On Tue, 2013-02-19 at 22:43 -0500, Rob Crittenden wrote:
> I've looked into some basic backup and restore procedures for IPA. My 
> findings are here: http://freeipa.org/page/V3/Backup_and_Restore

Great summary!

For the catastrofic failure scenario, should we mention how to put back
a full failed and restored machine online ? I am thinking the restored
server may be behind (even if only by a few entries) in the replication,
so the CSNs in the other replicas will not match.
I guess we should mention a full resync may be needed ? Or is there a
way to bring back CSNs on replicas ?

In the 'Returning to a good state' case, can we consider some split
brain approach, were we sever replication and rebuild one server at a
time ?
Maybe we can think of a way to 'mark' all server as 'bad' so that on
restore the replication agreements do not need to be changed but changes
from 'bad' servers will not be accepted ?
I guess this crosses also a request by someone to be able to 'pause'
replication, would use the same mechanism I guess.

Full system backup:
in the first part it is said the process is offline, but in the 'LDAP'
section you say ldapi is used, but that would mean DS is running ?
Also are we sure we can get all data we need via ldapi ? Are we going to
miss any "operational" attribute ?
For restore are we sure we can reload data w/o alterations ? What about
plugins ? will we have to disable all plugins during a restore ?

For the open questions.

Size of backup:
I think we should make it easy to configure the system to use a custom
directory to dump the backups. This way admins can make sure it is on a
different partition/disk or even over NFS and that the backup will not
fill up the disk on which DS is running.

We should definitely allow to encrypt backup files, a gpg public key
would be sufficient.

For replica cases, maybe we can create a command that dumps the
changelog from a good replica and then allow us to reply all changes
that are missing from the backup to bring the server up to the last
minute ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to