[Freeipa-users] ui login error and questions about replication

Rob Crittenden rcritten at redhat.com
Wed Nov 6 03:16:56 UTC 2013


Tamas Papp wrote:
>
> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>
>>>> 2. What is the difference between 'primary' and 'secondary'? What
>>>> happens if the primary machine gets destroyed?
>>> In IPA all replicas are the same; they would only differ by the paths
>>> they sync with each other and by the presence of an integrated CA (if any).
>
> Do I need a CA in normal cases, or is it just an additional and optional
> service? In other words, is this CA the same one used by replicas and
> clients and the UI, etc.?

Yes, and since you are planning for replication you should plan to have 
at least one of the replicas have a CA on it as well to avoid a single 
point of failure.

>
>>> If you have deployed the original IPA server with an integrated CA, then
>>> your other replicas had better include at least one with a CA configured
>>> to allow proper recovery in case the primary one is destroyed.
>
> Are there any caveats to not deploying a CA on all replicas as the simplest solution?

You don't need a CA on every single replica, but you probably want at 
least two.

>
>>>> 4. How many "master" can I use?
>>> Technically there could be 65536 different masters in 389-ds replication
>>> topology.
>
> Perfect!

The 389-ds team has fully QA'd 20 masters at a time, so keep that in mind.

Also, replication is not free. It requires space to store the changes to 
send out, CPU time to calculate whom to send what and network bandwidth 
to share the data. Each master you add increases this workload.

Not to mention any administrative burden of running a lot of masters.

>
>>>
>>>> 5. If I have a network like this:
>>>>
>>>> A1______B1
>>>> A2          B2
>>>>
>>>> A2 and B1,2 are replicated from A1
>>>>
>>>> If the connection gets lost between A and B site, are B1 and 2 (and
>>>> A1,2) replicated fine?
>>> I assume from the above that B1 does not know about B2 (and vice versa)?
>
> Well, that is actually one of the questions. B1 and B2 are on the same
> site and are failover nodes from the point of view of clients.

You can manage the replication topology with ipa-replica-manage connect 
and disconnect.  So if you want B1 and B2 connected you can do that.

>
>>> Once connectivity between sites A and B is restored, all unreplicated data
>>> will be replicated. There could be conflicts if there were changes on
>>> both sides during the split, but the majority of them are resolved
>>> automatically by 389-ds.
>
> The main question is: B1 and B2 are not replicated to each other
> automatically? What about the case of
>
> A1 -- replication -- A2 --- replication --- B1 -- replication -- B2
>
> If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized?
> Especially automatically...?
> Is there such a failover configuration?

No, the masters only replicate to the ones you tell them to, so if B1 
went away forever then B2 would never get any other updates unless you 
explicitly made a connection to A1 or A2.

>
>>>> 6. If a client is installed with ipa-client-install using A1 and A1
>>>> gets lost, does the client know where it needs to connect (failover..)?
>>> The IPA server which was used to enroll the host will be the primary one
>>> (A1 in your example). There is failover in sssd.conf to use the SRV
>>> records of the domain, trying servers in the order returned by the SRV
>>> records.
>
> Ahh. Then if I use external DNS, I need to configure these SRV records
> manually, that's all, right?

Right.

>
>>>> 7. Can I install slave (read-only) replicas so clients access them only
>>>> for queries and for changes (like pw change) they access master
>>>> servers?
>>> No read-only replicas are available for IPA. All replicas are read-write and
>>> propagate changes across replication paths as defined in the replication
>>> agreements. All IPA servers are really masters, thus we have
>>> multi-master replication rather than master-slave.
>
>
> Perfect, thanks for the clarification!
>
> Thanks,
> tamas
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>