Hello François,
Thank you for your answer. As you may have guessed, I am very new to FreeIPA, so please don't get annoyed. If you point me to the documentation for a topic I can begin to work with that.

On Wed, 5 Aug 2020 at 13:49, François Cami <fcami@redhat.com> wrote:
Hi,

On Wed, Aug 5, 2020 at 1:34 PM Boris Behrens via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> I have two FreeIPA servers which are running on an old operating system (Fedora26) and I want to migrate them to CentOS8.

Are these two hosts identical in terms of roles? E.g. if you use the
integrated CA, do you have the CA installed on both?
Yes, both IPA servers hold the CA. AFAIK both systems work in a master-master construct.
 
> Because there are not enough resources in our mgmt cluster I need to shut one of them down and reinstall with the new OS (while keeping the name), let them sync and so on.

Keeping the name will probably not work as-is. You would need to
remove it from the cluster first and make sure you have no objects in
the LDAP tree referencing it before adding a new one with the same
name.
Oh, that does not sound that easy, but I think it is doable for me.
 
However, it is dangerous to remove one of your two servers before
having added a complete third member for data loss reasons: having a
single copy of your data at any point in time is not reasonable.
This is one of my troubling points, but I think I could take the risk. Both are KVM virtualized, so I could create regular snapshots of the qemu image and move it elsewhere. There aren't many changes. We use it primarily for SSSD authentication and DNS.
 
> But here is the issue: We have systems that talk only to ipa1 and systems that talk only to ipa2. I would like to add the IP address of ipa2 to ipa1 and then proceed with the migration.

I don't think this would work OOTB for the reason you expose below.

> There is no option to make changes to those systems. They will get removed from our infrastructure but this may take another year, and I don't want to wait any longer with the migration.

"to those systems" = to the client systems, right?
Yes.

> Is this even possible? I can think of problems with certificates that say "I am ipa1" when a system expects ipa2 to answer.
>
> It would be really nice if someone could help me solve the problem.

Your constraints are too strict for this migration.
Pardon? I don't understand? My constraints are:
* ipa1 and ipa2 need to be reachable while we migrate (they could live on one single instance for the migration time)
* I have not enough hardware to afford another IPA VM with 8GB RAM (you wouldn't believe how tight the mgmt hardware is packed)

First, do you have full backups (ipa-backup) of both replicas?
Not yet. This is something I plan to implement ASAP.

ipa-restore cannot restore these on anything but identical OS images
than the backup they were taken on, but this would add some safety to
what you will be attempting.
It would if it could. It would make the migration super easy, if I understand it correctly.

Then, to do this safely you will have to add a new CentOS8 replica
(ipa3) to your cluster, make sure it has all the roles (CA, KRA if
you're using it, DNS, etc), promote the new replica's CA to Renewal
and CRL Master, then remove one of the Fedora 26 replicas, replace it
with a CentOS8 replica, same with the last Fedora 26 instance. Thus
you would end up with ipa1 and ipa2 again, plus ipa3 if you care to
keep it. If you do not, remember to promote the new ipa1 to Renewal
and CRL Master first.
Is it possible to rename the IPA server afterwards?
Maybe I could shrink the memory size from 8GB to 4GB while I am migrating. This would solve some of the "not enough hardware"-issues. A colleague told me that IPA is very memory hungry, and in fact it uses the whole memory the VM provides.

But you probably knew that and it is not the "help" you were looking
for, considering your hardware constraints.

:-)