[Freeipa-users] Replacing the "master"

Rob Crittenden rcritten at redhat.com
Fri Sep 4 13:16:50 UTC 2015 

Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>> try and remove the last one the master? it says,
>>>
>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx  and
>>> vuwunicoipam003.xxxxxxxxx
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002.xxxxxxxx master
>>> vuwunicoipam003.xxxxxxxx master
>>> vuwunicoipam001.xxxxxxxx master
>>> [root at vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running (CA
>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>> Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>     001
>>    /  \
>> 002  003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>
>> Then you should be able to delete 0001. Just be sure at least one of those
>> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
>> connect to connect that topology.
>>
>> Also be aware of the DNA config. A master doesn't automatically get one. It
>> only gets it when it creates an entry that needs a range.
>
> However, in this case this should not be a problem AFAIK, given that
> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>
> https://fedorahosted.org/freeipa/ticket/3321

Well, Steven didn't mention his version so I assumed 3.0. It doesn't 
hurt to double-check the ranges in advance.

It can still be an issue if one of the masters lacks a DNA range. My 
patch harvests the DNA range but IIRC doesn't reset the DNA master 
server on all other masters. So one may still be pointing to nowhere and 
fail to get a range when needed.

rob

More information about the Freeipa-users mailing list