On 07/13/2012 04:00 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 07/12/2012 07:46 AM, Martin Kosek wrote:
>>> On 07/11/2012 09:27 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> IPA 3.0 introduced range ID objects in replicated space which specify
>>>>> a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
>>>>> default ID range which should correspond with IDs assigned to IPA
>>>>> users.
>>>>>
>>>>> However, since correct range size is not known, we should at least
>>>>> warn that a range with invalid size was created so that user can
>>>>> amend it.
>>>>>
>>>>>
>>>>> I created 2 new tickets to further improve this area:
>>>>>
>>>>> 1) #2918: [doc] Upgrade procedure section should mention ipa-ldap-updater
>>>>> 2) #2919: Improve safety checks in range command
>>>>>
>>>>>
>>>>> To test this patch, you can:
>>>>> 1) Install unpatched IPA server (and you may install replicas too) with
>>>>> custom --idstart and --idmax options where difference is greater than 200000
>>>>> 2) Remove default range with range-del command (will be restored during
>>>>> upgrade)
>>>>> 3) Run RPM upgrade with RPMs built from patched sources - ERROR should now be
>>>>> printed during update stating that a new range was created but its size is
>>>>> not right
>>>>
>>>> I don't understand step 2, why would someone remove their range before
>>>> upgrading?
>>>>
>>>> I installed with a 50k range, didn't remove it, then upgraded with no warning.
>>>> I deleted the range and re-installed the packages again, still no warning but a
>>>> new 200k range was created for me.
>>>>
>>>> rob
>>>
>>> The step 2 is artificial and is only done to force the default_range update
>>> plugin to create/restore the default IPA range. The plugin would just be
>>> skipped otherwise.
>>>
>>> We can only detect ranges larger than 200k - judging just from the number of
>>> free IDs. Thus, a 50k range will pass without any warning or error. If you create
>>> a bigger range (this can be detected unless you deplete all IDs below 200k
>>> mark), you will receive the warning. All this procedure will not handle all
>>> situations ATM, it's just heuristics to cover most cases...
>>>
>>> Martin
>>
>> Sending an updated patch with 2 small changes:
>> 1) Console error formatting was changed similar to ipa-client-install
>> 2) ipa-ldap-updater does not print information message when IPA is not
>> configured to stderr so that rpm update output stays clean when updating rpms
>> in machine without IPA installed
>>
>> This is the output of RPM with the new patch set:
>>
>> # ipa range-del IDM.LAB.BOS.REDHAT.COM_id_range
>> --------------------------------------------------
>> Deleted ID range "IDM.LAB.BOS.REDHAT.COM_id_range"
>> --------------------------------------------------
>> # rpm -Uvh --force freeipa-*
>> Preparing...                ########################################### [100%]
>>     1:freeipa-python         ########################################### [ 14%]
>>     2:freeipa-client         ########################################### [ 29%]
>>     3:freeipa-admintools     ########################################### [ 43%]
>>     4:freeipa-server         ########################################### [ 57%]
>>     5:freeipa-server-selinux ########################################### [ 71%]
>>     6:freeipa-server-trust-ad########################################### [ 86%]
>>     7:freeipa-debuginfo      ########################################### [100%]
>> ERROR: default_range: could not verify default ID range size
>> Please use the following command to set correct ID range size
>>    $ ipa range-mod IDM.LAB.BOS.REDHAT.COM_id_range --range-size=RANGE_SIZE
>> RANGE_SIZE may be computed from --idstart and --idmax options used during IPA
>> server installation:
>>    RANGE_SIZE = (--idmax) - (--idstart) + 1
>>
>> Martin
>>
> 
> Your sys.exit() changes to ipa-ldap-updater cause the return val to be 0 when
> IPA is not configured. It should return 1.
> 
> Fix that and ACK.
> 
> rob

Fixed and pushed all 3 to master.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
