[Freeipa-users] Fwd: Scorched earth
Bret Wortman
bret.wortman at damascusgrp.com
Thu Aug 29 13:24:48 UTC 2013
Agreed, but not always possible. I had a replica crash hard and it wasn't
possible to remove it.
In other news:
[ipamaster2]# ipa-ca-install replica-info-ipamaster2.spx.net.gpg
A selfsign CA can not be added
Is there a way around this? How can I ensure that I can transfer the CA
back to ipamaster after it's been erased & reinstalled?
--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
On Thu, Aug 29, 2013 at 9:21 AM, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:
> > On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce <simo at redhat.com> wrote:
> > > On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> > > > Okay, I have a replica built and running. My original, "sick" server
> > > > is ipamaster and the new one is ipamaster2. All I've done thus far on
> > > > ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders
> > > > replica-info-ipamaster2.foo.net.gpg.
> > > >
> > > > What additional steps do I need to take to ensure that the process of
> > > > shutting down ipamaster, wiping it out, building it up fresh and then
> > > > replicating ipamaster2 back to ipamaster and making ipamaster again
> > > > the center of the universe and my certificate authority work
> > > > correctly, cleanly, and with minimal fuss? Given the mess I got our
> > > > servers already, I figured I should ask before I start messing about
> > > > today.
> > > >
> > > > I think the process should look something like this (I don't want you
> > > > all thinking I'm looking for someone to do all my thinking for me):
> > > >
> > > > 1. Take snapshot of ipamaster (just in case)
> > > > 2. [ipamaster2]# ipa-ca-install /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
> > > > (I should've done this during the ipa-ca-install, but since the ca step
> > > > is so rare, I didn't have it in my wiki notes).
> > > > 3. [ipamaster]# reboot
> > > >
> > > > This reboot will trigger a Cobbler & Puppet-based wipe of the system
> > > > and reinstallation of F18 and freeipa-server. While that's going on:
> > > >
> > > > 4. [ipamaster2]# ipa-replica-prepare ipamaster.foo.net 1.2.3.4
> > >
> > > You need to use ipa-replica-manage to remove the original ipamaster
> > > before you can prepare to add a new one.
> > >
> > > After it is fully removed and replica file generated you need to restart
> > > at least 389ds on ipamaster2. This is due to the fact that DS does not
> > > purge valid tickets, and it holds a ticket valid for the old ipamaster;
> > > however when you reinstall the new one the name will match, so replication
> > > between ipamaster2 -> ipamaster may fail because ipamaster2 has a wrong
> > > ticket (using the old key you just nuked before the reinstall).
> >
> > Got it. Glad I asked! I'll add these steps to my procedure.
> >
> > > > When ipamaster is back up:
> > > >
> > > > 5. [ipamaster]# cd /var/lib/ipa && scp
> > > > ipamaster2:/var/lib/ipa/replica-info-ipamaster.foo.net.gpg .
> > >
> > > You can copy in /root
> >
> > I usually do it in /var/lib/ipa I guess because that's where the
> > server puts the file, so it makes it easy for me to remember that's
> > where it is. But point taken.
> >
> > > > 6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders
> > > > --setup-ca replica-info-ipamaster.foo.net.gpg
> > > >
> > > > Usually, there's some reason I need to go back to ipamaster2 and
> > > > either delete a dns entry or ipa host-del the system.
> > >
> > > Uh? Sounds like this is going to screw up things, why should you delete
> > > DNS entries?
> > > ipa host-del of a master is *certainly* going to break replication and
> > > basically everything. Is this what you did in your old setup?
> >
> > Only if ipa-replica-install said I needed to.
>
> ok this means you previously uninstalled a replica directly on the
> machine but did not remove it from the domain, this is bad practice.
> you should use ipa-replica-manage before you retire a machine if
> possible, otherwise you leave dangling replication agreements, DNS
> names, ID ranges (this means you lose ID space), and keys.
>
> > > > After the replica install is done:
> > > >
> > > > 7. Shut down and delete the ipamaster2 VM.
> > >
> > > Do not forget to ipa-replica-manage remove it first.
> >
> > Awesome. This is why I asked.
> >
> > > > 8. Upgrade existing "replicas" to F18 and latest IPA version.
> > > > 9. Establish replication agreements with now-functioning ipamaster.
> > > >
> > > > Does that sound right?
> > >
> > > See above.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> --
> Simo Sorce * Red Hat, Inc * New York
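The corrected sequence from the thread, written up as a dry-run-capable shell script. This is an added example, not a script from the thread or from FreeIPA; it assumes the hostnames used in the thread, a placeholder IP address, that `ipactl restart` is acceptable where Simo asks for at least a 389-ds restart, and that the replica file is copied into /root as Simo suggests.

```shell
#!/bin/sh
# Added example, not from the thread: the rebuild in the order Simo gives.
# Assumptions: hostnames from the thread, NEW_IP is a constructed placeholder,
# the replica file lands in /root, DRY_RUN=1 prints commands instead of
# running them (the functions must otherwise run on the host named).
set -eu

OLD_MASTER=${OLD_MASTER:-ipamaster.foo.net}    # master being wiped and rebuilt
TEMP_MASTER=${TEMP_MASTER:-ipamaster2.foo.net} # temporary master
NEW_IP=${NEW_IP:-1.2.3.4}                      # placeholder, not a real address

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# On ipamaster2, after ipamaster has been shut down:
# 1. remove the old master from the topology (agreements, DNS records,
#    ID ranges and keys go with it); --force lets this succeed when the
#    host is already unreachable, as after a hard crash;
# 2. restart the services so 389-ds drops the ticket it still holds for
#    the old ipamaster key, which the rebuilt host of the same name will
#    no longer have;
# 3. only then prepare a replica file for the rebuilt host.
retire_old_master() {
    run ipa-replica-manage list
    run ipa-replica-manage del "$OLD_MASTER" --force
    run ipactl restart
    run ipa-replica-prepare "$OLD_MASTER" --ip-address "$NEW_IP"
}

# On the rebuilt ipamaster, after scp of the replica file into /root.
# --setup-ca cannot work for a selfsign CA (the "A selfsign CA can not be
# added" error in the thread), only for a dogtag-based CA.
reinstall_old_master() {
    run ipa-replica-install --setup-dns --no-forwarders --setup-ca \
        "/root/replica-info-${OLD_MASTER}.gpg"
}

# On the rebuilt ipamaster, before the ipamaster2 VM is deleted:
# ipa-replica-manage del, never ipa host-del of a master.
retire_temp_master() {
    run ipa-replica-manage del "$TEMP_MASTER"
}
```

Run with `DRY_RUN=1` first to review the exact command order before running any of the three functions on the host they are written for.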