[Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools
Petr Vobornik
pvoborni at redhat.com
Tue Oct 27 14:54:27 UTC 2015
Both tools serve primarily for managing replication agreements and
replicas. ipa-replica-manage also manages winsync agreements and DNA
ranges.
FreeIPA 4.3 will introduce managed topology which affects these tools.
Let's go trough all sub-commands of both tools and decide what is the
fate of them/how they should be replaced. Comments are welcome.
In text, term 'disable' means: print an error message with help what is
the new alternative.
For domain level == 0 all sub-commands should behave the same way as
before. Proposals are for domain level 1 if not stated otherwise.
== ipa-replica-manage ==
=== list ===
Lists all IPA server or replication agreements of a specific IPA server
including winsync agreements.
Server list is replaced by
ipa server-find
Replication agreements by:
ipa topologysegment-find realm
I see following paths:
1. do not change (current state)
2. list only winsync agreements - IMO it will be easier to maintain
If winsync was not in play we could 'disable' it but winsync is not
planned to be centrally managed. Mainly because the preferred
alternative is trust.
=== connect ===
Allow for winsync, disable for REALM agmts. (current state)
=== disconenct ===
Allow for winsync, disable for REALM agmts. (current state)
=== del ===
(current state)
With domain level 0:
- removes replica and repl. agmts for REALM suffix and winsync
With domain level 1:
- removes replica entry and therefore repl. agmts for all
suffices(REALM, CS)
- ensure last services, e.g. sets renewal master
- does additional cleanup
I'm not aware of any operation which needs directory manager. IMO it can
be moved to API in future release(e.g. 4.4), especially if
ipa-server-install --uninstall is modified to do most of the cleanup.
=== re-initialize ===
Not changed.
Can be disabled (long-term solution)
Same capability is in topologysegment_reinitialize API command. The only
difference is that no API command shows state of the pending operation.
Should we transform presence of 'start' and 'stop' in
nsds5beginreplicarefresh;left|right attribute into an output of
topologysegment_show, e.g.: 'initialization in progress', 'cancellation
of re-initialization requested'.
=== force-sync ===
no change yet
Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl.
agreement.
1. Is it required?
2. Should the functionality be transferred to topologysegment/topology
plugin?
3. Is current approach good?
IMO if we want to preserve the possibility then the long-term solution
is to move it to topology plugin.
=== list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv ===
Commands manages clean-all-ruv operations on REALM suffix.
ipa-csreplica-manage doesn't have these commands #4987. These operations
are meant for removal of dangling ruvs but they can also remove
"correct" RUV which is not desired.
The UX is not the best because if replica still exists it won't tell the
admin what is the correct RUV and which are the dangling one(s) and
therefore admin must get the info in cn=replica,cn=$SUFFIX,cn=mapping
tree,cn=config
We have a ticket to automate it:
https://fedorahosted.org/freeipa/ticket/5411
Is it possible to manage it in topology plugin in centralized manner?
I see $5411 as short-term solution for 4.3 or 4.4. +
{list|clean|abort-clean-list-clean}-ruv sub-commands should be extended
to work with all suffices.
Long term solution not in 4.3 is to move it to topology plugin.
=== dna(next)range-{show|set} commands
No change in 4.3.
Long term solution is to make it centrally manageable. Not sure if by
topo plugin or something else.
== ipa-csreplica-manage ==
This tool manages only CS replication agreements.
=== list ===
Not needed. We have `ipa server-find` and `ipa topologysegment-find
ipaca` commands.
Should be disabled, add to #5405
=== connect and disconnect ===
Replaced by `ipa topologysegment-{add,del}` commands.
disable #5405
=== del ===
The work is done in `ipa-replica-manage del` therefore disable #5405
=== re-initialize ===
Same as in ipa-replica-manage - can be disabled. No ticket yet.
=== force-sync ===
Same as in ipa-replica-manage - decide what to do. No ticket yet.
=== set-renewal-master ===
AFAIK it's only update in cn=masters so could be moved to API then this
could be disabled.
The change is simple enough for changing in 4.3. No ticket yet.
== Conclusion ==
ipa-csreplica-manage could be abandoned in 4.3 which plays well with
topic "simplify management of CA replication agreements".
ipa-replica-manage is still needed for RUV handling and removal of
replicas in 4.3. This can change in a future. Same situation with DNA
ranges handling.
There is no future plan for winsync agreements and ipa-replica-manage
can remain solely for this purpose in environments with managed topology.
--
Petr Vobornik
More information about the Freeipa-devel
mailing list