On 06/12/2015 09:24 AM, Ludwig Krispenz wrote:
Hi Petr,
On 06/11/2015 06:34 PM, Petr Vobornik wrote:
Attaching a wip patch for `ipa-replica-manage del` to work with
managed topology.

There are two prerequisite patches; they add the following commands. All
commands have the NO_CLI flag, which means they are hidden in the CLI.
- server-del
- serverservice-add, mod, del, show, find

serverservice is object name for server "services" in cn=masters. I
don't like the "service" name much but it's already been used in
general discussions.

The main patch introduces two distinct methods for deleting servers,
one for managed topology, another for the old method. They share some

There are some differences in behavior.

1. The original 'del' also worked with winsync agreements. I'm not
sure why that is. Shouldn't 'disconnect' be used for winsync
agreements? At least the man page says that.

2. Options --clean and --force aren't used in the new method. I don't
think that they are required. They serve for deleting the server entry
in cn=masters. The new method is built around this deletion so that
it's always done, which also means the cleanup is done.

3. Clean RUV task is run after deleting server entry and related
cleanup. I don't think it works well. From observing the changes, it
looks like it's executed before topology plugin manages to delete the
agreements. This task then doesn't want to end and it reports that it
has not finished somewhere. It finishes successfully if dirsrv is
restarted. Agreements are then removed as well and all is fine.

Ludwig, should the clean RUV step be done differently? E.g. somewhere
else or after something finishes?
Good question, investigating the cleanallruv problems was on my agenda
after the topology plugin is "stable". We have seen many issues (e.g.
corrupted RUVs), where we don't know why they exist in DS and if
anything in the management code of IPA is contributing to this. So I
cannot really recommend a "best practice" at the moment.
Regarding required changes in the manage-del, I think the problem is
that without the topo plugin the agreement was deleted, then cleanallruv
was started (it no longer tried to contact the removed replica and
didn't get contacted by that replica). Now the direct deletion of the
agreement is rejected and the cleanallruv will act in the full topology,
so it probably should be done after the server was removed.

Would it be sufficient to check deletion of related segments? Deletion check of rep. agreement seems error prone to me (this server doesn't have to have any and must contact different server...).

You call server_del before calling replica_cleanup (which also deletes
the server). I don't see the deletion of the services before server_del,
so this should fail since it has children.

It won't fail, server_del inherits from LDAPDelete which deletes the children on errors.NotAllowedOnNonLeaf and then it retries the deletion.

Replica cleanup tries to do it again, but if the server entry is not there, it continues without raising an error. This is fine. The logic was kept there for the old del method.
Petr Vobornik
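
The delete behaviour described in the last two replies, modelled as an added example that is not part of the thread and not FreeIPA's code: a delete rejected with NotAllowedOnNonLeaf is retried after the children are removed, and a later cleanup pass tolerates the entry already being gone. The `Directory` class, the locally defined exceptions, the function names and the sample DNs are all constructed for illustration.

```python
# In-memory model only; not FreeIPA or python-ldap code.
class NotAllowedOnNonLeaf(Exception):
    """Deleting an entry that still has children."""

class NotFound(Exception):
    """Deleting an entry that does not exist."""

class Directory:
    def __init__(self, dns):
        self.entries = set(dns)

    def children(self, dn):
        # Direct children carry exactly one extra RDN in front of dn.
        suffix = "," + dn
        return [e for e in self.entries
                if e.endswith(suffix) and "," not in e[:-len(suffix)]]

    def delete(self, dn):
        if dn not in self.entries:
            raise NotFound(dn)
        if self.children(dn):
            raise NotAllowedOnNonLeaf(dn)
        self.entries.remove(dn)

def delete_with_children(directory, dn):
    """Delete dn; on NotAllowedOnNonLeaf remove its subtree, then retry."""
    try:
        directory.delete(dn)
    except NotAllowedOnNonLeaf:
        for child in directory.children(dn):
            delete_with_children(directory, child)
        directory.delete(dn)  # now a leaf, so the retry succeeds

def cleanup_server_entry(directory, dn):
    """Later cleanup pass: a server entry that is already gone is not an error."""
    try:
        delete_with_children(directory, dn)
        return True
    except NotFound:
        return False

# Constructed sample DNs (hypothetical suffix and host name).
MASTERS = "cn=masters,dc=example,dc=test"
SERVER = "cn=replica1.example.test," + MASTERS

def demo():
    d = Directory([MASTERS, SERVER, "cn=CA," + SERVER, "cn=DNS," + SERVER])
    delete_with_children(d, SERVER)  # first delete removes the services too
    return sorted(d.entries), cleanup_server_entry(d, SERVER)
```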
