On 05/19/2016 08:52 AM, Ludwig Krispenz wrote:

On 05/19/2016 08:02 AM, Stanislav Laznicka wrote:
On 05/18/2016 04:44 PM, Petr Vobornik wrote:
On 05/18/2016 04:36 PM, Stanislav Laznicka wrote:
There's no ticket for this patch but as there was a fix to 389-ds
mentioned in https://fedorahosted.org/freeipa/ticket/5396, the TODO
section in clean_dangling_ruvs could be removed.

What about using

every time?

Is there a drawback which we would like to avoid?

The DS website mentions two possible risks
- possible loss of changes on deleted replica should these have not been reflected to some other replicas
this is a theoretical concern that there might be changes from the replica to be removed which are not yet on all servers, but to me the problem that cleaning ruvs hangs because replicas cannot be reached is the worse scenario.
- if some offline replica comes back online, it may re-pollute the RUVs back

I'm not sure of the probability of the second scenario, in my rather simple environment the re-pollution did not happen.
there have been fixes in 389-ds to prevent the repollution, so it should no longer happen.

Thank you, Ludwig. It seems reasonable to have the option set to 'yes' all the time, then.
From f02fb50f5356642e82902cbce6753e1e61b1628f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 18 May 2016 16:27:26 +0200
Subject: [PATCH] Remove dangling RUVs even if replicas are offline

Previously, an offline replica would mean the RUVs cannot
be removed otherwise the task would be hanging in the DS.
This is fixed in 389-ds 1.3.5.

 freeipa.spec.in                  | 6 +++---
 install/tools/ipa-replica-manage | 4 ----
 ipaserver/install/replication.py | 1 +
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 21426d2ef6e6a59e27cc9d46cce07cfd7409bf2b..b5c155bd6d2d90af4aecb4439c9a74e88be063bf 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -42,7 +42,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >=
+BuildRequires:  389-ds-base-devel >= 1.3.5
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
@@ -131,7 +131,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >=
+Requires: 389-ds-base >= 1.3.5
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -163,7 +163,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >=
+Requires(pre): 389-ds-base >= 1.3.5
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 14e768965601cef08f13792bb5cd086534199538..f6ec413a81cd7e311d64bdf89d87096da33bed50 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -753,10 +753,6 @@ def clean_dangling_ruvs(realm, host, options):
                 print('\t\tid: {id}, hostname: {host}'
                       .format(id=csruv[1], host=csruv[0]))
-    # TODO: this can be removed when #5396 is fixed
-    if offlines:
-        sys.exit("ERROR: All replicas need to be online to proceed.")
     if not options.force and not ipautil.user_input("Proceed with cleaning?", False):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index dd9453ce4fdac5d1bc43335fca2d8a96da62ad61..e4cb26f888089e5b9cabffab93ee2aab02eb8c02 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1353,6 +1353,7 @@ class ReplicationManager(object):
                 'cn': ['clean %d' % replicaId],
                 'replica-base-dn': [self.db_suffix],
                 'replica-id': [replicaId],
+                'replica-force-cleaning': ['yes'],

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to