Description of problem:
in ipa environments, we need the least delay in replication, particularly when we install a replica. We have seen that in environments of only 4 replicas, the monopolization of consumers is already taking place and sometimes preventing the replica to be installed.
Particularly we can see failures in custodia component that adds keys in one node and checks the keys have been updated in the other node. This is failing by timeout.
We can workaround this issue by setting "nsds5ReplicaReleaseTimeout: 60" at replica level in all the replicas.
We need this set by default. I could provide more details if needed.
Version-Release number of selected component (if applicable): RHEL7.4
How reproducible: at least two customers are having this issue while installing a replica.
The solution is to add this attribute at replica level.
More information here:
Upstream ticket: https://pagure.io/freeipa/issue/7488
The patch adds nsds5ReplicaReleaseTimeout on installation and server upgrade to replication settings on all databases.
Ganna has created an integration test for the issue, https://pagure.io/freeipa/c/84ae625fe2c3786f7c5430f23a55c171ff54e110
Ganna added a reproducer test to upstream in commit https://github.com/freeipa/freeipa/commit/84ae625fe2c3786f7c5430f23a55c171ff54e110#diff-f6f37f4dcea301557db7e120b956c7f2
Proposing for 7.5.z as 7.4.z hotfix is being requested by Nokia.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.