[Freeipa-users] upgrade 3.0 -> 4.1

Martin Kosek mkosek at redhat.com
Wed Apr 8 06:41:22 UTC 2015 

On 04/07/2015 11:29 PM, Dmitri Pal wrote:
> On 04/07/2015 03:04 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal <dpal at redhat.com
>> <mailto:dpal at redhat.com>> wrote:
>>
>>     On 04/03/2015 09:46 AM, Brian Topping wrote:
>>>>     On Apr 3, 2015, at 6:48 AM, Tamas Papp<tompos at martos.bme.hu> 
>>>> <mailto:tompos at martos.bme.hu>  wrote:
>>>>
>>>>     hi All,
>>>>
>>>>     I have CentOS 6.6 server and want to upgrade to 7.1.
>>>>
>>>>     What is the upgrade path, can I do it directly or first I need to make
>>>> it to 3.3?
>>>>     Also is there any known issue I should expect with workarounds?
>>>     I just did this yesterday, so here's my experience. If you have a simple
>>> single-server installation with no custom LDAP DIT modifications, you should
>>> find "yum upgrade" does the right thing.
>>>
>>>     If you do have DIT mods, you should ask yourself why they are there and
>>> whether the data will still be accessible after the ACLs are changed. In my
>>> case, I had Postfix using a LDAP hash and mail delivery stopped working
>>> (although the domain data was still there just fine).
>>>
>>>     Note that the ACLs will propagate from the 4.1 server to your 3.0 if
>>> they are replicated. To be safe, back up all replicas (snapshot or whatnot)
>>> before the first upgrade and if you decide to restore any of them, be sure
>>> everything is shut down and restore all of them to avoid 4.x schema
>>> contaminating 3.0 as they come up.
>>
>>
>>     The general recommendation for 3.3 -> 4.1 migration is to start
>>     introducing 4.1 replicas into your 3.3 environment and then turn
>>     your 3.3 replicas off. Do not forget to install the CA component
>>     with one of your 4.1 replicas before removing all the 3.3
>>     instanced with CAs. With this procedure you would also need to
>>     move the CRL generation and cert tracking.
>>
>>     See details in migration section
>>    
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>
>>
>>
>>  Will this excellent documentation work too on the migration from 3.0x (rhel
>> 6) to 4.1.x (rhel 7.1)?
>>
>> I will be migrating the coming months to 7.1 or 7.2 (whichever is the current
>> stable then), so just wondering.
> 
> Yes, though it is recommended to get to the latest 6.x first before you start
> introducing 7.x replicas.

Strongly recommended I would say. Before adding RHEL-7.1 replica, please update
to RHEL-6.6 + all it's z-streams to avoid compatibility issues in Directory
Server or bind-dyndb-ldap if you are using DNS forward zones.

HTH,
Martin

More information about the Freeipa-users mailing list