#6534 topology should not include A<->B segment "both" and B->A "left right" at the same time.
Closed: Fixed None Opened 3 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1398670

Description of problem:

We can see the following issue at some customer's deployment:

ipa topologysuffix-verify domain
========================================================
Replication topology of suffix "domain" contains errors.
========================================================
-------------------------------------------------------------
Recommended maximum number of agreements per replica exceeded
-------------------------------------------------------------
  Maximum number of agreements per replica: 4
  Server "server1" has 5 agreements with servers:
    server2
    server3
    server4
    server5
    server4


So, we see server4 twice!

When inspecting cn=topology tree, we can see the following entries:

dn: cn=server1-to-server4,cn=domain,cn=topology,cn=ipa,cn=etc,dc=unix,dc=local
 objectClass: iparepltoposegment
 objectClass: top
 cn: server1-to-server4
 ipaReplTopoSegmentLeftNode: server1
 ipaReplTopoSegmentRightNode: server4
 ipaReplTopoSegmentDirection: left-right
 ipaReplTopoSegmentStatus: autogen


But also:

dn: cn=server4-to-server1,cn=domain,cn=topology,cn=ipa,cn=etc,dc=unix,dc=local
 objectClass: iparepltoposegment
 objectClass: top
 cn: server4-to-server1
 ipaReplTopoSegmentLeftNode: server4
 ipaReplTopoSegmentRightNode: server1
 ipaReplTopoSegmentDirection: both
 ipaReplTopoSegmentStatus: autogen

Even if this could be valid as a setting, I think in IPA we should not allow
a "both" direction and a "left right" or "right left" direction between
the same nodes simultaneously. What would be the point of having redundant
replication conflicts?

Note that the DN is different because in one case it is node1 -> node2 "both" and
in the other node2 -> node1 "left right".
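
The redundancy described above can be found mechanically by grouping segments on the unordered node pair and expanding each segment's direction into the agreements it asks for. This is an added example, not part of the original ticket and not the check merged in the commits listed on this page; the function names and the trimmed sample LDIF are assumptions made here.

```python
from collections import Counter, defaultdict

# LDAP attribute names are case-insensitive, so keys are compared lower-cased.
LEFT, RIGHT = "iparepltoposegmentleftnode", "iparepltoposegmentrightnode"
DIRECTION = "iparepltoposegmentdirection"
# Constructed sample: the ticket's two segments (trimmed) plus a made-up third.
SAMPLE_LDIF = """\
cn: server1-to-server4
ipaReplTopoSegmentLeftNode: server1
ipaReplTopoSegmentRightNode: server4
ipaReplTopoSegmentDirection: left-right

cn: server4-to-server1
ipaReplTopoSegmentLeftNode: server4
ipaReplTopoSegmentRightNode: server1
ipaReplTopoSegmentDirection: both

cn: server1-to-server2
ipaReplTopoSegmentLeftNode: server1
ipaReplTopoSegmentRightNode: server2
ipaReplTopoSegmentDirection: both
"""

def parse_segments(ldif):
    """Parse simple LDIF (no folded or base64 lines) into one dict per entry."""
    return [{k.strip().lower(): v.strip()
             for k, _, v in (ln.partition(":") for ln in block.splitlines())}
            for block in ldif.strip().split("\n\n")]

def directed_edges(seg):
    """(supplier, consumer) agreements that one segment asks for."""
    left, right, direction = seg[LEFT], seg[RIGHT], seg[DIRECTION]
    edges = {(left, right)} if direction in ("both", "left-right") else set()
    if direction in ("both", "right-left"):
        edges.add((right, left))
    return edges

def redundant_pairs(entries):
    """Node pairs joined by more than one segment, with doubly requested edges."""
    by_pair = defaultdict(list)
    for seg in entries:
        by_pair[frozenset((seg[LEFT], seg[RIGHT]))].append(seg)
    report = {}
    for pair, segs in by_pair.items():
        if len(segs) > 1:
            counts = Counter(e for s in segs for e in directed_edges(s))
            dup = sorted(e for e, n in counts.items() if n > 1)
            report[tuple(sorted(pair))] = (sorted(s["cn"] for s in segs), dup)
    return report
```

Calling `redundant_pairs(parse_segments(SAMPLE_LDIF))` reports the server1/server4 pair with both segment names and the doubled server1 -> server4 agreement; the single server1/server2 segment is not flagged.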






A fix in DS will prevent the creation of visible conflicts and so prevent follow-up errors, but in a deployment where the conflicts already exist, raising the domain level can cause problems with segments.

So I suggest adding a check to the "ipa domainlevel-set" command to check if there are conflicts below cn=topology and reject raising the domainlevel.

More details in https://bugzilla.redhat.com/show_bug.cgi?id=1398670#c19

The fix is very valuable for 4.4 - it can prevent having to do a long, manual, error-prone procedure.

A limitation of checking for the conflict before upgrading the domainlevel is that conflicts happen only after a replication session. If the domainlevel is upgraded soon after upgrading to >= 4.3 and before a replication session reveals the conflict, the domainlevel can be set.

But the other check for domain level upgrade is that all masters need to support the new domainlevel; this already requires a replication session from the other upgraded masters.

ipa-4-4:

  • d028d23 Check for conflict entries before raising domain level

master:

  • 26bd7eb Check for conflict entries before raising domain level

Replying to [comment:4 lkrispen]:

> But the other check for domain level upgrade is that all masters need to support the new domainlevel; this already requires a replication session from the other upgraded masters.

After testing, I confirm you are right: upgrading the domainlevel immediately after startup (after upgrade to >=4.3) occurs after the conflict/replication_session occurred. So for upgrading the domainlevel there is no window in which it will miss the conflict.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.3

2 years ago
