On 14.3.2016 16:26, Petr Vobornik wrote:
On 03/14/2016 12:57 PM, Jan Cholasta wrote:
On 14.3.2016 12:50, Martin Basti wrote:

On 14.03.2016 12:05, Jan Cholasta wrote:

On 11.3.2016 10:39, Stanislav Laznicka wrote:

Please see the patch attached. Contrary to the discussion at
https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
option for clean_ruv command. If this command is available for normal
RUVs, it should probably be available for CS-RUVs as well (or
for both with advised use of clean_dangling_ruv).

ipa-csreplica-manage is used to manage the CA suffix, so
ipa-csreplica-manage should be extended instead of adding --suffix
option to ipa-replica-manage. Having half of the CA suffix managed by
ipa-replica-manage and the other half by ipa-replica-manage is


There is a design document about deprecating ipa-csreplica-manage and
move part of its responsibilities to ipa-replica-manage.


So patch is compatible with design.

The design is wrong then.

I don't agree.

Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage
sub-commands respect the --suffix option. Anything else is inconsistent

That's the idea for domain level 1. There is little value in extending
behavior(managing replication agreements) in domain level 0.

Domain level 0 is still relevant, it won't go away anytime soon.

Main idea is to not care about suffixes and work with all suffixes right
away. This is reflected in clean-dangling-ruv command and these
extensions are its counterpart - to enable disabling the run. We mostly
care about replica IDs not suffixes they belong to. IMO --suffix option
is not necessary and is mostly for debugging.

One of the reasons why we have all the RUV commands is a mess after
uninstallation when somebody forgets/ignores to run
`ipa-csreplica-manage del $server` or also `ipa-replica-manage del
$server` before uninstallation of replica. Users then usually run
`ipa-replica-manage del $server` --force --clean` but
`ipa-csreplica-manage del $server` can't be run after it.  Changes in
4.3 and 4.4 tries to prevent this situation (e.g. by calling equivalent
of `ipa-cs+replica-manage del` from `ipa-server-install  --uninstall`).
But until then mess is cleaned on all servers, we should deal with it
with the most convenient way - hiding implementation details.

This is actually exposing implementation details by forcing the user to use a different command based on the domain level.

Please explain to me how any of the above requires us to introduce additional inconsistencies and bad UX to IPA.

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to