On 08/20/2014 02:55 PM, Petr Spacek wrote:
On 20.8.2014 10:58, Dmitri Pal wrote:
On 08/19/2014 07:55 PM, Joshua J. Kugler wrote:
A replica must connect to the master for initial setup; after that, the master
pushes to the replica.

j

On Tuesday, August 19, 2014 09:26:11 Ludwig Krispenz wrote:
What's wrong with your scenario B: master(s) in internal network, they
can contact consumers in DMZ and remote rack and replicate to them.
What do you mean by "to contact for setup" ?

Ludwig

On 08/19/2014 03:12 AM, Joshua J. Kugler wrote:
So, we have a need for replication, but the existing push-only methodology doesn't work for us. I suppose our problems could be attributed to over- zealous network rules, but it is what it is. :) I'd love to change our network policy, but we aren't in charge of network policy, and there is
no way I'm swaying the person that is.

Topology:
1) DMZ environments 1,...,n
2) An Internal network
3) A remote rack in a data center.

Rules (by "talk" I mean initiate connections to):
1) DMZs can talk to each other, somewhat.
2) The Internal network can talk to the DMZs
3) The DMZ *cannot* connect to the Internal network
4) The remote rack of course cannot contact the Internal network, but can
contact the DMZs.

Scenario A, Master in a DMZ:
- Slave in the Internal network could contact the DMZ master for replica

setup, but the Master could not contact the slave to push updates

- Slave in the remote rack could contact master in DMZ, but incoming to

remote rack is very restrictive, so it is possible that master couldn't
push.

Scenario B: Master in the Internal network.

   - Slaves in DMZ and remote rack couldn't contact master for setup,
   although

the master could contact the slaves to push updates.

Scenario C: Master in remote rack

- Not acceptable as remote rack is a testing rack, and may go down at
   any

time.

So, the best solution, from my current understanding is being able to
somehow>
do pull-updates for replicas, because then we could have this:
   - Master in DMZs
- Slaves in Internal network can contact Master in DMZ for replica setup
   and>
updates

- Slaves in remote rack can contact Master in DMZ for replica setup and

updates

Any feedback is appreciated, especially if I'm missing something...obvious
or minor.

j
I think you capture the problem correctly. There is unfortunately no solution
for this at the moment.
We considered looking into read only replicas but this is not exactly what would help here either since changes to RO replicas would be rerouted to the real masters and thos need to be accessible from DMZ or remote req in your
case - so it will be inbound connection here.
I am not sure there is a way to help you here with the current software. The only option I see is a two different domains - internal and external with some manually set trust in between. You bight be able to sync people in some way
with some scripts but still that would be quite fragile.
Are the users operating inside the FW and in DMZ/remote are really same users?

Or IPA-to-IPA trust? :-)

Joshua, if you want to experiment:

Ludwig said earlier in this thread that 389 replication will work fine if master is inside internal network (and thus able to contact other replicas in DMZ or external network).

It seems to me that main *technical* problem is "replica setup" phase where replica contacts the original master and not the other way around.
yes, and you make it a read only consumer, otherwise it would try to establish a replication connection. So it ends all up in setting this up 'manually'.

You can use e.g. SSH from master to replica and do some tricks with port forwarding and iptables/routing table so the replica will be able to contact the master inside internal network. (That will breach all policies you have, of course.)

If you want to experiment even more, you can try to use port forwarding for replica setup and then close the hole. 389 replication should work because master will connect to replica and not the other way around. I'm not sure what else will break...


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to