Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1398670
Description of problem:

We can see the following issue at some customer's deployment:

    ipa topologysuffix-verify domain
    ========================================================
    Replication topology of suffix "domain" contains errors.
    ========================================================
    -------------------------------------------------------------
    Recommended maximum number of agreements per replica exceeded
    -------------------------------------------------------------
      Maximum number of agreements per replica: 4
      Server "server1" has 5 agreements with servers:
        server2
        server3
        server4
        server5
        server4

So, we see server4 twice!

When inspecting the cn=topology tree, we can see the following entries:

    dn: cn=server1-to-server4,cn=domain,cn=topology,cn=ipa,cn=etc,dc=unix,dc=local
    objectClass: iparepltoposegment
    objectClass: top
    cn: server1-to-server4
    ipaReplTopoSegmentLeftNode: server1
    ipaReplTopoSegmentRightNode: server4
    ipaReplTopoSegmentDirection: left-right
    ipaReplTopoSegmentStatus: autogen

But also:

    dn: cn=server4-to-server1,cn=domain,cn=topology,cn=ipa,cn=etc,dc=unix,dc=local
    objectClass: iparepltoposegment
    objectClass: top
    cn: server4-to-server1
    ipaReplTopoSegmentLeftNode: server4
    ipaReplTopoSegmentRightNode: server1
    ipaReplTopoSegmentDirection: both
    ipaReplTopoSegmentStatus: autogen

Even if this could be valid as a setting, I think in IPA we should not allow a "both" direction and a "left right" or "right left" direction between the same nodes simultaneously. What would be the point of having redundant replication conflicts? Note that the DN is different because in one case it is node1 -> node2 "both" and in the other node2 -> node1 "left right".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
A fix in DS will prevent the creation of visible conflicts and so prevent follow-up errors, but in a deployment where the conflicts already exist, raising the domain level can cause problems with segments.
So I suggest adding a check to the "ipa domainlevel-set" command to check if there are conflicts below cn=topology and reject raising the domainlevel.
More details in https://bugzilla.redhat.com/show_bug.cgi?id=1398670#c19
The fix is very valuable for 4.4 - it can prevent having to do a long, manual, error-prone procedure.
A limitation of checking for the conflict before upgrading the domainlevel is that a conflict happens only after a replication session. If the domainlevel is upgraded soon after upgrading to >= 4.3 and before a replication session reveals the conflict, the domainlevel can be set.
But the other check for the domain level upgrade is that all masters need to support the new domainlevel; this already requires a replication session from the other upgraded masters.
ipa-4-4:
master:
Replying to [comment:4 lkrispen]:
After testing I confirm you are right: upgrading the domainlevel immediately after startup (after upgrade to >=4.3) occurs after the conflict/replication_session occurred. So for upgrading the domainlevel there is no window in which it will miss the conflict.
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.4.3
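The redundant segments shown in the description (server1-to-server4 and server4-to-server1) can be found in an LDIF export of cn=topology by grouping segments on their unordered node pair. This is an added example, not FreeIPA's code and not the check that was implemented for this ticket; the helper names and the third sample entry are constructed, and it assumes simple LDIF without line folding or base64 values.

```python
from collections import defaultdict

LEFT = "ipaReplTopoSegmentLeftNode".lower()
RIGHT = "ipaReplTopoSegmentRightNode".lower()
DIRECTION = "ipaReplTopoSegmentDirection".lower()

def _segment(name, left, right, direction):
    # Hypothetical helper: builds one LDIF entry in the shape quoted in the ticket.
    return (f"dn: cn={name},cn=domain,cn=topology,cn=ipa,cn=etc,dc=unix,dc=local\n"
            f"objectClass: iparepltoposegment\ncn: {name}\n"
            f"ipaReplTopoSegmentLeftNode: {left}\nipaReplTopoSegmentRightNode: {right}\n"
            f"ipaReplTopoSegmentDirection: {direction}\n")

# Constructed sample: the two entries from the ticket plus one unrelated segment.
SAMPLE_LDIF = "\n".join([
    _segment("server1-to-server4", "server1", "server4", "left-right"),
    _segment("server4-to-server1", "server4", "server1", "both"),
    _segment("server1-to-server2", "server1", "server2", "both"),
])

def parse_entries(ldif_text):
    """Split blank-line separated LDIF into dicts of lower-cased attr -> [values]."""
    entries = []
    for block in ldif_text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def redundant_segments(ldif_text):
    """Map each node pair joined by more than one segment to its (cn, direction) list."""
    by_pair = defaultdict(list)
    for e in parse_entries(ldif_text):
        is_segment = "iparepltoposegment" in (v.lower() for v in e["objectclass"])
        if not (is_segment and e[LEFT] and e[RIGHT] and e["cn"]):
            continue
        # Sort the node names so A->B and B->A fall into the same bucket.
        pair = tuple(sorted((e[LEFT][0].lower(), e[RIGHT][0].lower())))
        by_pair[pair].append((e["cn"][0], (e[DIRECTION] or ["?"])[0]))
    return {pair: segs for pair, segs in by_pair.items() if len(segs) > 1}

if __name__ == "__main__":
    for pair, segs in redundant_segments(SAMPLE_LDIF).items():
        print(pair, "->", segs)
```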