[Freeipa-users] IPA RUV unable to decode

Tue May 5 14:49:10 UTC 2015

On 05/05/2015 07:49 AM, Ludwig Krispenz wrote:
>
> On 05/05/2015 01:27 PM, Martin Kosek wrote:
>> On 05/05/2015 12:38 PM, Vaclav Adamec wrote:
>>> Hi,
>>>   I tried migrate to newest version IPA, but result is quite 
>>> unstable and
>>> removing old replicas ends with RUV which cannot be decoded (it 
>>> stucked in
>>> queue forever):
>>>
>>> ipa-replica-manage del ipa-master-dmz002.test.com -fc
>>> Cleaning a master is irreversible.
>>> This should not normally be require, so use cautiously.
>>> Continue to clean master? [no]: yes
>>>
>>> ipa-replica-manage list-ruv
>>> unable to decode: {replica 8} 55091239000400080000 55091239000400080000
>>> unable to decode: {replica 7} 552f84cd000300070000 552f84cd000300070000
>>> unable to decode: {replica 11} 551a42f70000000b0000 
>>> 551aa3140001000b0000
>>> unable to decode: {replica 15} 551e82e10001000f0000 
>>> 551e82e10001000f0000
>>> unable to decode: {replica 14} 551e82ec0001000e0000 
>>> 551e82ec0001000e0000
>>> unable to decode: {replica 20} 552f4b72000600140000 
>>> 552f4b72000600140000
>>> unable to decode: {replica 10} 551a25af0001000a0000 
>>> 551a25af0001000a0000
>>> unable to decode: {replica 3} 551e864c000300030000 551e864c000300030000
>>> unable to decode: {replica 5} 55083ad2000300050000 55083ad2000300050000
>>> unable to decode: {replica 9} 550913e7000000090000 550913e7000000090000
>>> unable to decode: {replica 19} 55210193000300130000 
>>> 55210193000300130000
>>> unable to decode: {replica 12} 551a48290000000c0000 
>>> 551a48c50000000c0000
>>> ipa-master-dmz001.test.com:389: 25
>>> ipa-master-dmz002.test.com:389: 21
>>>
>>> it is possible to clear this queue and leave only valid servers ?
>>>
>>> Thanks in advance
>>>
>>> ipa-client-4.1.0-18.el7_1.3.x86_64
>>> ipa-server-4.1.0-18.el7_1.3.x86_64
>> Ludwig or Thierry, do you know? The questions about RUV cleaning 
>> seems to be
>> recurring, I suspect there will be a pattern (bug) and not just 
>> configuration
>> issue.
> we have seen this in a recent thread, and it is clear that the RUV is 
> corrupted and cannot be decoded, but we don't have a scenario how this 
> is state is reached.
The cleaning task (cleanAllRUV) can remove these invalid replica RUVs 
(RUV's missing the ldap URL).  To reproduce these "invalid" RUV's it 
requires replication being disabled and re-enabled with a different 
replica id.

To manually clean these invalid RUV elements, outside of using the IPA 
CLI, you can directly issue the cleanAllRUV task to the Directory Server 
using ldapmodify:

# ldapmodify -D "cn=directory manager" -W -a
dn: cn=clean 8, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 8
cn: clean 8

Run these one at a time, as there is a current limit of running 4 
concurrent tasks.  It is best to monitor the Directory Server errors 
log, or search on the task entry itself, to see when it has finished 
before firing off the next task.

For more on using cleanAllRUV see:

http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv
http://www.port389.org/docs/389ds/design/cleanallruv-design.html

Regards,
Mark