[Freeipa-users] Fwd: Scorched earth

Simo Sorce simo at redhat.com
Thu Aug 29 13:09:18 UTC 2013


On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> Okay, I have a replica built and running. My original, "sick" server
> is ipamaster and the new one is ipamaster2. All I've done thus far on
> ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders
> replica-info-ipamaster2.foo.net.gpg.
> 
> 
> What additional steps do I need to take to ensure that the process of
> shutting down ipamaster, wiping it out, building it up fresh and then
> replicating ipamaster2 back to ipamaster and making ipamaster again
> the center of the universe and my certificate authority work
> correctly, cleanly, and with minimal fuss? Given the mess I got our
> servers already, I figured I should ask before I start messing about
> today.
> 
> 
> I think the process should look something like this (I don't want you
> all thinking I'm looking for someone to do all my thinking for me):
> 
> 
> 1. Take snapshot of ipamaster (just in case)
> 2. [ipamaster2]#
> ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg (I
> should've done this during the ipa-ca-install, but since the ca step
> is so rare, I didn't have it in my wiki notes).
> 3. [ipamaster]# reboot
> 
> 
> This reboot will trigger a Cobbler & Puppet-based wipe of the system
> and reinstallation of F18 and freeipa-server. While that's going on:
> 
> 
> 4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net 1.2.3.4

You need to use ipa-replica-manage to remove the original ipamaster
before you can prepare to add a new one.

After it is fully removed and the replica file generated you need to restart
at least 389ds on ipamaster2. This is due to the fact that DS does not
purge valid tickets, and it holds a ticket valid for the old ipamaster;
however, when you reinstall, the new name will match, so replication
between ipamaster2 -> ipamaster may fail because ipamaster2 has a wrong
ticket (using the old key you just nuked before the reinstall).
> 
> When ipamaster is back up:
> 
> 
> 5. [ipamaster]# cd /var/lib/ipa && scp

You can copy in /root

>  ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .
> 6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders
> --setup-ca replica-info-ipamaster.foo.net.gpg
> 
> 
> Usually, there's some reason I need to go back to ipamaster2 and
> either delete a dns entry or ipa host-del the system.

Uh ? Sounds like this is going to screw up things, why should you delete
DNS entries ?
ipa host-del of a master is *certainly* going to break replication and
basically everything. Is this what you did in your old setup ?

>  After the replica install is done:
> 
> 
> 7. Shut down and delete the ipamaster2 VM.

Do not forget to ipa-replica-manage remove it first.

> 8. Upgrade existing "replicas" to F18 and latest IPA version.
> 9. Establish replication agreements with now-functioning ipamaster.
> 
> 
> Does that sound right?
> 
> 
See above.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
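The ordering Simo insists on (remove the old master's replication agreement, restart 389ds so the stale Kerberos ticket is dropped, only then prepare the new replica file) is easy to get wrong by hand. The script below is an added example, not code from this thread or from the FreeIPA project: it emits the plan as a dry run and refuses to proceed while the old master still appears in `ipa-replica-manage list`. The list output it parses is a constructed sample, and the use of `ipa-replica-manage del`, `ipactl restart` and `ipa-replica-prepare --ip-address` is assumed from the FreeIPA tooling of that era rather than taken from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check and ordered plan for replacing a wiped
# FreeIPA master from a surviving replica. Nothing here runs IPA commands;
# the plan is printed so an admin can review it before executing it.

OLD_MASTER="ipamaster.foo.net"   # the server being wiped and rebuilt
NEW_MASTER="ipamaster2.foo.net"  # the surviving replica doing the work
OLD_IP="1.2.3.4"                 # address the rebuilt master will use

# Constructed sample of `ipa-replica-manage list` output on the survivor
# while the old master's entry is still present (before removal).
SAMPLE_LIST_BEFORE="ipamaster.foo.net: master
ipamaster2.foo.net: master"

# Constructed sample of the same listing after the old entry was removed.
SAMPLE_LIST_AFTER="ipamaster2.foo.net: master"

# old_master_listed LIST_OUTPUT HOSTNAME
# Returns 0 when HOSTNAME still appears as a replica in LIST_OUTPUT.
old_master_listed() {
    printf '%s\n' "$1" | grep -q "^$2: "
}

# preflight LIST_OUTPUT HOSTNAME
# Refuses (returns 1) while the old master's agreement still exists, because
# ipa-replica-prepare for the same name must only run after removal.
preflight() {
    if old_master_listed "$1" "$2"; then
        echo "refusing: $2 still has a replication agreement on this host;" \
             "run 'ipa-replica-manage del $2' first" >&2
        return 1
    fi
    return 0
}

# replace_master_plan OLD_HOST NEW_HOST IP
# Prints, in order, the commands to run on NEW_HOST. The restart sits
# between removal and preparation so 389ds drops the ticket it cached for
# the old OLD_HOST key (the point made in the reply above).
replace_master_plan() {
    old="$1"; new="$2"; ip="$3"
    cat <<EOF
# on $new: drop the agreement with the wiped master
ipa-replica-manage del $old --force
# on $new: restart IPA services so 389ds forgets the stale ticket
ipactl restart
# on $new: now a fresh replica file for the rebuilt $old can be prepared
ipa-replica-prepare --ip-address $ip $old
# on $old after reinstall: fetch the file into /root, then run
#   ipa-replica-install --setup-dns --no-forwarders --setup-ca replica-info-$old.gpg
EOF
}

# Stand-alone usage: show the refusal, then the plan once the entry is gone.
if [ "${1:-}" = "--demo" ]; then
    preflight "$SAMPLE_LIST_BEFORE" "$OLD_MASTER" || true
    preflight "$SAMPLE_LIST_AFTER" "$OLD_MASTER" && \
        replace_master_plan "$OLD_MASTER" "$NEW_MASTER" "$OLD_IP"
fi
```

Run it with `--demo` to see the refusal followed by the plan; in practice the listing would come from `ipa-replica-manage list` on the surviving replica rather than the embedded samples.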