[Freeipa-devel] topologysegment-mod question
Ludwig Krispenz
lkrispen at redhat.com
Mon Jun 22 14:15:39 UTC 2015
Hi Oleg,
On 06/22/2015 02:49 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> Could you please clarify how `ipa topologysegment-mod
> --enabled=off` should work?
> My initial understanding was that it disables any changes to go
> through the disabled segment, but as it turns out, it does let the
> topology-related info through, and filters out all the rest.
> What I mean, is that having a line topology like this:
>
> master - rep1 - rep2 - rep3 - rep4
>
> When I disable rep2-rep3 segment, then:
> 1. any user created on master does not appear on rep3 and rep4 (as
> expected), but
> 2. changes in topology, made on rep4 do get replicated to master
>
> Is it an expected behavior?
expected: yes, intended: no

If you disable rep2-rep3 on master or repl1 or repl2 this change arrives
at repl2 and will disable the agreement to repl3. This can happen before
the change is replicated to repl3 and so the setting to off does not
arrive at repl3 and it will still replicate back to repl2.

In a previous discussion there was agreement that we do not want to
support disablement of a segment, but it is not yet enforced.

This problem is similar to the one where a master is removed, the
segments connecting it (and the repl agmts) are removed and these
changes do not arrive at the removed master. To handle this either a
check if changes have been received at other servers, or the removal
would have to be done by some delay,...

This was not pursued since the removed master would be gone, and in the
remaining topology connections to it are removed and also its
credentials are removed, so even if it has a leftover agreement it will
not be able to replicate back into the remaining topology.
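
The ordering described in the reply above, as an added example that is not part of the original message and not FreeIPA code. It is a simplified model that assumes each node controls only its own outgoing agreement on a segment and that the disable setting travels as ordinary replicated data; the function names and the sample changes are constructed for illustration.

```python
from collections import deque

NODES = ["master", "rep1", "rep2", "rep3", "rep4"]  # line topology from the thread

def make_cluster():
    # Assumed model: each node owns the outgoing agreement of every segment it is on.
    agmts = {n: {} for n in NODES}           # agmts[src][dst] -> enabled?
    for a, b in zip(NODES, NODES[1:]):
        agmts[a][b] = agmts[b][a] = True
    return agmts, {n: set() for n in NODES}  # second value: changes held per node

def apply_change(node, change, agmts, data):
    data[node].add(change)
    if change[0] == "disable":               # ("disable", left, right)
        _, a, b = change
        if node == a:
            agmts[a][b] = False              # a node switches off only its own side
        if node == b:
            agmts[b][a] = False

def replicate(origin, change, agmts, data):
    """Apply change at origin, push it hop by hop over enabled agreements,
    and return the set of nodes that end up holding it."""
    apply_change(origin, change, agmts, data)
    queue = deque([origin])
    while queue:
        src = queue.popleft()
        for dst, enabled in agmts[src].items():
            if enabled and change not in data[dst]:
                apply_change(dst, change, agmts, data)
                queue.append(dst)
    return {n for n in NODES if change in data[n]}

def half_disabled(agmts):
    """Segments where one direction is off and the other still replicates."""
    return [(a, b) for a, b in zip(NODES, NODES[1:]) if agmts[a][b] != agmts[b][a]]

def demo():
    agmts, data = make_cluster()
    off = replicate("master", ("disable", "rep2", "rep3"), agmts, data)
    user = replicate("master", ("user", "constructed-user"), agmts, data)
    topo = replicate("rep4", ("topology", "constructed-change"), agmts, data)
    return off, user, topo, half_disabled(agmts)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the disable setting and the user created on master both stop at rep2, while the change made on rep4 reaches every node, and `half_disabled` reports the rep2-rep3 segment as the one left replicating in a single direction.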