Other issues have kept me from returning to this topic and I haven't yet made any further progress, so I'll just say thanks now for the advice - thanks a lot!

Regards
Angus


From: Rob Crittenden <rcritten@redhat.com>
Sent: Tuesday, April 7, 2020 5:15:41 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Angus Clarke <post@angusclarke.com>
Subject: Re: [Freeipa-users] EL7 Upgrades
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> Our environment has grown and as additional IPA servers have been added,
> different versions have been deployed. I am looking to bring IPA servers
> up to the latest version for EL7 and wanted some guidance or reassurance.
>
> Here are my versions, they are all VMWare VMs:
>
> idm001 ipa-server-4.5.4-10.0.1.el7.x86_64     Red Hat Enterprise Linux Server release 7.4 (Maipo) * UPGRADED *
> idm002 ipa-server-4.5.0-22.0.1.el7_4.x86_64   Red Hat Enterprise Linux Server release 7.4 (Maipo) * CA MASTER *
> idm003 ipa-server-4.5.0-22.0.1.el7_4.x86_64   Red Hat Enterprise Linux Server release 7.4 (Maipo)
> idm004 ipa-server-4.5.0-22.0.1.el7_4.x86_64   Red Hat Enterprise Linux Server release 7.4 (Maipo)
> idm005 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm006 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm007 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm008 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
> idm009 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
> idm010 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
>
> I have upgraded idm001 without issue, the path was:
>
> 1) take VMWare snapshot
> 2) ipactl stop
> 3) yum update (channel with latest EL versions)
> 4) reboot
> 5) after a day or so, remove VMWare snapshot
>
> and it now shows:
>
> idm001 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
>
> Post upgrade checks on idm001:
>
> I see network connections to port 88 and 389
> I can obtain a kerberos ticket through kinit
> I can login through the web interface and issue ipa commands.
> I don't see anything particularly alarming in log files.
>
> I understand the distributed LDAP schema was already up-to-date due to
> the roll out of idm005-006 on EL7.7/ipa-server-4.6.5-11.0.1.el7_7.4.
>
> I'm particularly concerned about upgrading idm002, my CA server -
> perhaps I should upgrade through each EL iteration? Are VMWare snapshots
> a suitable roll back mechanism for IPA (and IPA CA master) server upgrades?

Yes and yes, especially given your already mixed versions.

Given you have other CAs in your network there is nothing too special
about idm002 other than it has the additional role as CA renewal master.

> I was reading Rob's reply to Christian Reiss regarding his upgrade path
> to EL8 (bookmarked for future reference). I don't have the
> ipa-crlgen-manage command on my CA server (presumably due to the older
> version) to check if it is the CRL generator - I assume it is though,
> although in any case I'm unsure of the relevance with this EL7 series of
> ipa-server.

There are instructions at
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
which can tell you which one is doing it. If you aren't using CRLs at
all then this is probably not super important but you want to avoid
having 2 or more masters generating one since there is a race condition
where separate CAs could generate different, but otherwise valid, CRLs.

> All my IPA servers have CA capability except for idm001 - I presume I
> deployed it incorrectly in the first place. I would like to add CA
> facility to it, perhaps this is for a different thread though ...

ipa-ca-install should do it but yeah, I'd probably focus on getting the
other masters up to 7.7 or 7.8 before trying to add on the CA. You don't
necessarily need a CA on every master. You want to avoid single point of
failure but you don't need it everywhere.

rob
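The check Rob points to, as an added example that is not part of the thread or of FreeIPA itself: given one CS.cfg collected from each CA master, it reports which masters have CRL generation switched on and flags the two-or-more-generators case. It assumes the switch is the ca.crl.MasterCRLEnabled key in /etc/pki/pki-tomcat/ca/CS.cfg, as the linked howto describes, and uses constructed sample files rather than real ones.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Reads one CS.cfg
# per master (collected beforehand) and reports which masters generate a CRL,
# flagging the race Rob describes: two or more generators. Assumption: the
# switch is ca.crl.MasterCRLEnabled in /etc/pki/pki-tomcat/ca/CS.cfg.

# Print "<host> enabled" or "<host> disabled" for one master's CS.cfg.
crl_state() {
    host=$1 cfg=$2
    if grep -q '^ca\.crl\.MasterCRLEnabled=true' "$cfg"; then
        echo "$host enabled"
    else
        echo "$host disabled"
    fi
}

# Args: host=/path/to/CS.cfg pairs. Prints one line per master, then returns
# 0 for exactly one generator, 1 for none, 2 for more than one.
check_crl_generators() {
    count=0
    for pair in "$@"; do
        host=${pair%%=*} cfg=${pair#*=}
        state=$(crl_state "$host" "$cfg")
        echo "$state"
        case $state in *" enabled") count=$((count + 1)) ;; esac
    done
    if [ "$count" -eq 1 ]; then return 0; fi
    if [ "$count" -eq 0 ]; then echo "no CRL generator configured"; return 1; fi
    echo "$count masters generate a CRL: expect divergent but valid CRLs"
    return 2
}

# Constructed sample configs (not real files) so the check runs offline.
make_samples() {
    dir=$(mktemp -d)
    printf 'ca.crl.MasterCRLEnabled=true\n'  > "$dir/idm002.cfg"
    printf 'ca.crl.MasterCRLEnabled=false\n' > "$dir/idm003.cfg"
    printf 'ca.crl.MasterCRLEnabled=true\n'  > "$dir/idm005.cfg"
    echo "$dir"
}

samples=$(make_samples)
check_crl_generators "idm002=$samples/idm002.cfg" "idm003=$samples/idm003.cfg" \
    "idm005=$samples/idm005.cfg" || echo "exit status $?"
```

On real masters, copy each server's CS.cfg to one place and pass the host=path pairs in the same way; a return of 2 is the condition to fix before touching the CA master.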