[Freeipa-users] Fwd: Scorched earth

Bret Wortman bret.wortman at damascusgrp.com
Thu Aug 29 13:14:47 UTC 2013


On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <simo at redhat.com> wrote:

> On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> > Okay, I have a replica built and running. My original, "sick" server
> > is ipamaster and the new one is ipamaster2. All I've done thus far on
> > ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders
> > replica-info-ipamaster2.foo.net.gpg.
> >
> >
> > What additional steps do I need to take to ensure that the process of
> > shutting down ipamaster, wiping it out, building it up fresh and then
> > replicating ipamaster2 back to ipamaster and making ipamaster again
> > the center of the universe and my certificate authority work
> > correctly, cleanly, and with minimal fuss? Given the mess I've got our
> > servers in already, I figured I should ask before I start messing about
> > today.
> >
> >
> > I think the process should look something like this (I don't want you
> > all thinking I'm looking for someone to do all my thinking for me):
> >
> >
> > 1. Take snapshot of ipamaster (just in case)
> > 2. [ipamaster2]#
> > ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg (I
> > should've done this during the ipa-ca-install, but since the ca step
> > is so rare, I didn't have it in my wiki notes).
> > 3. [ipamaster]# reboot
> >
> >
> > This reboot will trigger a Cobbler & Puppet-based wipe of the system
> > and reinstallation of F18 and freeipa-server. While that's going on:
> >
> >
> > 4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net 1.2.3.4
>
> You need to use ipa-replica-manage to remove the original ipamaster
> before you can prepare to add a new one.
>
> After it is fully removed and replica file generated you need to restart
> at least 389ds on ipamaster2. This is due to the fact that DS does not
> purge valid tickets, and it holds a ticket valid for the old ipamaster;
> however when you reinstall the new one the name will match so replication
> between ipamaster2 -> ipamaster may fail because ipamaster2 has a wrong
> ticket (using old key you just nuked before the reinstall).
> >
>

Got it. Glad I asked! I'll add these steps to my procedure.


> > When ipamaster is back up:
> >
> >
> > 5. [ipamaster]# cd /var/lib/ipa && scp
>
> You can copy in /root
>
I usually do it in /var/lib/ipa I guess because that's where the server
puts the file, so it makes it easy for me to remember that's where it is.
But point taken.


> >  ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .
> > 6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders
> > --setup-ca replica-info-ipamaster.foo.net.gpg
> >
> >
> > Usually, there's some reason I need to go back to ipamaster2 and
> > either delete a dns entry or ipa host-del the system.
>
> Uh? Sounds like this is going to screw up things, why should you delete
> DNS entries?
> ipa host-del of a master is *certainly* going to break replication and
> basically everything. Is this what you did in your old setup?
>

Only if ipa-replica-install said I needed to.

>
> >  After the replica install is done:
> >
> >
> > 7. Shut down and delete the ipamaster2 VM.
>
> Do not forget to ipa-replica-manage remove it first.
>

Awesome. This is why I asked.

>
> > 8. Upgrade existing "replicas" to F18 and latest IPA version.
> > 9. Establish replication agreements with now-functioning ipamaster.
> >
> >
> > Does that sound right?
> >
> >
> See above.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
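As an added example (not code from the thread or from FreeIPA itself), a small wrapper for the surviving master (ipamaster2) that applies the corrections from the reply: remove the old master from the topology first, refuse to continue if it is still listed, restart so 389ds drops the stale ticket, and only then run ipa-replica-prepare. Assumptions: `ipactl restart` as the way to bounce 389ds, a substring match on the output of `ipa-replica-manage list`, and the command variables, which exist only so the flow can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs on the surviving master
# (ipamaster2) and applies the corrections from the reply: remove the old
# master from the topology, refuse to go on if it is still listed, restart
# the IPA services so 389ds drops the stale ticket, then prepare the replica.
set -u

# Assumptions: ipa-replica-manage/ipa-replica-prepare as on the page;
# "ipactl restart" is assumed as the way to bounce 389ds (it restarts all
# IPA services, a superset of what the reply asks for). The variables let
# the procedure be exercised with stub commands.
IPA_REPLICA_MANAGE=${IPA_REPLICA_MANAGE:-ipa-replica-manage}
IPA_REPLICA_PREPARE=${IPA_REPLICA_PREPARE:-ipa-replica-prepare}
IPA_RESTART=${IPA_RESTART:-ipactl restart}

# master_present FQDN: succeed if FQDN still appears in the topology
# listing (substring match on "ipa-replica-manage list" output; the
# output format is an assumption).
master_present() {
    $IPA_REPLICA_MANAGE list | grep -q -F "$1"
}

# retire_master OLD_FQDN NEW_IP: ordered procedure for the host that is
# about to be wiped. Returns 1 at the first step that fails.
retire_master() {
    old_host=$1
    new_ip=$2
    if master_present "$old_host"; then
        $IPA_REPLICA_MANAGE del "$old_host" || return 1
    fi
    # Never prepare a replica file for a name that is still a master.
    if master_present "$old_host"; then
        echo "refusing: $old_host is still in the replication topology" >&2
        return 1
    fi
    # 389ds keeps a ticket for the old key; restart so it is discarded.
    $IPA_RESTART || return 1
    $IPA_REPLICA_PREPARE "$old_host" "$new_ip"
}

# Usage: sh retire_master.sh ipamaster.foo.net 1.2.3.4
if [ $# -eq 2 ]; then
    retire_master "$1" "$2"
fi
```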