[Freeipa-devel] Domain level for topology plugin = 2

Petr Spacek pspacek at redhat.com
Thu May 28 12:11:57 UTC 2015


On 28.5.2015 10:49, Martin Kosek wrote:
> On 05/28/2015 09:05 AM, Petr Spacek wrote:
>> On 28.5.2015 08:55, Jan Cholasta wrote:
>>> On 26.5.2015 at 16:32 Petr Spacek wrote:
>>>> On 26.5.2015 16:16, Martin Kosek wrote:
>>>>> On 05/26/2015 04:13 PM, thierry bordaz wrote:
>>>>>> On 05/26/2015 02:12 PM, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> it came to my mind that domain level for topology plugin should actually be
>>>>>>> number 2, not 1.
>>>>>>>
>>>>>>> We already used number 1 for incompatible changes in DNS tree and I believe
>>>>>>> that it is not a good idea to have two places which say 'version 1' but
>>>>>>> actually mean two different things. (DNS tree version 1 + domain level 1)
>>>>>>>
>>>>>>> Patch is attached.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello,
>>>>>> The fix looks good but that seems strange to have to set the initial
>>>>>> version of the topology plugin to 2.0. (IIUC that is the version that
>>>>>> will be written in dse.ldif)
>>>>>> I would rather expect that topology plugin 1.0 would activate itself if
>>>>>> the DomainLevel is 2.0 or more.
>>>>>> If topology plugin 1.0 sets an internal DomainLevel_trigger=2.0 then activate
>>>>>> itself if DomainLevel >= DomainLevel_trigger.
>>>>>>
>>>>>> Let's wait for Ludwig feedback.
>>>>>>
>>>>>> thanks
>>>>>> thierry
>>>>>
>>>>> My personal opinion on this is to start with Domain Level 1 regardless. We
>>>>> already "solved" the DNS forwarders otherwise, with docs, async updates etc. I
>>>>> do not think we will be returning to implementing proper Domain Level support
>>>>> for that anyway.
>>>>>
>>>>> So I rather think that all the "Domain Level starts with 0, 1 is unused, 2 is
>>>>> the top one" will cause unforeseen issues I would rather like to avoid.
>>>>
>>>> I'm more worried about confusion in future. To me it simply seems easier to
>>>> bump one integer now than to document and explain (to users & new developers)
>>>> why we have two "ones" which mean something else.
>>>>
>>>> Code-wise it is just an integer.
>>>>
>>>> Also, it can simplify logic in future when we decide to do another
>>>> incompatible change in DNS tree because we will have only one integer to test
>>>> (instead of checking two separate version attributes in DNS tree & domain
>>>> level).
>>>
>>> +1, but I think the minimum supported domain level should be 1, not 0, because
>>> 0 means the server uses the old DNS schema, which we do not support anymore,
>>> right?
>>
>> Good point!
>>
> 
> It may be a good point, but it does not make the situation easier. You still
> have RHEL/CentOS 6.x IPA out there, where some of them already support the new
> DNS forwarders and some don't - and neither of them support Domain Levels -
> i.e. have Domain Level 0.
> 
> As I said, I still see more complications with this proposal than benefits...

I would argue that it actually helps.

If domain level = 1 then we can be *sure* that all replicas support the new
DNS semantics.

If domain level = 0 then we know nothing (because of patched RHEL 6) and it is
a warning sign for diagnostic tools and also us when it comes to debugging.

-- 
Petr^2 Spacek



