Re: [Freeipa-devel] Topology plugin quirks
On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: 1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with dangling segment pointing to the dysfunctional node. An attempt to delete it leads to: ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. if the endpoints of the segments are still in the managed master list and there is no other path connecting these two nodes the behaviour is correct. you need to remove the master first, teh segment should be removed automatically. ipa-replica-manage del should do this, it worked for me with the latest patches. can you provide a scenario where it fails ? And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond. 2.) I was not able to figure out a way remove replica from the topology without explosions or tampering 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to offending replica, leading to point 1). I managed to remove replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its' host entry from 'cn=masters'. Only after this was the plugin able to automagically removed the segments pointing to/from removed node. The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick-up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its' entry from cn=masters). 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
On 06/03/2015 01:32 PM, Oleg Fayans wrote: Hi Ludwig On 06/03/2015 12:23 PM, Ludwig Krispenz wrote: On 06/03/2015 11:51 AM, Oleg Fayans wrote: I confirm every point of this. did you test with all the latest patches applied ? In your issues you refer to crashes, the crashes reported should be resolved, if you still have crashes, pleas provide a core dump or scenario to reproduce the crash. With patch0009 ipa-replica-manage del worked for me Yep, patch 0009 is applied. The full list of patches applied on top of the master branch (at it's state yesterday at 10 PM) is as follows: freeipa-lkrispen-0007-replica-install-fails-with-domain-level-1.patch freeipa-lkrispen-0008-plugin-uses-1-as-minimum-domain-level-to-become-acti.patch freeipa-lkrispen-0009-crash-when-removing-a-replica.patch freeipa-mbasti-0262-Installers-fix-remove-temporal-ccache.patch freeipa-pvoborni-0857-1-topology-ipa-management-commands.patch freeipa-pvoborni-0858-1-webui-IPA.command_dialog-a-new-dialog-base-class.patch freeipa-pvoborni-0859-1-webui-use-command_dialog-as-a-base-class-for-passwor.patch freeipa-pvoborni-0860-1-webui-make-usage-of-all-in-details-facet-optional.patch freeipa-pvoborni-0861-2-webui-topology-plugin.patch freeipa-pvoborni-0862-webui-configurable-refresh-command.patch The scenario is pretty basic: 1. 3 fedora-21 vms with the latest directory server packages from mreynolds repo: 389-ds-base-2015_06_02-1.fc21.x86_64 2. setup master on one of them, prepare gpg files for two replicas 3. setup replicas using these gpg files. 4. Try to remove one of the replicas using command `ipa topologysegment-del` this should remove a segment, not a replica and it should be rejected 5. Try to create a new user via web UI on any of the replicas On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: 1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with dangling segment pointing to the dysfunctional node. An attempt to delete it leads to: ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. Furthermore, any attempts to delete a segment (even a properly setup one) lead to the same very error. And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond. 2.) I was not able to figure out a way remove replica from the topology without explosions or tampering 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to offending replica, leading to point 1). I managed to remove replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its' host entry from 'cn=masters'. Only after this was the plugin able to automagically removed the segments pointing to/from removed node. The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick-up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its' entry from cn=masters). 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
I confirm every point of this. On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: 1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with dangling segment pointing to the dysfunctional node. An attempt to delete it leads to: ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. Furthermore, any attempts to delete a segment (even a properly setup one) lead to the same very error. And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond. 2.) I was not able to figure out a way remove replica from the topology without explosions or tampering 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to offending replica, leading to point 1). I managed to remove replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its' host entry from 'cn=masters'. Only after this was the plugin able to automagically removed the segments pointing to/from removed node. The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick-up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its' entry from cn=masters). 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
On 06/03/2015 12:23 PM, Ludwig Krispenz wrote: On 06/03/2015 11:51 AM, Oleg Fayans wrote: I confirm every point of this. did you test with all the latest patches applied ? In your issues you refer to crashes, the crashes reported should be resolved, if you still have crashes, pleas provide a core dump or scenario to reproduce the crash. With patch0009 ipa-replica-manage del worked for me I thing I have missed this patch before, I will test it again with patch 0009 applied. On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: 1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with dangling segment pointing to the dysfunctional node. An attempt to delete it leads to: ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. Furthermore, any attempts to delete a segment (even a properly setup one) lead to the same very error. And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond. 2.) I was not able to figure out a way remove replica from the topology without explosions or tampering 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to offending replica, leading to point 1). I managed to remove replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its' host entry from 'cn=masters'. Only after this was the plugin able to automagically removed the segments pointing to/from removed node. The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick-up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its' entry from cn=masters). 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: Additional stuff: 1. was able to add duplicate segment - same left and right node - same direction - different cn It did not allow me to remove it: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. 2. topology plugin allows to create reflexive relation from the invalid duplicates(#1): A - B A - B to A - A B - B I.E. effective disconnect it is forbidden in `ipa topologysegment-mod` but I think that even the plugin should not allow that 3. attempt to delete the invalid reflexive or duplicate segment ends with: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
Hi Ludwig On 06/03/2015 12:23 PM, Ludwig Krispenz wrote: On 06/03/2015 11:51 AM, Oleg Fayans wrote: I confirm every point of this. did you test with all the latest patches applied ? In your issues you refer to crashes, the crashes reported should be resolved, if you still have crashes, pleas provide a core dump or scenario to reproduce the crash. With patch0009 ipa-replica-manage del worked for me Yep, patch 0009 is applied. The full list of patches applied on top of the master branch (at it's state yesterday at 10 PM) is as follows: freeipa-lkrispen-0007-replica-install-fails-with-domain-level-1.patch freeipa-lkrispen-0008-plugin-uses-1-as-minimum-domain-level-to-become-acti.patch freeipa-lkrispen-0009-crash-when-removing-a-replica.patch freeipa-mbasti-0262-Installers-fix-remove-temporal-ccache.patch freeipa-pvoborni-0857-1-topology-ipa-management-commands.patch freeipa-pvoborni-0858-1-webui-IPA.command_dialog-a-new-dialog-base-class.patch freeipa-pvoborni-0859-1-webui-use-command_dialog-as-a-base-class-for-passwor.patch freeipa-pvoborni-0860-1-webui-make-usage-of-all-in-details-facet-optional.patch freeipa-pvoborni-0861-2-webui-topology-plugin.patch freeipa-pvoborni-0862-webui-configurable-refresh-command.patch The scenario is pretty basic: 1. 3 fedora-21 vms with the latest directory server packages from mreynolds repo: 389-ds-base-2015_06_02-1.fc21.x86_64 2. setup master on one of them, prepare gpg files for two replicas 3. setup replicas using these gpg files. 4. Try to remove one of the replicas using command `ipa topologysegment-del` 5. Try to create a new user via web UI on any of the replicas On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: 1.) When replica install for whatever reason crashes _after_ the setup of replication agreements etc., it leaves the topology plugin with dangling segment pointing to the dysfunctional node. An attempt to delete it leads to: ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. Furthermore, any attempts to delete a segment (even a properly setup one) lead to the same very error. And you cannot reinstall the crashed replica because it complains about existing replication agreements. It would probably help to be able to force-remove the segments if one of the endpoints doesn't exist/respond. 2.) I was not able to figure out a way remove replica from the topology without explosions or tampering 'cn=masters,cn=ipa,cn=etc,$SUFFIX'. Obviously ipa-replica-manage del doesn't work anymore (I have tried just for fun, it leads to SIGSEGV of the host's dirsrv and leaves dangling segments to offending replica, leading to point 1). I managed to remove replica from the topology only by directly uninstalling FreeIPA on the node and then deleting its' host entry from 'cn=masters'. Only after this was the plugin able to automagically removed the segments pointing to/from removed node. The design page suggests that it should be enough to uninstall IPA server on the replica. The plugin would then pick-up the dangling segments and remove them automatically. However, this behavior seems to require additional modification of the uninstall procedure (e.g. the uninstalling replica should remove its' entry from cn=masters). 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
Hi Petr, good catch. I didn't check for self referential segments. There is a check for existing segments, but unfortuantely the entry lookup in the pblock was incorrect and the test always passed. For the removal, there is teh assumption that no duplicate segments exist and so removal of A-B only succeeds if there is another path from A to B. I'm building a patch and will sen to the list soon Ludwig On 06/03/2015 12:51 PM, Petr Vobornik wrote: On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: Additional stuff: 1. was able to add duplicate segment - same left and right node - same direction - different cn It did not allow me to remove it: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. 2. topology plugin allows to create reflexive relation from the invalid duplicates(#1): A - B A - B to A - A B - B I.E. effective disconnect it is forbidden in `ipa topologysegment-mod` but I think that even the plugin should not allow that 3. attempt to delete the invalid reflexive or duplicate segment ends with: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
On Wed, 2015-06-03 at 11:37 +0200, Martin Babinsky wrote: 3.) It seems that the removal of topology suffixes containing functioning segments is not handled well. I once tried to do this and it led to segmentation fault on the dirsrv instance. What is the expected behavior in this scenario? Dirsrv crashes are always critical bugs, please file tickets if you see any. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Topology plugin quirks
On Wed, 2015-06-03 at 12:51 +0200, Petr Vobornik wrote: On 06/03/2015 11:37 AM, Martin Babinsky wrote: Hi everyone, I have been playing with the topology related patches and I have encountered a few issues that I would like to address in this thread: Additional stuff: 1. was able to add duplicate segment - same left and right node - same direction - different cn It did not allow me to remove it: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. Odd, I would think that if you have 2 segments then either one would satisfy the topology requirement. Ludwig, why is the plugin allowing 2 segments and then does not recognize there is another one at removal time ? 2. topology plugin allows to create reflexive relation from the invalid duplicates(#1): A - B A - B to A - A B - B I.E. effective disconnect it is forbidden in `ipa topologysegment-mod` but I think that even the plugin should not allow that Yes, the plugin must forbid this case on its own. 3. attempt to delete the invalid reflexive or duplicate segment ends with: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed. The plugin should not allow duplicates or reflexive segments in the first place, so this should never be required then. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
