[Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?

Petr Vobornik pvoborni at redhat.com
Thu Nov 10 17:48:49 UTC 2016


On 11/09/2016 02:39 PM, Chris Dagdigian wrote:
> 
> Thanks to support from folks on this list I have a 3-node multi-site
> replicating FreeIPA system supporting a number of 1-way trusts to
> various AD Forests. Testing has gone well and it's clear that this "POC"
> will soon transition to production.
> 
> Because of the importance of this system to our environment I'm trying
> to flesh out a proper strategy for testing upgrades and updates in a way
> that lets us keep our system highly available and online.
> 
> And seeing how rapidly this software is being developed w/ new features
> and how dependent we are on the most recent version (or how badly I want
> to try the version in RHEL-BETA-3) I think this is a system we will
> possibly be upgrading somewhat often ...
> 
> I understand that replicas can run newer versions of IPA/IDM than the
> master so that is one path by which we can carefully test updates and
> patches but I don't think that covers all the scenarios ...

But be careful how much you want to test using this method. Setting up a
new replica in a prod environment should not be used as a playground.
Usually new versions of IPA modify some existing data in LDAP - schema
changes, addition of some value here and there to support new features.
Since IPA uses master-master replication, all these changes are
replicated to all other replicas (the older ones). It is fine because
the changes are backwards compatible but they cannot be undone by
removing the new replica.

> 
> Can anyone share strategies or war stories for how testing is done in
> support of production IPA/IDM environments? Especially when Trusts need
> to be set up with many external AD systems?
> 
> Do people run discrete standalone dev/test IPA domains/realms to create
> isolated environments or is there some other good strategy that allows
> testing to be done within the same domain/realm?
> 
> Thanks!
> 
> -Chris
> 


-- 
Petr Vobornik



