On 05/25/2015 03:56 PM, Oleg Fayans wrote:

Playing around with the replication topology plugin, I've noticed a
couple of issues:
1. Around 50% of attempts to set up a replica of a freeipa master with
topology plugin enabled (domain level set to 1.0) end up with the
following error message in the standard output:

   [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such

I am not sure whether the reason is in the Topology Plugin itself or in
some of the latest changes in upstream, though.

I have the same experience. It seems that data from master were replicated to new replica but new replica entries (host, services) were not replicated back to master.

The installation then hangs on replica's check if its ldap service principal is on master.

New ticket: https://fedorahosted.org/freeipa/ticket/5035

2. Whenever this happens, master retains the information about the new
topology segment, even though the replica setup was unsuccessful. IMHO,
we should have a way to notify the master about replica setup
failures/aborts so that the master would automatically erase the
corresponding freshly-created segments in such cases.

Not sure if we can rely on that because the chosen communication mechanism (whatever it might be) might suffer from the same root cause as the replica installation.

3. After this happens, the user is unable to delete the replication agreement
the standard `ipa-replica-manage del` way:
$ ipa-replica-manage del replica1.pesen.net --force
Connection to 'replica1.pesen.net' failed: [Errno -2] Name or service
not known
Forcing removal of replica1.pesen.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between replica1.pesen.net and
Failed to get list of agreements from 'replica1.pesen.net': [Errno -2]
Name or service not known
Forcing removal on 'newmaster.pesen.net'
Any DNA range on 'replica1.pesen.net' will be lost
There were issues removing a connection for replica1.pesen.net from
newmaster.pesen.net: Server is unwilling to perform: Entry is managed by
topology plugin.Deletion not allowed.
Failed to cleanup replica1.pesen.net entries: Not allowed on non-leaf entry

This line was fixed by https://fedorahosted.org/freeipa/ticket/5019 . When this succeeds (master entry is deleted), topology plugin should delete the rest. I.e., with this patch I was able to delete the replica.

That said, the output might want some love.

You may need to manually remove them from the tree
Failed to cleanup replica1.pesen.net DNS entries: no matching entry found
You may need to manually remove them from the tree

IIRC upon one of the early discussions with Ludwig, this is yet to be

Petr Vobornik
