We have 4 IPA servers set up in a circular replication (each server can
replicate to 2 other servers), which created a replication that looks like
an 'O' .. but we have some replication issues:

Note: we are using FreeIPA for DNS and for user authentication and
authorization.

1. some records do not seem to get replicated when they get updated to all other nodes
2. almost weekly replication stops with many open files, ldapwhoami processes, etc.
    - replication-status.html usually will show Update Status = 'Error (1) Can't acquire busy server'
    - A restart of directory services sometimes fixes this, and sometimes a server reboot is required
    - no indication of failure in log files, other than 'can not contact ldap server'
    - sometimes restart of named-pkcs11 clears replication
    - The Max CSN number on all nodes has a timestamp that is consistently in the future. Which is very odd, and might be related. Easy to check by making a change on one of them, and then checking the CSN from the config.

Our architecture is 2 data centers, with a pair of servers in each. For
reliability we want to make all servers available to each data center. We
are running on CentOS 7.3.

It seems we are missing something somewhere to help make this reliable.
Errors 2-3 times a week is becoming a support nightmare.

Questions are:

1. should we have a different architecture (eg, 1 master, multiple slaves, multi-master)?
2. should we replicate less frequently? (what is best practice)
3. currently known issues with replication on CentOS 7.3?


Thanks,

-lance


-- 

*Lance Murray* | Senior Systems Admin | *SBI BITS*

Roppongi T-Cube 20F, 3-1-1 Roppongi, Minato-ku, Tokyo 106-0032 Japan

*T* +81-3-4510-7000 | *M* +81-070-1529-1960 | *E* lance.mur...@sbibits.com

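The CSN check mentioned in the message above, as an added example that is not part of the original post: it decodes the max CSN of each replica from `nsds50ruv` values and reports how far its timestamp is ahead of a reference time. It assumes the 389 Directory Server CSN layout (8 hex digits of Unix time, then 4 each for sequence number, replica ID and sub-sequence number); the function names, hostnames and CSN values are constructed for illustration.

```python
import re

# A 389-ds CSN is 20 hex digits: 8 timestamp (Unix seconds), 4 sequence
# number, 4 replica ID, 4 sub-sequence number.
CSN_RE = re.compile(r"^[0-9a-fA-F]{20}$")
# RUV element: {replica <id> <url>} <min CSN> <max CSN>
RUV_RE = re.compile(r"^\{replica (\d+) (\S+)\}\s+(\S+)\s+(\S+)")


def parse_csn(csn):
    """Split a CSN string into its four fields."""
    if not CSN_RE.match(csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    return {
        "timestamp": int(csn[0:8], 16),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def max_csn_skew(ruv_values, now):
    """Return {replica_id: seconds the max CSN is ahead of `now`}.

    Positive means the max CSN timestamp lies in the future. Elements
    without a min/max CSN pair (e.g. {replicageneration}) are skipped.
    """
    skew = {}
    for value in ruv_values:
        m = RUV_RE.match(value.strip())
        if not m:
            continue
        rid, _url, _min_csn, max_csn = m.groups()
        skew[int(rid)] = parse_csn(max_csn)["timestamp"] - now
    return skew


# Constructed sample nsds50ruv values (hostnames and CSNs are made up).
SAMPLE_RUV = [
    "{replicageneration} 58b0c3e1000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 58b0c3e2000000040000 58c7e200000100040000",
    "{replica 5 ldap://ipa2.example.test:389} 58b0c3f0000000050000 58c7d3f0000000050000",
    "{replica 6 ldap://ipa3.example.test:389}",
]
SAMPLE_NOW = 0x58C7D400  # constructed reference time, Unix seconds

if __name__ == "__main__":
    for rid, secs in sorted(max_csn_skew(SAMPLE_RUV, SAMPLE_NOW).items()):
        state = "in the future" if secs > 0 else "ok"
        print(f"replica {rid}: max CSN {secs:+d}s vs reference ({state})")
```

On a live server, pass `int(time.time())` as `now` and compare the result across all four nodes together with each host's NTP state.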