[Freeipa-devel] Replication Topology plugin issues

Petr Vobornik pvoborni at redhat.com
Tue May 26 09:00:21 UTC 2015


On 05/25/2015 03:56 PM, Oleg Fayans wrote:
> Hi,
>
> Playing around with the replication topology plugin, I've noticed a
> couple of issues:
> 1. Around 50% of attempts to set up a replica of a freeipa master with
> topology plugin enabled (domain level set to 1.0) end up with the
> following error message in the stdoutput:
>
>    [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
> Replication error message: Unable to acquire replicaLDAP error: No such
> object
>
> I am not sure whether the reason is in the Topology Plugin itself or in
> some of the latest changes in upstream, though.

I have the same experience. It seems that data from master were
replicated to new replica but new replica entries (host, services) were
not replicated back to master.

The installation then hangs on replica's check if its ldap service 
principal is on master.

New ticket: https://fedorahosted.org/freeipa/ticket/5035


>
> 2. Whenever this happens, master retains the information about the new
> topology segment, even though the replica setup was unsuccessful. IMHO,
> we should have a way to notify the master about replica setup
> failures/aborts so that the master would automatically erase the
> corresponding freshly-created segments in such cases.

Not sure if we can rely on that because the chosen communication
mechanism (whatever it might be) might suffer from the same root cause
as the replica installation.

>
> 3. After this happens, the user is unable to delete the replication agreement
> with the standard `ipa-replica-manage del` way:
> $ ipa-replica-manage del replica1.pesen.net --force
> Connection to 'replica1.pesen.net' failed: [Errno -2] Name or service
> not known
> Forcing removal of replica1.pesen.net
> Skipping calculation to determine if one or more masters would be orphaned.
> Deleting replication agreements between replica1.pesen.net and
> newmaster.pesen.net
> Failed to get list of agreements from 'replica1.pesen.net': [Errno -2]
> Name or service not known
> Forcing removal on 'newmaster.pesen.net'
> Any DNA range on 'replica1.pesen.net' will be lost
> There were issues removing a connection for replica1.pesen.net from
> newmaster.pesen.net: Server is unwilling to perform: Entry is managed by
> topology plugin.Deletion not allowed.
> Failed to cleanup replica1.pesen.net entries: Not allowed on non-leaf entry

This line was fixed by https://fedorahosted.org/freeipa/ticket/5019 .
When this succeeds (master entry is deleted), topology plugin should 
delete the rest. I.e., with this patch I was able to delete the replica.

That said, the output might want some love.

> You may need to manually remove them from the tree
> Failed to cleanup replica1.pesen.net DNS entries: no matching entry found
> You may need to manually remove them from the tree
>
> IIRC upon one of the early discussions with Ludwig, this is yet to be
> implemented.
>
-- 
Petr Vobornik



