[Freeipa-devel] topologysegment-mod question

Petr Vobornik pvoborni at redhat.com
Wed Jun 24 14:26:09 UTC 2015


On 06/24/2015 04:19 PM, Oleg Fayans wrote:
>
>
> On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:
>>
>> On 06/24/2015 02:30 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/24/2015 01:59 PM, Oleg Fayans wrote:
>>>>> Hi Petr,
>>>>>
>>>>> Thanks for clarification! It seems though, that all possible
>>>>> attributes are already mapped to the topologysegment-mod options:
>>>>>
>>>>> [13:42:45]ofayans at vm-244:~]$  ipa show-mappings topologysegment-mod
>>>>> Parameter      : LDAP attribute
>>>>> =========      : ==============
>>>>> stripattrs     : nsds5replicastripattrs
>>>>> replattrs      : nsds5replicatedattributelist
>>>>> replattrstotal : nsds5replicatedattributelisttotal
>>>>> timeout        : nsds5replicatimeout
>>>>> enabled        : nsds5replicaenabled
>>>>> rights         : rights
>>>>> [13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod
>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>>>>>
>>>>> Modify a segment.
>>>>> Options:
>>>>>   -h, --help            show this help message and exit
>>>>>   --stripattrs=STR      A space separated list of attributes which are removed
>>>>>                         from replication updates.
>>>>>   --replattrs=STR       Attributes that are not replicated to a consumer
>>>>>                         server during a fractional update. E.g.,
>>>>>                         `(objectclass=*) $ EXCLUDE accountlockout memberof
>>>>>   --replattrstotal=STR  Attributes that are not replicated to a consumer
>>>>>                         server during a total update. E.g. (objectclass=*) $
>>>>>                         EXCLUDE accountlockout
>>>>>   --timeout=INT         Number of seconds outbound LDAP operations waits for a
>>>>>                         response from the remote replica before timing out and
>>>>>                         failing
>>>>>   --enabled=['on', 'off']
>>>>>                         Whether a replication agreement is active, meaning
>>>>>                         whether replication is occurring per that agreement
>>>>>   --setattr=STR         Set an attribute to a name/value pair. Format is
>>>>>                         attr=value. For multi-valued attributes, the command
>>>>>                         replaces the values already present.
>>>>>   --addattr=STR         Add an attribute/value pair. Format is attr=value. The
>>>>>                         attribute must be part of the schema.
>>>>>   --delattr=STR         Delete an attribute/value pair. The option will be
>>>>>                         evaluated last, after all sets and adds.
>>>>>   --rights              Display the access rights of this entry (requires
>>>>>                         --all). See ipa man page for details.
>>>>>   --all                 Retrieve and print all attributes from the server.
>>>>>                         Affects command output.
>>>>>   --raw                 Print entries as stored on the server. Only affects
>>>>>                         output format.
>>>>>
>>>>> So, setattr, addattr and delattr should, I think, be explained in
>>>>> the design document, with example usage.
>>>>>
>>>>> Another question that I have:
>>>>> In order to test topologysegment-reinitialize, I need to set the
>>>>> replica timeout to, say, 1, then turn this replica off, then make
>>>>> some changes on master and turn on the replica? I mean, my goal is
>>>>> to make master to give up attempts to synchronize with replica, is
>>>>> that correct?
>>>> I don't see why you want to do all these steps, initialize means
>>>> that the database of B is overwritten by the database of A, so you
>>>> could check that the content is the same. But to simulate a
>>>> situation where init is required is not so easy, if you turn the
>>>> replica on again, the changes could be normally replicated before
>>>> you start the init
>>> The question is: how do I make sure that the content on node /a/ is
>>> overwritten with the content of node /b/? I kind of need the two
>>> nodes to have different content and not trying to synchronize
>>> automatically
>> you could combine this with a backup test. On server A make a backup,
>> make some changes on any node and wait until it is replicated
>> everywhere. restore A from the backup and reinitialize the complete
>> topology. It should be enough with 2 or three servers

> Will the changes introduced by restoring from backup not get replicated
> automatically?

This is a good scenario to test. ipa-restore tries to disable all
replication agreements of other servers with the to-be-restored replica
prior to the restore.

It announces it with:
   Each master will individually need to be re-initialized or
   re-created from this one. The replication agreements on
   masters running IPA 3.1 or earlier will need to be manually
   re-enabled. See the man page for details.

>>>>>
>>>>> On 06/24/2015 12:28 PM, Petr Vobornik wrote:
>>>>>> On 06/24/2015 12:19 PM, Oleg Fayans wrote:
>>>>>>> Hi Ludwig,
>>>>>>>
>>>>>>> I see some contradictions in the way the segment modification cli is
>>>>>>> implemented:
>>>>>>>
>>>>>>> 1.
>>>>>>> $ ipa help topologysegment-mod
>>>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>>>>>>>
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
>>>>>>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>>>>>>>
>>>>>>> (suffix + name + options = 3, not 2)
>>>>>>
>>>>>> 'Segment name' is not correct attribute name. More below.
>>>>>>
>>>>>>>
>>>>>>> 2.
>>>>>>> Is there a way to list all possible attributes available for
>>>>>>> modification?
>>>>>>> When I do topologysegment-show --all, I get quite a small number of
>>>>>>> them, and even those I am unable to modify:
>>>>>>>
>>>>>>> $ ipa topologysegment-show realm 127-to-244 --all
>>>>>>>    dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>>>
>>>>>>>
>>>>>>>    Segment name: 127-to-244
>>>>>>>    Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>>    Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>>    Connectivity: both
>>>>>>>    objectclass: top, iparepltoposegment
>>>>>>>
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
>>>>>>> ipa: ERROR: attribute "connectivity" not allowed
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
>>>>>>> ipa: ERROR: attribute "direction" not allowed
>>>>>>>
>>>>>>
>>>>>> --XXXattr options work with LDAP attributes names. 'direction' is
>>>>>> the option name but not attribute name. Attribute name is
>>>>>> iparepltoposegmentdirection.
>>>>>>
>>>>>> You can see the mappings in, e.g.,:
>>>>>>   ipa show-mappings topologysegment-mod


-- 
Petr Vobornik
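
Added example, not part of the original message and not FreeIPA code: a small pre-flight check for the two failures discussed in this thread, namely an unquoted space turning part of a --setattr value into a third positional argument, and an option name being passed where an LDAP attribute name is expected. The mapping table is the show-mappings output quoted above, embedded as a constructed sample; parse_mappings and check_command are hypothetical helper names, and the table is not the full list of attributes the schema allows.

```python
import shlex

# Constructed sample: the show-mappings table quoted in the thread.
MAPPINGS_OUTPUT = """\
Parameter      : LDAP attribute
=========      : ==============
stripattrs     : nsds5replicastripattrs
replattrs      : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout        : nsds5replicatimeout
enabled        : nsds5replicaenabled
rights         : rights
"""

ATTR_OPTIONS = ("--setattr", "--addattr", "--delattr")

def parse_mappings(text):
    """Return {CLI option name: LDAP attribute} from show-mappings output."""
    mapping = {}
    for line in text.splitlines()[2:]:          # skip the two header rows
        name, sep, attr = line.partition(":")
        if sep and name.strip():
            mapping[name.strip()] = attr.strip()
    return mapping

def check_command(cmdline, mapping, max_positional=2):
    """Return a list of problems found in a topologysegment-mod command line."""
    argv = shlex.split(cmdline)                 # split the way a POSIX shell would
    args = argv[argv.index("topologysegment-mod") + 1:]
    problems = []
    positional = [a for a in args if not a.startswith("-")]
    if len(positional) > max_positional:
        problems.append(f"extra positional argument(s): {positional[max_positional:]}")
    for arg in args:
        option, _, pair = arg.partition("=")
        if option not in ATTR_OPTIONS:
            continue
        attr = pair.partition("=")[0].lower()
        if attr in mapping.values():
            continue                            # already an LDAP attribute name
        if attr in mapping:
            problems.append(f"{attr!r} is an option name; use {mapping[attr]!r}")
        else:
            problems.append(f"{attr!r} is not in the mapping table; check the schema")
    return problems
```
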



