[Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

Dmitri Pal dpal at redhat.com
Mon May 14 20:20:07 UTC 2012


On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
>  I am a newbie to Redhat IPA. It looks pretty cool compared with
> other solutions I've tried before. Thanks a lot for this great product! :)
>
>  But there are still some things I need your help with. My main question
> is: How to restore the IPA setup with a daily machine-level IPA
> Replica backup?
>
>  Please let me explain my IPA setup background and backup/restore
> goals trying to reach:
>
>  I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is
> set up with Dogtag CA system. It is installed first. Then two IPA
> replicas are installed -- with '--setup-ca' options -- for load
> balancing and failover purposes.
>
>  To describe my problems/objectives, I'll name the IPA Master as
> machine A, IPA replicas as B and C, and now I have one more extra IPA
> replica 'D' (virtual machine) set up ONLY for backup purposes.
>   
>   The setup looks like the following, A is the configuration Hub.
> B,C,D are siblings.
>
>     A
>    /  |  \   
>  B  C  D
>
>  The following are the steps I use to back up IPA setups and LDAP backends
> daily -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this: 
>
>    1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h
> <D>'.  On the Hypervisor which holds virtual machine D, do a daily
> backup of the whole virtual disk that D is on.
>    1.2 turn on the IPA replica D again.
>    1.3 after virtual machine D is up, on D optionally run a
> 'ipa-replica-manage --force-sync --from <A>' to sync the IPA databases
> forcibly.
>
> Now comes the restore part, which is pretty confusing to me. I've tried
> several times, and every time this or that kind of issue comes up,
> and so I am wondering that correct steps/interaction of IPA
> Master/replicas are the king :(
>
>  2, case #1, A is broken, like disc failure, and then re-imaged after
> several days.
>
>    2.1  How to rebuild the IPA Master/Hub A after A is re-imaged, with
> the daily backup from IPA replica D?
>    2.2  do I have to check some files on A into subversion immediately
> after A was initially installed?
>    2.3  Please describe the steps. I'll follow exactly and report the
> results.
>
> 3, case #2, A is working, but either B, or C is broken.
>
>   3.1 It looks that I don't need the daily backup of D to kick in, is
> that right?
>   3.2 What are the correct steps on A; and B after it is re-imaged?
>   3.3  Please describe the steps. I'll follow exactly and report the
> results.
>
> 4, case #3, If some unexpected IPA changes happen on A -- like all
> users are deleted by human mistake --, and even worse, all the
> changes are propagated to B and C in minutes.
>
>   4.1 How can I recover the IPA setup from daily backup from D?
>   4.2 which IPA master/replicas I should recover first? IPA master A,
> or IPA replicas B/C? and then how to recover others left one by one?
>   4.3 Do I have to disconnect replication agreement of B,C,D from A
> first?  
>   4.4  Please describe the steps. I'll follow exactly and report the
> results.
>
>  I've heard something about tombstone records too. Not sure whether
> the problem still exists in 2.1.3, or 2.2.0 (on 6.3Beta)? If so, how
> can I avoid it with correct recovery steps/interactions?
>
> Thanks a lot. 
>
> --Gelen.

I can explain it conceptually. Rob is probably best to define the exact
sequence and commands.

If your A is broken you reinstall it, make it connect to D and init
(force sync) A from D. Now you have a new A.

If B or C dies you just re-install B or C and init from A.

If you lost a lot of data I suggest you start a saved D instance and
force-sync A from it and then force sync B and C from A.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

