[Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools

Petr Vobornik pvoborni at redhat.com
Tue Oct 27 14:54:27 UTC 2015


Both tools serve primarily for managing replication agreements and 
replicas. ipa-replica-manage also manages winsync agreements and DNA 
ranges.

FreeIPA 4.3 will introduce managed topology which affects these tools.

Let's go through all sub-commands of both tools and decide their 
fate/how they should be replaced. Comments are welcome.

In this text, the term 'disable' means: print an error message with help 
on what the new alternative is.

For domain level == 0 all sub-commands should behave the same way as 
before. Proposals are for domain level 1 if not stated otherwise.

== ipa-replica-manage ==
=== list ===
Lists all IPA servers or the replication agreements of a specific IPA 
server, including winsync agreements.

Server list is replaced by
   ipa server-find
Replication agreements by:
   ipa topologysegment-find realm

I see the following paths:
1. do not change (current state)
2. list only winsync agreements - IMO it will be easier to maintain

If winsync was not in play we could 'disable' it but winsync is not 
planned to be centrally managed. Mainly because the preferred 
alternative is trust.

=== connect ===
Allow for winsync, disable for REALM agmts. (current state)

=== disconnect ===
Allow for winsync, disable for REALM agmts. (current state)

=== del ===
(current state)
With domain level 0:
- removes replica and repl. agmts for REALM suffix and winsync
With domain level 1:
- removes replica entry and therefore repl. agmts for all 
suffixes (REALM, CS)
- ensures last services, e.g. sets renewal master
- does additional cleanup

I'm not aware of any operation which needs Directory Manager. IMO it can 
be moved to API in a future release (e.g. 4.4), especially if 
ipa-server-install --uninstall is modified to do most of the cleanup.

=== re-initialize ===
Not changed.

Can be disabled (long-term solution)

Same capability is in topologysegment_reinitialize API command. The only 
difference is that no API command shows state of the pending operation. 
Should we transform the presence of 'start' and 'stop' in the 
nsds5beginreplicarefresh;left|right attribute into an output of 
topologysegment_show, e.g.: 'initialization in progress', 'cancellation 
of re-initialization requested'?

=== force-sync ===
no change yet

Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl. 
agreement.

1. Is it required?
2. Should the functionality be transferred to topologysegment/topology 
plugin?
3. Is current approach good?

IMO if we want to preserve the possibility then the long-term solution 
is to move it to topology plugin.

=== list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv ===
These commands manage clean-all-ruv operations on the REALM suffix. 
ipa-csreplica-manage doesn't have these commands (#4987). These operations 
are meant for removal of dangling RUVs but they can also remove a 
"correct" RUV, which is not desired.

The UX is not the best because if the replica still exists it won't tell the 
admin which is the correct RUV and which are the dangling one(s), and 
therefore the admin must get the info from cn=replica,cn=$SUFFIX,cn=mapping 
tree,cn=config

We have a ticket to automate it: 
https://fedorahosted.org/freeipa/ticket/5411

Is it possible to manage it in topology plugin in centralized manner?

I see #5411 as a short-term solution for 4.3 or 4.4. + 
{list|clean|abort-clean|list-clean}-ruv sub-commands should be extended 
to work with all suffixes.

The long-term solution (not in 4.3) is to move it to the topology plugin.
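As an added illustration of the "which RUV is dangling" problem described above (this is example code, not FreeIPA's own implementation of #5411): it parses nsds50ruv values as they appear under cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config and checks each element against the replica IDs the live servers report in nsDS5ReplicaId. Matching on (hostname, replica ID) rather than hostname alone also catches the stale element left behind when a server is reinstalled under the same name with a new ID. All RUV values and the server list are constructed samples.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample of nsds50ruv values as read from
# cn=replica,cn=<suffix>,cn=mapping tree,cn=config on a live server.
# Element format: "{replica <id> <ldap-url>} <min-csn> <max-csn>".
# The "{replicageneration}" value carries no replica ID and is skipped.
SAMPLE_RUV = [
    "{replicageneration} 562f6b6d000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 562f6b7a000000040000 563c8f3a000100040000",
    "{replica 5 ldap://ipa2.example.test:389} 562f7c10000000050000 563c8f3b000000050000",
    "{replica 7 ldap://old-ipa.example.test:389} 55f0aa00000000070000 5610bb11000000070000",
    # stale element from an earlier install of ipa2 (same host, old ID 9)
    "{replica 9 ldap://ipa2.example.test:389} 55e1cc00000000090000 5600dd22000000090000",
]

# Constructed sample: hostname -> nsDS5ReplicaId of every server that
# `ipa server-find` currently lists (collected by the admin).
CURRENT_REPLICAS = {
    "ipa1.example.test": 4,
    "ipa2.example.test": 5,
}

RUV_RE = re.compile(r"^\{replica (\d+) (ldaps?://[^}]+)\}")


@dataclass(frozen=True)
class RuvElement:
    replica_id: int
    host: str


def parse_ruv(values):
    """Extract (replica id, host) pairs from nsds50ruv attribute values."""
    elements = []
    for value in values:
        m = RUV_RE.match(value)
        if not m:  # replicageneration or an unexpected format
            continue
        host = urlparse(m.group(2)).hostname or ""
        elements.append(RuvElement(int(m.group(1)), host.lower()))
    return elements


def classify_ruv(values, current_replicas):
    """Return (valid, dangling) where dangling is a list of
    (element, reason) tuples. An element is valid only when both its
    host is a current server and its ID is that server's replica ID."""
    known = {h.lower(): rid for h, rid in current_replicas.items()}
    valid, dangling = [], []
    for element in parse_ruv(values):
        if element.host not in known:
            dangling.append((element, "host no longer in topology"))
        elif known[element.host] != element.replica_id:
            dangling.append((element, "stale ID for a reinstalled host"))
        else:
            valid.append(element)
    return valid, dangling


def report(values, current_replicas):
    """Human-readable summary an admin could act on before clean-ruv."""
    valid, dangling = classify_ruv(values, current_replicas)
    lines = [f"valid:    replica {e.replica_id} ({e.host})" for e in valid]
    lines += [
        f"DANGLING: replica {e.replica_id} ({e.host}) - {why}"
        for e, why in dangling
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RUV, CURRENT_REPLICAS))
```

The output lists replica 4 and 5 as valid and flags 7 (host gone) and 9 (old ID of a reinstalled host) as candidates for clean-ruv, which is exactly the distinction the current sub-commands leave the admin to work out by hand.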

=== dna(next)range-{show|set} commands ===
No change in 4.3.

The long-term solution is to make it centrally manageable. Not sure if by 
the topology plugin or something else.


== ipa-csreplica-manage ==
This tool manages only CS replication agreements.

=== list ===
Not needed. We have `ipa server-find` and `ipa topologysegment-find 
ipaca` commands.

Should be disabled, add to #5405

=== connect and disconnect ===
Replaced by `ipa topologysegment-{add,del}` commands.

disable #5405

=== del ===
The work is done in `ipa-replica-manage del`, therefore disable (#5405).

=== re-initialize ===
Same as in ipa-replica-manage - can be disabled. No ticket yet.

=== force-sync ===
Same as in ipa-replica-manage - decide what to do. No ticket yet.

=== set-renewal-master ===
AFAIK it's only an update in cn=masters, so it could be moved to the API 
and then this could be disabled.

The change is simple enough for changing in 4.3. No ticket yet.

== Conclusion ==
ipa-csreplica-manage could be abandoned in 4.3 which plays well with 
topic "simplify management of CA replication agreements".

ipa-replica-manage is still needed for RUV handling and removal of 
replicas in 4.3. This can change in the future. Same situation with DNA 
ranges handling.

There is no future plan for winsync agreements and ipa-replica-manage 
can remain solely for this purpose in environments with managed topology.
-- 
Petr Vobornik