[Freeipa-devel] Understanding FreeIPA replica internals
Martin Kosek
mkosek at redhat.com
Fri May 23 10:42:26 UTC 2014
On 05/23/2014 07:01 AM, James wrote:
> I'm trying to understand some of the FreeIPA replication internals so
> that I can better know how to do this properly in Puppet without
> storing any secret information in Puppet, and so that automating
> FreeIPA is awesome.
>
> Please point me to any docs, if there is reading I could be doing :)
>
> Here are some open questions I have:
>
> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
> password and is that password equal to the dm_password ? If not, where
> do the pub/priv key pairs come from and how do they get transferred to
> the replica?
Yes. Grep for function expand_replica_info in FreeIPA git.
>
> 2) If I have root on the IPA server (actually all of them) how can I
> run ipa-replica-prepare without needing interactive prompting for
> entering the password. It's not possible with puppet. Is there another
> (possibly less user friendly even) method to "prepare" the replica?
> What is prepare actually doing?
For example, you can use --password for passing the DM password.
> 3) With a multi master setup, what happens if I run the same action
> (eg: user-mod or user-add or user-del) on more than one server.
I would not do that, you risk replication conflicts on entries or attributes.
More here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
> Can I
> run it on any server?
Yes.
> What if I run different user-mod commands of the
> same user on different masters. Is there split brain?
Then you get a replication conflict. I think in case of attributes, last
modification wins.
> Are all the
> transactions and writes synchronous across the whole cluster?
They are not synchronous; it takes some time for a change to replicate to all
masters.
> Please
> point me to a doc that explains this FAQ stuff if possible. Sorry for
> the noise
You should be able to get reasonable starting information here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html
or here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html
HTH,
Martin