URL: https://github.com/freeipa/freeipa/pull/1155
Author: abbra
 Title: #1155: Time skew fixes during initial replication
Action: opened

PR body:
"""
This patchset implements time skew fixes for initial replication as required in 
the bug https://bugzilla.redhat.com/show_bug.cgi?id=1493150. This approach 
allows creating or re-initializing replicas in the situation when there are 
time differences between data centers.

Note that by default 389-ds does not allow time skew in replication; this is generally the right behaviour and should remain our default state. This patchset makes it possible to break an impasse in cases where the replication state has got out of control for external reasons, such as a failed attempt at a parallel IPA upgrade.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1155/head:pr1155
git checkout pr1155
From 951e66ca886adfe2332381af71360cc1ba26822a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 16 Oct 2017 13:32:38 +0300
Subject: [PATCH 1/2] ds: ignore time skew during initial replication step

Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493150
---
 install/share/Makefile.am                    | 2 ++
 install/share/replica-ignore-time-skew.ldif  | 4 ++++
 install/share/replica-prevent-time-skew.ldif | 4 ++++
 ipaserver/install/dsinstance.py              | 8 ++++++++
 4 files changed, 18 insertions(+)
 create mode 100644 install/share/replica-ignore-time-skew.ldif
 create mode 100644 install/share/replica-prevent-time-skew.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 41fdae4ac4..5d58a92029 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,6 +38,8 @@ dist_app_DATA =				\
 	default-trust-view.ldif		\
 	delegation.ldif			\
 	replica-acis.ldif		\
+	replica-prevent-time-skew.ldif  \
+	replica-ignore-time-skew.ldif   \
 	ds-nfiles.ldif			\
 	dns.ldif			\
 	dnssec.ldif			\
diff --git a/install/share/replica-ignore-time-skew.ldif b/install/share/replica-ignore-time-skew.ldif
new file mode 100644
index 0000000000..a3d959d827
--- /dev/null
+++ b/install/share/replica-ignore-time-skew.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+add: nsslapd-ignore-time-skew
+nsslapd-ignore-time-skew: on
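Review bot: `add: nsslapd-ignore-time-skew` on the third line is rejected by the server whenever the attribute is already present in cn=config — for example left at `on` by an earlier run that died between the ignore and prevent steps, or if the shipped dse.ldif already carries it with `off` — whereas the companion replica-prevent-time-skew.ldif uses `replace:`. Since the intent is to force the value rather than append one, `replace: nsslapd-ignore-time-skew` succeeds in both cases and makes the two files symmetric. Whether `_ldap_mod` treats the resulting LDAP error as fatal or ignores it is not visible from this patch.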
diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
new file mode 100644
index 0000000000..3310ab76d7
--- /dev/null
+++ b/install/share/replica-prevent-time-skew.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-ignore-time-skew
+nsslapd-ignore-time-skew: off
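Review bot: this file unconditionally writes `off` rather than restoring whatever value cn=config held before replica-ignore-time-skew.ldif was applied, so an administrator-chosen `on` would be silently reverted on every replica install or force-sync. That is acceptable if `off` is the mandated state on every IPA replica, as the PR description indicates; if so, a comment such as `# Restores the 389-ds default: IPA requires time-skew checks during normal operation` would record that the reset is deliberate rather than an oversight.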
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4ec6ceed5a..c076cb852e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -394,6 +394,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
         self.step("restarting directory server", self.__restart_instance)
 
         self.step("creating DS keytab", self.request_service_keytab)
+        self.step("ignore time skew for initial replication", self.replica_ignore_initial_time_skew)
         self.step("setting up initial replication", self.__setup_replica)
         self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
         self.step("updating schema", self.__update_schema)
@@ -402,6 +403,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
         self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
 
         self.__common_post_setup()
+        self.step("prevent time skew after initial replication", self.replica_prevent_time_skew)
 
         self.start_creation(runtime=30)
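Review bot: the "prevent time skew" step added here is registered only after `__common_post_setup()`, so every step between the ignore step (registered right after "creating DS keytab" in the previous hunk) and the end of installation — SASL mappings, schema update, S4U2Proxy and whatever `__common_post_setup` adds — runs with skew checks disabled, and an exception in any of them leaves `nsslapd-ignore-time-skew: on` persisted in cn=config on the new replica. If, as the commit message says, only the initial replication needs the relaxation, registering this step directly after `self.step("setting up initial replication", self.__setup_replica)` and dropping it from here narrows that window to a single step. A failure inside `__setup_replica` itself would still leave the flag on; a comment at the ignore step saying that the uninstall/retry path must reset it would make that trade-off explicit. `create_replica` starts before these hunks.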
 
@@ -934,6 +936,12 @@ def __add_delegation_layout(self):
     def __add_replication_acis(self):
         self._ldap_mod("replica-acis.ldif", self.sub_dict)
 
+    def replica_ignore_initial_time_skew(self):
+        self._ldap_mod("replica-ignore-time-skew.ldif", self.sub_dict)
+
+    def replica_prevent_time_skew(self):
+        self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
+
     def __setup_s4u2proxy(self):
         self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
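Review bot: `replica_ignore_initial_time_skew` and `replica_prevent_time_skew` are public (the second patch calls them from ipa-replica-manage) but carry no docstring, and neither name says that they modify cn=config or that they are meant to bracket a replication run as a pair. Suggest `"""Set nsslapd-ignore-time-skew=on in cn=config so initial replication tolerates clock skew; always pair with replica_prevent_time_skew()."""` on the first and `"""Reset nsslapd-ignore-time-skew to off in cn=config, re-enabling 389-ds time-skew checks for normal operation."""` on the second. The two surrounding private methods follow the same one-line `_ldap_mod` shape, so the docstrings are the only thing distinguishing their contracts.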
 

From 78789f96dcb0a8f384515e59627b9c16239b4a21 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 16 Oct 2017 13:46:38 +0300
Subject: [PATCH 2/2] ipa-replica-manage: implicitly ignore initial time skew
 in force-sync

When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493150
---
 install/tools/ipa-replica-manage | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 102addbdbd..748a998fc9 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -1229,6 +1229,11 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
     agreement = thisrepl.get_replication_agreement(fromhost)
     if agreement is None:
         sys.exit("'%s' has no replication agreement for '%s'" % (thishost, fromhost))
+
+    ds = dsinstance.DsInstance(realm_name=realm)
+    ds.ldapi = os.getegid() == 0
+    ds.replica_ignore_initial_time_skew()
+
     repltype = thisrepl.get_agreement_type(fromhost)
     if repltype == replication.WINSYNC:
         # With winsync we don't have a "remote" agreement, it is all local
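Review bot: `ds.ldapi = os.getegid() == 0` decides whether to use LDAPI by effective group id; the conventional root test is `os.geteuid() == 0`, since a process can hold gid 0 without being root and vice versa, and it is the effective uid that the LDAPI autobind presumably matches. If this line mirrors how the rest of ipa-replica-manage constructs `DsInstance` it is at least consistent with existing code, but the uid check is the one that reflects the privilege actually needed. Note also that the flag is switched on before the winsync/remote branch is chosen, so it applies to winsync force-sync too; if that is intended, a short comment saying so would help. `force_sync` continues past this hunk.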
@@ -1238,6 +1243,9 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
         repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
         repl.force_sync(repl.conn, thishost)
 
+    repl.wait_for_repl_init(repl.conn, agreement.dn)
+    ds.replica_prevent_time_skew()
+
 def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
                     nolookup=False):
     """