#3053 [RFE] Simplify replication management of main and CS database
Closed: Invalid None Opened 7 years ago by dpal.

With the merge of the two DS instances we can potentially significantly simplify the replication management procedures used to deal with the replication agreements between the servers. Right now the main instance replication agreements and CS replication agreements are independent. It is useful in very advanced configurations when the deployment uses a different replication topology for CS and identity data. To simplify replication management I suggest the following scheme.

  1. Add a replicated bool configuration attribute "singleTopology". By default it will be set to true.
  2. If it is set to true, ipa-replica-manage will create/update/delete the pairs of replication agreements for the main instance and CS. Attempts to use ipa-csreplica-manage will return something like: "By default the CS replication agreements are managed automatically when you create replication agreements using ipa-replica-manage. To decouple the two and create independent topology for the CS and main DS instances use ipa-csreplica-manage --decouple. This is an irreversible operation."
  3. Once decoupled, the replication agreements can be managed independently as it is possible now.

There is no way to get back.
The whole feature is similar to the managed entries approach and can be explained in the documentation in similar terms.

We may be enabled to do this effort when #4302 is implemented. Moving to respective milestone.

With the implementation of the topology plugin #4302, this feature is available. The current design of the topology plugin configures the topology (segments) of a replicated suffix either directly or by a reference to another managed suffix. So initially a replication configuration can be set up by referencing an existing one.
The initialization of the databases has still to be triggered, there is no automatism planned yet.

Postponed, see freeipa-devel for reasoning.

Today I did a quick test of what is possible with the current version of the topology plugin and the current replica-install process.

  1. install master and 2 replicas with --setup-ca
  2. add topology suffix for o=ipaca (needs to be done via ldapmodify, ipa topology-suffix add doesn't yet exist)
  3. add ipaReplTopoManagedSuffix: o=ipaca to each master entry (again via ldapmodify, should be done during install or via a new command)
  4. edit TopoPluginConf in cn=config to manage o=ipaca
  5. restart servers. All replication agreements are transformed into segments and managed by the topo plugin
  6. add a new segment, replication agreements are generated, but as gssapi agreements, authentication does not work

For 6. we need to decide what type of repl agmts we want to use for the dogtag database. If it should be different, we could add the type and other data to the topology suffix entry and derive defaults from there.

For 4/5. I think we do not need this information in the cn=config topo plugin config; the presence of a topology suffix in the shared tree should be enough.

In 4.3 CA and Domain agreements are centrally managed using new managed topology feature.

But they are not managed "together" which is the subject of this ticket. This ticket is out of scope of 4.3 release. Moving to 4.4 backlog for future triage, but it's probable that it is out of scope of 4.4 as well.

I think this ticket is now obsolete since we moved agreement management into the topology plugin.
I propose to close it.

Triage result: With the topology graph in the Web UI, the topology structure is clear. Therefore this improvement is no longer needed.

Feedback about the topology graph is welcome.

Metadata Update from @dpal:
- Issue assigned to lkrispen
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago
