[Freeipa-devel] Understanding FreeIPA replica internals

James purpleidea at gmail.com
Fri May 23 21:05:44 UTC 2014


On Fri, 2014-05-23 at 12:42 +0200, Martin Kosek wrote:
> On 05/23/2014 07:01 AM, James wrote:
> > I'm trying to understand some of the FreeIPA replication internals so
> > that I can better know how to do this properly in Puppet without
> > storing any secret information in Puppet, and so that automating
> > FreeIPA is awesome.
> > 
> > Please point me to any docs, if there is reading I could be doing :)
> > 
> > Here are some open questions I have:
> > 
> > 1) Is the GPG file created with ipa-replica-prepare using a symmetric
> > password and is that password equal to the dm_password ? If not, where
> > do the pub/priv key pairs come from and how do they get transferred to
> > the replica.
> 
> Yes. Grep for function expand_replica_info in FreeIPA git.
Found it, very helpful, thanks!

> 
> > 
> > 2) If I have root on the IPA server (actually all of them) how can I
> > run ipa-replica-prepare without needing interactive prompting for
> > entering the password. It's not possible with puppet. Is there another
> > (possibly less user friendly even) method to "prepare" the replica?
> > What is prepare actually doing?
> 
> For that, you can for example use --password for passing the DM password.
Good to know, but I'd like to avoid knowing the password actually. More
in the other thread...

> 
> 
> > 3) With a multi master setup, what happens if I run the same action
> > (eg: user-mod or user-add or user-del) on more than one server.
> 
> I would not do that, you risk replication conflicts on entries or attributes.
> More here:
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
If the exact same action is run on different servers at the same time,
will it still cause a replication conflict, or will it auto-resolve ?

> 
> > Can I
> > run it on any server?
> 
> Yes.
> 
> > What if I run different user-mod commands of the
> > same user on different masters. Is there split brain?
> 
> Then you get a replication conflict. I think in case of attributes, last
> modification wins.
> 
> > Are all the
> > transactions and writes synchronous across the whole cluster?
> 
> They are not synchronous, it takes some time for a change to replicate to all
> masters.
> 
> > Please
> > point me to a doc that explains this FAQ stuff if possible. Sorry for
> > the noise
> 
> You should be able to get a reasonable starting information here:
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html
> 
> or here:
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html

This is good information, thanks. I will have to do my homework and come
back when I have more questions.

Thanks again,
James

> 
> HTH,
> Martin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140523/486c6f31/attachment.sig>
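The conflict behaviour Martin describes in question 3 (identical operations on several masters, differing user-mod commands on the same entry, asynchronous propagation) is easier to reason about with a small model of how 389-DS, the directory server under FreeIPA, orders writes. The following is an added illustration written for this archive page; it is not FreeIPA or 389-DS code. It models a CSN (change sequence number) as (timestamp, sequence, replica id) and keeps only the parts of the real algorithm needed for the scenarios in the thread: attribute-level "highest CSN wins" for modifications, and an entry-level naming conflict when the same DN is added on two masters, where the later add is renamed to nsuniqueid=<id>+<rdn> and flagged with nsds5ReplConflict. The two-master topology, DNs, nsuniqueid format and timestamps are constructed; real CSNs also carry a subsequence number and a clock-skew adjustment, and real conflict handling covers more cases (modify versus delete, glue entries) than shown here.

```python
# Simplified two-master model of 389-DS conflict resolution.  Added example,
# not FreeIPA/389-DS code; DNs, ids and timestamps below are constructed.
import itertools


class Master:
    def __init__(self, replica_id):
        self.replica_id = replica_id
        self._seq = itertools.count(1)
        self.entries = {}     # nsuniqueid -> entry dict
        self.changelog = []   # local changes to ship to peers
        self.applied = set()  # CSNs already applied, local or replicated

    def _new_csn(self, ts):
        # Modelled CSN: (timestamp, sequence, replica id); tuple order == CSN order.
        return (ts, next(self._seq), self.replica_id)

    def _uid_for_dn(self, dn):
        return next(u for u, e in self.entries.items() if e["dn"] == dn)

    # Local operations, as `ipa user-add/-mod/-del` would issue against this master.
    def user_add(self, dn, ts, **attrs):
        csn = self._new_csn(ts)
        uid = "%d-%04d" % (self.replica_id, csn[1])   # nsuniqueid minted here (assumed format)
        self._local(("add", uid, csn, {"dn": dn, "attrs": attrs}))
        return uid

    def user_mod(self, dn, ts, **attrs):
        self._local(("mod", self._uid_for_dn(dn), self._new_csn(ts), attrs))

    def user_del(self, dn, ts):
        self._local(("del", self._uid_for_dn(dn), self._new_csn(ts), None))

    def _local(self, change):
        self.changelog.append(change)
        self.replay(change)

    # Apply one change, whether issued locally or received from a peer.
    def replay(self, change):
        op, uid, csn, payload = change
        if csn in self.applied:
            return
        self.applied.add(csn)
        if op == "add":
            self._add(uid, csn, payload["dn"], payload["attrs"])
        elif op == "mod":
            entry = self.entries.get(uid)
            if entry is None:            # deleted on a peer meanwhile: nothing to update
                return
            for name, value in payload.items():
                current = entry["attrs"].get(name)
                if current is None or csn > current[1]:   # per attribute: highest CSN wins
                    entry["attrs"][name] = (value, csn)
        elif op == "del":
            self.entries.pop(uid, None)  # already gone: both sides still converge

    def _add(self, uid, csn, dn, attrs):
        new = {"uid": uid, "dn": dn, "created": csn, "conflict": None,
               "attrs": {k: (v, csn) for k, v in attrs.items()}}
        holder = next((e for e in self.entries.values() if e["dn"] == dn), None)
        if holder is not None:
            # Same DN added on two masters: the later add (higher CSN) loses the DN,
            # is renamed under its nsuniqueid and marked with nsds5ReplConflict.
            loser = new if csn > holder["created"] else holder
            rdn, _, parent = dn.partition(",")
            loser["dn"] = "nsuniqueid=%s+%s,%s" % (loser["uid"], rdn, parent)
            loser["conflict"] = "namingConflict " + dn
        self.entries[uid] = new


def replicate(src, dst):
    """Asynchronous one-way push of src's changelog to dst."""
    for change in src.changelog:
        dst.replay(change)


def snapshot(master):
    """dn -> (plain attribute dict, nsds5ReplConflict value), for comparing masters."""
    return {e["dn"]: ({k: v for k, (v, _) in e["attrs"].items()}, e["conflict"])
            for e in master.entries.values()}


def run_scenarios():
    base = "cn=users,cn=accounts,dc=example,dc=test"
    alice, bob = "uid=alice," + base, "uid=bob," + base
    a, b = Master(1), Master(2)
    results = {}

    a.user_add(alice, ts=10, mail="alice@example.test")
    replicate(a, b)

    # 1. The same user-mod issued on both masters at the same time.
    a.user_mod(alice, ts=20, mail="a1@example.test")
    b.user_mod(alice, ts=20, mail="a1@example.test")
    replicate(a, b); replicate(b, a)
    results["same_mod"] = (snapshot(a)[alice][0]["mail"], snapshot(b)[alice][0]["mail"])

    # 2. Different user-mod of the same attribute on each master; B's is later.
    a.user_mod(alice, ts=30, title="engineer")
    b.user_mod(alice, ts=31, title="operator")
    replicate(b, a); replicate(a, b)      # arrival order deliberately reversed
    results["diff_mod"] = (snapshot(a)[alice][0]["title"], snapshot(b)[alice][0]["title"])

    # 3. user-add of the same DN on both masters before either has replicated.
    a.user_add(bob, ts=40, mail="bob@example.test")
    b.user_add(bob, ts=41, mail="robert@example.test")
    replicate(a, b); replicate(b, a)
    results["same_add"] = {
        "converged": snapshot(a) == snapshot(b),
        "bob_mail": snapshot(a)[bob][0]["mail"],
        "conflicts": sorted(dn for dn, (_, c) in snapshot(a).items() if c),
    }

    # 4. The same user-del issued on both masters.
    a.user_del(alice, ts=50)
    b.user_del(alice, ts=50)
    replicate(a, b); replicate(b, a)
    results["same_del"] = (alice in snapshot(a), alice in snapshot(b))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Running it shows the four outcomes the thread asks about: an identical user-mod on two masters converges with no visible conflict; differing user-mod commands on the same attribute both end up with the value carrying the later CSN, whatever order the changes arrive in; a user-add of the same DN on two masters leaves one winning entry plus one renamed nsuniqueid=...+uid=bob entry flagged with nsds5ReplConflict, which an admin has to clean up by hand (the first RHDS link above covers that); and the same user-del on both masters simply converges. Because the CSN timestamp comes from each master's own clock, keeping the masters' clocks synchronised matters for "last modification wins" to mean what an administrator expects.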

