Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-23 Thread Petr Viktorin

On 01/22/2014 08:00 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 01/14/2014 07:59 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 01/13/2014 05:19 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host
checks would be done so the admin wouldn't die a death of a thousand
cuts.

If a leftover agreement exists then the replica install will fail. You
delete the agreement. The next install may fail too if the host exists.
We should check for both before quitting.


AFAIK nowadays ipa-replica-manage del should also remove the host entry,
so it's correct to suggest just that.



I couldn't find any place in the code the host is removed. This would
have to be a pretty specialized case because you'd only remove the host
if you were also deleting the last agreement.


Well, `ipa-replica-manage del` does remove all agreements. So if we
suggest deleting the replica, it makes no sense to suggest running
`ipa host-del` after it.


The replica_cleanup() function removes all principals associated to the
master you're deleting, effectively deleting the host. That's what you
saw in your reproduction (and why on a cursory look I couldn't find
anywhere we explicitly delete the host).

I still have the feeling one might see this two-step delete agreement,
delete host, particularly when installs go sideways, but we're talking a
rare case of running one extra command at worst. I wasn't able to force
it to happen so my concerns are likely unwarranted.


I'd like to see the situation where that happens. I'd consider it a bug
in ipa-replica-manage.



Given the patch fixes a real, rather than my potentially imaginary
issue, ACK. We can always revisit it if needed.


Thanks, pushed to master: b4401a17706176ed7a82d82ad559f30c78a37ab2

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-22 Thread Rob Crittenden

Petr Viktorin wrote:

On 01/14/2014 07:59 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 01/13/2014 05:19 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host
checks would be done so the admin wouldn't die a death of a thousand
cuts.

If a leftover agreement exists then the replica install will fail. You
delete the agreement. The next install may fail too if the host exists.
We should check for both before quitting.


AFAIK nowadays ipa-replica-manage del should also remove the host entry,
so it's correct to suggest just that.



I couldn't find any place in the code the host is removed. This would
have to be a pretty specialized case because you'd only remove the host
if you were also deleting the last agreement.


Well, `ipa-replica-manage del` does remove all agreements. So if we
suggest deleting the replica, it makes no sense to suggest running
`ipa host-del` after it.


The replica_cleanup() function removes all principals associated to the 
master you're deleting, effectively deleting the host. That's what you 
saw in your reproduction (and why on a cursory look I couldn't find 
anywhere we explicitly delete the host).


I still have the feeling one might see this two-step delete agreement, 
delete host, particularly when installs go sideways, but we're talking a 
rare case of running one extra command at worst. I wasn't able to force 
it to happen so my concerns are likely unwarranted.


Given the patch fixes a real, rather than my potentially imaginary
issue, ACK. We can always revisit it if needed.


rob



Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-16 Thread Petr Viktorin

On 01/14/2014 07:59 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 01/13/2014 05:19 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host
checks would be done so the admin wouldn't die a death of a thousand
cuts.

If a leftover agreement exists then the replica install will fail. You
delete the agreement. The next install may fail too if the host exists.
We should check for both before quitting.


AFAIK nowadays ipa-replica-manage del should also remove the host entry,
so it's correct to suggest just that.



I couldn't find any place in the code the host is removed. This would
have to be a pretty specialized case because you'd only remove the host
if you were also deleting the last agreement.


Well, `ipa-replica-manage del` does remove all agreements. So if we
suggest deleting the replica, it makes no sense to suggest running
`ipa host-del` after it.



$ ipa host-find
---
3 hosts matched
---
  Host name: vm-183.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-183.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-183.idm.lab.eng.brq.redhat.com

  Host name: vm-221.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-221.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-221.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: 35:59:48:7F:EA:A5:FC:CF:AA:93:7E:F0:BE:29:EC:A6 (ssh-rsa), A7:8A:B4:99:61:FC:C6:1A:B5:62:CD:56:F4:BD:49:CA (ecdsa-sha2-nistp256)

  Host name: vm-223.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-223.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-223.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: 7B:D1:4D:3E:5D:45:78:6D:4E:0A:4C:F4:DF:D9:7D:CE (ssh-rsa)

Number of entries returned 3

$ ipa-replica-manage list vm-223.idm.lab.eng.brq.redhat.com
vm-183.idm.lab.eng.brq.redhat.com: replica
vm-221.idm.lab.eng.brq.redhat.com: replica

$ ipa-replica-manage del vm-223.idm.lab.eng.brq.redhat.com
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: y
Deleting replication agreements between vm-223.idm.lab.eng.brq.redhat.com and vm-183.idm.lab.eng.brq.redhat.com, vm-221.idm.lab.eng.brq.redhat.com
ipa: INFO: Setting agreement cn=meTovm-183.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTovm-183.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'vm-183.idm.lab.eng.brq.redhat.com' to 'vm-223.idm.lab.eng.brq.redhat.com'
ipa: INFO: Setting agreement cn=meTovm-221.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTovm-221.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'vm-221.idm.lab.eng.brq.redhat.com' to 'vm-223.idm.lab.eng.brq.redhat.com'

Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C

$ ipa host-find
---
2 hosts matched
---
  Host name: vm-183.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-183.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-183.idm.lab.eng.brq.redhat.com

  Host name: vm-221.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-221.idm.lab.eng.brq.redhat@idm.lab.eng.brq.redhat.com
  Password: False
  Keytab: True
  Managed by: vm-221.idm.lab.eng.brq.redhat.com
  SSH public key fingerprint: 35:59:48:7F:EA:A5:FC:CF:AA:93:7E:F0:BE:29:EC:A6 (ssh-rsa), A7:8A:B4:99:61:FC:C6:1A:B5:62:CD:56:F4:BD:49:CA (ecdsa-sha2-nistp256)

Number of entries returned 2

$ ipa host-del vm-223.idm.lab.eng.brq.redhat.com
ipa: ERROR: vm-223.idm.lab.eng.brq.redhat.com: host not found

$



--
Petr³


Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-14 Thread Petr Viktorin

On 01/13/2014 05:19 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host
checks would be done so the admin wouldn't die a death of a thousand cuts.

If a leftover agreement exists then the replica install will fail. You
delete the agreement. The next install may fail too if the host exists.
We should check for both before quitting.


AFAIK nowadays ipa-replica-manage del should also remove the host entry, 
so it's correct to suggest just that.


--
Petr³



Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-14 Thread Rob Crittenden

Petr Viktorin wrote:

On 01/13/2014 05:19 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host
checks would be done so the admin wouldn't die a death of a thousand
cuts.

If a leftover agreement exists then the replica install will fail. You
delete the agreement. The next install may fail too if the host exists.
We should check for both before quitting.


AFAIK nowadays ipa-replica-manage del should also remove the host entry,
so it's correct to suggest just that.



I couldn't find any place in the code the host is removed. This would 
have to be a pretty specialized case because you'd only remove the host 
if you were also deleting the last agreement.


rob



Re: [Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2014-01-13 Thread Rob Crittenden

Petr Viktorin wrote:

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889


If memory serves this was done so that both the replication and the host 
checks would be done so the admin wouldn't die a death of a thousand cuts.


If a leftover agreement exists then the replica install will fail. You 
delete the agreement. The next install may fail too if the host exists. 
We should check for both before quitting.


rob



[Freeipa-devel] [PATCH] 0335 ipa-replica-install: Move check for existing host before DNS resolution check

2013-12-10 Thread Petr Viktorin

See commit message & ticket for details.

https://fedorahosted.org/freeipa/ticket/3889

--
Petr³
From 0c159673b1df2b31ce693398536ff31ebf4bb53a Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 10 Dec 2013 13:00:16 +0100
Subject: [PATCH] ipa-replica-install: Move check for existing host before DNS
 resolution check

The checks for existing host and existing replication agreement
set a flag that caused an exit() if any of them failed.

Between these checks there was an unrelated check, DNS resolution.
If the host and DNS checks both failed, this made it look like
the DNS check was the cause of failed install. Especially if the user
ignored the DNS check in unattended mode, the output was confusing.

Remove the flag and fail directly.
Do the replication agreement check first; fixing this with
ipa-replica-manage del will also remove the host entry.

Also, use the logger for error messages so they appear in the log
file as well as on the console.

https://fedorahosted.org/freeipa/ticket/3889
---
 install/tools/ipa-replica-install | 41 ---
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 0e7aefef48d47fefa290607e0604c014d9469fdd..462526bb456c6b8f80812cd061db26f590c8059d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -606,14 +606,34 @@ def main():
  tls_cacertfile=CACERT)
 replman = ReplicationManager(config.realm_name, config.master_host_name,
  config.dirman_password)
-found = False
+
+# Check that we don't already have a replication agreement
+try:
+(agreement_cn, agreement_dn) = replman.agreement_dn(host)
+entry = conn.get_entry(agreement_dn, ['*'])
+except errors.NotFound:
+pass
+else:
+root_logger.info('Error: A replication agreement for this host '
+'already exists.')
+print ('A replication agreement for this host already exists. '
+   'It needs to be removed.')
+print Run this on the master that generated the info file:
+print %% ipa-replica-manage del %s --force % host
+exit(3)
+
+# Check pre-existing host entry
 try:
 entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
-print The host %s already exists on the master server.\nYou should remove it before proceeding: % host
+except errors.NotFound:
+pass
+else:
+root_logger.info(
+'Error: Host %s already exists on the master server.' % host)
+print 'The host %s already exists on the master server.' % host
+print You should remove it before proceeding:
 print %% ipa host-del %s % host
-found = True
-except errors.NotFound:
-pass
+exit(3)
 
 # If remote host has DNS, check forward/reverse resolution
 with temporary_ldap2_connection(
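Review bot: Both new failure branches (the else: after the agreement lookup and the else: after the host lookup) log a message that begins with 'Error:' through root_logger.info, so the log file records the failure at info severity; root_logger.error would match the text and make the cause easier to find when triaging a failed install from the log. The same branches call bare exit(3), while the code being replaced used sys.exit(3) and the except clauses further down use sys.exit(...); using sys.exit(3) here keeps the function consistent and does not rely on the site-provided builtin. In the host check the value assigned to entry is never read, so the assignment can be dropped.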
@@ -633,17 +653,6 @@ def main():
 root_logger.debug('No IPA DNS servers, '
 'skipping forward/reverse resolution check')
 
-# Check that we don't already have a replication agreement
-try:
-(agreement_cn, agreement_dn) = replman.agreement_dn(host)
-entry = conn.get_entry(agreement_dn, ['*'])
-print A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:
-print %% ipa-replica-manage del %s --force % host
-found = True
-except errors.NotFound:
-pass
-if found:
-sys.exit(3)
 except errors.ACIError:
 sys.exit(\nThe password provided is incorrect for LDAP server %s % config.master_host_name)
 except errors.LDAPError:
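Review bot: Removing the found flag and the final "if found:" / "sys.exit(3)" means that when the master still has both a replication agreement and a host entry, only the agreement message is shown, and the install depends on ipa-replica-manage del also clearing the host entry. That ordering dependency is explained in the commit message but not in the code; a short comment at the relocated agreement check saying why it has to run before the host check would keep a later reorder from bringing back the two-step failure.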
-- 
1.8.3.1
