On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote: > Hello, > > I would like to discuss > https://bugzilla.redhat.com/show_bug.cgi?id=1211366 > "Error creating a user when jumping from an original server to replica". > > Currently the DNA ranges are distributed from master to other replicas on > first attempt to get a number from particular range. > > This works well as long as the original master is reachable but fails > miserably when the master is not reachable for any reason. > > It is apparently confusing to users  because it is counter-intuitive. > They have created a replica to be sure that everything will work when the > first server is down, right? > > Remediation is technically simple  (just assign a range to the new replica) > but it is confusing to the users, error-prone, and personally I feel that this > is an unnecessary obstacle. > > It seems to me that the original motivation for this behavior was that the > masters were not able to request range back from other replicas when a local > range was depleted. > > This deficiency is tracked as > https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix > in 4.2.x time frame. > > Can we distribute ranges to the replicas during ipa-replica-install when we > fix bug 1029640?
That was not the only reason, another reason is that you do not want to distribute and fragment ranges to replicas that will never be used to create users. What we should do perhaps, is to automatically give a range to CA enabled masters so that at least those servers have a range. If all your CAs are unavailable you have major issues anyway. Though it is a bit bad to have magic behaviors, maybe we should have a "main DNA range holder" role that can be assigned to arbitrary servers (maybe the first replica gets it by default), and when done the server acquire part of the range if it has none. Another option is that a replica can instantiate a whole new range if all the range bearing servers are not around, but that also comes with its own issues. In general I wouldn't want to split by default, because in domains with *many* replicas most of them are used for load balancing and will never be used to create users, so the range would be wasted. Simo. > >  https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0 >  https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html >  http://blog-rcritten.rhcloud.com/?p=50 > > -- > Petr^2 Spacek > -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code