Re: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog

Wed, 22 Jul 2015 08:05:54 -0700 

On 20/07/15 19:04, Mark Reynolds wrote:



On 07/20/2015 12:50 PM, Martin Basti wrote:

On 20/07/15 17:48, Petr Vobornik wrote:

On 07/20/2015 05:24 PM, Rob Crittenden wrote:

Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5086

Patch attached.



Is this going to be a shock on upgrades for people who until now 
may be

relying on the fact that there is no limit?



Not making any point, but have to note: Ludwig raised a question on 
users list but there was no feedback from users.


https://www.redhat.com/archives/freeipa-users/2015-July/msg00022.html




Should there be a way for an admin to manage this, via the config 
module

perhaps?

IMHO this is a significant change and red flags need to be raised so
users are aware of it.

rob







IIUC there is purge delay 7 days, so if changelog max age is 7 or 
more days, it will not break replication.

The issue is if somebody uses changelog for different purpose, right?

Well the replication changelog can not be used for anything else but 
the multimaster replication plugin.  If a customer increased the 
replication purge delay you could potentially run into issues, but 
again this only comes into play when a replica is down for a very long 
time.  I'm not sure if IPA even provides the option to adjust the 
replication purge delay, but that doesn't mean a customer can not 
adjust these settings on their own.


Mark




I'm attaching new patch, that modifies behavior of 'addifnew' keyword in 
update files.

addifnew will no create new entry if doesn't exist.
This is required for proper working of patch 292


Rob are you okay with these patches, as Mark wrote, changelog is used 
only for replication plugins, so it should not cause any issues to users.


Martin^2

--
Martin Basti


From 257a3d77fe25e47b944978ff9aab77d56465cc1f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 20 Jul 2015 16:36:45 +0200
Subject: [PATCH] Limit max age of replication changelog

Limit max age of replication changelog to seven days, instead of grow to
unlimited size.

https://fedorahosted.org/freeipa/ticket/5086
---
 install/updates/20-replication.update | 4 ++++
 ipaserver/install/replication.py      | 1 +
 2 files changed, 5 insertions(+)

diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 066b9fcd4933864cdcbc451897c98063bdf55bbe..83d5d1f0c7c083e0c55c3e38a5be729d55b4e828 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -27,3 +27,7 @@ default: objectclass: top
 default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: $SUFFIX
 default: cn: realm
+
+# Set replication changelog limit (#5086)
+dn: cn=changelog5,cn=config
+addifnew: nsslapd-changelogmaxage: 7d
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e9af88dc4356d4fd5495f4fea399ab09c75db953..b3c391383352970d2ca89e1a333315ed1a47dea1 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -466,6 +466,7 @@ class ReplicationManager(object):
                 'objectclass': ["top", "extensibleobject"],
                 'cn': ["changelog5"],
                 'nsslapd-changelogdir': [os.path.join(dbdir, "cldb")],
+                'nsslapd-changelogmaxage': ['7d'],
             }
         )
         try:
-- 
2.4.3


From 5901a61d995dbed500fe728b45a89a1c96a1f06e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jul 2015 18:13:44 +0200
Subject: [PATCH] Server Upgrade: addifnew should not create entry

addifnew should add value only if entry exists, instead of creating
entry.
---
 ipaserver/install/ldapupdate.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6f796dfdc8bbac1bb99a8b5a1bd5a6aaa778db16..eaef77b2cd215a946c30787aa32e939bd9c297a7 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -669,8 +669,8 @@ class LDAPUpdate:
             elif action == 'addifnew':
                 self.debug("addifnew: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
                 # Only add the attribute if it doesn't exist. Only works
-                # with single-value attributes.
-                if len(entry_values) == 0:
+                # with single-value attributes. Entry must exist.
+                if entry.get('objectclass') and len(entry_values) == 0:
                     entry_values.append(update_value)
                     self.debug('addifnew: set %s to %s', attr, safe_output(attr, entry_values))
                     entry[attr] = entry_values
-- 
2.4.3


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code





















					Reply via email to