hi everyone,
I wanted to ask about number of segments after a clean IPA setup with 3 servers.
I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
many thanks, L.
On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
> hi everyone,
> I wanted to ask about number of segments after a clean IPA setup with 3 servers.
> I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
You really need to show what you have rather than assume we know what you have.
For three masters, there are several ways of connecting them so that there are two segments. Or maybe you connected all three in a triangle.
For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A
Without knowing your topology it is not possible to say what is correct and what is not.
On 29/10/2019 08:51, Alexander Bokovoy wrote:
> On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
>> hi everyone,
>> I wanted to ask about number of segments after a clean IPA setup with 3 servers.
>> I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
> You really need to show what you have rather than assume we know what you have.
> For three masters, there are several ways of connecting them so that there are two segments. Or maybe you connected all three in a triangle.
> For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A
> Without knowing your topology it is not possible to say what is correct and what is not.
sorry was being vague. Question was not about correct or not but rather I sought to confirm that what IPA replicas (3 masters in total) installers created in topology - which was two segments - was what IPA does by default (and not seek to create every possible chain in topology, in my case it'd be that triangle) and not a result of some error/problem.
I now assume that it simply is - each replica installation process creates just one segment: new-replica <-> used_master ?
many thanks, L.
Just some user notes
I really like the IPA server topology graph through the web front end, visualising the agreements between servers is really useful. You can add or remove agreements here too, for both domain and CA (for servers that have CA enabled).
I've deployed 6 IPA servers equally across our three main sites and enabled CA on all of them, this seems to work fine and I've successfully moved the CA renewal master twice (due to external reasons.)
Check the Red Hat documentation on replication agreements, I recall there are some useful notes there on planning.
Regards Angus
________________________________
From: lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Tuesday, 29 October 2019, 14:24
To: FreeIPA users list
Cc: lejeczek
Subject: [Freeipa-users] Re: number of topology segments for 3 servers clean setup?
On 29/10/2019 08:51, Alexander Bokovoy wrote:
> On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
>> hi everyone,
>> I wanted to ask about number of segments after a clean IPA setup with 3 servers.
>> I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
> You really need to show what you have rather than assume we know what you have.
> For three masters, there are several ways of connecting them so that there are two segments. Or maybe you connected all three in a triangle.
> For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A
> Without knowing your topology it is not possible to say what is correct and what is not.
sorry was being vague. Question was not about correct or not but rather I sought to confirm that what IPA replicas (3 masters in total) installers created in topology - which was two segments - was what IPA does by default (and not seek to create every possible chain in topology, in my case it'd be that triangle) and not a result of some error/problem.
I now assume that it simply is - each replica installation process creates just one segment: new-replica <-> used_master ?
many thanks, L.
On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
> On 29/10/2019 08:51, Alexander Bokovoy wrote:
>> On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
>>> hi everyone,
>>> I wanted to ask about number of segments after a clean IPA setup with 3 servers.
>>> I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
>> You really need to show what you have rather than assume we know what you have.
>> For three masters, there are several ways of connecting them so that there are two segments. Or maybe you connected all three in a triangle.
>> For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A
>> Without knowing your topology it is not possible to say what is correct and what is not.
> sorry was being vague. Question was not about correct or not but rather I sought to confirm that what IPA replicas (3 masters in total) installers created in topology - which was two segments - was what IPA does by default (and not seek to create every possible chain in topology, in my case it'd be that triangle) and not a result of some error/problem.
I now assume that it simply is - each replica installation process creates just one segment: new-replica <-> used_master ?
Yes, you are proceeding with one replica at a time and for that pair (master,replica) there is a topology segment being created.
I followed the thread, and I’m not sure you ever got an answer. Generally ipa replica install seems to create one replication agreement. The exact relationships for 3 servers depend upon which master the replica was created from. It could be 2 replicas talking to the original, or 3 in a line. But either way there are two replication agreements. The obvious thing for 3 servers is a complete triangle. Without that, failure of the wrong node could cause the other two to become disconnected from each other, which is probably not desirable. So you’d want to add the third node. Whichever one is missing.
I assume the reason they don’t add more replicas by default is that in larger configurations you probably don’t want a fully-connected mesh. ipa-replica-install has no way of knowing what your final topology is going to be, and no way to guess what replication agreements you really need. So it does the minimal necessary to maintain connectivity.
On Oct 29, 2019, at 4:44 AM, lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> hi everyone,
> I wanted to ask about number of segments after a clean IPA setup with 3 servers.
> I see for both 'domain' & 'ca' two segments created by master/replica installations, which makes me wonder - should there not be three? no/yes & why?
> many thanks, L.
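The failure case described in the last reply above (two segments versus a full triangle for three servers), as an added example that is not part of the thread or of FreeIPA itself: a Python check that reports which server's loss would split the survivors and which direct segments are absent. The server names A, B, C and the segment lists are constructed sample data.

```python
from itertools import combinations

def components(nodes, segments):
    """Connected groups of `nodes`, using only segments whose two ends survive."""
    adj = {n: set() for n in nodes}
    for a, b in segments:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            n = stack.pop()
            if n not in group:
                group.add(n)
                stack.extend(adj[n] - group)
        seen |= group
        groups.append(group)
    return groups

def single_points_of_failure(nodes, segments):
    """Servers whose loss leaves the remaining servers in two or more groups."""
    return sorted(n for n in nodes
                  if len(components(set(nodes) - {n}, segments)) > 1)

def missing_segments(nodes, segments):
    """Server pairs that have no direct segment between them."""
    have = {frozenset(s) for s in segments}
    return [p for p in combinations(sorted(nodes), 2) if frozenset(p) not in have]

# Constructed sample topologies for three servers.
NODES = {"A", "B", "C"}
STAR = [("A", "B"), ("A", "C")]      # both replicas installed against A
LINE = [("A", "B"), ("B", "C")]      # C installed against B
TRIANGLE = STAR + [("B", "C")]       # third segment added by hand

if __name__ == "__main__":
    for name, segs in [("star", STAR), ("line", LINE), ("triangle", TRIANGLE)]:
        print(name, single_points_of_failure(NODES, segs),
              missing_segments(NODES, segs))
```

On a live deployment the segment pairs come from `ipa topologysegment-find domain` (and likewise for `ca`), and a missing pair is added with `ipa topologysegment-add`.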