whenever a user tries to
>>>>>>> disable a segment, the plugin should probably check whether it
>>>>>>> disconnects any of the nodes.
>>>>>> well, I think disabling should be temporary; you want to
>>>>>> disconnect for some time, e.g. for debugging, not delete the
>>>>>> agreement completely. I would allow this.
>>>>>>
>>>>>
>>>>
>>>
>>
>
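As an added example, not code from this thread or from the FreeIPA topology plugin: a small Python model of the two points the thread raises. First, the linear-topology failure mode Ludwig describes (the disable reaches r1, disables r1's agreement to r2, and so is never forwarded to r2), modelled as "each host disables its own agreement before forwarding the change", which is an assumption about ordering, not the plugin's code. Second, the connectivity check Oleg proposes for `topologysegment-mod --enabled=off`, mirroring what `topologysegment-del` already does. The host and segment names are constructed; the direction values `left-right` and `right-left` are assumed alongside the `both` shown in the dumps above.

```python
from collections import deque

# Constructed example topology (not the thread's LDAP data):
# a linear chain master <-> replica1 <-> replica2, both segments enabled.
SEGMENTS = {
    "master-to-replica1": ("master", "replica1", "both"),
    "replica1-to-replica2": ("replica1", "replica2", "both"),
}


def hosts(segments):
    """All hosts named by any segment."""
    return {h for left, right, _ in segments.values() for h in (left, right)}


def agreements(segments, enabled):
    """Derive per-host outbound replication agreements from the segments a
    host currently considers enabled (missing names default to enabled).
    Direction vocabulary assumed: both, left-right, right-left."""
    out = {h: set() for h in hosts(segments)}
    for name, (left, right, direction) in segments.items():
        if not enabled.get(name, True):
            continue
        if direction in ("both", "left-right"):
            out[left].add(right)
        if direction in ("both", "right-left"):
            out[right].add(left)
    return out


def reachable(out, start):
    """Hosts reachable from `start` over enabled agreements (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        h = queue.popleft()
        for peer in out[h]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def propagate_disable(segments, origin, target):
    """Model of the failure mode described in the thread (assumed ordering):
    the mod `enabled=off` for segment `target` is applied on `origin`; each
    host that receives it disables its own agreement for that segment first
    and only then forwards the change over agreements it still has enabled.
    Returns, per host, which segments that host ended up considering enabled."""
    view = {h: {n: True for n in segments} for h in hosts(segments)}
    seen, queue = {origin}, deque([origin])
    while queue:
        h = queue.popleft()
        view[h][target] = False  # local agreement disabled before forwarding
        for peer in agreements(segments, view[h])[h]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return view


def would_disconnect(segments, enabled, name):
    """The check the thread proposes for `topologysegment-mod --enabled=off`:
    after disabling `name`, can every host still reach every other host over
    enabled agreements? True if some host becomes unreachable."""
    after = {**enabled, name: False}
    out = agreements(segments, after)
    all_hosts = hosts(segments)
    return any(reachable(out, h) != all_hosts for h in all_hosts)


if __name__ == "__main__":
    view = propagate_disable(SEGMENTS, "master", "replica1-to-replica2")
    for host in sorted(view):
        print(host, "sees replica1-to-replica2 enabled:",
              view[host]["replica1-to-replica2"])
    print("disabling replica1-to-replica2 disconnects the topology:",
          would_disconnect(SEGMENTS, {}, "replica1-to-replica2"))
```

In the chain, the disable originates on master, is applied on replica1, and stops there: replica2 never sees it, so its own agreement back to replica1 stays enabled and the topology ends up in an inconsistent state. The same `would_disconnect` check returns False once a third segment closes the chain into a ring, which is the case in which a temporary disable for debugging, as Ludwig suggests, is harmless.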