Petr Vobornik wrote:
> On 04/09/2015 04:05 PM, Rob Crittenden wrote:
>> Right now when a new master is installed it is not configured with a CA
>> unless one passes in --setup-ca (or afterward runs ipa-ca-install).
>>
>> Over and over we've seen people who have multiple masters and a single
>> CA, in some cases that CA machine is gone, leaving the realm with no CA
>> at all.
>>
>> I think this is due to the fact that CA replicas are not created by
>> default and the users are not aware of the implications of a single
>> point-of-failure since things otherwise seem to be working.
>>
>> So perhaps the default should be to install a CA unless the user
>> requests one not be installed. A related task may be to create an
>> uninstaller for just the CA.
>>
>> rob
>>
>
> From a general perspective:
>
> When I hear "replica" it evokes a "clone", something equal/identical.
>
> Based on this, the expected behavior for me would be that:
>
> - if the master has DNS and CA, then the new replica would also have DNS and
>   CA (without any configuration option needed).
> - if an optional service is missing, then the replica wouldn't have it
>   by default either
>
> This would require reverse options like: --no-dns.
Pretty much exactly what I was thinking.

For the option I think we should go with a more generic --ca, --dns, with the
default value matching what the remote master has configured. But that's bike
shedding.

The real question is, what do others think? Is this worth filing a ticket for?
It would be a subtle but significant change.

This might tie in nicely with planned topology management too.

rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
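The two concerns in this exchange, a realm whose only CA lives on one master, and a replica whose optional services default to whatever the remote master runs, both reduce to one question: which masters have which services enabled? As an added example (not FreeIPA project code, and not anything posted in the thread), the script below answers it from the per-master service entries FreeIPA keeps in LDAP. It assumes the `cn=<service>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,$SUFFIX` layout with `ipaConfigString: enabledService` marking a running service; the entries in `SAMPLE_ENTRIES` are constructed, not pulled from a live server, and the `--setup-ca`/`--setup-dns` flags it emits are assumed to be the current `ipa-replica-install` options for the two services discussed above.

```python
# Added example, not FreeIPA code. Assumed DIT layout:
#   cn=<SERVICE>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>
# with ipaConfigString=enabledService marking a service that is actually running.
from collections import defaultdict

MASTERS_BASE = "cn=masters,cn=ipa,cn=etc,dc=example,dc=com"  # assumed suffix

# Optional services from the thread and the (assumed current) ipa-replica-install
# flag that installs each one today.
OPTIONAL_SERVICE_FLAGS = {"CA": "--setup-ca", "DNS": "--setup-dns"}

# Constructed sample: three masters, only ipa1 runs an enabled CA.
# Each tuple is (entry DN, list of ipaConfigString values).
SAMPLE_ENTRIES = [
    ("cn=CA,cn=ipa1.example.com," + MASTERS_BASE, ["enabledService", "caRenewalMaster"]),
    ("cn=DNS,cn=ipa1.example.com," + MASTERS_BASE, ["enabledService"]),
    ("cn=KDC,cn=ipa1.example.com," + MASTERS_BASE, ["enabledService"]),
    ("cn=DNS,cn=ipa2.example.com," + MASTERS_BASE, ["enabledService"]),
    ("cn=KDC,cn=ipa2.example.com," + MASTERS_BASE, ["enabledService"]),
    ("cn=KDC,cn=ipa3.example.com," + MASTERS_BASE, ["enabledService"]),
    # A CA that was set up but never enabled must not count as a working CA.
    ("cn=CA,cn=ipa3.example.com," + MASTERS_BASE, ["configuredService"]),
]


def parse_service_dn(dn, base=MASTERS_BASE):
    """Return (fqdn, SERVICE) for cn=<service>,cn=<fqdn>,<base>, else None.

    Assumes no escaped commas inside the RDNs, which holds for hostnames and
    FreeIPA service names; anything not directly under <base> is ignored.
    """
    parts = dn.split(",", 2)
    if len(parts) != 3 or parts[2].lower() != base.lower():
        return None
    svc, host = parts[0], parts[1]
    if not (svc.lower().startswith("cn=") and host.lower().startswith("cn=")):
        return None
    return host[3:].lower(), svc[3:].upper()


def enabled_services(entries, base=MASTERS_BASE):
    """Map each master FQDN to the set of services marked enabledService."""
    services = {}
    for dn, config_strings in entries:
        parsed = parse_service_dn(dn, base)
        if parsed is None:
            continue
        host, svc = parsed
        services.setdefault(host, set())  # list the master even with nothing enabled
        if any(s.lower() == "enabledservice" for s in config_strings):
            services[host].add(svc)
    return services


def single_points_of_failure(services_by_master, watch=OPTIONAL_SERVICE_FLAGS):
    """Return {service: fqdn} for watched services that run on exactly one master."""
    holders = defaultdict(list)
    for host, svcs in services_by_master.items():
        for svc in svcs:
            if svc in watch:
                holders[svc].append(host)
    return {svc: hosts[0] for svc, hosts in holders.items() if len(hosts) == 1}


def mirror_flags(services_by_master, remote_master, flags=OPTIONAL_SERVICE_FLAGS):
    """Flags to pass to ipa-replica-install so the new replica carries the same
    optional services as remote_master, i.e. the "replica is a clone" default
    proposed in the thread. Raises KeyError for an unknown master."""
    svcs = services_by_master[remote_master.lower()]
    return sorted(flag for svc, flag in flags.items() if svc in svcs)


if __name__ == "__main__":
    by_master = enabled_services(SAMPLE_ENTRIES)
    for host in sorted(by_master):
        print(host, sorted(by_master[host]))
    for svc, host in sorted(single_points_of_failure(by_master).items()):
        print("WARNING: %s runs only on %s; losing that host leaves the realm without it" % (svc, host))
    print("to mirror ipa1.example.com:", " ".join(mirror_flags(by_master, "ipa1.example.com")))
```

Against the constructed entries this reports that the CA exists only on ipa1.example.com (ipa3's configured-but-disabled CA is deliberately not counted) and that mirroring ipa1 means passing `--setup-ca --setup-dns`, while mirroring ipa3 needs no optional flags at all. Against a real deployment the same functions would be fed the result of an LDAP search for `(ipaConfigString=*)` under `cn=masters`.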