[Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools

Petr Spacek pspacek at redhat.com
Thu Oct 29 08:56:55 UTC 2015


On 27.10.2015 15:54, Petr Vobornik wrote:
> Both tools serve primarily for managing replication agreements and replicas.
> ipa-replica-manage also manages winsync agreements and DNA ranges.
> 
> FreeIPA 4.3 will introduce managed topology which affects these tools.
> 
> Let's go through all sub-commands of both tools and decide what is the fate of
> them/how they should be replaced. Comments are welcome.
> 
> In text, term 'disable' means: print an error message with help what is the
> new alternative.
> 
> For domain level == 0 all sub-commands should behave the same way as before.
> Proposals are for domain level 1 if not stated otherwise.
> 
> == ipa-replica-manage ==
> === list ===
> Lists all IPA servers or replication agreements of a specific IPA server
> including winsync agreements.
> 
> Server list is replaced by
>   ipa server-find
> Replication agreements by:
>   ipa topologysegment-find realm
> 
> I see following paths:
> 1. do not change (current state)
> 2. list only winsync agreements - IMO it will be easier to maintain
> 
> If winsync was not in play we could 'disable' it but winsync is not planned to
> be centrally managed. Mainly because the preferred alternative is trust.
> 
> === connect ===
> Allow for winsync, disable for REALM agmts. (current state)
> 
> === disconnect ===
> Allow for winsync, disable for REALM agmts. (current state)
> 
> === del ===
> (current state)
> With domain level 0:
> - removes replica and repl. agmts for REALM suffix and winsync
> With domain level 1:
> - removes replica entry and therefore repl. agmts for all suffixes (REALM, CS)
> - ensure last services, e.g. sets renewal master
> - does additional cleanup
> 
> I'm not aware of any operation which needs directory manager. IMO it can be
> moved to API in a future release (e.g. 4.4), especially if ipa-server-install
> --uninstall is modified to do most of the cleanup.
> 
> === re-initialize ===
> Not changed.
> 
> Can be disabled (long-term solution)
> 
> Same capability is in topologysegment_reinitialize API command. The only
> difference is that no API command shows state of the pending operation. Should
> we transform presence of 'start' and 'stop' in
> nsds5beginreplicarefresh;left|right attribute into an output of
> topologysegment_show, e.g.: 'initialization in progress', 'cancellation of
> re-initialization requested'?
> 
> === force-sync ===
> no change yet
> 
> Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl.
> agreement.
> 
> 1. Is it required?
> 2. Should the functionality be transferred to topologysegment/topology plugin?
> 3. Is current approach good?
> 
> IMO if we want to preserve the possibility then the long-term solution is to
> move it to topology plugin.
> 
> === list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv ===
> These commands manage clean-all-ruv operations on REALM suffix.
> ipa-csreplica-manage doesn't have these commands #4987. These operations are
> meant for removal of dangling RUVs but they can also remove "correct" RUV
> which is not desired.
> 
> The UX is not the best because if replica still exists it won't tell the admin
> what is the correct RUV and which are the dangling one(s) and therefore the admin
> must get the info in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config
> 
> We have a ticket to automate it: https://fedorahosted.org/freeipa/ticket/5411
> 
> Is it possible to manage it in topology plugin in centralized manner?
> 
> I see #5411 as short-term solution for 4.3 or 4.4. +
> {list|clean|abort-clean|list-clean}-ruv sub-commands should be extended to
> work with all suffixes.
> 
> Long term solution not in 4.3 is to move it to topology plugin.
> 
> === dna(next)range-{show|set} commands ===
> No change in 4.3.
> 
> Long term solution is to make it centrally manageable. Not sure if by topo
> plugin or something else.
> 
> 
> == ipa-csreplica-manage ==
> This tool manages only CS replication agreements.
> 
> === list ===
> Not needed. We have `ipa server-find` and `ipa topologysegment-find ipaca`
> commands.
> 
> Should be disabled, add to #5405
> 
> === connect and disconnect ===
> Replaced by `ipa topologysegment-{add,del}` commands.
> 
> disable #5405
> 
> === del ===
> The work is done in `ipa-replica-manage del` therefore disable #5405
> 
> === re-initialize ===
> Same as in ipa-replica-manage - can be disabled. No ticket yet.
> 
> === force-sync ===
> Same as in ipa-replica-manage - decide what to do. No ticket yet.
> 
> === set-renewal-master ===
> AFAIK it's only update in cn=masters so could be moved to API then this could
> be disabled.
> 
> The change is simple enough for changing in 4.3. No ticket yet.
> 
> == Conclusion ==
> ipa-csreplica-manage could be abandoned in 4.3 which plays well with the topic
> "simplify management of CA replication agreements".
> 
> ipa-replica-manage is still needed for RUV handling and removal of replicas in
> 4.3. This can change in the future. Same situation with DNA ranges handling.
> 
> There is no future plan for winsync agreements and ipa-replica-manage can
> remain solely for this purpose in environments with managed topology.

Generally +1, we just need to make sure that ipa-{,cs}replica-manage print
useful help message if domainlevel != 0. We need to make migration for users
as easy as possible.

-- 
Petr^2 Spacek
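The two manual steps the thread discusses, finding dangling RUVs in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config (the automation ticket #5411 asks for) and reading the re-initialization state out of nsds5beginreplicarefresh, as an added example. This is not FreeIPA code and not anything either author posted: it parses a constructed LDIF dump of a replica entry and two agreements (the host names, replica IDs and CSN values are made up), takes the list of live servers as input (in practice the output of `ipa server-find`), and reports which RUV elements are safe candidates for clean-ruv plus the state string proposed for topologysegment_show.

```python
#!/usr/bin/env python3
"""Added example, not FreeIPA project code.

Reads an LDIF dump of a cn=replica entry and its replication agreements
(what `ldapsearch -b "cn=mapping tree,cn=config"` would print) and reports
dangling RUV elements and per-agreement re-initialization state.
All host names, replica IDs and CSNs below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# nsds50ruv element: "{replica <rid> ldap://<host>:<port>} <mincsn> <maxcsn>"
RUV_RE = re.compile(r"\{replica (\d+) ldap://([^:}/]+)(?::\d+)?\}")

# Constructed sample: replica 7 (old.example.com) was removed but its RUV stayed.
SAMPLE_LDIF = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaId: 4
nsds50ruv: {replicageneration} 55e2c1f4000000040000
nsds50ruv: {replica 4 ldap://ipa1.example.com:389} 55e2c1f6000000040000 5630a1b2000000040000
nsds50ruv: {replica 5 ldap://ipa2.example.com:389} 55e2c3a0000000050000 5630a1c0000000050000
nsds50ruv: {replica 7 ldap://old.example.com:389} 55f0000a000000070000 55f0000b000000070000

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.com
nsds5beginreplicarefresh: start

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa3.example.com
nsds5replicaLastInitStatus: 0 Total update succeeded
"""

# Stand-in for `ipa server-find` output (constructed).
KNOWN_SERVERS = ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded lines start with a space. Attribute names are lowercased because
    LDAP attribute names are case-insensitive."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:  # folded line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def ruv_elements(replica_entry: Entry) -> List[Tuple[int, str]]:
    """(replica id, host) pairs from nsds50ruv; {replicageneration} is skipped."""
    found = []
    for value in replica_entry.get("nsds50ruv", []):
        m = RUV_RE.match(value)
        if m:
            found.append((int(m.group(1)), m.group(2).lower()))
    return found


def dangling_ruvs(replica_entry: Entry, known_hosts: List[str]) -> List[Tuple[int, str]]:
    """RUV elements whose host is not a live IPA server. Only these may be
    passed to clean-ruv; a RUV belonging to a live host must be left alone."""
    live = {h.lower() for h in known_hosts}
    return sorted((rid, h) for rid, h in ruv_elements(replica_entry) if h not in live)


def reinit_state(agreement: Entry) -> str:
    """Map nsds5beginreplicarefresh, with or without a ;left/;right subtype
    (the topology plugin keeps it per direction on a segment), to a state."""
    for attr, values in agreement.items():
        if attr.split(";")[0] == "nsds5beginreplicarefresh" and values:
            flag = values[-1].lower()
            if flag == "start":
                return "initialization in progress"
            if flag == "stop":
                return "cancellation of re-initialization requested"
    return "idle"


def report(ldif_text: str = SAMPLE_LDIF, servers: List[str] = KNOWN_SERVERS) -> Dict[str, object]:
    entries = parse_ldif(ldif_text)
    replica = next(e for e in entries if "nsds50ruv" in e)
    agreements = [e for e in entries if "nsds5replicahost" in e]
    return {
        "dangling": dangling_ruvs(replica, servers),
        "states": {a["nsds5replicahost"][0]: reinit_state(a) for a in agreements},
    }


if __name__ == "__main__":
    result = report()
    for rid, host in result["dangling"]:
        print(f"dangling RUV: replica id {rid} ({host}) -> candidate for clean-ruv")
    for host, state in result["states"].items():
        print(f"agreement to {host}: {state}")
```

The safety property worth keeping whatever tool ends up owning this: a replica ID is only reported as dangling when its host is absent from the server list, never because it looks stale, so the "correct" RUV of a live replica (the case the thread warns about) cannot be offered for cleaning.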
