<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br>On May 29, 2015, at 00:41, thierry bordaz <<a href="mailto:tbordaz@redhat.com">tbordaz@redhat.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<div class="moz-cite-prefix">On 05/29/2015 08:16 AM, Christoph
Kaminski wrote:<br>
</div>
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite"><tt><font size="2"><a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
wrote on 28.05.2015
13:23:26:<br>
<br>
> From: Alexander Frolushkin
<a class="moz-txt-link-rfc2396E" href="mailto:Alexander.Frolushkin@megafon.ru"><Alexander.Frolushkin@megafon.ru></a></font></tt>
<br>
<tt><font size="2">> An: "'thierry bordaz'"
<a class="moz-txt-link-rfc2396E" href="mailto:tbordaz@redhat.com"><tbordaz@redhat.com></a></font></tt>
<br>
<tt><font size="2">> Kopie: <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a></font></tt>
<br>
<tt><font size="2">> Datum: 28.05.2015 13:24</font></tt>
<br>
<tt><font size="2">> Betreff: Re: [Freeipa-users] Haunted
servers?</font></tt>
<br>
<tt><font size="2">> Gesendet von:
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a></font></tt>
<br>
<tt><font size="2">> <br>
> Unfortunately, after a couple of minutes, on two of three
servers
<br>
> the error comes back in a slightly changed form:<br>
> # ipa-replica-manage list-ruv<br>
> unable to decode: {replica 16}<br>
> ....<br>
> <br>
> Before cleanruv it looked like:<br>
> # ipa-replica-manage list-ruv<br>
> unable to decode: {replica 16} 548a8126000000100000
548a8126000000100000<br>
> ....<br>
> <br>
> And one server seems to be fixed completely.<br>
> <br>
> WBR,<br>
> Alexander Frolushkin<br>
> <br>
> </font></tt>
<br>
<br>
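<tt><font size="2">As a side note, the raw RUV that "ipa-replica-manage list-ruv"
decodes can also be read directly from the database RUV tombstone with a plain
ldapsearch; the host name and suffix below are placeholders for your own deployment:</font></tt>
<br>
<br>
<tt><font size="2">ldapsearch -x -D "cn=Directory Manager" -W -h replica.example.com \</font></tt>
<br>
<tt><font size="2">&nbsp;&nbsp;-b "dc=example,dc=com" \</font></tt>
<br>
<tt><font size="2">&nbsp;&nbsp;"(&amp;(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))" nsds50ruv</font></tt>
<br>
<br>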
<tt><font size="2">we had the same problem (and some more) and
yesterday
we have successfully cleaned the gohst rid's</font></tt>
<br>
<br>
<tt><font size="2">our fix:</font></tt>
<br>
</blockquote>
<br>
Hi Christoph,<br>
<br>
Thanks for sharing this procedure. This bug is difficult to
work around, and it is a good idea to write it down.<br>
<br>
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite">
<br>
<tt><font size="2">1. stop all cleanallruv Tasks, if it works with
ipa-replica-manage
abort-clean-ruv. It hasnt worked here. We have done it
manually on ALL
replicas with:</font></tt>
<br>
<tt><font size="2"> a) replica stop</font></tt>
<br>
<tt><font size="2"> b) delete all
nsds5ReplicaClean from /etc/dirsrv/slapd-HSO/dse.ldif</font></tt>
<br>
<tt><font size="2"> c) replica start</font></tt>
<br>
<br>
</blockquote>
Yes, the ability to abort a clean-ruv task hits the same retry issue as
cleanallruv. It has been addressed in
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/48154">https://fedorahosted.org/389/ticket/48154</a><br>
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite"><tt><font size="2">2. prepare on EACH ipa a cleanruv
ldif file with ALL
ghost rids inside (really ALL from all ipa replicas, we has
had some rids
only on some replicas...)</font></tt>
<br>
<tt><font size="2">Example:</font></tt>
<br>
<br>
<tt><font size="2">dn: cn=replica,cn=dc\3Dexample,cn=mapping
tree,cn=config</font></tt>
<br>
<tt><font size="2">changetype: modify</font></tt>
<br>
<tt><font size="2">replace: nsds5task</font></tt>
<br>
<tt><font size="2">nsds5task:CLEANRUV11</font></tt>
<br>
<br>
<tt><font size="2">dn: cn=replica,cn=dc\3Dexample,cn=mapping
tree,cn=config</font></tt>
<br>
<tt><font size="2">changetype: modify</font></tt>
<br>
<tt><font size="2">replace: nsds5task</font></tt>
<br>
<tt><font size="2">nsds5task:CLEANRUV22</font></tt>
<br>
<br>
<tt><font size="2">dn: cn=replica,cn=dc\3Dexample,cn=mapping
tree,cn=config</font></tt>
<br>
<tt><font size="2">changetype: modify</font></tt>
<br>
<tt><font size="2">replace: nsds5task</font></tt>
<br>
<tt><font size="2">nsds5task:CLEANRUV37</font></tt>
<br>
<tt><font size="2">...</font></tt>
<br>
</blockquote>
<br>
It should work, but I would prefer to do it in a different order.<br>
We need to clean a specific RID on all replicas at the same time;
we do not need to clean all RIDs at the same time.<br>
Having several CLEANRUV tasks in parallel for different RIDs should work,
but I do not know how much it has been tested that way.<br>
<br>
So I would recommend cleaning RID 11 in parallel on all replicas;
then, when it has completed, RID 22; then RID 37.<br>
<br>
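In that case each per-RID file contains just one record from the example above;
e.g. a cleanruv-11-file.ldif (with your own suffix in the DN) would be only:<br>
<br>
<tt><font size="2">dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config</font></tt><br>
<tt><font size="2">changetype: modify</font></tt><br>
<tt><font size="2">replace: nsds5task</font></tt><br>
<tt><font size="2">nsds5task: CLEANRUV11</font></tt><br>
<br>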
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite">
<br>
<tt><font size="2">3. do a "ldapmodify -h 127.0.0.1 -D
"cn=Directory
Manager" -W -x -f $your-cleanruv-file.ldif" on all replicas AT
THE SAME TIME :) we used terminator for it (</font></tt><a moz-do-not-send="true" href="https://launchpad.net/terminator"><tt><font color="blue" size="2">https://launchpad.net/terminator</font></tt></a><tt><font size="2">).
You can open multiple shell windows inside one window and send
the same commands to all of them at
the same time...</font></tt>
<br>
</blockquote>
<br>
Same remark: I would split your-cleanruv-file.ldif
into three files, cleanruv-11-file.ldif, cleanruv-22-file.ldif and cleanruv-37-file.ldif.<br>
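<br>
A plain shell loop can serve the same purpose as terminator; a rough sketch
(the host names are placeholders, and the Directory Manager password comes from an
environment variable because backgrounded ldapmodify calls cannot prompt for it):<br>
<br>
<tt><font size="2"># push the same CLEANRUV task to every replica at (roughly) the same time</font></tt><br>
<tt><font size="2">for h in ipa1.example.com ipa2.example.com ipa3.example.com; do</font></tt><br>
<tt><font size="2">&nbsp;&nbsp;ldapmodify -h "$h" -D "cn=Directory Manager" -w "$DM_PASS" -x -f cleanruv-11-file.ldif &amp;</font></tt><br>
<tt><font size="2">done</font></tt><br>
<tt><font size="2">wait&nbsp;&nbsp;# wait until every ldapmodify has returned</font></tt><br>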
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite">
<br>
<tt><font size="2">4. we have done a re-initialize of each IPA
from our
first master</font></tt>
<br>
</blockquote>
<br>
Do you mean a total init? I do not see a real need for that.<br>
If you are ready to reinit all replicas, there is a very simple way
to get rid of all these ghost RIDs:<br>
<ul>
<li>Select the "good" master that is having all the updates<br>
</li>
<li>do a ldif export without the replication data</li>
<li>do a ldif import of exported file</li>
<li>do online reinit of the full topology, cascading from the
"good" master down to the "consumers"</li>
</ul>
<p>Most of the time we try to avoid asking for a full reinit of the
topology because the databases are large.<br>
</p>
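If a full reinit is acceptable anyway, a rough outline of that sequence (the
instance name HSO, the backend name userRoot, the script paths and the host names are
assumptions that vary between deployments and 389-ds versions):<br>
<br>
<tt><font size="2"># on the "good" master: offline export WITHOUT replication data (no -r), then re-import it</font></tt><br>
<tt><font size="2">ipactl stop</font></tt><br>
<tt><font size="2">/usr/lib64/dirsrv/slapd-HSO/db2ldif -n userRoot -a /tmp/userroot-clean.ldif</font></tt><br>
<tt><font size="2">/usr/lib64/dirsrv/slapd-HSO/ldif2db -n userRoot -i /tmp/userroot-clean.ldif</font></tt><br>
<tt><font size="2">ipactl start</font></tt><br>
<br>
<tt><font size="2"># then, cascading from the good master, on each of the other replicas:</font></tt><br>
<tt><font size="2">ipa-replica-manage re-initialize --from goodmaster.example.com</font></tt><br>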
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite">
<br>
<tt><font size="2">5. restart of all replicas</font></tt>
<br>
<br>
<tt><font size="2">we are not sure about the point 3 and 4. Maybe
they
are not necessary, but we have done it.</font></tt>
<br>
<br>
<tt><font size="2">If something fails look at defect LDAP entries
in
whole ldap, we have had some entries with 'nsunique-$HASH'
after the 'normal'
name. We have deleted them.</font></tt>
<br>
</blockquote>
Do you mean entries with the 'nsuniqueid' attribute in the RDN? These
can be created during replication conflicts, when updates are
received in parallel on different replicas.<br>
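<br>
Those conflict entries can be listed with the standard 389-ds search (the
suffix is a placeholder again):<br>
<br>
<tt><font size="2">ldapsearch -x -D "cn=Directory Manager" -W -b "dc=example,dc=com" "(nsds5ReplConflict=*)" nsds5ReplConflict</font></tt><br>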
<br>
<br>
thanks<br>
thierry<br>
<blockquote cite="mid:OF2BC78040.A4664FCF-ONC1257E54.0020B1D9-C1257E54.00227497@biotronik.com" type="cite"><tt><font size="2"><br>
</font></tt><font face="sans-serif" size="2">Kind regards,<br>
Christoph Kaminski<br>
<br>
<br>
</font>
</blockquote>
<br>
</div></blockquote><blockquote type="cite"><div><span>-- </span><br><span>Manage your subscription for the Freeipa-users mailing list:</span><br><span><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></span><br><span>Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project</span></div></blockquote><br><div>Looks like I'll be giving this a try. So glad someone else is seeing exactly the same issues. Hopefully soon we can find the cause.</div><div><br></div><div>~J</div></body></html>