Hey Finn, for our replications where we don't have any CA installed I'm using the following ipabackup options to have proper backup:

ipa-backup --disable-role-check --logs --quiet

As I had to prepare a disaster recovery plan, I've tested both masters and replicas in a lab in order to evaluate the backup procedures.

On Tue, Jan 30, 2024 at 1:56 PM Finn Fysj via FreeIPA-users <[email protected]> wrote:

> Have a cluster setup which is setup using Ansible FreeIPA roles ipaserver &
> ipareplica.
> Running ipabackup using script as the ipabackup role doesn't work as
> wanted or intended, meaning not able to take backup of data.
>
> Multiple master, only one with CA installed.
> When I run ipabackup to backup data I get the following:
>
> Error: Local roles do not match globally used roles CA. A backup done on
> this host would not be complete enough to restore a fully functional,
> identical cluster.
> The ipa-backup command failed. See /var/log/ipabackup.log for more
> information.
>
> The error message is somewhat understandable. We don't use FreeIPA CA
> capabilities, so that's the reason we don't have it installed on replicas,
> unless you guys would recommend otherwise?
>
>
> I've tried to test a little using these ansible roles. What happens if my
> Master with the only backup goes down? Yes, I'll have a replica making sure
> everything works as normal, so I can scrap the master, rebuild it and
> restore the data backup I took.
> However, once the node is restored, there's still not any connection
> between the two nodes now, since a re-run of the ipareplica won't do
> anything since it's already installed. Does that mean we need to rebuild
> this node as well?
>
> A normal data restore of a node will stop the replication connection
> between the two nodes, meaning it needs to be "re-connected", this is also
> not something that can be done using these roles?
>
> One final question: If we have a working cluster setup, and some sausage
> fingers manages to delete the replica from the "CA node". How can I
> re-initialize this with the ansible replica role, or is rebuild the only
> option?
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
