On 9.6.2015 15:06, Simo Sorce wrote:
> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
>> Hello,
>>
>> I would like to discuss
>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
>> "Error creating a user when jumping from an original server to replica".
>>
>> Currently the DNA ranges are distributed from master to other replicas on
>> first attempt to get a number from particular range.
>>
>> This works well as long as the original master is reachable but fails
>> miserably when the master is not reachable for any reason.
>>
>> It is apparently confusing to users because it is counter-intuitive.
>> They have created a replica to be sure that everything will work when the
>> first server is down, right?
>>
>> Remediation is technically simple (just assign a range to the new replica)
>> but it is confusing to the users, error-prone, and personally I feel that
>> this is an unnecessary obstacle.
>>
>> It seems to me that the original motivation for this behavior was that the
>> masters were not able to request range back from other replicas when a local
>> range was depleted.
>>
>> This deficiency is tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
>> in 4.2.x time frame.
>>
>> Can we distribute ranges to the replicas during ipa-replica-install when we
>> fix bug 1029640?
>
> That was not the only reason, another reason is that you do not want to
> distribute and fragment ranges to replicas that will never be used to
> create users. What we should do perhaps, is to automatically give a
> range to CA enabled masters so that at least those servers have a range.
> If all your CAs are unavailable you have major issues anyway.
>
> Though it is a bit bad to have magic behaviors, maybe we should have a
> "main DNA range holder" role that can be assigned to arbitrary servers
> (maybe the first replica gets it by default), and when done the server
> acquires part of the range if it has none.

This concept sounds good to me! I would only reverse the default, i.e.
distribute ranges by default to all replicas and let the admin toggle a knob
if he feels that his case really needs to limit range distribution.

> Another option is that a replica can instantiate a whole new range if
> all the range bearing servers are not around, but that also comes with
> its own issues.
>
> In general I wouldn't want to split by default, because in domains with
> *many* replicas most of them are used for load balancing and will never
> be used to create users, so the range would be wasted.

This should not be an issue when
https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because replicas
will be able to request range back if the local chunk is depleted. Is that
correct?

Petr^2 Spacek

> Simo.
>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
>> http://blog-rcritten.rhcloud.com/?p=50