[Freeipa-devel] Replication Topology plugin issues

Oleg Fayans ofayans at redhat.com
Tue May 26 09:21:17 UTC 2015


Thanks Petr!

Did I understand correctly, that the master branch does not yet contain
patches 0005 and 0006 from Ludwig, only the 0003 patch has been merged?
I must apply them manually to get the full plugin functionality, right?


On 05/26/2015 11:00 AM, Petr Vobornik wrote:
> On 05/25/2015 03:56 PM, Oleg Fayans wrote:
>> Hi,
>>
>> Playing around with the replication topology plugin, I've noticed a
>> couple of issues:
>> 1. around 50% of attempts to setup a replica of a freeipa master with
>> topology plugin enabled (domain level set to 1.0) end up with the
>> following error message in the stdoutput:
>>
>>    [error] RuntimeError: One of the ldap service principals is missing.
>> Replication agreement cannot be converted.
>> Replication error message: Unable to acquire replicaLDAP error: No such
>> object
>>
>> I am not sure whether the reason is in the Topology Plugin itself or in
>> some of the latest changes in upstream, though.
>
> I have the same experience. It seems that data from master were
> replicated to new replica but new replica entries (host, services) were
> not replicated back to master.
>
> The installation then hangs on replica's check if its ldap service
> principal is on master.
>
> New ticket: https://fedorahosted.org/freeipa/ticket/5035
>
>
>>
>> 2. Whenever this happens, master retains the information about the new
>> topology segment, even though the replica setup was unsuccessful. IMHO,
>> we should have a way to notify the master about replica setup
>> failures/aborts so that the master would automatically erase the
>> corresponding freshly-created segments in such cases.
>
> Not sure if we can rely on that because the chosen communication
> mechanism (whatever it might be) might suffer from the same root cause
> as the replica installation.
>
>>
>> 3. After this happens, the user is unable to delete the replication agreement
>> with the standard `ipa-replica-manage del` way:
>> $ ipa-replica-manage del replica1.pesen.net --force
>> Connection to 'replica1.pesen.net' failed: [Errno -2] Name or service
>> not known
>> Forcing removal of replica1.pesen.net
>> Skipping calculation to determine if one or more masters would be
>> orphaned.
>> Deleting replication agreements between replica1.pesen.net and
>> newmaster.pesen.net
>> Failed to get list of agreements from 'replica1.pesen.net': [Errno -2]
>> Name or service not known
>> Forcing removal on 'newmaster.pesen.net'
>> Any DNA range on 'replica1.pesen.net' will be lost
>> There were issues removing a connection for replica1.pesen.net from
>> newmaster.pesen.net: Server is unwilling to perform: Entry is managed by
>> topology plugin.Deletion not allowed.
>> Failed to cleanup replica1.pesen.net entries: Not allowed on non-leaf
>> entry
>
> this line was fixed by https://fedorahosted.org/freeipa/ticket/5019 .
> When this succeeds (master entry is deleted), topology plugin should
> delete the rest. I.e., with this patch I was able to delete the replica.
>
> That said, the output might want some love.
>
>> You may need to manually remove them from the tree
>> Failed to cleanup replica1.pesen.net DNS entries: no matching entry
>> found
>> You may need to manually remove them from the tree
>>
>> IIRC upon one of the early discussions with Ludwig, this is yet to be
>> implemented.
>>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



