Ronald Wimmer via FreeIPA-users wrote: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating > states that the CA-Master should be replaced. > > How would you proceed if there were multiple servers that needed an > upgrade to 8? Do I need to stop the CA service and disable CRL > generation on three of my four CA servers and migrate the remaining > server from 7 to 8? > > Or could I > > 1) stop ipa servers 2 to 8 > 2) migrate ipa1 to RHEL8 > 3) deploy 7 RHEL8 machines > 4) setup replicas on these machines
Only one master should generate the CRL. You don't have to do the migration all in one fell swoop at the same time. But you don't want to drag it out forever either (life is a balance). What I'd do is create a new master in RHEL 8 with a CA. Set that as the CRL generator and CA Renewal Master. If you have physical machines then it's fine to remove one of the existing servers and re-create it with RHEL 8. Once things are working then create another RHEL 8 master, drop another RHEL 7. Rinse and repeat. Eventually you'll run out of RHEL 7 machines to migrate. This can happen over as long a period as you're comfortable with you just don't want to drag it out for months if you can avoid it. Watch the replication topology for both IPA and the CA. Remember to keep at least 2 CA masters and trust controller/agent (which you seem to have in good order now). _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
