Hi Ludwig,
On 06/17/2015 05:13 PM, Ludwig Krispenz wrote:
Hi,
On 06/17/2015 05:07 PM, Oleg Fayans wrote:
On 06/17/2015 04:59 PM, Ludwig Krispenz wrote:
On 06/17/2015 04:46 PM, Oleg Fayans wrote:
Hi Ludwig,
On 06/17/2015 04:15 PM, Ludwig Krispenz wrote:
On 06/17/2015 03:37 PM, Oleg Fayans wrote:
Hi Ludwig, Petr,
Presently I have noticed that disabling a segment, using `ipa
topologysegment-mod realm replica1-to-replica2
--enabled=off` does not have effect on the way the data is
replicated.
I mean that if we have the following topology:
master <-> replica1 <-> replica2
on which server did you apply the mod ?
On master.
just to be clear, you have master <-> replica1 <-> replica2
on master you disable replica1-replica2
why would you expect mods on master not to be replicated ? at least
to replica1 ?
the disable should only affect the connection between r1 and r2.
There is one problem in this linear topology, the disable reaches
r1, it disables the agmt to r2 and so fails to replicate the
disable to r2.
To be precise, my topology is as follows
master <-> replica3 <-> replica2 <-> replica1
And I disabled the replica3 <-> replica2. So I expected the changes
on master to be only visible on master and replica3, but actually it
kept replicating to all nodes.
root@f22replica1:/home/ofayans]$ ipa topologysegment-find realm
------------------
3 segments matched
------------------
Segment name: f22master.bagam.net-to-f22replica3.bagam.net
Left node: f22master.bagam.net
Right node: f22replica3.bagam.net
Connectivity: both
Segment name: replica1-to-replica2
Left node: f22replica1.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
Segment name: replica3-to-replica2
Left node: f22replica3.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
----------------------------
Number of entries returned 3
----------------------------
root@f22replica1:/home/ofayans]$ ipa topologysegment-show realm
replica3-to-replica2
Segment name: replica3-to-replica2
Left node: f22replica3.bagam.net
Right node: f22replica2.bagam.net
Connectivity: both
Replication agreement enabled: off
can you do a ldapsearch on cn=realm,cn=topology, ......
$ ldapsearch -LLL -b
"cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net" -D "cn=Directory
Manager" -w '<password>'
dn: cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
cn: realm
ipaReplTopoConfRoot: dc=bagam,dc=net
objectClass: top
objectClass: iparepltopoconf
dn:
cn=replica1-to-replica2,cn=realm,cn=topology,cn=ipa,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentRightNode: f22replica2.bagam.net
ipaReplTopoSegmentDirection: both
cn: replica1-to-replica2
ipaReplTopoSegmentLeftNode: f22replica1.bagam.net
objectClass: iparepltoposegment
objectClass: top
dn:
cn=f22master.bagam.net-to-f22replica3.bagam.net,cn=realm,cn=topology,cn=ip
a,cn=etc,dc=bagam,dc=net
ipaReplTopoSegmentDirection: both
objectClass: iparepltoposegment
objectClass: top
cn: f22master.bagam.net-to-f22replica3.bagam.net
ipaReplTopoSegmentLeftNode: f22master.bagam.net
ipaReplTopoSegmentRightNode: f22replica3.bagam.net
ipaReplTopoSegmentStatus: autogen
dn:
cn=f22replica3.bagam.net-f22replica1.bagam.net,cn=realm,cn=topology,cn=ipa
,cn=etc,dc=bagam,dc=net
objectClass: iparepltoposegment
objectClass: top
ipaReplTopoSegmentLeftNode: f22replica3.bagam.net
cn: f22replica3.bagam.net-f22replica1.bagam.net
ipaReplTopoSegmentDirection: both
ipaReplTopoSegmentRightNode: f22replica1.bagam.net
and on replica3 do a search -b "cn=config"
"objectclass=nsds5replicationagreement"
$ ldapsearch -LLL -b "cn=config" "objectclass=nsds5replicationagreement"
-D "cn=Directory Manager" -w '<password>'
dn:
cn=f22replica3.bagam.net-to-f22replica1.bagam.net,cn=replica,cn=dc\3Dbagam
\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
cn: f22replica3.bagam.net-to-f22replica1.bagam.net
nsDS5ReplicaHost: f22replica1.bagam.net
nsDS5ReplicaPort: 389
nsds5replicaTimeout: 300
nsDS5ReplicaRoot: dc=bagam,dc=net
description: f22replica3.bagam.net to f22replica1.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - generated by
topology pl
ugin
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMyOSA0OjcvMCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=meTof22master.bagam.net,cn=replica,cn=dc\3Dbagam\2Cdc\3Dnet,cn=mapping
tree,cn=config
cn: meTof22master.bagam.net
description: me to f22master.bagam.net
ipaReplTopoManagedAgreementState: managed agreement - controlled by
topology p
lugin
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=bagam,dc=net
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
krblasts
uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 557fdff1000000040000
nsds50ruv: {replica 4 ldap://f22master.bagam.net:389}
557fdffc000100040000 558
00f44000300040000
nsds50ruv: {replica 6 ldap://f22replica3.bagam.net:389}
55800e1b000000060000 5
5800f44000400060000
nsds50ruv: {replica 5 ldap://f22replica2.bagam.net:389}
557fed70000000050000 5
5800553000300050000
nsds50ruv: {replica 3 ldap://f22replica1.bagam.net:389}
557fdffa000000030000 5
58009b4000200030000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp
internalModifiersName in
ternalModifyTimestamp
nsds5replicaTimeout: 120
nsruvReplicaLastModified: {replica 4 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 6 ldap://f22replica3.bagam.net:389}
0000000
0
nsruvReplicaLastModified: {replica 5 ldap://f22replica2.bagam.net:389}
0000000
0
nsruvReplicaLastModified: {replica 3 ldap://f22replica1.bagam.net:389}
0000000
0
objectClass: nsds5replicationagreement
objectClass: top
objectClass: ipaReplTopoManagedAgreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617151930Z
nsds5replicaLastUpdateEnd: 20150617151930Z
nsds5replicaChangesSentSinceStartup:: Njo1LzMzNCA=
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
dn:
cn=cloneAgreement1-f22replica3.bagam.net-pki-tomcat,cn=replica,cn=o\3Dipac
a,cn=mapping tree,cn=config
cn: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
description: cloneAgreement1-f22replica3.bagam.net-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager
masterAgreement1-f22replica3.bagam.
net-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
RERBNEJDUTRZbVk0TUdFM1l5MHpZV1F4TTJFeg0KTnkwNE5HVXhNamczTmkxak1qSmtNalkwTndBQ
0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQmxGYWZ1U3ROY2pNbV
J4NFNUc2pBcQ==}j+d3WWGnksSdSnVQ2S0irQ==
nsDS5ReplicaHost: f22master.bagam.net
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 557fe04c000000600000
nsds50ruv: {replica 96 ldap://f22master.bagam.net:389}
557fe05b000000600000 55
800ea7000000600000
nsds50ruv: {replica 86 ldap://f22replica3.bagam.net:389}
55800eb4000000560000
55800eb6000200560000
nsds50ruv: {replica 91 ldap://f22replica2.bagam.net:389}
557fede80000005b0000
557fedea0002005b0000
nsds50ruv: {replica 97 ldap://f22replica1.bagam.net:389}
557fe06c000000610000
557fe326000000610000
nsruvReplicaLastModified: {replica 96 ldap://f22master.bagam.net:389}
00000000
nsruvReplicaLastModified: {replica 86 ldap://f22replica3.bagam.net:389}
000000
00
nsruvReplicaLastModified: {replica 91 ldap://f22replica2.bagam.net:389}
000000
00
nsruvReplicaLastModified: {replica 97 ldap://f22replica1.bagam.net:389}
000000
00
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150617150850Z
nsds5replicaLastUpdateEnd: 20150617150850Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully:
Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z
would like to see the raw data.
It reproduces though even in a situation with the topology
replica3 <-> master <-> replica1 <-> replica2 and you disable the
replica1-replica2 segment on replica3 (quite expectedly)
and disable one of the segments, one would expect the changes
implemented on master would not be replicated to other nodes (or
do I misunderstand the concept of disabling a segment?). However,
in reality any changes in master do get replicated even though the
segment is disabled.
Is it a correct behavior?
The second question is: if disabled segments should not let the
changes through, then we probably should implement a check for
topology disconnection in similar way as `ipa
topologysegment-del` does. I mean, whenever a user tries to
disable a segment, the plugin should probably check whether it
disconnects any of the nodes.
well, I think disabling should be temporary, you want to
disconnect for some time, e.g. for debugging, not deleting the
agreement completely, I would allow this.
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
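
The disconnection check proposed in the message above, as an added example that is not part of the original thread or of FreeIPA's code: it models the three segments from the `ipa topologysegment-find` output as undirected links (an assumption, based on every segment being listed with Connectivity: both) and reports whether disabling one would split the topology. The function names are hypothetical.

```python
# Added example, not FreeIPA code. Segment data is copied from the
# `ipa topologysegment-find realm` output quoted in the thread.

# Segment name -> (left node, right node)
SEGMENTS = {
    "f22master.bagam.net-to-f22replica3.bagam.net":
        ("f22master.bagam.net", "f22replica3.bagam.net"),
    "replica1-to-replica2": ("f22replica1.bagam.net", "f22replica2.bagam.net"),
    "replica3-to-replica2": ("f22replica3.bagam.net", "f22replica2.bagam.net"),
}


def components(segments, disabled=()):
    """Return the groups of nodes still linked through enabled segments."""
    graph = {}
    for name, (left, right) in segments.items():
        # Register both nodes even if every segment touching them is disabled.
        graph.setdefault(left, set())
        graph.setdefault(right, set())
        if name not in disabled:
            graph[left].add(right)
            graph[right].add(left)
    seen, parts = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        part, stack = set(), [start]
        while stack:  # depth-first walk over enabled segments only
            node = stack.pop()
            if node not in part:
                part.add(node)
                stack.extend(graph[node] - part)
        seen |= part
        parts.append(part)
    return parts


def disable_would_disconnect(segments, name):
    """True if disabling segment `name` splits the topology further."""
    if name not in segments:
        raise KeyError(f"unknown segment: {name}")
    return len(components(segments, {name})) > len(components(segments))


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(seg, "->", disable_would_disconnect(SEGMENTS, seg))
```

In this linear topology every segment is a single point of failure, so the check flags all three; a redundant link between two nodes changes the answer.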