On Tue, 04 Jul 2023, Tomasz Torcz via FreeIPA-users wrote:
On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via FreeIPA-users wrote:
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.

On RHEL and derivatives, in-place upgrades are not supported.  It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.

 In-place upgrades seem to be supported since RHEL7, but maybe IPA there
is more problematic?
https://access.redhat.com/articles/4263361

It is way more complex in RHEL 7 to 8 and in RHEL 8 to 9 because of
modularity introduction and phasing out. That and FIPS requirements.

We do not support in-place RHEL 7 to RHEL 8 upgrade because IPA server
packages moved into a modular stream that is not enabled by default. IPA
client packages are in a modular stream that is enabled by default so
they behave as if they are not in a module at all. The latter allows
IPA clients to be upgraded in place.

We also do not support in-place RHEL 8 to RHEL 9 upgrade because IPA
server packages were moved out of a modular stream and dnf is not really
helpful in solving that.
The reality is complicated by the fact that we use intra-modular
dependencies (idm:DL1 stream depends on 389-ds and pki-core modules,
some of 389-ds and pki code also depends on healthcheck code provided by
both idm:client and idm:DL1).

The Leapp tool was instructed to prevent in-place upgrades of IPA servers
accordingly.

There are also complications due to FIPS 140-2 to FIPS 140-3 changes
which make it more complex even with a non-modular setup. Technically, you
cannot even upgrade in-place FIPS 140-2 to FIPS 140-3 certified
environments without violating the previous audit results.


How does this work on Fedora?  Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?

 On Fedora, doing dnf system-upgrade is the official way to upgrade,
including FreeIPA. No need for special steps.
 You can even skip a version (for example, Fedora 38->40 is/will be
tested and supported), so you can upgrade once per year.

It is easier on Fedora due to organizational reasons, not technical
ones.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland