Hi Oleg,
On 06/22/2015 02:49 PM, Oleg Fayans wrote:
Hi Ludwig,

Could you please clarify how `ipa topologysegment-mod --enabled=off` should work? My initial understanding was that it disables any changes to go through the disabled segment, but as it turns out, it does let the topology-related info through, and filters out all the rest.
What I mean is that, having a line topology like this:

master - rep1 - rep2 - rep3 - rep4

When I disable the rep2-rep3 segment, then:
1. any user created on master does not appear on rep3 and rep4 (as expected), but
2. changes in topology made on rep4 do get replicated to master

Is it an expected behavior?

expected: yes, intended: no

If you disable rep2-rep3 on master or repl1 or repl2, this change arrives at repl2 and will disable the agreement to repl3. This can happen before the change is replicated to repl3, and so the setting to off does not arrive at repl3 and it will still replicate back to repl2. In a previous discussion there was agreement that we do not want to support disablement of a segment, but it is not yet enforced.

This problem is similar to the one where a master is removed: the segments connecting it (and the repl agmts) are removed and these changes do not arrive at the removed master. To handle this, either a check whether changes have been received at other servers would be needed, or the removal would have to be done with some delay, ... This was not pursued since the removed master would be gone, and in the remaining topology connections to it are removed and also its credentials are removed, so even if it has a leftover agreement it will not be able to replicate back into the remaining topology.
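
The ordering described in the reply above can be reproduced with a small model. This is an added illustration, not part of the original message and not FreeIPA code: it assumes each segment is a pair of one-way agreements and that a server switches off its own outgoing agreement as soon as it applies the "segment off" change. All function names are hypothetical.

```python
# Simplified model (assumption): each segment is two one-way agreements, and a
# server turns off its own outgoing agreement as soon as it applies the change.
SERVERS = ["master", "rep1", "rep2", "rep3", "rep4"]  # line topology from the thread


def new_topology():
    """Return {(supplier, consumer): enabled} for every neighbour pair."""
    agmts = {}
    for left, right in zip(SERVERS, SERVERS[1:]):
        agmts[(left, right)] = True
        agmts[(right, left)] = True
    return agmts


def replicate(agmts, origin, disable_segment=None):
    """Flood one change from origin over enabled agreements.

    If disable_segment=(a, b) is given, the change is "segment a-b off":
    a server that applies it disables its own agreement on that segment
    before it gets a chance to send the change across it.
    Returns the set of servers that received the change.
    """
    received, queue = {origin}, [origin]
    while queue:
        server = queue.pop(0)
        if disable_segment and server in disable_segment:
            a, b = disable_segment
            peer = b if server == a else a
            agmts[(server, peer)] = False  # own outgoing direction only
        for (supplier, consumer), enabled in list(agmts.items()):
            if supplier == server and enabled and consumer not in received:
                received.add(consumer)
                queue.append(consumer)
    return received


def scenario():
    """Disable rep2-rep3 on master, then make one change on each end."""
    agmts = new_topology()
    saw_disable = replicate(agmts, "master", disable_segment=("rep2", "rep3"))
    user_on_master = replicate(agmts, "master")  # later ordinary change
    change_on_rep4 = replicate(agmts, "rep4")    # later change made on rep4
    return agmts, saw_disable, user_on_master, change_on_rep4
```

In this model the segment ends up half-disabled: rep2 no longer sends to rep3, while rep3 never learns of the change and keeps sending to rep2.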
