[Freeipa-users] Fwd: Scorched earth

Bret Wortman bret.wortman at damascusgrp.com
Thu Aug 29 12:07:00 UTC 2013


Okay, I have a replica built and running. My original, "sick" server is
ipamaster and the new one is ipamaster2. All I've done thus far on
ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders
replica-info-ipamaster2.foo.net.gpg.

What additional steps do I need to take to ensure that the process of
shutting down ipamaster, wiping it out, building it up fresh and then
replicating ipamaster2 back to ipamaster and making ipamaster again the
center of the universe and my certificate authority work correctly,
cleanly, and with minimal fuss? Given the mess I've already got our servers in, I
figured I should ask *before* I start messing about today.

I *think* the process should look something like this (I don't want you all
thinking I'm looking for someone to do *all* my thinking for me):

1. Take snapshot of ipamaster (just in case)
2. [ipamaster2]# ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
   (I should've done this during the ipa-ca-install, but since the ca step is
   so rare, I didn't have it in my wiki notes).
3. [ipamaster]# reboot

This reboot will trigger a Cobbler & Puppet-based wipe of the system and
reinstallation of F18 and freeipa-server. While that's going on:

4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net 1.2.3.4

When ipamaster is back up:

5. [ipamaster]# cd /var/lib/ipa && scp ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .
6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders --setup-ca replica-info-ipamaster.foo.net.gpg

Usually, there's some reason I need to go back to ipamaster2 and either
delete a dns entry or ipa host-del the system. After the replica install is
done:

7. Shut down and delete the ipamaster2 VM.
8. Upgrade existing "replicas" to F18 and latest IPA version.
9. Establish replication agreements with now-functioning ipamaster.

Does that sound right?



Bret Wortman

http://damascusgrp.com/
http://about.me/wortmanbret


On Wed, Aug 28, 2013 at 10:01 PM, Bret Wortman <bret.wortman at damascusgrp.com> wrote:

> I was actually considering something like this a few hours ago. It's a VM, so
> making another isn't that hard. Replication is the source of all my
> problems, though, so I'm concerned about whether it will work. Certainly
> worth the attempt!
>
> I'll report back later tomorrow.
>
>
> On Wed, Aug 28, 2013 at 8:56 PM, Jatin Nansi <jnansi at redhat.com> wrote:
>
>> On 08/29/2013 12:16 AM, Bret Wortman wrote:
>> > Ugh. Well that certainly hurts, but I just don't see an alternative. I
>> > hope Puppet can at least make the re-enrollment a bit easier.
>> >
>> > I'm still hand-copying some of the configuration and user group
>> > details and crafting the load scripts so if anyone has a bright idea
>> > in the next few hours, I'd love to hear it!
>> Is there a reason why you must scorch earth? You could try a rolling
>> update approach first - install a fresh IPA system, make it a replica of
>> the existing IPA setup. Then reinstall existing IPA systems and use the
>> updated system to set them up.
>>
>> Jatin
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
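A pre-flight check for the procedure above, added here as an example and not part of the thread: run it on ipamaster2 before step 3 to confirm the new server already has a CA, a clean replication agreement and serves the domain's DNS, so wiping ipamaster does not leave the realm without a CA or a usable server. The hostnames, the `--check` flag and the assumed output formats of `ipa-replica-manage` / `ipa-csreplica-manage` (FreeIPA 3.x style "host: master" lines and indented "last update status:" lines) are assumptions, not from the original.

```shell
#!/bin/sh
# Pre-flight check on ipamaster2 before step 3 (reboot/wipe of ipamaster).
# Added example, not from the thread. Assumed FreeIPA 3.x output formats:
# "host: master" lines from "ipa-replica-manage list" / "ipa-csreplica-manage
# list", and an indented "last update status: 0 ..." line from
# "ipa-replica-manage list -v <host>" (both tools prompt for the DM password).
set -u
OLD_MASTER=${OLD_MASTER:-ipamaster.foo.net}
NEW_MASTER=${NEW_MASTER:-ipamaster2.foo.net}
DOMAIN=${DOMAIN:-foo.net}

# Succeeds if host $1 appears as a master in a "host: master" listing on stdin.
listed_as_master() { grep -qxF "$1: master"; }

# Succeeds if the agreement with $1, in "list -v" output on stdin, reports a
# last update status of 0, i.e. replication to $1 is healthy and nothing is
# still pending on the master about to be wiped.
agreement_ok() {
    awk -v host="$1" '
        /^[^ ]/ { in_block = ($0 == host ": replica") }
        in_block && /^ +last update status: 0/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

report() { printf '%-4s %s\n' "$1" "$2"; }

preflight() {
    rc=0
    # Step 2 must already be done: with no CA on the new master, the wipe
    # leaves the domain without a CA and step 6 (--setup-ca) has nothing to clone.
    if ipa-csreplica-manage list | listed_as_master "$NEW_MASTER"; then
        report OK "$NEW_MASTER is a CA master"
    else report FAIL "$NEW_MASTER has no CA; run ipa-ca-install first"; rc=1; fi
    if ipa-replica-manage list -v "$OLD_MASTER" | agreement_ok "$NEW_MASTER"; then
        report OK "replication $OLD_MASTER -> $NEW_MASTER is clean"
    else report FAIL "replication to $NEW_MASTER is not healthy; fix before wiping"; rc=1; fi
    # Enrolled hosts locate IPA via SRV records, so the new server must serve the zone.
    if dig +short "@$NEW_MASTER" "_ldap._tcp.$DOMAIN" SRV | grep -q "$NEW_MASTER"; then
        report OK "$NEW_MASTER answers SRV lookups for $DOMAIN"
    else report FAIL "$NEW_MASTER does not answer SRV lookups for $DOMAIN"; rc=1; fi
    return $rc
}

# Live checks run only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```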