2. What is the difference between 'primary' and 'secondary'? What
happens if the primary machine gets destroyed?
In IPA all replicas are the same; they would only differ by the paths
over which they sync with each other and by the presence of an integrated CA (if any).

Do I need a CA in normal cases or is it just an additional and optional
service? In other words, is this CA the same as the one used by replicas,
clients, the UI, etc.?

Yes, and since you are planning for replication you should plan to have at least one of the replicas have a CA on it as well to avoid a single point of failure.

If you have deployed the original IPA server with an integrated CA, then your
other replicas had better include at least one with CA configured to allow
proper recovery in case the primary one is destroyed.

Are there any caveats to not deploy CA on all replicas as the simplest solution?

You don't need a CA on every single replica, but you probably want at least two.

4. How many "masters" can I use?
Technically there could be 65536 different masters in 389-ds replication


The 389-ds team has fully QA'd 20 masters at a time, so keep that in mind.

Also, replication is not free. It requires space to store the changes to send out, CPU time to calculate whom to send what and network bandwidth to share the data. Each master you add increases this workload.

Not to mention any administrative burden of running a lot of masters.

5. If I have a network like this:

A2          B2

A2 and B1,2 are replicated from A1

If the connection gets lost between A and B site, are B1 and 2 (and
A1,2) replicated fine?
I assume from the above that B1 does not know about B2 (and vice versa)?

Well, that is actually one of the questions. B1 and B2 are on the same
sites and failover nodes from point of view of clients.

You can manage the replication topology with ipa-replica-manage connect and disconnect. So if you want B1 and B2 connected you can do that.

Once connectivity between sites A and B is restored, all unreplicated data
will be replicated. There could be conflicts if there were changes on
both sides during the split, but the majority of them are solved
automatically by 389-ds.

The main question is that B1 and B2 are not replicated to each other
automatically? What about the case if

A1 -- replication -- A2 --- replication --- B1 -- replication -- B2

If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized?
Especially automatically...?
Is there such a failover configuration?

No, the masters only replicate to the ones you tell them to, so if B1 went away forever then B2 would never get any other updates unless you explicitly made a connection to A1 or A2.

6. If a client is installed with ipa-client-install using A1 and A1 is
lost, does the client know where it needs to connect (failover..)?
The IPA server which was used to enroll the host will be the primary one (A1 in
your example). There is failover in sssd.conf that uses the SRV records of the
domain, trying servers in the order returned by the SRV records.

Ahh. Then if I use external DNS, I need to configure these SRV records
manually, that's all, right?


7. Can I install slave (read-only) replicas so clients access them only
for queries and for changes (like pw change) they access the master?
No read-only replicas are available for IPA. All replicas are read-write and
propagate changes across replication paths as defined in replication
agreements. All IPA servers are really masters, thus we have
multi-master replication rather than master-slave.

Perfect, thanks for the clarification!
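
The chain from question 5 (A1 -- A2 -- B1 -- B2) can be checked for single points of failure before a master is actually lost. The following is an added example, not part of the original thread and not FreeIPA code: it takes a hand-transcribed list of replication agreements and reports, for each master, whether destroying it splits the survivors and whether any CA remains. `AGREEMENTS`, `CA_MASTERS` and the function names are hypothetical, and the assumption that only A1 carries the CA is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the chain topology from question 5 of the thread.
AGREEMENTS = [("A1", "A2"), ("A2", "B1"), ("B1", "B2")]
CA_MASTERS = {"A1"}  # assumption: only the first server carries the integrated CA


def components(agreements, masters):
    """Group surviving masters into sets that can still replicate with each other."""
    adj = defaultdict(set)
    for a, b in agreements:
        if a in masters and b in masters:
            adj[a].add(b)
            adj[b].add(a)
    seen, groups = set(), []
    for start in sorted(masters):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in group:
                group.add(node)
                stack.extend(adj[node] - group)
        seen |= group
        groups.append(group)
    return groups


def single_failure_report(agreements, ca_masters):
    """For each master, describe the state of the others if it is destroyed."""
    masters = {m for pair in agreements for m in pair}
    report = {}
    for lost in sorted(masters):
        groups = components(agreements, masters - {lost})
        report[lost] = {
            "partitions": sorted(sorted(g) for g in groups),
            "split": len(groups) > 1,  # survivors no longer all replicate together
            "ca_survives": bool(ca_masters - {lost}),
        }
    return report


if __name__ == "__main__":
    for lost, result in single_failure_report(AGREEMENTS, CA_MASTERS).items():
        print(lost, result)
```

Adding an agreement between A1 and B2 to the list (the kind of link `ipa-replica-manage connect` creates) turns the chain into a ring, and the report then shows no single loss splitting the survivors.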


