[Freeipa-users] Replacing the "master"
Rob Crittenden
rcritten at redhat.com
Fri Sep 4 13:16:50 UTC 2015
Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3-node IPA cluster. I have replaced the 2 "slaves"; however, when I
>>> try to remove the last one, the master, it says:
>>>
>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx and
>>> vuwunicoipam003.xxxxxxxxx
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002.xxxxxxxx master
>>> vuwunicoipam003.xxxxxxxx master
>>> vuwunicoipam001.xxxxxxxx master
>>> [root at vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running (CA
>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>> Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>       001
>>      /   \
>>    002   003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>
>> Then you should be able to delete 001. Just be sure at least one of those
>> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
>> connect to connect that topology.
>>
>> Also be aware of the DNA config. A master doesn't automatically get one. It
>> only gets it when it creates an entry that needs a range.
>
> However, in this case this should not be a problem AFAIK, given that
> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>
> https://fedorahosted.org/freeipa/ticket/3321
Well, Steven didn't mention his version so I assumed 3.0. It doesn't
hurt to double-check the ranges in advance.
It can still be an issue if one of the masters lacks a DNA range. My
patch harvests the DNA range but IIRC doesn't reset the DNA master
server on all other masters. So one may still be pointing to nowhere and
fail to get a range when needed.
rob
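The pre-flight checks Rob describes (will deleting this master split the topology, does every remaining master hold a DNA range, and is any master still pointing at a DNA server that no longer exists) as an added worked example. This is not FreeIPA project code and not anything posted in the thread; it runs over constructed text in the shape of what you would capture on the servers first: `ipa-replica-manage list <host>` for each master (one "peer: replica" line per agreement, format assumed from the tool's usual output) and an ldapsearch of the DNA plugin configuration reduced to dnaNextValue/dnaMaxValue plus the dnaHostname values of the shared config entries (389-ds attribute names; dnaNextValue above dnaMaxValue is the documented "never got a range" pattern). Hostnames are placeholders, not the poster's servers.

```python
"""Pre-flight checks before `ipa-replica-manage del`.

Added example, not FreeIPA code. All input below is constructed and stands in
for output you would gather from the real servers.
"""
from collections import defaultdict

MASTERS = ["ipa001.example.test", "ipa002.example.test", "ipa003.example.test"]

# Constructed: agreements seen from each master, matching the hub-and-spoke
# topology guessed in the thread (001 talks to 002 and 003; 002 and 003 don't).
AGREEMENTS = {
    "ipa001.example.test": "ipa002.example.test: replica\nipa003.example.test: replica\n",
    "ipa002.example.test": "ipa001.example.test: replica\n",
    "ipa003.example.test": "ipa001.example.test: replica\n",
}

# Constructed LDIF fragments of cn=Posix IDs,cn=Distributed Numeric Assignment
# Plugin,cn=plugins,cn=config on each master. ipa002 never created an entry
# that needed an ID, so it never received a range (next value past max value).
DNA_CONFIG = {
    "ipa001.example.test": "dnaNextValue: 1601\ndnaMaxValue: 2100\n",
    "ipa002.example.test": "dnaNextValue: 1101\ndnaMaxValue: 1100\n",
    "ipa003.example.test": "dnaNextValue: 2101\ndnaMaxValue: 2600\n",
}
# Constructed: dnaHostname values of the shared DNA config entries under
# cn=posix-ids,cn=dna,cn=ipa,cn=etc,<suffix>. ipa009 is a long-gone master
# whose entry was never cleaned up, so peers may still try to borrow from it.
SHARED_DNA_HOSTS = ["ipa001.example.test", "ipa003.example.test", "ipa009.example.test"]


def parse_agreements(listings):
    """Undirected graph of replication agreements from per-master listings."""
    graph = defaultdict(set)
    for host, text in listings.items():
        _ = graph[host]  # a master with no agreements must still be a node
        for line in text.splitlines():
            if ":" not in line:
                continue
            peer = line.split(":", 1)[0].strip()
            graph[host].add(peer)
            graph[peer].add(host)
    return graph


def components_after_removal(graph, victim):
    """Connected components of the topology once `victim` is deleted."""
    todo = {h for h in graph if h != victim}
    comps = []
    while todo:
        stack = [todo.pop()]
        comp = set(stack)
        while stack:
            for peer in graph[stack.pop()]:
                if peer != victim and peer not in comp:
                    comp.add(peer)
                    stack.append(peer)
        todo -= comp
        comps.append(sorted(comp))
    return sorted(comps)


def connect_commands(graph, victim):
    """`ipa-replica-manage connect` lines that re-join the fragments left
    behind; empty when the remaining masters are already connected."""
    comps = components_after_removal(graph, victim)
    return [f"ipa-replica-manage connect {a[0]} {b[0]}" for a, b in zip(comps, comps[1:])]


def parse_dna(ldif):
    """(dnaNextValue, dnaMaxValue) from a DNA plugin config fragment."""
    vals = {}
    for line in ldif.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            vals[key.strip()] = value.strip()
    return int(vals["dnaNextValue"]), int(vals["dnaMaxValue"])


def masters_without_range(dna_config):
    """Masters that never received a DNA range."""
    return sorted(h for h, ldif in dna_config.items()
                  if parse_dna(ldif)[0] > parse_dna(ldif)[1])


def stale_dna_hosts(shared_hosts, masters):
    """Shared DNA config entries naming a host that is not a master any more."""
    return sorted(set(shared_hosts) - set(masters))


if __name__ == "__main__":
    graph = parse_agreements(AGREEMENTS)
    victim = MASTERS[0]
    for cmd in connect_commands(graph, victim):
        print("run before deleting", victim + ":", cmd)
    print("masters with no DNA range:", masters_without_range(DNA_CONFIG))
    remaining = [m for m in MASTERS if m != victim]
    print("stale DNA hosts after deletion:", stale_dna_hosts(SHARED_DNA_HOSTS, remaining))
```

The script knows nothing about which masters run a CA, so the CA topology still has to be checked with `ipa-csreplica-manage list` and reconnected separately, as Rob notes. A master in the "no DNA range" list can still serve reads and replication; it only fails when it is first asked to allocate a UID/GID with no live peer to borrow a range from, which is exactly the case the stale-host list is meant to catch.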