Re: [Freeipa-users] IPA RUV unable to decode
On 05/05/2015 04:49 PM, Mark Reynolds wrote:
> On 05/05/2015 07:49 AM, Ludwig Krispenz wrote:
>> On 05/05/2015 01:27 PM, Martin Kosek wrote:
>>> On 05/05/2015 12:38 PM, Vaclav Adamec wrote:
>>>> Hi,
>>>> I tried to migrate to the newest version of IPA, but the result is quite
>>>> unstable and removing old replicas ends with RUV which cannot be decoded
>>>> (it is stuck in the queue forever):
>>>>
>>>> ipa-replica-manage del ipa-master-dmz002.test.com -fc
>>>> Cleaning a master is irreversible.
>>>> This should not normally be require, so use cautiously.
>>>> Continue to clean master? [no]: yes
>>>>
>>>> ipa-replica-manage list-ruv
>>>> unable to decode: {replica 8} 5509123900040008 5509123900040008
>>>> unable to decode: {replica 7} 552f84cd00030007 552f84cd00030007
>>>> unable to decode: {replica 11} 551a42f7000b 551aa3140001000b
>>>> unable to decode: {replica 15} 551e82e10001000f 551e82e10001000f
>>>> unable to decode: {replica 14} 551e82ec0001000e 551e82ec0001000e
>>>> unable to decode: {replica 20} 552f4b7200060014 552f4b7200060014
>>>> unable to decode: {replica 10} 551a25af0001000a 551a25af0001000a
>>>> unable to decode: {replica 3} 551e864c00030003 551e864c00030003
>>>> unable to decode: {replica 5} 55083ad200030005 55083ad200030005
>>>> unable to decode: {replica 9} 550913e70009 550913e70009
>>>> unable to decode: {replica 19} 5521019300030013 5521019300030013
>>>> unable to decode: {replica 12} 551a4829000c 551a48c5000c
>>>> ipa-master-dmz001.test.com:389: 25
>>>> ipa-master-dmz002.test.com:389: 21
>>>>
>>>> Is it possible to clear this queue and leave only valid servers?
>>>>
>>>> Thanks in advance
>>>>
>>>> ipa-client-4.1.0-18.el7_1.3.x86_64
>>>> ipa-server-4.1.0-18.el7_1.3.x86_64
>>>
>>> Ludwig or Thierry, do you know? The questions about RUV cleaning seem to be
>>> recurring, I suspect there will be a pattern (bug) and not just a
>>> configuration issue.
>>
>> We have seen this in a recent thread, and it is clear that the RUV is
>> corrupted and cannot be decoded, but we don't have a scenario how this state
>> is reached.
>
> The cleaning task (cleanAllRUV) can remove these invalid replica RUVs (RUVs
> missing the ldap URL). To reproduce these invalid RUVs it requires
> replication being disabled and re-enabled with a different replica id.
>
> To manually clean these invalid RUV elements, outside of using the IPA CLI,
> you can directly issue the cleanAllRUV task to the Directory Server using
> ldapmodify:
>
> # ldapmodify -D "cn=directory manager" -W -a
> dn: cn=clean 8, cn=cleanallruv, cn=tasks, cn=config
> objectclass: extensibleObject
> replica-base-dn: dc=example,dc=com
> replica-id: 8
> cn: clean 8
>
> Run these one at a time, as there is a current limit of running 4 concurrent
> tasks. It is best to monitor the Directory Server errors log, or search on
> the task entry itself, to see when it has finished before firing off the
> next task.
>
> For more on using cleanAllRUV see:
>
> http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv
> http://www.port389.org/docs/389ds/design/cleanallruv-design.html
>
> Regards,
> Mark

Just for the record, ipa-replica-manage has a CLI for the CleanAllRUV task management:

# man ipa-replica-manage
...
       list-ruv - List the replication IDs on this server.
       clean-ruv [REPLICATION_ID] - Run the CLEANALLRUV task to remove a replication ID.
       abort-clean-ruv [REPLICATION_ID] - Abort a running CLEANALLRUV task.
       list-clean-ruv - List all running CLEANALLRUV and abort CLEANALLRUV tasks.
...

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA RUV unable to decode
This tool cannot clear undecoded RUVs, I had success only with cleanallruv.pl script.

Btw anybody know about some IDM training in Europe (RedHat/FreeIPA) ?

Vasek

On Wed, May 6, 2015 at 8:22 AM, Martin Kosek mko...@redhat.com wrote:
> Just for the record, ipa-replica-manage has a CLI for the CleanAllRUV task
> management:
>
> # man ipa-replica-manage
> ...
>        list-ruv - List the replication IDs on this server.
>        clean-ruv [REPLICATION_ID] - Run the CLEANALLRUV task to remove a replication ID.
>        abort-clean-ruv [REPLICATION_ID] - Abort a running CLEANALLRUV task.
>        list-clean-ruv - List all running CLEANALLRUV and abort CLEANALLRUV tasks.
> ...
Re: [Freeipa-users] IPA RUV unable to decode
Ludwig or Thierry, do you know? The questions about RUV cleaning seem to be recurring, I suspect there will be a pattern (bug) and not just a configuration issue.
Re: [Freeipa-users] IPA RUV unable to decode
We have seen this in a recent thread, and it is clear that the RUV is corrupted and cannot be decoded, but we don't have a scenario how this state is reached.
Re: [Freeipa-users] IPA RUV unable to decode
The cleaning task (cleanAllRUV) can remove these invalid replica RUVs (RUVs missing the ldap URL). To reproduce these invalid RUVs it requires replication being disabled and re-enabled with a different replica id.

To manually clean these invalid RUV elements, outside of using the IPA CLI, you can directly issue the cleanAllRUV task to the Directory Server using ldapmodify:

# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 8, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 8
cn: clean 8

Run these one at a time, as there is a current limit of running 4 concurrent tasks. It is best to monitor the Directory Server errors log, or search on the task entry itself, to see when it has finished before firing off the next task.

For more on using cleanAllRUV see:

http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv
http://www.port389.org/docs/389ds/design/cleanallruv-design.html

Regards,
Mark
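
The procedure described in the message above, as an added example that is not part of the original thread or of FreeIPA/389 DS code: a shell helper that reads `ipa-replica-manage list-ruv` output, picks out the undecodable replica IDs and writes one cleanAllRUV task entry per ID. The function names, the sample input and the live-server safeguard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build one cleanAllRUV task file per
# undecodable replica ID found in `ipa-replica-manage list-ruv` output.

# Constructed sample: four lines taken from the list-ruv output quoted in the thread.
SAMPLE_RUV='unable to decode: {replica 8} 5509123900040008 5509123900040008
unable to decode: {replica 11} 551a42f7000b 551aa3140001000b
ipa-master-dmz001.test.com:389: 25
ipa-master-dmz002.test.com:389: 21'

# Replica IDs of RUV elements that list-ruv could not decode, one per line.
undecodable_rids() {
    sed -n 's/^unable to decode: {replica \([0-9][0-9]*\)}.*/\1/p' | sort -n -u
}

# Replica IDs that list-ruv attributes to a live server ("host:port: id").
live_rids() {
    sed -n 's/^[^ ]*:[0-9][0-9]*: \([0-9][0-9]*\)$/\1/p' | sort -n -u
}

# Replica IDs to clean: undecodable and not in use by a live server.
# The live-server check is an added safeguard, not something the thread requires.
clean_plan() {
    ruv=$(cat)
    live=" $(printf '%s\n' "$ruv" | live_rids | tr '\n' ' ')"
    for rid in $(printf '%s\n' "$ruv" | undecodable_rids); do
        case "$live" in
            *" $rid "*) echo "skipping $rid: assigned to a live server" >&2 ;;
            *) echo "$rid" ;;
        esac
    done
}

# LDIF for one task entry, with the same attributes as the ldapmodify example.
# $1 = replica ID (digits only), $2 = replicated suffix, e.g. dc=example,dc=com
cleanallruv_ldif() {
    case "$1" in ''|*[!0-9]*) echo "bad replica id: $1" >&2; return 1 ;; esac
    [ -n "$2" ] || { echo "missing suffix" >&2; return 1; }
    printf 'dn: cn=clean %s, cn=cleanallruv, cn=tasks, cn=config\n' "$1"
    printf 'objectclass: extensibleObject\n'
    printf 'replica-base-dn: %s\nreplica-id: %s\ncn: clean %s\n' "$2" "$1" "$1"
}

# Read list-ruv output on stdin and write <dir>/clean-<id>.ldif for each ID in
# the plan, so the tasks can be submitted and watched one at a time.
# $1 = output directory, $2 = replicated suffix
write_task_files() {
    mkdir -p "$1" || return 1
    for rid in $(clean_plan); do
        cleanallruv_ldif "$rid" "$2" > "$1/clean-$rid.ldif" || return 1
        echo "$1/clean-$rid.ldif"
    done
}
```

Each generated file can then be submitted with `ldapmodify -D "cn=directory manager" -W -a -f <file>`, waiting for the task to finish before submitting the next one.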
Re: [Freeipa-users] IPA RUV unable to decode
Ok, so removing all replicas + uninstall and remove all ruv (except master) via cleanruv script seems to work. Thanks everybody for help, I'll try it in production now

Vasek