[Freeipa-users] upgrade 3.0 -> 4.1
Martin Kosek
mkosek at redhat.com
Wed Apr 8 06:41:22 UTC 2015
On 04/07/2015 11:29 PM, Dmitri Pal wrote:
> On 04/07/2015 03:04 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal <dpal at redhat.com
>> <mailto:dpal at redhat.com>> wrote:
>>
>> On 04/03/2015 09:46 AM, Brian Topping wrote:
>>>> On Apr 3, 2015, at 6:48 AM, Tamas Papp<tompos at martos.bme.hu>
>>>> <mailto:tompos at martos.bme.hu> wrote:
>>>>
>>>> hi All,
>>>>
>>>> I have CentOS 6.6 server and want to upgrade to 7.1.
>>>>
>>>> What is the upgrade path, can I do it directly or first I need to make
>>>> it to 3.3?
>>>> Also is there any known issue I should expect with workarounds?
>>> I just did this yesterday, so here's my experience. If you have a simple
>>> single-server installation with no custom LDAP DIT modifications, you should
>>> find "yum upgrade" does the right thing.
>>>
>>> If you do have DIT mods, you should ask yourself why they are there and
>>> whether the data will still be accessible after the ACLs are changed. In my
>>> case, I had Postfix using a LDAP hash and mail delivery stopped working
>>> (although the domain data was still there just fine).
>>>
>>> Note that the ACLs will propagate from the 4.1 server to your 3.0 if
>>> they are replicated. To be safe, back up all replicas (snapshot or whatnot)
>>> before the first upgrade and if you decide to restore any of them, be sure
>>> everything is shut down and restore all of them to avoid 4.x schema
>>> contaminating 3.0 as they come up.
>>
>>
>> The general recommendation for 3.3 -> 4.1 migration is to start
>> introducing 4.1 replicas into your 3.3 environment and then turn
>> your 3.3 replicas off. Do not forget to install the CA component
>> with one of your 4.1 replicas before removing all the 3.3
>> instanced with CAs. With this procedure you would also need to
>> move the CRL generation and cert tracking.
>>
>> See details in migration section
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>
>>
>>
>> Will this excellent documentation work too on the migration from 3.0x (rhel
>> 6) to 4.1.x (rhel 7.1)?
>>
>> I will be migrating the coming months to 7.1 or 7.2 (whichever is the current
>> stable then), so just wondering.
>
> Yes, though it is recommended to get to the latest 6.x first before you start
> introducing 7.x replicas.
Strongly recommended I would say. Before adding RHEL-7.1 replica, please update
to RHEL-6.6 + all it's z-streams to avoid compatibility issues in Directory
Server or bind-dyndb-ldap if you are using DNS forward zones.
HTH,
Martin
More information about the Freeipa-users
mailing list