[Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands

Petr Vobornik pvoborni at redhat.com
Mon Mar 14 15:26:25 UTC 2016


On 03/14/2016 12:57 PM, Jan Cholasta wrote:
> On 14.3.2016 12:50, Martin Basti wrote:
>>
>>
>> On 14.03.2016 12:05, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>>>> Hi,
>>>>
>>>> Please see the patch attached. Contrary to the discussion at
>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>>>> option for clean_ruv command. If this command is available for normal
>>>> RUVs, it should probably be available for CS-RUVs as well (or
>>>> deprecated
>>>> for both with advised use of clean_dangling_ruv).
>>>
>>> ipa-csreplica-manage is used to manage the CA suffix, so
>>> ipa-csreplica-manage should be extended instead of adding --suffix
>>> option to ipa-replica-manage. Having half of the CA suffix managed by
>>> ipa-replica-manage and the other half by ipa-replica-manage is
>>> confusing.
>>>
>>> Honza
>>>
>> There is a design document about deprecating ipa-csreplica-manage and
>> move part of its responsibilities to ipa-replica-manage.
>>
>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes
>>
>>
>>
>> So patch is compatible with design.
>
> The design is wrong then.

I don't agree.

>
> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage
> sub-commands respect the --suffix option. Anything else is inconsistent
> mess.

That's the idea for domain level 1. There is little value in extending
behavior (managing replication agreements) in domain level 0.

The main idea is to not care about suffixes and work with all suffixes right
away. This is reflected in the clean-dangling-ruv command and these
extensions are its counterpart - to enable disabling the run. We mostly
care about replica IDs, not the suffixes they belong to. IMO the --suffix option
is not necessary and is mostly for debugging.

One of the reasons why we have all the RUV commands is a mess after
uninstallation when somebody forgets/ignores to run
`ipa-csreplica-manage del $server` or also `ipa-replica-manage del
$server` before uninstallation of a replica. Users then usually run
`ipa-replica-manage del $server --force --clean` but
`ipa-csreplica-manage del $server` can't be run after it. Changes in
4.3 and 4.4 try to prevent this situation (e.g. by calling the equivalent
of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`).
But until the mess is cleaned on all servers, we should deal with it
in the most convenient way - hiding implementation details.

-- 
Petr Vobornik



