[Freeipa-devel] Understanding FreeIPA replica internals

[James]

On Fri, 2014-05-23 at 15:44 +0200, Martin Kosek wrote:
> One cannot easily improve ipa-replica-prepare to work through LDAPI as
> we also
> need to encypher the replica info package - and we cannot do that
> without clear
> text DM password.
> 
> The right way seems to be rather the RFE you filed:
> https://fedorahosted.org/freeipa/ticket/2888
> 
> Martin

Here is the model I am considering:

Since each replica in a multi-master cluster is said to be functionally
"identical" once they're all setup, I'd actually like to try and match
this elegant symmetry that you've provided with an equally symmetrical
(or homogeneous, rather) design. That's to say I want the config
management parts to "be identical" on each host.

What this means:
* It should be possible to parallelize a good chunk of the setup, if I
were to bring up a cluster of four hosts at the same time.

* It's convenient if each individual host follows the same initial
ipa-server-install process, but that there is a secondary "join with my
peer" process.

* In theory, if I set up two identical freeipa servers with the same
options (but different hostnames) I would like to be able to introduce
them to each other at a later date and join them (even if this means
that we pick one as the source of the data and the others data gets
overwritten)

Does this help explain the need? For an example of peering that works
this way and is symmetrical with configuration management, my
puppet-gluster module does this.

Cheers, and thanks for reading.
James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140523/348d65c5/attachment.sig>