Hello
Our environment has grown and as additional IPA servers have been added, different
versions have been deployed. I am looking to bring IPA servers up to the latest version
for EL7 and wanted some guidance or reassurance.
Here are my versions; they are all VMware VMs:
idm001 ipa-server-4.5.4-10.0.1.el7.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo) * UPGRADED *
idm002 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo) * CA MASTER *
idm003 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo)
idm004 ipa-server-4.5.0-22.0.1.el7_4.x86_64 Red Hat Enterprise Linux Server release 7.4 (Maipo)
idm005 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
idm006 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
idm007 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
idm008 ipa-server-4.6.5-11.0.1.el7_7.3.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
idm009 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
idm010 ipa-server-4.6.4-10.0.1.el7_6.6.x86_64 Red Hat Enterprise Linux Server release 7.6 (Maipo)
I have upgraded idm001 without issue; the path was:
1) take VMware snapshot
2) ipactl stop
3) yum update (channel with latest EL versions)
4) reboot
5) after a day or so, remove VMware snapshot
and it now shows:
idm001 ipa-server-4.6.5-11.0.1.el7_7.4.x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)
Post-upgrade checks on idm001:
I see network connections to ports 88 and 389.
I can obtain a Kerberos ticket through kinit.
I can log in through the web interface and issue ipa commands.
I don't see anything particularly alarming in log files.
I understand the distributed LDAP schema was already up to date due to the rollout of
idm005-006 on EL7.7/ipa-server-4.6.5-11.0.1.el7_7.4.
I'm particularly concerned about upgrading idm002, my CA server - perhaps I should
upgrade through each EL iteration? Are VMware snapshots a suitable rollback mechanism for
IPA (and IPA CA master) server upgrades?
I was reading Rob's reply to Christian Reiss regarding his upgrade path to EL8
(bookmarked for future reference). I don't have the ipa-crlgen-manage command on my CA
server (presumably due to the older version) to check if it is the CRL generator - I assume it
is, although in any case I'm unsure of the relevance with this EL7 series of
ipa-server.
All my IPA servers have CA capability except for idm001 - I presume I deployed it
incorrectly in the first place. I would like to add the CA facility to it; perhaps this is for
a different thread though ...
Thank you for any feedback.
Regards
Angus