[Freeipa-devel] [WIP PATCH] server-del: perform full master removal in managed topology

Jan Cholasta jcholast at redhat.com
Thu Apr 21 07:19:47 UTC 2016


On 19.4.2016 13:49, Martin Babinsky wrote:
> On 04/14/2016 10:48 AM, Martin Babinsky wrote:
>> On 04/14/2016 08:42 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.4.2016 16:49, Martin Babinsky wrote:
>>>> This is a WIP patch which moves the `ipa-replica-manage del` subcommand
>>>> to the 'server-del' API method and exposes it as CLI command[1]. A CI
>>>> test suite is also included.
>>>
>>>> `server-del` now accepts the following options:
>>>> * `--cleanup`: perform a cleanup after an already deleted master
>>>
>>> I would prefer if this was actually called --force, for reasons
>>> explained in the design thread:
>>> <https://www.redhat.com/archives/freeipa-devel/2016-April/msg00010.html>.
>>>
>>>
>>>> * `--force-removal`: force master removal, i.e. ignore topology errors
>>>
>>> So, this is actually the all-powerful --force option we always try to
>>> avoid, but with a different name (and not very good one - if you are
>>> removing something, what other than removal would you need to force?).
>>>
>>> Could you split this into separate options?
>>>
>> There are actually two checks that we need to pass/bypass before we can
>> remove the master entry and run all the cleanup shenanigans:
>>
>> 1.) the topology is not disconnected already or is not being
>> disconnected by the action
>>
>> 2.) the action does leave at least one CA/DNS server, does not remove
>> DNSSec keymaster and we can promote other master to CA renewal master
>>
>> So IIUC we would need three options actually:
>>
>> * one that bypasses topology checks ('--ignore-topology-disconnect')
>> * one that bypasses the check for remaining services
>> ('--ignore-last-services?')
>> * one that will cleanup leftovers only, ignoring NotFound error
>> ('--cleanup'), this one is already there
>
> Actually '--force' should replace '--cleanup' as it does basically the
> same job.

Right.

> What about the remaining two proposed options?

--ignore-topology-disconnect is good. The other one should use "role" 
rather than "service", e.g. --ignore-last-of-role.

-- 
Jan Cholasta
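The two checks and three bypass options discussed above, as an added example that is not part of the original thread or of FreeIPA's own code. It models a deployment as a small in-memory dict (constructed sample data, not a real topology), runs a connectivity check over the replication segments that remain after the removal, checks that every role the server carries still has another holder, and maps each check to its own flag (`ignore_topology_disconnect`, `ignore_last_of_role`) with `force` reserved for cleaning up after an entry that is already gone. The function and role names, the sample topology and the promotion of the CA renewal master to another CA server are all illustrative assumptions.

```python
from collections import deque


class NotFound(Exception):
    """The server entry does not exist (only force tolerates this)."""


class TopologyDisconnect(Exception):
    """Removal would split the replication topology."""


class LastOfRole(Exception):
    """Removal would leave no server carrying a role (CA, DNS, DNSSEC key master)."""


def sample_topology():
    """Constructed sample deployment (not real data): a chain A-B-C-D plus a
    stale segment to an already-deleted master E, left over from a failed removal."""
    return {
        "masters": {"A", "B", "C", "D"},
        "segments": [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")],
        "roles": {
            "CA": {"A", "B"},
            "DNS": {"B", "D"},
            "DNSSEC key master": {"B"},
        },
        "ca_renewal_master": "A",
    }


def connected_without(segments, masters, removed):
    """True if every master other than `removed` is still reachable over the
    segments that do not involve it (BFS over the remaining replication graph)."""
    remaining = masters - {removed}
    if not remaining:
        return True
    adj = {m: set() for m in remaining}
    for a, b in segments:
        if a in remaining and b in remaining:
            adj[a].add(b)
            adj[b].add(a)
    start = next(iter(remaining))
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen == remaining


def roles_lost(roles, removed):
    """Roles for which `removed` is the only holder."""
    return sorted(role for role, holders in roles.items() if holders == {removed})


def cleanup(topology, name):
    """Drop every leftover referencing `name`: segments, role membership and the
    CA renewal master pointer (promoting another CA server if one exists)."""
    removed_segments = [s for s in topology["segments"] if name in s]
    topology["segments"] = [s for s in topology["segments"] if name not in s]
    for holders in topology["roles"].values():
        holders.discard(name)
    promoted = None
    if topology["ca_renewal_master"] == name:
        remaining_cas = sorted(topology["roles"]["CA"])
        promoted = remaining_cas[0] if remaining_cas else None
        topology["ca_renewal_master"] = promoted
    return {"segments": removed_segments, "ca_renewal_master": promoted}


def server_del(topology, name, ignore_topology_disconnect=False,
               ignore_last_of_role=False, force=False):
    """Remove master `name`, running both checks unless each is explicitly bypassed."""
    if name not in topology["masters"]:
        if not force:
            raise NotFound(name)
        # force: the entry is already gone, only clean up what it left behind
        return cleanup(topology, name)
    if not ignore_topology_disconnect and not connected_without(
            topology["segments"], topology["masters"], name):
        raise TopologyDisconnect(name)
    lost = roles_lost(topology["roles"], name)
    if lost and not ignore_last_of_role:
        raise LastOfRole(lost)
    topology["masters"].remove(name)
    return cleanup(topology, name)


def attempt(topology, name, **opts):
    """Run server_del and report ("ok", result) or (error name, detail)."""
    try:
        return ("ok", server_del(topology, name, **opts))
    except (NotFound, TopologyDisconnect, LastOfRole) as exc:
        return (type(exc).__name__, exc.args[0])


if __name__ == "__main__":
    print(attempt(sample_topology(), "B"))
    print(attempt(sample_topology(), "B", ignore_topology_disconnect=True))
    print(attempt(sample_topology(), "E", force=True))
```

In the sample, removing B fails the topology check first (it is the middle of the chain) and, once that is bypassed, fails the role check because it is the only DNSSEC key master; only with both flags does the removal go through. Removing A passes both checks and moves the CA renewal master to B, and removing the already-deleted E is refused without `force` but cleans up the stale D-E segment with it. Keeping the flags separate means an operator who only wants to tolerate a split topology does not silently accept losing the last CA.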