[Freeipa-devel] IPA 4.2 server upgrade refactoring - summary

Martin Kosek mkosek at redhat.com
Fri Mar 6 13:16:39 UTC 2015


On 03/04/2015 07:04 PM, Martin Basti wrote:
> Summary extracted from thread "[Freeipa-devel] IPA Server upgrade 4.2 design"
>
> Design page: http://www.freeipa.org/page/V4/Server_Upgrade_Refactoring
>
> * ipa-server-upgrade will not allow to use DM password, only LDAPI will be used
> for upgrade
> * upgrade files will be executed in alphabetical order, updater will not
> require number in update file name. But we should still keep the numbering in
> new upgrade files.
> * LDAP updates will be applied per file, in order specified in file (from top
> to bottom)
> * new directive in update files *"plugin:<plugin-name>"* will execute update
> plugins (renamed from "update-plugin" to "plugin")
> * option "--skip-version-check" will override version check in ipactl and
> ipa-server-upgrade commands (was --force before, but this collides with
> existing --force option in ipactl)
> * huge warning, "this may break everything", in help, man, or CLI for
> --skip-version-check option
> * ipa-upgradeconfig will be removed
> * ipa-ldap-updater will be changed to not allow overall update. It stays as
> util for executing particular update files.

Makes sense to me. Everyone ok with above so that Martin can start working on 
the changes?

> How and when execute upgrades (after discussion with Honza) -- not updated in
> design page yet
> A) ipactl*:
> A.1) compare build platform and platform from last upgrade/installation  (based
> on used ipaplatform file)
> A.1.i) if platform mismatch, raise error and prevent to start services
> A.2)  version of LDAP data(+schema included) compared to current version
> (VENDOR_VERSION will be used)
> A.2.i) if version of LDAP data is newer than version of build, raise error and
> prevent services to start
> A.2.ii) if version of LDAP data is older than version of build, upgrade is required
> A.2.iii) if versions are the same, continue
> A.3) check if services require update (this should be available after
> installer refactoring)**
> A.3.i) if any service requires configuration upgrade, upgrade is required
> A.3.ii) if any service raises an error about wrong configuration (which cannot
> be automatically fixed and requires manual fix by user), raise error and
> prevent to start services
> A.4.i) if upgrade is needed, ipactl will prevent to start services, and prompt
> user to run ipa-server-upgrade manually (ipactl will not execute upgrade itself)
> A.4.ii) otherwise start services
>
>
> B) ipa-server-upgrade*
> B.0) services should be in shutdown state, if not, stop services (services will
> be started during upgrade on demand, then stopped)
> B.1) compare build platform and platform from last upgrade/installation  (based
> on used ipaplatform file)
> B.1.i) if platform mismatch, raise error stop upgrade
> B.2) check version of LDAP data
> B.2.i) if LDAP data version is newer than build version, raise error stop upgrade
> B.2.ii) if LDAP data version is the same as build version, skip schema and LDAP
> data upgrade
> B.2.iii) if LDAP data version is older than build version --> data upgrade required
> B.3) Check if services require upgrade, detect errors as in A.3) (?? this step
> may not be there)**
> B.4) if data upgrade required, upgrade schema, then upgrade data, if successful
> store current build version as data version
> B.5) Run service upgrade (if needed?)**
> B.6) if upgrade is successful, inform user that the one can now start IPA
> (upgrade will not start IPA after it is done)
>
> * with --skip-version-check option, ipactl will start services,
> ipa-server-upgrade will upgrade everything
> ** services will handle local configuration upgrade by themselves. They will
> not use data version to decide if upgrade is required (TODO implementation
> details, Honza wants it in this way - sharing code with installers)
>
>
> Upgrade in different environments:
> 1) Upgrade during RPM transaction (as we do now) -- if it is possible, upgrade
> will be executed during RPM transaction, service will be started after upgrade
> (+ add messages "IPA is currently upgrading, please wait")
> 2) Upgrade cannot be executed during RPM transaction (fedup, --no-script,
> containers) -- IPA will not start if update is required, user has to run
> upgrade manually, using ipa-server-upgrade command (+ log/print errors that
> there is upgrade required)
>
> Martin^2
>
> --
> Martin Basti
>



