On 9.6.2015 15:06, Simo Sorce wrote:
> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
>> Hello,
>>
>> I would like to discuss
>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
>> "Error creating a user when jumping from an original server to replica".
>>
>> Currently the DNA ranges are distributed from the master to other replicas on
>> the first attempt to get a number from a particular range.
>>
>> This works well as long as the original master is reachable but fails
>> miserably when the master is not reachable for any reason.
>>
>> It is apparently confusing to users [1][2] because it is counter-intuitive.
>> They have created a replica to be sure that everything will work when the
>> first server is down, right?
>>
>> Remediation is technically simple [3] (just assign a range to the new
>> replica) but it is confusing to the users, error-prone, and personally I
>> feel that this is an unnecessary obstacle.
>>
>> It seems to me that the original motivation for this behavior was that the
>> masters were not able to request range back from other replicas when a local
>> range was depleted.
>>
>> This deficiency is tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for a fix
>> in the 4.2.x time frame.
>>
>> Can we distribute ranges to the replicas during ipa-replica-install when we
>> fix bug 1029640?
> 
> That was not the only reason; another reason is that you do not want to
> distribute and fragment ranges to replicas that will never be used to
> create users. What we should do perhaps, is to automatically give a
> range to CA enabled masters so that at least those servers have a range.
> If all your CAs are unavailable you have major issues anyway.
> 
> Though it is a bit bad to have magic behaviors, maybe we should have a
> "main DNA range holder" role that can be assigned to arbitrary servers
> (maybe the first replica gets it by default), and when done the server
> acquires part of the range if it has none.

This concept sounds good to me!

I would only reverse the default, i.e. distribute ranges by default to all
replicas and let the admin toggle a knob if he feels that his case really needs
to limit range distribution.

> Another option is that a replica can instantiate a whole new range if
> all the range bearing servers are not around, but that also comes with
> its own issues.
> 
> In general I wouldn't want to split by default, because in domains with
> *many* replicas most of them are used for load balancing and will never
> be used to create users, so the range would be wasted.

This should not be an issue when
https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because replicas
will be able to request range back if the local chunk is depleted.

Is that correct?

Petr^2 Spacek

> Simo.
> 
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
>> [2] https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
>> [3] http://blog-rcritten.rhcloud.com/?p=50
