[Freeipa-users] Difference between Masters and Replicas?

Rob Crittenden rcritten at redhat.com
Wed Jul 16 13:52:23 UTC 2014


Bill Peck wrote:
> 
> 
> 
> On Wed, Jul 16, 2014 at 9:03 AM, Petr Viktorin <pviktori at redhat.com
> <mailto:pviktori at redhat.com>> wrote:
> 
>     On 07/16/2014 02:34 PM, Choudhury, Suhail wrote:
> 
>         Hi,
> 
>         I'd like some clarification on what a "master" and "replica" is
>         please.
> 
> 
>     Once installed, all masters are identical (except some might have a
>     CA and some not).
>     The distinction is useful when installing a replica, where "master"
>     and "replica" generally mean "existing master" and "new master",
>     respectively.
> 
> 
>         This doc suggests you start with 1 master and a replica can be
>         promoted
>         to a master by changing "/var/lib/pki-ca/conf/CS.cfg":
>         http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
> 
> 
>     That doc is ancient (Fedora 15), don't use it.
> 
> 
>         However IPA is supposed to be multi-master replication, and
>         replication agreements appear to be two-way when checking
>         "ipa-replica-manage list hostname" on a given IPA server.
> 
>         So when creating a replica using:
> 
>         ipa-replica-install --setup-ca --setup-dns --forwarder=172.20.220.25
>         --forwarder=172.20.220.27 /root/replica-info-ipa01.domain.com.gpg
> 
>         am I creating another "master replica"?
> 
> 
>     Yes, you're creating a new master; since you gave --setup-ca the two
>     masters will be equivalent.
> 
> 
> So you no longer need to do anything to promote a replica to be a CA
> master?  Another way to ask the question, can I remove the original
> master and everything will still work?

"All masters are equal" is a bit of a loaded term. From the NSS data
perspective that is true, including DNS data whether a given master
actually runs bind or not.

The distinction comes in with the CA. It has its own replication
topology and not every master needs to run one. We recommend at least two.

There are two things that are only done on one IPA master with a CA:
generating the CRL and managing renewal of the CA subsystem certificates.

The initial IPA server installed is picked as the one to do these two
tasks but it can be done by any of them. How to change it is documented
at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

rob
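An added example, not part of the thread: given each CA master's CS.cfg, report which one is configured to generate the CRL and flag a topology with zero or several CRL masters. The CS.cfg key names are taken from the promotion Howto and are an assumption to verify against your Dogtag version; the hostnames and config text are constructed samples.

```python
from typing import Dict, List

# Assumption: these CS.cfg keys are the ones flipped when promoting a CA
# clone to CRL master (check them against your own /.../CS.cfg).
CRL_MASTER_KEYS = {
    "ca.crl.MasterCRL.enableCRLCache": "true",
    "ca.crl.MasterCRL.enableCRLUpdates": "true",
}

def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse Dogtag's CS.cfg: one key=value per line, '#' starts a comment."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # keep '=' inside the value intact
            cfg[key.strip()] = value.strip()
    return cfg

def crl_role(cfg: Dict[str, str]) -> str:
    """'master' if all CRL flags are on, 'clone' if all off, else 'inconsistent'."""
    flags = [cfg.get(k, "false").lower() == v for k, v in CRL_MASTER_KEYS.items()]
    if all(flags):
        return "master"
    return "clone" if not any(flags) else "inconsistent"

def audit_crl_masters(configs: Dict[str, str]) -> Dict[str, object]:
    """Map host -> role and list problems; exactly one CRL master is expected."""
    roles = {host: crl_role(parse_cs_cfg(text)) for host, text in configs.items()}
    problems: List[str] = [f"{h}: CRL settings half-configured"
                           for h, r in roles.items() if r == "inconsistent"]
    masters = sorted(h for h, r in roles.items() if r == "master")
    if len(masters) != 1:
        problems.append(f"expected exactly 1 CRL master, found {len(masters)}: {masters}")
    return {"roles": roles, "problems": problems}

# Constructed sample: ipa01 generates the CRL, ipa02 is a plain CA clone.
SAMPLE_CONFIGS = {
    "ipa01.example.com": "# CS.cfg excerpt\nca.crl.MasterCRL.enableCRLCache=true\n"
                         "ca.crl.MasterCRL.enableCRLUpdates=true\n",
    "ipa02.example.com": "ca.crl.MasterCRL.enableCRLCache=false\n"
                         "ca.crl.MasterCRL.enableCRLUpdates=false\n",
}

if __name__ == "__main__":
    print(audit_crl_masters(SAMPLE_CONFIGS))
```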



