John Dennis wrote:
> On 02/19/2013 10:43 PM, Rob Crittenden wrote:
>> I've looked into some basic backup and restore procedures for IPA. My
>> findings are here:
>
> Good write up Rob!
>
> It seems to me there are two critical sub-issues to solve first that
> could benefit us in the long run anyway.
>
> 1) Replacing certs. This has been a pain point for many admins who for
> various reasons now have invalid certs and need to redeploy all certs to
> bring back up our integrated web of services. Can this be a separate
> work item? It would be generally useful in contexts other than backups.

This is definitely something we need, but yeah, it's a bit out of my scope here. There are lots of reasons to replace the CA but we don't really have any way to do that currently.

I did find a sort of poor-man's way of replacing the CA and documented that, but I'm not sure I'd want to do that with live data. It was sort of a "gee, I wonder what would happen..." sort of thing.

> 2) Tracking every file we modify. Aren't we already a good way there
> with the sysrestore functionality already in use in the install tools?
> It is just a matter of enhancing it a bit and being diligent about
> making sure it's used in every modification we make? Actually I'm not
> thinking we track every modification, rather we keep a manifest of
> everything we've touched and then just snapshot those files during
> backup, this would capture any modifications not made by us but perhaps
> are critical to restoring a working system (i.e. puppet modifications).
> The sysrestore module could provide the manifest, right?

The problem is we also need to back up a lot of files we don't otherwise track (or probably want to). For example, the entire CA instance, the entire 389-ds instances, etc. My goal for the data backup was to be able to drop the file onto a brand new machine, with the right rpms installed and be able to do a restore and start everything up. To do that we have to restore a whole ton of things that we don't necessarily touch in our installer so is beyond the scope of sysrestore.

That and we already herd cats. It would require us to be more responsible for files provided by other apps. So if 389-ds or dogtag decided to ship a new file, we'd have to update our sysrestore stuff to capture that, or we'd have to loop over the directories to make sure we had everything tracked.

Thanks for the feedback.


Freeipa-devel mailing list
