12:32 p.m.
Hey folks,
Running a 3-node FreeIPA Installation. All is well, but I am now
upgrading all VMs, including my three IPA Servers from Centos 7 to 8.
As the Upgrade for Centos 7 to 8 is a complete reinstall I would need
to, one at a time, upgrade an IPA server. The IP and FQDN would remain
the same.
- I read several documents out there and some say decommission one,
reinstall and add it again.
- Others go for replica-prepare and go from there.
- What about simply backup up the data direcory and restore that?
Maybe there is a recommended way?
I tried doing this some months ago for a failed server, and I got an
issue about replication agreement already existing which I only was able
to resolve by reinstalling. The proposed "modify ldap" was way, way
above me ;)
Thank you all
and stay healthy!
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
1:15 p.m.
Christian Reiss via FreeIPA-users wrote:
Hey folks,
Running a 3-node FreeIPA Installation. All is well, but I am now
upgrading all VMs, including my three IPA Servers from Centos 7 to 8.
As the Upgrade for Centos 7 to 8 is a complete reinstall I would need
to, one at a time, upgrade an IPA server. The IP and FQDN would remain
the same.
- I read several documents out there and some say decommission one,
reinstall and add it again.
- Others go for replica-prepare and go from there.
- What about simply backup up the data direcory and restore that?
Maybe there is a recommended way?
I tried doing this some months ago for a failed server, and I got an
issue about replication agreement already existing which I only was able
to resolve by reinstalling. The proposed "modify ldap" was way, way
above me ;)
The recommended way is your first point: decommission one, reinstall
with new OS, add back to the pool. Rinse and repeat.
Things to remember:
- ensuring that the DNA range is preserved (it can be automagic but
watch out for it). See the ipa-replica-manage command for showing the
ranges.
- ensure that one master is defined as the CRL generator (and only one)
- ensure that one master is defined as the CA renewal master
- ensure you maintain the roles (and have at least 2 of everything)
- watch the replication topology when it's done and adjust as needed
We generally recommend that this transition happen over a fairly short
period of time, week(s) not months.
rob
4:48 a.m.
Hey,
I converted my 3 server setup within a day and without any (visible)
hiccup(s). Thank you for that!
The only issue is that I do not have any CA or CRL Server anymore. The
first Server (no1, updated last) warned me, but I was unable to
designate any other to this role.
Any pointer on how to remedy this situation?
Cheers,
Chris.
On 02/04/2020 20:15, Rob Crittenden wrote:
The recommended way is your first point: decommission one, reinstall
with new OS, add back to the pool. Rinse and repeat.
Things to remember:
- ensuring that the DNA range is preserved (it can be automagic but
watch out for it). See the ipa-replica-manage command for showing the
ranges.
- ensure that one master is defined as the CRL generator (and only one)
- ensure that one master is defined as the CA renewal master
- ensure you maintain the roles (and have at least 2 of everything)
- watch the replication topology when it's done and adjust as needed
We generally recommend that this transition happen over a fairly short
period of time, week(s) not months.
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
7:15 a.m.
On 4/7/20 11:48 AM, Christian Reiss via FreeIPA-users wrote:
Hey,
I converted my 3 server setup within a day and without any (visible)
hiccup(s). Thank you for that!
The only issue is that I do not have any CA or CRL Server anymore. The
first Server (no1, updated last) warned me, but I was unable to
designate any other to this role.
Any pointer on how to remedy this situation?
You can use
$ ipa config-mod --ca-renewal-master=xxx
for the CA renewal master and
$ ipa-crlgen-manage enable
for the CRL generation master. The second command needs to be run on the
host that you want to use as CRL generation master.
The doc is available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
You need to pick a server that hosts the CA role, ie was installed with
--setup-ca.
HTH,
flo
Cheers,
Chris.
On 02/04/2020 20:15, Rob Crittenden wrote:
> The recommended way is your first point: decommission one, reinstall
> with new OS, add back to the pool. Rinse and repeat.
>
> Things to remember:
>
> - ensuring that the DNA range is preserved (it can be automagic but
> watch out for it). See the ipa-replica-manage command for showing the
> ranges.
> - ensure that one master is defined as the CRL generator (and only one)
> - ensure that one master is defined as the CA renewal master
> - ensure you maintain the roles (and have at least 2 of everything)
> - watch the replication topology when it's done and adjust as needed
>
> We generally recommend that this transition happen over a fairly short
> period of time, week(s) not months.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:20 a.m.
Ugh,
there is even a document for my *precise* issue. I feel special now.
Anyway, your commands helped and everything is workin a-o-kay.
Thank you folks soo much!
-Chris.
On 07/04/2020 14:15, Florence Blanc-Renaud wrote:
>
You can use
$ ipa config-mod --ca-renewal-master=xxx
for the CA renewal master and
$ ipa-crlgen-manage enable
for the CRL generation master. The second command needs to be run on the
host that you want to use as CRL generation master.
The doc is available at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
You need to pick a server that hosts the CA role, ie was installed with
--setup-ca.
HTH,
flo
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
1474
days inactive
1479
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Christian Reiss -
Florence Blanc-Renaud -
Rob Crittenden