On 9.6.2015 15:06, Simo Sorce wrote:
> On Tue, 2015-06-09 at 10:30 +0200, Petr Spacek wrote:
>> Hello,
>> I would like to discuss
>> https://bugzilla.redhat.com/show_bug.cgi?id=1211366
>> "Error creating a user when jumping from an original server to replica".
>> Currently the DNA ranges are distributed from master to other replicas on
>> first attempt to get a number from particular range.
>> This works well as long as the original master is reachable but fails
>> miserably when the master is not reachable for any reason.
>> It is apparently confusing to users [1][2] because it is counter-intuitive.
>> They have created a replica to be sure that everything will work when the
>> first server is down, right?
>> Remediation is technically simple [3] (just assign a range to the new 
>> replica)
>> but it is confusing to the users, error-prone, and personally I feel that 
>> this
>> is an unnecessary obstacle.
>> It seems to me that the original motivation for this behavior was that the
>> masters were not able to request range back from other replicas when a local
>> range was depleted.
>> This deficiency is tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1029640 and it is slated for fix
>> in 4.2.x time frame.
>> Can we distribute ranges to the replicas during ipa-replica-install when we
>> fix bug 1029640?
> That was not the only reason, another reason is that you do not want to
> distribute and fragment ranges to replicas that will never be used to
> create users. What we should do perhaps, is to automatically give a
> range to CA enabled masters so that at least those servers have a range.
> If all your CAs are unavailable you have major issues anyway.
> Though it is a bit bad to have magic behaviors, maybe we should have a
> "main DNA range holder" role that can be assigned to arbitrary servers
> (maybe the first replica gets it by default), and when done the server
> acquire part of the range if it has none.

This concept sounds good to me!

I would only reverse the default, i.e. distribute ranges by default to all
replicas and let admin to toggle a knob if he feels that his case really needs
to limit range distribution.

> Another option is that a replica can instantiate a whole new range if
> all the range bearing servers are not around, but that also comes with
> its own issues.
> In general I wouldn't want to split by default, because in domains with
> *many* replicas most of them are used for load balancing and will never
> be used to create users, so the range would be wasted.

This should not be an issue when
https://bugzilla.redhat.com/show_bug.cgi?id=1029640 is fixed because replicas
will be able to request range back if the local chunk is depleted.

Is that correct?

Petr^2 Spacek

> Simo.
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1211366#c0
>> [2] https://www.redhat.com/archives/freeipa-users/2015-May/msg00515.html
>> [3] http://blog-rcritten.rhcloud.com/?p=50

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to