[Freeipa-users] Replica re-initialization

thierry bordaz tbordaz at redhat.com
Fri Dec 12 13:53:12 UTC 2014


On 12/12/2014 02:00 PM, Martin Kosek wrote:
> On 12/11/2014 06:19 PM, Matt Chesler wrote:
>> I have a cluster of four IPA masters that should be performing fully meshed
>> replication.  I discovered yesterday that a recently created user only existed
>> on a single master.  After looking through all four masters, it appears that
>> several recent updates only exist on one of the masters.  I do not see any
>> replication errors in any of the logs, but I'm not 100% sure how far back this
>> issue goes.
>
> That's really strange, because AFAIK, DS replication module yells 
> periodically if it cannot replicate so you should see it on the last 
> errors log page.

That should not occur. I remember a test case 
(https://fedorahosted.org/389/ticket/47788) where a transient error 
could lead to an update being skipped.
Do you have access/errors logs since the missing entry was added?
Also would you dump the RUV on each of the masters (ldapsearch -D 
"cn=directory manager" -w xxx -b "<your suffix>" 
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))")?

Are you able to reproduce this problem?
>
>> I do believe the one master with up-to-date data is a reliable
>> representation of what the LDAP directory should look like.  I ran a
>> reinitialize command (ipa-replica-manage re-initialize --from
>> reliable-server.fqdn) on two of the out-of-date masters yesterday around 4pm
>> EST.  It's now a little after 12pm EST and the "Update in progress" message is
>> still scrolling by once a second on both terminals.  I'd greatly appreciate
>> suggestions about a) how to determine the status of the reinitialize command
>> and b) any other ideas about how to resolve this issue and monitor for it
>> better in the future.  Thanks in advance for your help!
>
> Thierry or Ludwig, any idea?

The replica agreement on the master should say when the total update is 
completed. But after 12h it looks very long.
You may monitor the number of sent entries (grep -c 
'2.16.840.1.113730.3.5.6' <replica log>/access) to see if it is progressing.
If it is not progressing for several minutes, would you get a pstack of 
the master.
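
Added example, not part of the original message or of FreeIPA/389 DS: one way to compare the RUV dumps requested above across masters, flagging any master whose newest CSN for a given replica ID is behind the others. It assumes the `nsds50ruv` value layout `{replica <rid> ldap://host:port} <min CSN> <max CSN>`; the hostnames and CSNs in `SAMPLE` are constructed.

```python
import re
from datetime import datetime, timezone

# nsds50ruv value layout: {replica <rid> ldap://host:port} <min CSN> <max CSN>
RUV_RE = re.compile(
    r"nsds50ruv:\s*\{replica (\d+) [^}]*\}\s+[0-9a-f]{20}\s+([0-9a-f]{20})", re.I)

def parse_ruv(ldif_text):
    """Return {replica_id: max_csn} from one master's ldapsearch output."""
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines as newline + space
    return {int(rid): csn.lower() for rid, csn in RUV_RE.findall(unfolded)}

def csn_time(csn):
    """First 8 hex digits of a CSN are the change time in epoch seconds."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)

def find_lagging(ruvs):
    """ruvs maps master -> {rid: max_csn}; return (master, rid, have, newest) gaps."""
    newest = {}
    for ruv in ruvs.values():
        for rid, csn in ruv.items():
            # equal-length lowercase hex strings sort in CSN order
            newest[rid] = max(csn, newest.get(rid, csn))
    gaps = []
    for master in sorted(ruvs):
        for rid in sorted(newest):
            have = ruvs[master].get(rid)  # None: no RUV element for that supplier
            if have != newest[rid]:
                gaps.append((master, rid, have, newest[rid]))
    return gaps

# Constructed sample output (hostnames and CSNs are made up for this example).
R4 = "nsds50ruv: {replica 4 ldap://ipa1.example.test:389} 5480a1b3000000040000 "
R3 = "nsds50ruv: {replica 3 ldap://ipa2.example.test:389} 5480a1c0000000030000 "
SAMPLE = {
    "ipa1.example.test": R4 + "5489a0\n 00000100040000\n" + R3 + "54889000000000030000\n",
    "ipa2.example.test": R4 + "54880000000000040000\n" + R3 + "54889000000000030000\n",
    "ipa3.example.test": R4 + "5489a000000100040000\n",
}

if __name__ == "__main__":
    ruvs = {m: parse_ruv(t) for m, t in SAMPLE.items()}
    for master, rid, have, newest in find_lagging(ruvs):
        seen = f"{have} ({csn_time(have):%Y-%m-%d %H:%M:%S}Z)" if have else "nothing"
        print(f"{master}: replica id {rid} has {seen}, newest is {newest}")
```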
