On 06/17/2015 04:31 PM, Simo Sorce wrote:
On Wed, 2015-06-17 at 16:15 +0200, Ludwig Krispenz wrote:
On 06/17/2015 03:37 PM, Oleg Fayans wrote:
Hi Ludwig, Petr,

Presently I have noticed that disabling a segment, using `ipa
topologysegment-mod realm replica1-to-replica2
--enabled=off` does not have effect on the way the data is replicated.

I mean that if we have the following tolopogy:
master <-> replica1 <-> replica2
on which server did you apply the mod ?
and disable one of the segments, one would expect the changes
implemented on master would not be replicated to other nodes (or do I
misunderstand the concept of disabling a segment?). However, in
reality any changes in master do get replicated despite the segment is

Is it a correct behavior?

The second question is: if disabled segments should not let the
changes through, then we probably should implement a check for
topology disconnection in similar way as `ipa topologysegment-del`
does. I mean, whenever a user tries to disable a segment, the plugin
should probably check whether it disconnects any of the nodes.
well, I think disabling should be temporary, you want to disconnect for
some time. eg for debugging, not deleting the agreement completely, I
would allow this.
Too dangerous, I would honestly not even offer the option to disable
anything via the framework for now.
Anyway, if the feature does not work as expected for now, I would disable it rather than fixing, as it's not a critical functionality for alpha.

Do we really want to allow an admin to cause split brains ?
If an admin forgets to re-enable a segment pretty quickly you get in a
very undesirable state if that segment caused a split brain.

It may make sense if it were some time-based command, where you must
enter a (short) time period when the segment is disabled, so that it
re-enabled automatically when the window expires, but that is not
something we are getting in the short term.

My 2c,

+ 1 for implementing time-based segment disabling.

Oleg Fayans
Quality Engineer
FreeIPA team

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to