On 04/15/2013 12:31 PM, Jan Cholasta wrote:
On 12.4.2013 16:55, Simo Sorce wrote:


----- Original Message -----
On 04/12/2013 03:50 PM, Petr Viktorin wrote:
A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
the usual way to do load-balancing, which is the recommended setup for big
installations.


Given that CNAME can only point to one host, I do not know how it can be used
to load balance.

The idea with ipa-ca was to contain a number of A records, which would create a
load balancer to some extent as client software checking the OCSP/CRL would run
the request against one random A record and thus distribute the load among all
FreeIPA CAs.

As A cannot coexist with CNAME, we need to delete it. But it is true that it
may be a good idea to produce an upgrade warning about it.

We should not delete it.
If the admin consciously changed the A name to a CNAME we should
respect that decision.
The problem is on upgrade I guess.
I think on upgrade from 3.1 we just need to document admins should
manually fix the record.
After the upgrade he'll remove the CNAME and instead add an A name
pointing to all the CA replicas manually?

Simo.



I have changed the patch so that the CNAMEs are replaced with A/AAAA if
and only if they all point to IPA masters, otherwise a warning is
printed. Is that OK?

OK with me, patch works well.
ACK unless Simo really wants to always skip the update.

--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
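
The upgrade rule described in the thread (replace the ipa-ca CNAMEs with A/AAAA only when every target is an IPA master, otherwise leave the record and warn), as an added example that is not the FreeIPA patch or any participant's code. The function name, the input shapes, the sample hosts and the choice to publish addresses for every master passed in are assumptions.

```python
import ipaddress


def _fqdn(name):
    """Normalise a DNS name for comparison: lower case, one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def plan_ipa_ca_upgrade(cname_targets, masters):
    """Decide what an upgrade should do with the ipa-ca record.

    cname_targets: targets of the CNAME records currently stored at ipa-ca
    masters:       {master FQDN: [IP address strings]} (hypothetical shape)
    Returns (action, records, warning) with action in noop/warn/replace.
    """
    known = {_fqdn(host): addrs for host, addrs in masters.items()}
    targets = [_fqdn(t) for t in cname_targets]
    if not targets:
        # No CNAME present, so nothing conflicts with A/AAAA records.
        return ("noop", [], None)

    foreign = sorted(t for t in targets if t not in known)
    if foreign:
        # The admin pointed ipa-ca elsewhere on purpose: keep it, only warn.
        msg = "ipa-ca CNAME points outside IPA masters: " + ", ".join(foreign)
        return ("warn", [], msg)

    # Every target is an IPA master: the CNAME can be swapped for A/AAAA
    # records so that OCSP/CRL clients spread across the masters.
    records = set()
    for addrs in known.values():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
            records.add(("AAAA" if ip.version == 6 else "A", str(ip)))
    return ("replace", sorted(records), None)


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, not real hosts).
    sample = {
        "ipa1.example.test": ["192.0.2.10", "2001:db8::10"],
        "ipa2.example.test.": ["192.0.2.11"],
    }
    print(plan_ipa_ca_upgrade(["IPA1.example.test."], sample))
    print(plan_ipa_ca_upgrade(["lb.example.test"], sample))
```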
