[Freeipa-devel] Replica files vs. upgrades

Rob Crittenden rcritten at redhat.com
Thu Oct 25 13:37:30 UTC 2012


Petr Viktorin wrote:
> Hello,
> Can I use old replica files to install replicas? For example, is this
> supported?
>
> 1) Create replica file on master
> 2) Upgrade master
> 3) Use the (old) replica file to install a replica

The rule of thumb is (or should be): New replicas should be installed 
from a file prepared on the highest available version in the chain, on 
that same version.

> Also: For ipa-ca-install, do I need to use the same replica file that
> was used to install the replica originally? Consider the following:
>
> 1) Create replica file on master
> 2) Install a replica
> 3) Upgrade the master
> 4) Install a CA on the replica
>
> Am I supposed to use the old file for (4), or a newly generated one?

I'm not sure I considered this case before. I think you'd probably be ok 
using an old replica file. The downside of generating a new one is this 
will generate new SSL certificates for the IPA services on that replica 
which will go unused (but certs are cheap).

The place we would get into trouble is if at some point we change the 
server cert profile and the cert in the old replica file was generated 
before the change. This would mean we'd install an out-of-policy cert.

> I couldn't find clear answers in the documentation.
> I could test how this works now, but I'd rather ask if there's a clear
> idea of how it's supposed to work.
>

rob



