[Freeipa-devel] IPA 4.2 server upgrade refactoring - summary

Martin Basti mbasti at redhat.com
Wed Mar 4 18:04:14 UTC 2015


Summary extracted from thread "[Freeipa-devel] IPA Server upgrade 4.2 
design"

Design page: http://www.freeipa.org/page/V4/Server_Upgrade_Refactoring

* ipa-server-upgrade will not allow use of the DM password; only LDAPI 
will be used for upgrade
* upgrade files will be executed in alphabetical order, updater will not 
require number in update file name. But we should still keep the 
numbering in new upgrade files.
* LDAP updates will be applied per file, in order specified in file 
(from top to bottom)
* new directive in update files *"plugin:<plugin-name>"* will execute 
update plugins (renamed from "update-plugin" to "plugin")
* option "--skip-version-check" will override version check in ipactl 
and ipa-server-upgrade commands (was --force before, but this collides 
with existing --force option in ipactl)
* huge warning, "this may break everything", in help, man, or CLI for 
--skip-version-check option
* ipa-upgradeconfig will be removed
* ipa-ldap-updater will be changed to not allow overall update. It stays 
as a utility for executing particular update files.


How and when to execute upgrades (after discussion with Honza) -- not 
updated in design page yet
A) ipactl*:
A.1) compare build platform and platform from last upgrade/installation  
(based on used ipaplatform file)
A.1.i) if platform mismatch, raise error and prevent services from starting
A.2)  version of LDAP data(+schema included) compared to current version 
(VENDOR_VERSION will be used)
A.2.i) if version of LDAP data is newer than version of build, raise 
error and prevent services from starting
A.2.ii) if version of LDAP data is older than version of build, upgrade 
is required
A.2.iii) if versions are the same, continue
A.3) check if services require update (this should be available after 
installer refactoring)**
A.3.i) if any service requires configuration upgrade, upgrade is required
A.3.ii) if any service raises an error about wrong configuration (which 
cannot be automatically fixed and requires manual fix by user), raise 
error and prevent services from starting
A.4.i) if upgrade is needed, ipactl will prevent services from starting, and 
prompt user to run ipa-server-upgrade manually (ipactl will not execute 
upgrade itself)
A.4.ii) otherwise start services


B) ipa-server-upgrade*
B.0) services should be in shutdown state, if not, stop services 
(services will be started during upgrade on demand, then stopped)
B.1) compare build platform and platform from last upgrade/installation  
(based on used ipaplatform file)
B.1.i) if platform mismatch, raise error, stop upgrade
B.2) check version of LDAP data
B.2.i) if LDAP data version is newer than build version, raise error, 
stop upgrade
B.2.ii) if LDAP data version is the same as build version, skip schema 
and LDAP data upgrade
B.2.iii) if LDAP data version is older than build version --> data 
upgrade required
B.3) Check if services require upgrade, detect errors as in A.3) (?? 
this step may not be there)**
B.4) if data upgrade required, upgrade schema, then upgrade data, if 
successful store current build version as data version
B.5) Run service upgrade (if needed?)**
B.6) if upgrade is successful, inform the user that they can now start 
IPA (upgrade will not start IPA after it is done)

* with --skip-version-check option, ipactl will start services, 
ipa-server-upgrade will upgrade everything
** services will handle local configuration upgrade by themselves. They 
will not use data version to decide if upgrade is required (TODO 
implementation details, Honza wants it in this way - sharing code with 
installers)


Upgrade in different environments:
1) Upgrade during RPM transaction (as we do now) -- if it is possible, 
upgrade will be executed during RPM transaction, service will be started 
after upgrade (+ add messages "IPA is currently upgrading, please wait")
2) Upgrade cannot be executed during RPM transaction (fedup, 
--no-script, containers) -- IPA will not start if update is required, 
user has to run upgrade manually, using ipa-server-upgrade command (+ 
log/print errors that there is upgrade required)

Martin^2

-- 
Martin Basti
