Hi,

On Wed, Aug 5, 2020 at 1:34 PM Boris Behrens via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> upfront: please don't judge our setup. I know that the concept is an issue :-(
>
> I have two freeipa servers which are running on an old operating system 
> (Fedora26) and I want to migrate it to centos8.

Are these two hosts identical in terms of roles? E.g. if you use the
integrated CA, do you have the CA installed on both?

> Because there are not enough resources in our mgmt cluster I need to shut one 
> of them down and reinstall with the new OS (while keeping the name), let them 
> sync and so on.

Keeping the name will probably not work as-is. You would need to
remove it from the cluster first and make sure you have no objects in
the LDAP tree referencing it before adding a new one with the same
name.
However, it is dangerous to remove one of your two servers before
having added a complete third member for data loss reasons: having a
single copy of your data at any point in time is not reasonable.

> But here is the issue: We have systems that talk only to ipa1 and systems 
> that talk only to ipa2. I would like to add the IP address of ipa2 to ipa1 
> and then proceed with the migration.

I don't think this would work OOTB for the reason you expose below.

> There is no option to make changes to those systems. They will get removed 
> from our infrastructure but this may take another year, and I don't want to 
> wait any longer with the migration.

"to those systems" = to the client systems right?

> Is this even possible? I can think of problems with certificates that say "I 
> am ipa1" when a system asks and expects ipa2 to answer.
>
> It would be really nice if someone could help me solve the problem.

Your constraints are too strict for this migration.

First, do you have full backups (ipa-backup) of both replicas?
ipa-restore cannot restore these on anything but an OS image identical
to the one the backup was taken on, but this would add some safety to
what you will be attempting.

Then, to do this safely you will have to add a new CentOS8 replica
(ipa3) to your cluster, make sure it has all the roles (CA, KRA if
you're using it, DNS, etc), promote the new replica's CA to Renewal
and CRL Master, then remove one of the Fedora 26 replicas, replace it
with a CentOS8 replica, same with the last Fedora 26 instance. Thus
you would end up with ipa1 and ipa2 again, plus ipa3 if you care to
keep it. If you do not, remember to promote the new ipa1 to Renewal
and CRL Master first.
But you probably knew that and it is not the "help" you were looking
for, considering your hardware constraints.

François
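A pre-flight script for the swap described above (ipa3 carries every role, the renewal and CRL master have moved to it, and nothing in the tree still references the retired name before it is reused). This is an added example, not code from the thread or from the FreeIPA project: the hostnames, base DN and the exact `ipa` / `ipa-crlgen-manage` output labels it greps for are assumptions, and `ipa-crlgen-manage` only exists on the CentOS 8 side.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the replica swap.
# Hostnames and base DN are assumed placeholders; the ipa/ldapsearch calls
# need a kinit'ed admin on the new replica and are not run by the pure helper.
set -eu

OLD=${OLD:-ipa1.example.test}      # assumed: Fedora 26 replica being retired
NEW=${NEW:-ipa3.example.test}      # assumed: new CentOS 8 replica
SUFFIX=${SUFFIX:-dc=example,dc=test}

# Pure helper: read LDIF on stdin and print the DN of every entry whose DN or
# any attribute value mentions HOST (case-insensitive). Exit 1 when none do.
entries_referencing() {
  awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    function flush() { if (dn != "" && hit) { print dn; n++ }; dn = ""; hit = 0 }
    /^dn: / { flush(); dn = substr($0, 5) }
    /^$/    { flush(); next }
    { if (index(tolower($0), host)) hit = 1 }
    END     { flush(); exit (n > 0 ? 0 : 1) }'
}

# Enabled roles of one server, one per line, from plain "ipa server-role-find".
enabled_roles() {
  ipa server-role-find --server "$1" --status enabled \
    | sed -n 's/^ *Role name: //p' | sort
}

# Run on $NEW before "ipa server-del $OLD": roles, renewal master and CRL
# generation must already live on $NEW, or they leave with the old host.
preflight() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  enabled_roles "$OLD" > "$tmp/old"; enabled_roles "$NEW" > "$tmp/new"
  missing=$(comm -23 "$tmp/old" "$tmp/new")
  [ -z "$missing" ] || { echo "roles missing on $NEW:"; echo "$missing"; exit 1; }
  master=$(ipa config-show | sed -n 's/^ *IPA CA renewal master: //p')
  [ "$master" = "$NEW" ] || { echo "renewal master is '$master', not $NEW"; exit 1; }
  ipa-crlgen-manage status | grep -q 'CRL generation: enabled' \
    || { echo "CRL generation is not enabled on $NEW"; exit 1; }
  echo "preflight OK for: ipa server-del $OLD"
}

# Run after server-del and before reinstalling under the same name: dump the
# tree unwrapped and refuse if anything still mentions the old hostname.
stale_refs() {
  tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
  ldapsearch -Y GSSAPI -Q -LLL -o ldif-wrap=no -b "$SUFFIX" '(objectClass=*)' > "$tmp"
  if entries_referencing "$OLD" < "$tmp"; then
    echo "stale references to $OLD listed above; clean them up first"; exit 1
  fi
  echo "no references to $OLD remain; the name can be reused"
}

case ${1:-} in preflight) preflight ;; stale-refs) stale_refs ;; esac
```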


> --
> The "UTF-8 problems" self-help group meets this time, as an exception, in 
> the large hall.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org