John Dennis wrote:
> On 02/19/2013 10:43 PM, Rob Crittenden wrote:
>> I've looked into some basic backup and restore procedures for IPA. My
>> findings are here: http://freeipa.org/page/V3/Backup_and_Restore
>
> Good write up Rob!
>
> It seems to me there are two critical sub-issues to solve first that
> could benefit us in the long run anyway.
>
> 1) Replacing certs. This has been a pain point for many admins who for
> various reasons now have invalid certs and need to redeploy all certs to
> bring back up our integrated web of services. Can this be a separate
> work item? It would be generally useful in contexts other than backups.

This is definitely something we need, but yeah, it's a bit out of my
scope here. There are lots of reasons to replace the CA but we don't
really have any way to do that currently.

I did find a sort of poor-man's way of replacing the CA and documented
that, but I'm not sure I'd want to do that with live data. It was sort
of a "gee, I wonder what would happen..." sort of thing.

> 2) Tracking every file we modify. Aren't we already a good way there
> with the sysrestore functionality already in use in the install tools?
> It is just a matter of enhancing it a bit and being diligent about
> making sure it's used in every modification we make? Actually I'm not
> thinking we track every modification, rather we keep a manifest of
> everything we've touched and then just snapshot those files during
> backup, this would capture any modifications not made by us but perhaps
> are critical to restoring a working system (i.e. puppet modifications).
> The sysrestore module could provide the manifest, right?

The problem is we also need to back up a lot of files we don't otherwise
track (or probably want to). For example, the entire CA instance, the
entire 389-ds instances, etc. My goal for the data backup was to be able
to drop the file onto a brand new machine, with the right rpms installed
and be able to do a restore and start everything up. To do that we have
to restore a whole ton of things that we don't necessarily touch in our
installer, so it is beyond the scope of sysrestore.

That and we already herd cats. It would require us to be more
responsible for files provided by other apps. So if 389-ds or dogtag
decided to ship a new file, we'd have to update our sysrestore stuff to
capture that, or we'd have to loop over the directories to make sure we
had everything tracked.

Thanks for the feedback.
Freeipa-devel mailing list
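
The two approaches discussed in this thread, a manifest of touched files versus walking whole instance directories, sketched together as an added example; it is not code from the thread, from FreeIPA or from its sysrestore module. The function names, the directory layout and the file names are hypothetical and the sample tree is constructed in a temporary directory.

```python
import os
import tarfile
import tempfile

def plan_backup(manifest, instance_dirs):
    """Return (files_to_archive, untracked, missing) for one backup run."""
    tracked = {os.path.realpath(p) for p in manifest}
    missing = sorted(p for p in tracked if not os.path.isfile(p))
    walked = set()
    for top in instance_dirs:
        for root, _dirs, names in os.walk(top):
            walked.update(os.path.realpath(os.path.join(root, n)) for n in names)
    # Files another package shipped under an instance directory that the
    # manifest does not list: the gap raised in the reply above.
    untracked = sorted(walked - tracked)
    files = sorted((tracked - set(missing)) | walked)
    return files, untracked, missing

def write_archive(files, base, archive_path):
    """Store each file once, with a path relative to base; return member names."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in files:
            tar.add(path, arcname=os.path.relpath(path, base), recursive=False)
    with tarfile.open(archive_path) as tar:
        return sorted(tar.getnames())

def demo():
    """Build a constructed tree in a temp dir and back it up."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        layout = {  # constructed sample files, not a real IPA layout
            "etc/krb5.conf": "tracked, outside any instance dir",
            "dirsrv/slapd-EXAMPLE/dse.ldif": "tracked, inside instance dir",
            "dirsrv/slapd-EXAMPLE/new-plugin.conf": "shipped later, untracked",
        }
        for name, text in layout.items():
            full = os.path.join(base, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        manifest = [os.path.join(base, p) for p in
                    ("etc/krb5.conf", "dirsrv/slapd-EXAMPLE/dse.ldif", "etc/gone.conf")]
        files, untracked, missing = plan_backup(manifest, [os.path.join(base, "dirsrv")])
        members = write_archive(files, base, os.path.join(base, "backup.tar.gz"))
        rel = lambda paths: [os.path.relpath(p, base) for p in paths]
        return members, rel(untracked), rel(missing)

if __name__ == "__main__":
    print(demo())
```

The archive contains the union of both sources, while the untracked and missing lists show where the manifest has drifted from what is on disk.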