[Freeipa-users] CentOS 6 -> 7 migration

Greg gkubok at gmail.com
Sun Feb 26 12:47:55 UTC 2017


I've had success going from RHEL6 to RHEL7 and IPA 3.0 to 4.4, without
losing any data/objects/clients. It is as you found though, through
replication.

I've followed this guide for IPA upgrade:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

And this guide for in-situ RHEL6 to 7 upgrade, not sure if/how applicable
that is to CentOS, but if you can get away doing fresh OS installs, that's
always better (I couldn't, very limited access to hardware/BIOS):

https://access.redhat.com/solutions/637583

For IPA upgrade, you definitely want a replica. Well, just another machine
on the same network really to help you migrate and you can later go back to
using just the one IPA server. As suggested by Rob, you could nominate one
of your IPA clients as a replica temporarily (though if that's CentOS 6,
it'd need OS upgrade too).

In my case I already had two replicas, and I had done the following
(deviating slightly from Red Hat's guide, that says use 3rd/fresh machine,
then decomm old ones):

- Removed one RHEL6 replica, uninstalled IPA 3.0 on it, trashed the config
etc, made it into as clean RHEL 6 as possible (even yum remove ipa-server
etc).
- Upgraded that cleaned up RHEL6 ex-replica to RHEL7 in-situ, and installed
IPA 4.4 server.
- Joined the freshly upgraded and empty RHEL7/IPA4.4 to existing realm and
moved CA renewal service to it (important).
- Repeated the steps on the other replica (remove from replication,
uninstall/trash everything to have as clean RHEL6 as possible, upgraded to
RHEL7, install IPA 4.4, re-join).

In a way your steps would be even easier, cause you can ignore step 1, and
just use a fresh machine. If you still want to end up with just 1 IPA
server, then you'd introduce new CentOS 7 / IPA 4.4 replica (new machine on
the same network, or existing client nominated to be a server for duration
of migration), make sure clients can connect to it / are aware of it, move
CA renewal to it, remove existing/old IPA from replication, clean it,
upgrade to CentOS 7 / IPA 4.4 (or re-install OS from scratch), re-introduce
into replication, move CA renewal back to it, and finally remove the new
machine replica, so that you're left with your original machine in an
upgraded state.

Hope that makes sense. If you can avoid in-situ 6 to 7 OS upgrade and do
fresh OS installs between the replica migrations, all the better, as it can
be a bit of an added nuisance (trawling all the *.rpmnew config files and
making sure everything is correct).

--
Thanks,

Greg Kubok.

On 26 February 2017 at 11:08, Rob Verduijn <rob.verduijn at gmail.com> wrote:

> Upgrading centos6 to 7 is not a smart thing, unless you like to suffer a
> lot of issues.
>
> Then there are many compatibility issues regarding the upgrade from ipa3.3
> to 4.4
>
> You should consider setting up a temporary vm to migrate from.
> On one of your client systems, I assume you got at least 1 ipa client
>
> Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your
> current system to a vm  (side effect : instant full backup)
>
> When you got the vm up and running you can reinstall your main system with
> the new os and ipa.
> Then replicate the old ipa to the new one.
>
> Rob Verduijn
>
>
>
> 2017-02-26 0:45 GMT+01:00 Ian Pilcher <arequipeno at gmail.com>:
>
>> Is there any way to migrate an IPA server from 6 -> 7 without losing all
>> of the IPA configuration and data?  All of the documentation I can find
>> involves setting up a replica, replicating the data over, and then
>> decommissioning the old system; not exactly an option with a single
>> system.
>>
>> --
>> ========================================================================
>> Ian Pilcher                                         arequipeno at gmail.com
>> -------- "I grew up before Mark Zuckerberg invented friendship" --------
>> ========================================================================
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>



-- 
Thanks,

Greg.
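
A check for the ordering described in the message above (move CA renewal to the new replica before removing the old server), added here as an example and not part of the original thread. It assumes the `IPA CA servers` and `IPA CA renewal master` lines that `ipa config-show` prints on IPA 4.4; the hostnames and sample text are constructed.

```bash
#!/bin/bash
# Constructed `ipa config-show` excerpts (hostnames are made up). The two
# field labels are assumed to match what IPA 4.4 prints.
BEFORE='  IPA masters: ipa-old.example.test, ipa-new.example.test
  IPA CA servers: ipa-old.example.test, ipa-new.example.test
  IPA CA renewal master: ipa-old.example.test'
AFTER='  IPA masters: ipa-old.example.test, ipa-new.example.test
  IPA CA servers: ipa-old.example.test, ipa-new.example.test
  IPA CA renewal master: ipa-new.example.test'

# Print the value of one "Label: value" line from config-show text on stdin.
config_field() {
    awk -v label="$1" -F': ' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == label { print $2; exit }'
}

# safe_to_remove HOST CONFIG_TEXT
# 0 = HOST can be removed; 1 = HOST still holds a CA role nobody else
# has; 2 = the config text names no renewal master at all.
safe_to_remove() {
    local host="$1" config="$2" master cas others
    master=$(printf '%s\n' "$config" | config_field 'IPA CA renewal master')
    cas=$(printf '%s\n' "$config" | config_field 'IPA CA servers')
    if [ -z "$master" ]; then
        echo "no CA renewal master reported" >&2
        return 2
    fi
    if [ "$master" = "$host" ]; then
        echo "$host is still the CA renewal master" >&2
        return 1
    fi
    # Count the CA servers that remain once HOST is gone.
    others=$(printf '%s\n' "$cas" | awk -v host="$host" -F', *' '
        { for (i = 1; i <= NF; i++) if ($i != "" && $i != host) n++ }
        END { print n + 0 }')
    if [ "$others" -lt 1 ]; then
        echo "no CA server would remain after removing $host" >&2
        return 1
    fi
    return 0
}

# On a live server: safe_to_remove "$OLD_HOST" "$(ipa config-show)"
if safe_to_remove ipa-old.example.test "$AFTER"; then
    echo "renewal master has moved; ipa-old.example.test can be removed"
fi
```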