[Freeipa-users] Replacing the primary IPA server

Simo Sorce simo at redhat.com
Mon Feb 13 23:31:33 UTC 2012


On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote:
> On 02/13/2012 09:43 PM, Simo Sorce wrote:
> > On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
> >> On 02/13/2012 08:55 PM, Simo Sorce wrote:
> >>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
> >>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
> >>>>> Sigbjorn Lie wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> What precautions need to be taken when replacing the primary/first IPA
> >>>>>> server?
> >>>>>>
> >>>>>> Is it enough to reinstall the server and run a ipa-replica-install from
> >>>>>> one of the other replicas?
> >>>>> It depends on what type of CA installation you have. Did you install
> >>>>> with dogtag or with a selfsign CA?
> >>>>>
> >>>>> rob
> >>>>>
> >>>> Dogtag
> >>> If you installed the CA on more than one replica, then you can remove
> >>> the first master; all the info is replicated on the other replicas that
> >>> have a clone of the CA. Note that the CA is not replicated by default;
> >>> see the --setup-ca option or ipa-ca-install.
> >> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
> >>
> >> What if I have 3 IPA servers. 2 being replicated off the first master.
> >> The master is re-installed and re-setup using ipa-replica-install from
> >> one of the 2 other IPA servers.
> >>
> >> Will not the 3rd server be left without a sync agreement? Does the 3rd
> >> server need to be manually added back in with a sync agreement?
> > Before removing any server you should make sure it will not break the
> > topology.
> >
> > You can use ipa-replica-manage and ipa-ca-replica-manage to create links
> > between the 2 other servers before you retire the hub.
> >
> > You have to use both the commands as CA replication agreements are
> > distinct from IPA replication agreements.
> >
> >
> 1. Let's say the server has crashed. Unrecoverable. Can new replication 
> agreements still be set up between the remaining hosts?

Yes, you should be able to change the agreements, as all the principals
already exist, so there is no need to replicate through the old hub just
to set them up.

> 2. I do not see a way for displaying relationships between the IPA hosts 
> when viewing the replicas with ipa-replica-manage list. I see the same 
> output on all the IPA hosts.

ipa-replica-manage list shows all servers
ipa-replica-manage list servername shows the replication agreements that
server uses

If they all look the same it means you have a full mesh :)

> So if I was not the one who set up IPA, and did not have the 
> documentation handy available, is there a command provided with IPA 
> where I can figure out how the existing replication agreements are set 
> up between the hosts?
> 
> ...except for looking in the LDAP tree under 
> cn=replicaname,cn=replica,cn=domain,cn=mapping tree,cn=config?

See above.

> 3. Perhaps this was discussed earlier: can a ring of replicas be 
> configured with IPA?

If by ring you mean A <-> B <-> C <-> A then yes. In general we
recommend not having more than 4 replication agreements per server, but
that's more of a rule of thumb than a hard limit.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
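The topology check Simo describes (make sure retiring the hub leaves the remaining servers linked, for IPA and CA agreements separately, and stay within the rule of thumb of four agreements per server) can be worked through offline. The script below is an added example, not part of the thread or of FreeIPA itself; the host names and agreement pairs are constructed to match Sigbjorn's three-server scenario, and in practice you would fill them in from `ipa-replica-manage list <server>` and `ipa-ca-replica-manage list <server>` run on each host.

```python
from collections import deque

# Constructed sample matching the thread: ipa1 is the first master, ipa2 and
# ipa3 were installed from it, so every agreement goes through ipa1. In practice
# fill these from `ipa-replica-manage list` / `ipa-ca-replica-manage list`.
IPA_AGREEMENTS = [("ipa1.example.test", "ipa2.example.test"),
                  ("ipa1.example.test", "ipa3.example.test")]
CA_AGREEMENTS = list(IPA_AGREEMENTS)  # CA agreements are tracked separately


def build_graph(agreements):
    """Return {server: set(peers)}; each pair is one bidirectional agreement."""
    graph = {}
    for a, b in agreements:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def orphans_after_removal(agreements, retired):
    """Servers cut off from the rest once `retired` is gone (empty = safe)."""
    graph = build_graph(agreements)
    remaining = sorted(s for s in graph if s != retired)
    if len(remaining) <= 1:
        return []
    seen, queue = {remaining[0]}, deque([remaining[0]])
    while queue:  # breadth-first walk over the surviving agreements
        for peer in graph[queue.popleft()]:
            if peer != retired and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return [s for s in remaining if s not in seen]


def over_agreement_limit(agreements, limit=4):
    """Servers with more agreements than the rule-of-thumb limit."""
    return sorted(s for s, p in build_graph(agreements).items() if len(p) > limit)


def plan_retirement(ipa_agreements, ca_agreements, retired):
    """Report orphans for both agreement types; both must be empty to proceed."""
    return {"ipa_orphans": orphans_after_removal(ipa_agreements, retired),
            "ca_orphans": orphans_after_removal(ca_agreements, retired)}


if __name__ == "__main__":
    hub = "ipa1.example.test"
    print("hub-only topology:", plan_retirement(IPA_AGREEMENTS, CA_AGREEMENTS, hub))
    linked = IPA_AGREEMENTS + [("ipa2.example.test", "ipa3.example.test")]
    print("after IPA link only:", plan_retirement(linked, CA_AGREEMENTS, hub))
```

The second run shows the case Simo warns about: adding the ipa2 <-> ipa3 link with ipa-replica-manage alone still leaves the CA side partitioned until ipa-ca-replica-manage is used as well.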



