[Freeipa-users] Fwd: Scorched earth
Simo Sorce
simo at redhat.com
Thu Aug 29 13:21:50 UTC 2013
On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:
> On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <simo at redhat.com> wrote:
> > On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> > > Okay, I have a replica built and running. My original, "sick" server
> > > is ipamaster and the new one is ipamaster2. All I've done thus far on
> > > ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders
> > > replica-info-ipamaster2.foo.net.gpg.
> > >
> > > What additional steps do I need to take to ensure that the process of
> > > shutting down ipamaster, wiping it out, building it up fresh and then
> > > replicating ipamaster2 back to ipamaster and making ipamaster again
> > > the center of the universe and my certificate authority work
> > > correctly, cleanly, and with minimal fuss? Given the mess I got our
> > > servers already, I figured I should ask before I start messing about
> > > today.
> > >
> > > I think the process should look something like this (I don't want you
> > > all thinking I'm looking for someone to do all my thinking for me):
> > >
> > > 1. Take snapshot of ipamaster (just in case)
> > > 2. [ipamaster2]# ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
> > >    (I should've done this during the ipa-ca-install, but since the ca
> > >    step is so rare, I didn't have it in my wiki notes).
> > > 3. [ipamaster]# reboot
> > >
> > > This reboot will trigger a Cobbler & Puppet-based wipe of the system
> > > and reinstallation of F18 and freeipa-server. While that's going on:
> > >
> > > 4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net 1.2.3.4
> >
> > You need to use ipa-replica-manage to remove the original ipamaster
> > before you can prepare to add a new one.
> >
> > After it is fully removed and replica file generated you need to restart
> > at least 389ds on ipamaster2. This is due to the fact that DS does not
> > purge valid tickets, and it holds a ticket valid for the old ipamaster;
> > however, when you reinstall the new one the name will match, so
> > replication between ipamaster2 -> ipamaster may fail because ipamaster2
> > has a wrong ticket (using old key you just nuked before the reinstall).
>
> Got it. Glad I asked! I'll add these steps to my procedure.
>
> > > When ipamaster is back up:
> > >
> > > 5. [ipamaster]# cd /var/lib/ipa && scp ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .
> >
> > You can copy in /root
>
> I usually do it in /var/lib/ipa I guess because that's where the
> server puts the file, so it makes it easy for me to remember that's
> where it is. But point taken.
>
> > > 6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders
> > >    --setup-ca replica-info-ipamaster.foo.net.gpg
> > >
> > > Usually, there's some reason I need to go back to ipamaster2 and
> > > either delete a dns entry or ipa host-del the system.
> >
> > Uh ? Sounds like this is going to screw up things, why should you delete
> > DNS entries ?
> > ipa host-del of a master is *certainly* going to break replication and
> > basically everything. Is this what you did in your old setup ?
>
> Only if ipa-replica-install said I needed to.

ok this means you previously uninstalled a replica directly on the
machine but did not remove it from the domain, this is bad practice.
you should use ipa-replica-manage before you retire a machine if
possible, otherwise you leave dangling replication agreements, DNS
names, ID ranges (this means you lose ID space), and keys.

> > > After the replica install is done:
> > >
> > > 7. Shut down and delete the ipamaster2 VM.
> >
> > Do not forget to ipa-replica-manage remove it first.
>
> Awesome. This is why I asked.
>
> > > 8. Upgrade existing "replicas" to F18 and latest IPA version.
> > > 9. Establish replication agreements with now-functioning ipamaster.
> > >
> > > Does that sound right?
> >
> > See above.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
>
--
Simo Sorce * Red Hat, Inc * New York
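The retire-then-re-prepare order Simo insists on, written out as an added shell example that is not part of this thread or of FreeIPA itself; the hostnames, the IP address and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuild a FreeIPA master under the
# same hostname in the order described above. Hostnames, the IP address
# and the DRY_RUN switch are assumptions for illustration.
set -eu

# Print the command instead of running it when DRY_RUN=1, so the plan can
# be reviewed before a live topology is touched.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Run on the surviving replica (ipamaster2) while the old master is being
# wiped. $1 = host being rebuilt, $2 = its IP address.
prepare_surviving_replica() {
    old_host="$1"
    new_ip="$2"
    # Remove the old master from the topology first; otherwise dangling
    # replication agreements, DNS names, ID ranges and keys are left behind
    # and the same name cannot be cleanly prepared again.
    run ipa-replica-manage del "$old_host" --force
    # Refuse to continue if the host is still listed as a master.
    if [ "${DRY_RUN:-0}" != "1" ] && ipa-replica-manage list | grep -Fq "$old_host"; then
        echo "refusing to continue: $old_host still in topology" >&2
        return 1
    fi
    run ipa-replica-prepare "$old_host" --ip-address "$new_ip"
    # 389-ds does not purge the service ticket it holds for the old key,
    # so restart IPA (at least dirsrv) before the rebuilt host replicates.
    run ipactl restart
}

# Run on the rebuilt master once it is the CA again, before the temporary
# replica's VM is deleted: drop it from the topology, not just the VM.
retire_temporary_replica() {
    run ipa-replica-manage del "$1" --force
}
```

Run with DRY_RUN=1 first to see the exact sequence that will be executed on each host.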