On 3/3/21 10:24 AM, Ronald Wimmer via FreeIPA-users wrote:
On 03.03.21 10:13, Alexander Bokovoy wrote:
On Wed, 03 Mar 2021, Ronald Wimmer via FreeIPA-users wrote:
Some time ago we upgraded our IPA servers from CentOS 7.x to Oracle
Linux 8.3. We did it exactly as recommended in the respective
documentation.
A few days ago we found out that two out of our eight servers do not
work as they should. On both of them pki-tomcatd refuses to start.
The two servers are ipa2 and ipa6 - both have the CA feature
installed. Additionally, on ipa6 configuration is not replicated to
the other servers. ipa2 seems to have even more problems. kinit does
not work, neither does the WebGUI.
My first question is addressed to Rob. Is ipa-healthcheck checking
the whole IPA server landscape or does it check only the server where
the command is issued?
AFAIK, ipa-healthcheck only evaluates the single machine. You need to
run it on each system to produce a report for that system. There are
plans to be able to run on multiple machines and combine the report
together but there are no tests that use the reports from individual
replicas yet.
What would probably be the best way to make these two servers work
normally again? (I am thinking of just ripping these two servers out of
the topology and setting them up from scratch again?)
It heavily depends on what the problems are. Removing a replica is
always a hammer but if you don't want to investigate it, sure.
Preferably I would like to investigate. How could I prevent IPA clients
from contacting one of the two erroneous servers? (Regarding the WebUI I
configured a load balancer in front of the Apaches.) I did an "ipactl
stop" on both servers - but for investigating ipa will most likely need
to run on these servers...
Hi,
you can have a look at the "hidden replica" feature [1]. If you switch
the replicas under investigation into hidden mode, they won't be used by
clients any more.
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/planning-the-replica-topology_planning-dns-and-host-names#the-hidden-replica-mode_planning-the-replica-topology
Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure