[Freeipa-users] Replacing the "master"

Martin Kosek mkosek at redhat.com
Tue Sep 8 14:39:51 UTC 2015


On 09/08/2015 04:23 PM, Martin Kosek wrote:
> On 09/06/2015 10:45 PM, Steven Jones wrote:
>>
>> Martin Kosek wrote:
>>> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>>>> Steven Jones wrote:
>>>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>>>> try and remove the last one the master? it says,
>>>>>
>>>>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>>>>> Directory Manager password:
>>>>>
>>>>> Deleting a master is irreversible.
>>>>> To reconnect to the remote master you will need to prepare a new replica file
>>>>> and re-install.
>>>>> Continue to delete? [no]: yes
>>>>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx  and
>>>>> vuwunicoipam003.xxxxxxxxx
>>>>> You will need to reconfigure your replication topology to delete this server.
>>>>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>>>>> Directory Manager password:
>>>>>
>>>>> vuwunicoipam002.xxxxxxxx master
>>>>> vuwunicoipam003.xxxxxxxx master
>>>>> vuwunicoipam001.xxxxxxxx master
>>>>> [root at vuwunicoipam001 thing]#"
>>>>>
>>>>> So how do I re-configure?
>>>>
>>>> Every server is a master. The only differences may be the services running (CA
>>>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>>>> Otherwise they are all equal masters.
>>>>
>>>> This doesn't show the topology. Were I to guess it looks like:
>>>>
>>>>     001
>>>>    /  \
>>>> 002  003
>>>>
>>>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>>>
>>
>> Did that,
>>
>> Topology is now, 
>>
>>       002
>>      /   \
>>  001  -  003
>>
>> We lost 001 so had to promote 002 to the "master".
>>
>> I don't recall nor can I find anything in the docs on this process; maybe update your docs to reflect this essential step?
>>
>>> However, in this case this should not be a problem AFAIK, given that
>>> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3321
>>
>> RHEL6.7, IPA 3.0.
>>
>> I am trying to upgrade to RHEL7.1 and IPA4.1 and want to fix any mistakes made when the setup was first built in RHEL6.2

BTW, this depends on what type of mistakes you made. Not all can be easily fixed
(like a wrong realm, for example).

But overall, there is a decent HOWTO on the migration on these pages:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

>>
>> "Also be aware of the DNA config"
>>
>> oh joy....all these hidden land mines to discover.
>>
>> :(
>>
>> I suppose the next Q is what queries do I have to run in order to collect all the relevant [mis-]config to compare against the ideal and then plan to fix these, and what is the ideal?
> 
> You can check "man ipa-replica-manage" for more practical information about DNA
> range updates and to see the commands that can be used to show or modify the
> DNA ranges with the servers in case something goes wrong.
> 
> I do not think this blocks the migration in any way, you should just be aware
> and know where to look in case user-add starts to fail because of depleted range.
> 
> Martin
> 
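The "will orphan" refusal from ipa-replica-manage del discussed in this thread, worked through as an added example (not FreeIPA's own code): given replication agreements as server pairs, it reports which servers would be cut off from each other when one server is deleted. The agreement lists are constructed from the two topologies drawn above; in practice they would be collected with "ipa-replica-manage list <server>" on each server.

```python
from collections import defaultdict

# Constructed sample data: replication agreements as unordered server pairs,
# mirroring the hub-and-spoke topology guessed in the thread (001 linked to
# 002 and 003). Real pairs come from "ipa-replica-manage list <server>".
AGREEMENTS_BEFORE = [
    ("vuwunicoipam001", "vuwunicoipam002"),
    ("vuwunicoipam001", "vuwunicoipam003"),
]

# Same topology after "ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003".
AGREEMENTS_AFTER = AGREEMENTS_BEFORE + [("vuwunicoipam002", "vuwunicoipam003")]


def build_graph(agreements):
    """Undirected adjacency map; every agreement links both servers."""
    graph = defaultdict(set)
    for a, b in agreements:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def components_after_removal(agreements, server):
    """Connected groups of the remaining servers once `server` is gone.

    More than one group means deleting `server` would leave replicas that
    can no longer replicate with each other (the "will orphan" refusal)."""
    graph = build_graph(agreements)
    remaining = {s for s in graph if s != server}
    components, seen = [], set()
    for start in sorted(remaining):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            group.add(node)
            # Only follow agreements to servers that survive the deletion.
            stack.extend((graph[node] & remaining) - seen)
        components.append(sorted(group))
    return sorted(components)


def is_safe_to_delete(agreements, server):
    """True when removing `server` keeps every other server mutually reachable."""
    return len(components_after_removal(agreements, server)) <= 1
```

With the hub topology, deleting 001 splits 002 and 003 into separate groups; once 002 and 003 are connected, the same deletion is safe.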