Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/12/2015 04:18 PM, Petr Vobornik wrote: Some notes: 1. As mentioned in the WIP patch thread: original 'del' worked also with winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be used for winsync agreements? At least man page says that. This patch doesn't support it if domain level 0. Is it a blocker? Following should be addressed in beta: 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with --force options. 3. Check for orphaned server is missing. I want to use proper graph traversing algorithm for that given that we have the whole topology. 4. Probably a work for topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though that it knows about its removal (doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted. Martin3 found that there is wrong hostname in one error message. Fixed. Patch 873 rebased. -- Petr Vobornik From 4456f0a8b515a2b1db1b0e1a0725394150a1dce4 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 11 Jun 2015 15:38:32 +0200 Subject: [PATCH] server: add del command this command is internal and is supposed to be used by ipa-replica-managed to delete replica. --- API.txt | 8 VERSION | 4 ++-- ipalib/plugins/server.py | 7 +++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/API.txt b/API.txt index 853d26a59bb5bb1ebff698924a36a30b7757c398..ff53e9457ebaa36004556feebd88515aea2a7a8d 100644 --- a/API.txt +++ b/API.txt 
@@ -3799,6 +3799,14 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: server_del +args: 1,2,3 +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?', exclude='webui') +output: Output('result', type 'dict', None) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: ListOfPrimaryKeys('value', None, None) command: server_find args: 1,10,4 arg: Str('criteria?', noextrawhitespace=False) diff --git a/VERSION b/VERSION index 741d50f2d9b7e564b6a480c73a378500e8d1aca1..2a835122143aa3a2e7c02a888f638ce5e5fcdf83 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=132 -# Last change: dkupka: User life cycle permissions naming and split +IPA_API_VERSION_MINOR=133 +# Last change: pvoborni - add server-del internal command diff --git a/ipalib/plugins/server.py b/ipalib/plugins/server.py index d22f1ea368ad09ab2cff00429f509c99d92f0f60..7fc44197343dbb651782fbf79993cbbe8818efed 100644 --- a/ipalib/plugins/server.py +++ b/ipalib/plugins/server.py @@ -87,3 +87,10 @@ class server_find(LDAPSearch): @register() class server_show(LDAPRetrieve): __doc__ = _('Show IPA server.') + + +@register() +class server_del(LDAPDelete): +__doc__ = _('Delete IPA server.') +NO_CLI = True +msg_summary = _('Deleted IPA server %(value)s') -- 2.1.0 From 402bd94281fd3d654d019f18536e09cdbb8e9781 Mon Sep 17 00:00:00 2001 
From: Petr Vobornik pvobo...@redhat.com Date: Fri, 12 Jun 2015 15:56:30 +0200 Subject: [PATCH] ipa-replica-manage: adjust del to work with managed topology Introduces new method for deletion of replica. This method is used if managed topology is enabled. part of https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 228 --- 1 file changed, 165 insertions(+), 63 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index a2b2c820d8e25a2587358e00dc4afc54b309d77b..1c82a6aa6f2c014f2238626435c5002c6b823bab 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -25,6 +25,7 @@ import traceback from urllib2 import urlparse import ldap import socket +import time from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils @@ -560,6 +561,13 @@ def check_last_link(delrepl, realm, dirman_passwd, force): else: return None +def check_last_link_managed(api, masters, hostname, force): +# segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') +# replica_names = [m.single_value('cn') for m in masters] +# orphaned = [] +# TODO add proper graph traversing algorithm here +return None + def enforce_host_existence(host, message=None): if host
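Review bot: server_del in ipalib/plugins/server.py has no pre_callback, so nothing in the command itself refuses to delete a master that still has service subentries or segments, or the last CA or DNS server; NO_CLI = True only hides it from the CLI, the RPC API still exposes it to any principal whose ACI allows deletes under cn=masters, and the API.txt hunk shows it accepts several names per call with a continue flag. The checks that make the deletion safe live only in ipa-replica-manage in patch 874, so either add a pre_callback that refuses to delete a server entry that still appears in a topology segment, or state in the docstring that the command must only be driven by ipa-replica-manage. The commit message also calls the tool 'ipa-replica-managed'; it is ipa-replica-manage.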
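Review bot: check_last_link_managed in install/tools/ipa-replica-manage always returns None, with the traversal left as a TODO and the force parameter unused, so with managed topology the tool never refuses, or even warns about, a deletion that would leave another master without any segment. Until the graph traversal exists the stub should at least print a warning and require --force, or the caller should keep using check_last_link for the suffix, rather than reporting success unconditionally.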
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/15/2015 10:57 AM, Petr Vobornik wrote:
> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>> Some notes:
>>
>> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>>
>> The following should be addressed in beta:
>>
>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>>
>> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>>
>> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>
> Martin3 found that there is a wrong hostname in one error message. Fixed.
>
> Patch 873 rebased.

Sorry, but NACK.

When I try to test the removal of the last CA master I get a generic error like this:

    unexpected error: no such entry

The traceback leading to this error is here: http://pastebin.test.redhat.com/290131

This is caused by the following test, which assumes that 'master' is a string, but it is in fact the whole result dictionary returned by api.Command.server_find:

    +if master == hostname:
    +this_services = services_cns

The following quick hack fixes this:

    +if str(master['dn'][0]['cn']) == hostname:
    +this_services = services_cn

but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling the API command on line 679.

-- 
Martin^3 Babinsky

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/15/2015 02:44 PM, Martin Babinsky wrote:
> On 06/15/2015 02:15 PM, Petr Vobornik wrote:
>> On 06/15/2015 01:46 PM, Martin Babinsky wrote:
>>> On 06/15/2015 10:57 AM, Petr Vobornik wrote:
>>>> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>>>>> Some notes:
>>>>>
>>>>> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>>>>>
>>>>> The following should be addressed in beta:
>>>>>
>>>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>>>>>
>>>>> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>>>>>
>>>>> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>>>>
>>>> Martin3 found that there is a wrong hostname in one error message. Fixed.
>>>>
>>>> Patch 873 rebased.
>>>
>>> Sorry, but NACK.
>>>
>>> When I try to test the removal of the last CA master I get a generic error like this:
>>>
>>>     unexpected error: no such entry
>>>
>>> The traceback leading to this error is here: http://pastebin.test.redhat.com/290131
>>>
>>> This is caused by the following test, which assumes that 'master' is a string, but it is in fact the whole result dictionary returned by api.Command.server_find:
>>>
>>>     +if master == hostname:
>>>     +this_services = services_cns
>>>
>>> The following quick hack fixes this:
>>>
>>>     +if str(master['dn'][0]['cn']) == hostname:
>>>     +this_services = services_cn
>>>
>>> but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling the API command on line 679.
>>
>> Ah, I had this originally when the serverservice object was used instead of a direct LDAP find in the WIP patch. The dict allows us to get the dn directly for the service search. CN is also in the dict: master['cn'][0], so there is no need to get it from the dn.
>>
>> Thanks for finding it. Updated patch attached.
>
> Everything seems to work as expected. ACK.

pushed to master
* d58bdf29a514a7868c63b767f4954891b10a574d server: add del command
* e9e4509b10e5064556f0aa9a6f0124f38f14b31b ipa-replica-manage: adjust del to work with managed topology

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/15/2015 01:46 PM, Martin Babinsky wrote:
> On 06/15/2015 10:57 AM, Petr Vobornik wrote:
>> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>>> Some notes:
>>>
>>> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>>>
>>> The following should be addressed in beta:
>>>
>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>>>
>>> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>>>
>>> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>>
>> Martin3 found that there is a wrong hostname in one error message. Fixed.
>>
>> Patch 873 rebased.
>
> Sorry, but NACK.
>
> When I try to test the removal of the last CA master I get a generic error like this:
>
>     unexpected error: no such entry
>
> The traceback leading to this error is here: http://pastebin.test.redhat.com/290131
>
> This is caused by the following test, which assumes that 'master' is a string, but it is in fact the whole result dictionary returned by api.Command.server_find:
>
>     +if master == hostname:
>     +this_services = services_cns
>
> The following quick hack fixes this:
>
>     +if str(master['dn'][0]['cn']) == hostname:
>     +this_services = services_cn
>
> but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling the API command on line 679.

Ah, I had this originally when the serverservice object was used instead of a direct LDAP find in the WIP patch. The dict allows us to get the dn directly for the service search.
CN is also in the dict: master['cn'][0] so not need to get it from dn. Thanks for finding it. Updated patch attached. -- Petr Vobornik From 40c0886df6a958a757eebd221863911acea8b98f Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 12 Jun 2015 15:56:30 +0200 Subject: [PATCH] ipa-replica-manage: adjust del to work with managed topology Introduces new method for deletion of replica. This method is used if managed topology is enabled. part of https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 229 --- 1 file changed, 166 insertions(+), 63 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index a2b2c820d8e25a2587358e00dc4afc54b309d77b..1b93166bce5c1d1fa6cba41cd87bc0833b2efe57 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -25,6 +25,7 @@ import traceback from urllib2 import urlparse import ldap import socket +import time from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils @@ -560,6 +561,13 @@ def check_last_link(delrepl, realm, dirman_passwd, force): else: return None +def check_last_link_managed(api, masters, hostname, force): +# segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') +# replica_names = [m.single_value('cn') for m in masters] +# orphaned = [] +# TODO add proper graph traversing algorithm here +return None + def enforce_host_existence(host, message=None): if host is not None and not ipautil.host_exists(host): if message is None: 
@@ -567,8 +575,161 @@ def enforce_host_existence(host, message=None): sys.exit(message) +def ensure_last_services(conn, hostname, masters, options): + +1. When deleting master, check if there will be at least one remaining + DNS and CA server. +2. Pick CA renewal master + +Return this_services, other_services, ca_hostname + + +this_services = [] +other_services = [] +ca_hostname = None + +for master in masters: +master_cn = master['cn'][0] +try: +services = conn.get_entries(master['dn'], conn.SCOPE_ONELEVEL) +except errors.NotFound: +continue +services_cns = [s.single_value['cn'] for s in services] +if master_cn == hostname: +this_services = services_cns +else: +other_services.append(services_cns) +if ca_hostname is None and 'CA' in services_cns: +ca_hostname = master_cn + +if 'CA' in this_services and not any(['CA' in o for o in other_services]): +print Deleting this server is not allowed as it would leave your installation without a CA. +sys.exit(1) + +other_dns = True +if 'DNS' in this_services and not any(['DNS' in o for o in
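Review bot: in ensure_last_services the test `if master_cn == hostname:` is a case-sensitive string comparison against a cn value that the directory treats case-insensitively; if the hostname typed on the command line differs in case from the stored cn and del_master does not normalize it first (nothing in this hunk does), this_services stays empty, the 'without a CA' and 'without a DNS' guards are skipped silently and the deletion goes ahead. Compare normalized values, e.g. `if master_cn.lower() == hostname.lower():`, and do the same for the `hostname in dnssec_masters` test. The errors.NotFound branch also `continue`s without any message, so a master whose service subentries cannot be read is counted as providing no CA and no DNS; that errs on the safe side but deserves at least a warning so the operator knows why a deletion was refused.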
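Review bot: check_last_link_managed is unchanged from the earlier revision: it still returns None unconditionally with the traversal left as a TODO and force unused, so this revision still performs no orphan check under managed topology and a deletion that would disconnect a remaining master is accepted without a warning.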
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/15/2015 02:15 PM, Petr Vobornik wrote:
> On 06/15/2015 01:46 PM, Martin Babinsky wrote:
>> On 06/15/2015 10:57 AM, Petr Vobornik wrote:
>>> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>>>> Some notes:
>>>>
>>>> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>>>>
>>>> The following should be addressed in beta:
>>>>
>>>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>>>>
>>>> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>>>>
>>>> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>>>
>>> Martin3 found that there is a wrong hostname in one error message. Fixed.
>>>
>>> Patch 873 rebased.
>>
>> Sorry, but NACK.
>>
>> When I try to test the removal of the last CA master I get a generic error like this:
>>
>>     unexpected error: no such entry
>>
>> The traceback leading to this error is here: http://pastebin.test.redhat.com/290131
>>
>> This is caused by the following test, which assumes that 'master' is a string, but it is in fact the whole result dictionary returned by api.Command.server_find:
>>
>>     +if master == hostname:
>>     +this_services = services_cns
>>
>> The following quick hack fixes this:
>>
>>     +if str(master['dn'][0]['cn']) == hostname:
>>     +this_services = services_cn
>>
>> but there is certainly a more elegant approach, like transforming the results to a list of master FQDNs directly after calling the API command on line 679.
>
> Ah, I had this originally when the serverservice object was used instead of a direct LDAP find in the WIP patch. The dict allows us to get the dn directly for the service search. CN is also in the dict: master['cn'][0], so there is no need to get it from the dn.
>
> Thanks for finding it. Updated patch attached.

Everything seems to work as expected. ACK.

-- 
Martin^3 Babinsky
[Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
Some notes: 1. As mentioned in the WIP patch thread: original 'del' worked also with winsync agreements. I'm not sure why is that. Shouldn't 'disconnect' be used for winsync agreements? At least man page says that. This patch doesn't support it if domain level 0. Is it a blocker? Following should be addressed in beta: 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with --force options. 3. Check for orphaned server is missing. I want to use proper graph traversing algorithm for that given that we have the whole topology. 4. Probably a work for topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though that it knows about its removal (doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted. -- Petr Vobornik From 8cb9cce314b97c785c7ea2bbadaf7d98c8c4f228 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Fri, 12 Jun 2015 15:56:30 +0200 Subject: [PATCH] ipa-replica-manage: adjust del to work with managed topology Introduces new method for deletion of replica. This method is used if managed topology is enabled. part of https://fedorahosted.org/freeipa/ticket/4302 --- install/tools/ipa-replica-manage | 228 --- 1 file changed, 165 insertions(+), 63 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index a2b2c820d8e25a2587358e00dc4afc54b309d77b..132ba914d586de640d4829612fe6b7bf2abc9a67 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -25,6 +25,7 @@ import traceback from urllib2 import urlparse import ldap import socket +import time from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils 
@@ -560,6 +561,13 @@ def check_last_link(delrepl, realm, dirman_passwd, force): else: return None +def check_last_link_managed(api, masters, hostname, force): +# segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') +# replica_names = [m.single_value('cn') for m in masters] +# orphaned = [] +# TODO add proper graph traversing algorithm here +return None + def enforce_host_existence(host, message=None): if host is not None and not ipautil.host_exists(host): if message is None: 
@@ -567,8 +575,160 @@ def enforce_host_existence(host, message=None): sys.exit(message) +def ensure_last_services(conn, hostname, masters, options): + +1. When deleting master, check if there will be at least one remaining + DNS and CA server. +2. Pick CA renewal master + +Return this_services, other_services, ca_hostname + + +this_services = [] +other_services = [] +ca_hostname = None + +for master in masters: +try: +services = conn.get_entries(master['dn'], conn.SCOPE_ONELEVEL) +except errors.NotFound: +continue +services_cns = [s.single_value['cn'] for s in services] +if master == hostname: +this_services = services_cns +else: +other_services.append(services_cns) +if ca_hostname is None and 'CA' in services_cns: +ca_hostname = master + +if 'CA' in this_services and not any(['CA' in o for o in other_services]): +print Deleting this server is not allowed as it would leave your installation without a CA. +sys.exit(1) + +other_dns = True +if 'DNS' in this_services and not any(['DNS' in o for o in other_services]): +other_dns = False +print Deleting this server will leave your installation without a DNS. +if not options.force and not ipautil.user_input(Continue to delete?, False): +sys.exit(Deletion aborted) + +# test if replica is not DNSSEC master +# allow to delete it if is last DNS server +if 'DNS' in this_services and other_dns and not options.force: +dnssec_masters = opendnssecinstance.get_dnssec_key_masters(conn) +if hostname in dnssec_masters: +print Replica is active DNSSEC key master. Uninstall could break your DNS system. 
+sys.exit(Deletion aborted) + +ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) +if ca.is_renewal_master(hostname): +try: +ca.set_renewal_master(options.host) +except errors.NotFound: +ca.set_renewal_master(ca_hostname) + +return this_services, other_services, ca_hostname + + +def cleanup_server_dns_entries(realm, hostname, suffix, options): +try: +if bindinstance.dns_container_exists(options.host, suffix, + dm_password=options.dirman_passwd): +bind = bindinstance.BindInstance() +bind.remove_master_dns_records(hostname, realm,
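Review bot: `if master == hostname:` in ensure_last_services compares an entry dict returned by api.Command.server_find with a string and is never true, so this_services is always empty, other_services also receives the services of the server being deleted, the 'without a CA' and 'without a DNS' guards and the DNSSEC key-master check can never fire, and `ca_hostname = master` stores a dict that is later handed to ca.set_renewal_master. Compare the entry's cn (master['cn'][0]) with hostname and store that cn in ca_hostname. In the renewal-master block, options.host is tried first without checking that it runs a CA, with errors.NotFound as the only signal that it does not; choosing the new renewal master from the masters whose service list contains 'CA', which is exactly what ca_hostname already holds, would avoid the blind attempt.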
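Note 3 above asks for a proper graph traversal over the managed topology to find servers that deleting a master would orphan. The following is an added example and not FreeIPA's code nor the patch's check_last_link_managed: it builds a directed graph from the topology segments of one suffix, drops the segments of the server being deleted, and reports which groups of remaining masters would still be mutually reachable. The segment attribute names (iparepltoposegmentleftnode, iparepltoposegmentrightnode, iparepltoposegmentdirection with the values both, left-right and right-left) are assumed to match what topologysegment_find returns; the masters and segments at the bottom are constructed sample data.

```python
"""Orphan check for a managed topology as a graph traversal (added example)."""
from collections import deque

# Direction values, assumed to match iparepltoposegmentdirection.
BOTH, LEFT_RIGHT, RIGHT_LEFT = 'both', 'left-right', 'right-left'


def build_graph(masters, segments, exclude=None):
    """Directed replication graph for one suffix: {master: set(targets)}.

    `segments` are dicts shaped like topologysegment_find results
    (attribute names assumed). Segments touching `exclude`, the master
    being deleted, are dropped because deleting it removes them.
    """
    graph = {m: set() for m in masters if m != exclude}
    for seg in segments:
        left = seg['iparepltoposegmentleftnode'][0]
        right = seg['iparepltoposegmentrightnode'][0]
        direction = seg['iparepltoposegmentdirection'][0]
        if left not in graph or right not in graph:
            continue  # touches the deleted master or an unknown host
        if direction in (BOTH, LEFT_RIGHT):
            graph[left].add(right)
        if direction in (BOTH, RIGHT_LEFT):
            graph[right].add(left)
    return graph


def reachable_from(graph, start):
    """Breadth-first search: masters that updates from `start` can reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def partitions_after_delete(masters, segments, hostname):
    """Groups of remaining masters that stay mutually reachable.

    Two masters share a group when each can reach the other, so a
    one-way segment does not join its ends. More than one group means
    deleting `hostname` would leave part of the topology unable to
    replicate with the rest; a group of size one is an orphaned master.
    """
    graph = build_graph(masters, segments, exclude=hostname)
    reach = {m: reachable_from(graph, m) for m in graph}
    groups, assigned = [], set()
    for m in sorted(graph):
        if m in assigned:
            continue
        group = sorted(n for n in graph if n in reach[m] and m in reach[n])
        assigned.update(group)
        groups.append(group)
    return groups


def deletion_is_safe(masters, segments, hostname):
    """True if every remaining master still reaches every other one."""
    return len(partitions_after_delete(masters, segments, hostname)) <= 1


def _segment(left, right, direction=BOTH):
    # Constructed sample entry in the assumed topologysegment_find shape.
    return {'iparepltoposegmentleftnode': [left],
            'iparepltoposegmentrightnode': [right],
            'iparepltoposegmentdirection': [direction]}


# Constructed sample topology: ring a-b-c-d-a where c->d is one-way only.
MASTERS = ['a.example.test', 'b.example.test',
           'c.example.test', 'd.example.test']
SEGMENTS = [_segment('a.example.test', 'b.example.test'),
            _segment('b.example.test', 'c.example.test'),
            _segment('c.example.test', 'd.example.test', LEFT_RIGHT),
            _segment('d.example.test', 'a.example.test')]

if __name__ == '__main__':
    for host in MASTERS:
        groups = partitions_after_delete(MASTERS, SEGMENTS, host)
        verdict = 'ok' if len(groups) <= 1 else 'would split topology'
        print('delete %s: %s %s' % (host, verdict, groups))
```

Run stand-alone it prints, for each master of the constructed ring, whether deleting it would split the topology: removing a.example.test or b.example.test does, because the one-way c->d segment cannot carry updates back. In the tool, the masters would come from server_find, the segments from topologysegment_find for each suffix, and partitions_after_delete would run once per suffix before any entry is deleted, refusing (or requiring --force) when more than one group comes back.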
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/12/2015 04:18 PM, Petr Vobornik wrote:
> Some notes:
>
> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>
> The following should be addressed in beta:
>
> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>
> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>
> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.

4. is tough. It also depends on where you remove the master entry. The removal of the master entry triggers the removal of the segments, which triggers the removal of the agreement, and the agreement could be removed before the segment removal is replicated (it is a race). So, on purpose, the removal of the segments is only triggered on the servers in the remaining topology; it also removes the credentials of the removed replica, so it will no longer be able to replicate back into the remaining topology. The assumption was that a removed replica will really be removed, and the focus was to remove any info on the removed replica from the remaining topology and prevent any updates from the removed replica.
Re: [Freeipa-devel] [PATCH] 873-874 ipa-replica-manage: adjust del to work with managed topology
On 06/12/2015 04:45 PM, Ludwig Krispenz wrote:
> On 06/12/2015 04:18 PM, Petr Vobornik wrote:
>> Some notes:
>>
>> 1. As mentioned in the WIP patch thread: the original 'del' also worked with winsync agreements. I'm not sure why that is. Shouldn't 'disconnect' be used for winsync agreements? At least the man page says that. This patch doesn't support it if the domain level is 0. Is it a blocker?
>>
>> The following should be addressed in beta:
>>
>> 2. If `ipa-replica-manage del` is run before `ipa-csreplica-manage del` then the `ipa-csreplica-manage del` will fail unless run with the --force option.
>>
>> 3. The check for orphaned servers is missing. I want to use a proper graph traversal algorithm for that, given that we have the whole topology.
>>
>> 4. Probably work for the topology plugin: I've seen that the removed master doesn't remove its segments and agreements even though it knows about its removal (it doesn't have its own entry in cn=masters). It leads to failed replication connection attempts. Not a big issue, but also not wanted.
>
> 4. is tough. It also depends on where you remove the master entry. The removal of the master entry triggers the removal of the segments, which triggers the removal of the agreement, and the agreement could be removed before the segment removal is replicated (it is a race). So, on purpose, the removal of the segments is only triggered on the servers in the remaining topology; it also removes the credentials of the removed replica, so it will no longer be able to replicate back into the remaining topology. The assumption was that a removed replica will really be removed, and the focus was to remove any info on the removed replica from the remaining topology and prevent any updates from the removed replica.

OK. `ipa-server-install --uninstall` needs some information to know that the replica was removed properly, and then not to complain about remaining replication agreements. Is there such information on the deleted replica which we can rely on?
-- 
Petr Vobornik