On 05/26/2015 11:21 AM, Oleg Fayans wrote:
Thanks Petr!
Did I understand correctly, that the master branch does not yet contain
patches 0005 and 0006 from Ludwig, only the 0003 patch has been merged?
I must apply them manually to get the full plugin functionality, right?
No, today I've pushed 0003 and 0005 to master.
0006 was replaced by my patches 855 and 857 which depends on tbabej's
325-9+ (domain level feature)
On 05/26/2015 11:00 AM, Petr Vobornik wrote:
On 05/25/2015 03:56 PM, Oleg Fayans wrote:
Hi,
Playing around with the replication topology plugin, I've noticed a
couple of issues:
1. around 50% of attempts to setup a replica of a freeipa master with
topology plugin enabled (domain level set to 1.0) end up with the
following error message in the stdoutput:
[error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No such
object
I am not sure whether the reason is in the Topology Plugin itself or in
some of the latest changes in upstream, though.
I have the same experience. It seems that data from master were
replicated to new replica but new replica entries(host, services) were
not replicated back to master.
The installation then hangs on replica's check if its ldap service
principal is on master.
New ticket: https://fedorahosted.org/freeipa/ticket/5035
2. Whenever this happens, master retains the information about the new
topology segment, even despite the replica setup was unsuccessful. IMHO,
we should have a way to notify the master about replica setup
faiures/aborts so that the master would automatically erase the
corresponding freshly-created segments in such cases.
Not sure if we can rely on that because the chosen communication
mechanism(what ever it might be) might suffer from the same root cause
as the replica installation.
3. After this happens user is unable to delete the replication agreement
with the standard `ipa-replica-manage del` way:
$ ipa-replica-manage del replica1.pesen.net --force
Connection to 'replica1.pesen.net' failed: [Errno -2] Name or service
not known
Forcing removal of replica1.pesen.net
Skipping calculation to determine if one or more masters would be
orphaned.
Deleting replication agreements between replica1.pesen.net and
newmaster.pesen.net
Failed to get list of agreements from 'replica1.pesen.net': [Errno -2]
Name or service not known
Forcing removal on 'newmaster.pesen.net'
Any DNA range on 'replica1.pesen.net' will be lost
There were issues removing a connection for replica1.pesen.net from
newmaster.pesen.net: Server is unwilling to perform: Entry is managed by
topology plugin.Deletion not allowed.
Failed to cleanup replica1.pesen.net entries: Not allowed on non-leaf
entry
this line was fixed by https://fedorahosted.org/freeipa/ticket/5019 .
When this succeeds (master entry is deleted), topology plugin should
delete the rest. I.e., with this patch I was able to delete the replica.
That said, the output might want some love.
You may need to manually remove them from the tree
Failed to cleanup replica1.pesen.net DNS entries: no matching entry
found
You may need to manually remove them from the tree
IIRC upon one of the early discussions with Ludwig, this is yet to be
implemented.
--
Petr Vobornik
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
