[Freeipa-devel] [PATCH 0208] Respect --test option in upgrade plugins

Martin Basti mbasti at redhat.com
Fri Mar 13 12:46:05 UTC 2015 

On 13/03/15 12:50, Jan Cholasta wrote:
> Dne 13.3.2015 v 12:08 Petr Spacek napsal(a):
>> On 13.3.2015 12:01, Martin Basti wrote:
>>> On 13/03/15 11:55, Petr Spacek wrote:
>>>> On 13.3.2015 11:34, Jan Cholasta wrote:
>>>>> Dne 13.3.2015 v 11:17 Martin Kosek napsal(a):
>>>>>> On 03/13/2015 11:00 AM, Petr Spacek wrote:
>>>>>>> On 13.3.2015 10:42, Alexander Bokovoy wrote:
>>>>>>>> On Fri, 13 Mar 2015, Petr Spacek wrote:
>>>>>>>>> On 13.3.2015 10:18, Martin Kosek wrote:
>>>>>>>>>> On 03/12/2015 05:10 PM, Rob Crittenden wrote:
>>>>>>>>>>> Petr Spacek wrote:
>>>>>>>>>>>> On 12.3.2015 16:23, Rob Crittenden wrote:
>>>>>>>>>>>>> David Kupka wrote:
>>>>>>>>>>>>>> On 03/06/2015 06:00 PM, Martin Basti wrote:
>>>>>>>>>>>>>>> Upgrade plugins which modify LDAP data directly should 
>>>>>>>>>>>>>>> not be
>>>>>>>>>>>>>>> executed
>>>>>>>>>>>>>>> in --test mode.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This patch is a workaround, to ensure update with --test
>>>>>>>>>>>>>>> option will not
>>>>>>>>>>>>>>> modify any LDAP data.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/3448
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Patch attached.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ideally we want to fix all plugins to dry-run the upgrade 
>>>>>>>>>>>>>> not
>>>>>>>>>>>>>> just skip
>>>>>>>>>>>>>> when there is '--test' option but it is a good first step.
>>>>>>>>>>>>>> Works for me, ACK.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I agree that this breaks the spirit of --test and think it
>>>>>>>>>>>>> should be
>>>>>>>>>>>>> fixed before committing.
>>>>>>>>>>>> Considering how often is the option is used ... I do not think
>>>>>>>>>>>> that this
>>>>>>>>>>>> requires 'proper' fix now. It was broken for *years* so this
>>>>>>>>>>>> patch is a huge
>>>>>>>>>>>> improvement and IMHO should be commited in current form. We 
>>>>>>>>>>>> can
>>>>>>>>>>>> re-visit it
>>>>>>>>>>>> later on, open a ticket :-)
>>>>>>>>>>>>
>>>>>>>>>>> No. There is no rush for this, at least not for the promise 
>>>>>>>>>>> of a
>>>>>>>>>>> future
>>>>>>>>>>> fix that will never come.
>>>>>>>>>> I checked the code and to me, the proper fix looks like 
>>>>>>>>>> instrumenting
>>>>>>>>>> ldap.update_entry calls in upgrade plugins with
>>>>>>>>>>
>>>>>>>>>> if options.test:
>>>>>>>>>>       log message
>>>>>>>>>> else
>>>>>>>>>>       do the update
>>>>>>>>>>
>>>>>>>>>> right? I see just couple places that would need to be updated:
>>>>>>>>>>
>>>>>>>>>> $ git grep -E "(ldap|conn).update_entry" 
>>>>>>>>>> ipaserver/install/plugins
>>>>>>>>>> ipaserver/install/plugins/dns.py:
>>>>>>>>>> ldap.update_entry(container_entry)
>>>>>>>>>> ipaserver/install/plugins/fix_replica_agreements.py:
>>>>>>>>>> repl.conn.update_entry(replica)
>>>>>>>>>> ipaserver/install/plugins/fix_replica_agreements.py:
>>>>>>>>>> repl.conn.update_entry(replica)
>>>>>>>>>> ipaserver/install/plugins/update_idranges.py: 
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_idranges.py: 
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_managed_permissions.py:
>>>>>>>>>> ldap.update_entry(base_entry)
>>>>>>>>>> ipaserver/install/plugins/update_managed_permissions.py:
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_pacs.py:
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_referint.py:
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_services.py: 
>>>>>>>>>> ldap.update_entry(entry)
>>>>>>>>>> ipaserver/install/plugins/update_uniqueness.py:
>>>>>>>>>> ldap.update_entry(uid_uniqueness_plugin)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> So from my POV, very quick fix. In that case, I would also 
>>>>>>>>>> prefer a
>>>>>>>>>> fix now
>>>>>>>>>> than a ticket that would never be done.
>>>>>>>>> I really dislike this approach because I consider it flawed by
>>>>>>>>> design. Plugin
>>>>>>>>> author has to think about it all the time and do not forget to 
>>>>>>>>> add if
>>>>>>>>> otherwise ... too bad.
>>>>>>>>>
>>>>>>>>> I can see two 'safer' ways to do that:
>>>>>>>>> - LDAP transactions :-)
>>>>>>>>> - 'mock_writes=True' option in LDAP backend which would print
>>>>>>>>> modlists instead
>>>>>>>>> of applying them (and return success to the caller).
>>>>>>>>>
>>>>>>>>> Both cases eliminate the need to scatter 'ifs' all over update
>>>>>>>>> plugins and do
>>>>>>>>> not add risk of forgetting about one of them when adding/changing
>>>>>>>>> plugin code.
>>>>>>>> I like idea about mock_writes=True. However, I think we still 
>>>>>>>> need to
>>>>>>>> make
>>>>>>>> sure plugin writers rely on options.test value to see that we 
>>>>>>>> aren't
>>>>>>>> going to write the data. The reason for it is that we might get 
>>>>>>>> into
>>>>>>>> configurations where plugins would be doing updates based on 
>>>>>>>> earlier
>>>>>>>> performed tasks.  If task configuration is not going to be 
>>>>>>>> written, its
>>>>>>>> status will never be correct and plugin would get an error.
>>>>>>> That is exactly why I mentioned LDAP transactions. There is no 
>>>>>>> other
>>>>>>> way how
>>>>>>> to test complex plugins which actually read own writes (except 
>>>>>>> mocking
>>>>>>> the
>>>>>>> whole LDAP interface somewhere).
>>>>>> While this may be a good idea long term, I do not think any of us is
>>>>>> considering implementing the LDAP transaction support within work on
>>>>>> this refactoring.
>>>>>>
>>>>>> So in this thread, let us focus on how to fix options.test 
>>>>>> mid-term. I
>>>>>> currently see 2 proposed ways:
>>>>>> - Making the plugins aware of options.test
>>>>>> - Make ldap2 write operations only print the update and not do it.
>>>>>> Although thinking of this approach, I think it may make some plugins
>>>>>> like DNS loop forever. IIRC, at least DNS upgrade plugin have loop
>>>>>>      - search for all unfixed DNS zones
>>>>>>      - fix them with ldap update
>>>>>>      - was the search truncated, i.e.  are there more zones to 
>>>>>> update?
>>>>>>        if yes, go back to start
>>>>>    - Make the plugins not call {add,update,delete}_entry 
>>>>> themselves but rather
>>>>> return the updates like they should. This is what the ticket
>>>>> (<https://fedorahosted.org/freeipa/ticket/3448>) requests and what 
>>>>> should be
>>>>> done to make --test work for them.
>>>> How do you propose to handle iterative updates like the DNS upgrade 
>>>> mentioned
>>>> by Martin^1? Return set of updates along with boolean 'call me again'?
>>>> Something else?
>>>>
>>> So instead of DNS commands logic, which can be used in plugin, we 
>>> should
>>> reimplement the dnzone commands in upgrade plugin, to get modlist? 
>>> And keep
>>> watching it and do same modifications for upgrade plugin as are done 
>>> in DNS
>>> plugin.
>
> Yes, this is how it currently works and how it is done in other update 
> plugins. For proper command support some serious changes will have to 
> be done in the framework.
>
>>
>> Again, I think we are investing to much effort into an option which 
>> is almost
>> never used. Let it die in Git history. After all, it can be revived 
>> at any
>> time when needed or when we have proper support in DS.
>>
>
> +1
>
Updated patch attached.

-- 
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0208.2-Server-Upgrade-respect-test-option-in-plugins.patch
Type: text/x-patch
Size: 15371 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150313/f0d2f36e/attachment.bin>

More information about the Freeipa-devel mailing list