Martin Kosek wrote:
On 07/12/2012 07:46 AM, Martin Kosek wrote:
On 07/11/2012 09:27 PM, Rob Crittenden wrote:
Martin Kosek wrote:
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.

However, since the correct range size is not known, we should at least
warn that a range with an invalid size was created so that the user can
amend it.


I created 2 new tickets to further improve this area:

1) #2918: [doc] Upgrade procedure section should mention ipa-ldap-updater
2) #2919: Improve safety checks in range command


To test this patch, you can:
1) Install unpatched IPA server (and you may install replicas too) with custom
--idstart and --idmax options where the difference is greater than 200000
2) Remove default range with range-del command (will be restored during upgrade)
3) Run RPM upgrade with RPMs built from patched sources - ERROR should now be
printed during update stating that a new range was created but its size is not
right

I don't understand step 2, why would someone remove their range before 
upgrading?

I installed with a 50k range, didn't remove it, then upgraded with no warning.
I deleted the range and re-installed the packages again, still no warning but a
new 200k range was created for me.

rob

Step 2 is artificial and is only done to force the default_range update
plugin to create/restore the default IPA range. The plugin would just be
skipped otherwise.

We can only detect ranges larger than 200k - judging just from the number of
free IDs. Thus, 50k range will pass without any warning or error. If you create
a bigger range (this can be detected unless you deplete all IDs below 200k
mark), you will receive the warning. All this procedure will not handle all
situations ATM, it's just heuristics to cover most cases...

Martin

Sending an updated patch with 2 small changes:
1) Console error formatting was changed similar to ipa-client-install
2) ipa-ldap-updater does not print an information message to stderr when IPA is
not configured, so that rpm update output stays clean when updating rpms on a
machine without IPA installed

This is the output of RPM with the new patch set:

# ipa range-del IDM.LAB.BOS.REDHAT.COM_id_range
--------------------------------------------------
Deleted ID range "IDM.LAB.BOS.REDHAT.COM_id_range"
--------------------------------------------------
# rpm -Uvh --force freeipa-*
Preparing...                ########################################### [100%]
    1:freeipa-python         ########################################### [ 14%]
    2:freeipa-client         ########################################### [ 29%]
    3:freeipa-admintools     ########################################### [ 43%]
    4:freeipa-server         ########################################### [ 57%]
    5:freeipa-server-selinux ########################################### [ 71%]
    6:freeipa-server-trust-ad########################################### [ 86%]
    7:freeipa-debuginfo      ########################################### [100%]
ERROR: default_range: could not verify default ID range size
Please use the following command to set correct ID range size
   $ ipa range-mod IDM.LAB.BOS.REDHAT.COM_id_range --range-size=RANGE_SIZE
RANGE_SIZE may be computed from --idstart and --idmax options used during IPA
server installation:
   RANGE_SIZE = (--idmax) - (--idstart) + 1

Martin


Your sys.exit() changes to ipa-ldap-updater cause the return val to be 0 when IPA is not configured. It should return 1.

Fix that and ACK.

rob
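
An added example, not FreeIPA's own updater code, that models the free-ID heuristic Martin describes above (only a recreated range larger than the 200k default can be detected, and only while enough IDs remain unused) together with the RANGE_SIZE formula from the updater's hint; the DnaState class, its fields and the sample values are constructed assumptions for the model.

```python
# Added example (not FreeIPA's own updater code): models the heuristic the
# thread describes. The default_range update plugin can only judge the size of
# a range it had to recreate from the number of IDs the DNA plugin still has
# free. DnaState and its fields are assumptions constructed for this model.
from dataclasses import dataclass
from typing import Optional

DEFAULT_RANGE_SIZE = 200000  # size the updater gives a recreated default range


def range_size(idstart: int, idmax: int) -> int:
    """RANGE_SIZE = (--idmax) - (--idstart) + 1, as in the updater's hint."""
    if idmax < idstart:
        raise ValueError("idmax must not be smaller than idstart")
    return idmax - idstart + 1


@dataclass
class DnaState:
    """Constructed stand-in for the DNA plugin's view of an installed range."""
    idstart: int
    idmax: int
    next_free: int  # next ID the DNA plugin would hand out

    @property
    def free_ids(self) -> int:
        return self.idmax - self.next_free + 1


def default_range_verified(state: DnaState,
                           default_size: int = DEFAULT_RANGE_SIZE) -> bool:
    """True when the heuristic cannot prove the recreated range is wrong.

    More free IDs than the default size proves the real range was larger, so
    that case is flagged. A range smaller than the default, or a larger one
    already drained below the default mark, looks the same as a correct one
    and passes silently (the caveat Martin gives in the thread).
    """
    return state.free_ids <= default_size


def upgrade_message(state: DnaState, range_name: str) -> Optional[str]:
    """Returns the ERROR text the updater prints when the heuristic fires.

    The updater does not know --idstart/--idmax, so it can only hint at the
    formula; the admin computes RANGE_SIZE with range_size() and runs range-mod.
    """
    if default_range_verified(state):
        return None
    return ("ERROR: default_range: could not verify default ID range size\n"
            f"   $ ipa range-mod {range_name} --range-size=RANGE_SIZE\n"
            "   RANGE_SIZE = (--idmax) - (--idstart) + 1")
```

Running the model over Rob's 50k install shows no message, which matches what he observed, while a 300k range is flagged only until its allocations have drained the free count below 200000.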

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
