I have successfully utilized a similar procedure. The restoration process is the same for both though.
I would be willing to accept the tickets and document the various backup and recovery methods. Though, I'd like Dmitri's feedback on whether or not the team approves of making the "official" method of recovery from catastrophic failure be the use of frozen vm images. "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GIAC Certified Incident Handler | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 jr.aqu...@citrix.com http://www.citrixonline.com On May 15, 2012, at 2:16 AM, "Petr Spacek" <pspa...@redhat.com> wrote: > Hello, > > IMHO it *must* be documented very well. Thank for scenario proposal! > > There is a new documentation ticket: > https://fedorahosted.org/freeipa/ticket/2758 > > Another ticket exists for CA master recovery procedure: > https://fedorahosted.org/freeipa/ticket/2749 > > Petr^2 Spacek > > On 05/15/2012 01:19 AM, Gelen James wrote: >> Hi Dimitri, >> >> thanks a lot for your offer. It will be more than appreciated if Rob, or some >> other talented genius could wiki the steps. The more details, the sooner, and >> the better. It will help IPA projects and its users dramatically, especially >> for newbies like me. :) >> >> Thanks again for you, Rob and others for the coming documentation work. >> >> >> --Gelen. >> >> ------------------------------------------------------------------------------ >> *From:* Dmitri Pal <d...@redhat.com> >> *To:* Robinson Tiemuqinke <hahaha_...@yahoo.com> >> *Cc:* "Freeipaemail@example.com" <Freeipafirstname.lastname@example.org>; Rich Megginson >> <rmegg...@redhat.com> >> *Sent:* Monday, May 14, 2012 1:20 PM >> *Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA >> Replica setup??? >> >> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote: >>> Hi Dmitri, Rich and all, >>> >>> I am a newbie to Redhat IPA, It looks like pretty cool compared with other >>> solutions I've tried before. Thanks a lot for this great product! :) >>> >>> But there are still some things I needs your help. My main question is: How >>> to restore the IPA setup with a daily machine-level IPA Replica backup? >>> >>> Please let me explain my IPA setup background and backup/restore goals >>> trying to reach: >>> >>> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup with >>> Dogtag CA system. It is installed first. Then two IPA replicas are installed >>> -- with '--setup-ca' options -- for load balancing and failover purposes. >>> >>> To describe my problems/objectives, I'll name the IPA Master as machine A, >>> IPA replicas as B and C. and now I've one more extra IPA replica 'D' >>> (virtual machine) setup ONLY for backup purposes. >>> The setup looks like the following, A is the configuration Hub. B,C,D are >>> siblings. >>> >>> A >>> / | \ >>> B C D >>> >>> The following are the steps I backup IPA setups and LDAP backends daily -- >>> it is a whole machine-level backup (through virtual machine D). >>> >>> 1, First, IPA replica D is backed up daily. The backup happens like this: >>> >>> 1.1 on IP replica D, run 'service IPA stop'. Then run 'shutdown -h <D>'. On >>> the Hypervisor which holds virtual machine D, do a daily backup of the whole >>> virtual disk that D is on. >>> 1.2 turn on the IP replica D again. >>> 1.3 after virtual machine D is up, on D optionally run a 'ipa-replica-manage >>> --force-sync --from <A>' to sync the IPA databases forcibly. >>> >>> Now comes to restore part, which is pretty confusing to me. I've tried >>> several times, and every times it comes this or that kinds of issues and so >>> I am wondering that correct steps/ineraction of IPA Master/replicas are the >>> king :( >>> >>> 2, case #1, A is broken, like disc failure, and then re-imaged after several >>> days. >>> >>> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily >>> backup from IPA replica D? >>> 2.2 do I have to check some files on A into subversion immediately after A >>> was initially installed? >>> 2.3 Please describe the steps. I'll follow exactly and report the results. >>> >>> 3, case #2, A is working, but either B, or C is broken. >>> >>> 3.1 It looks that I don't need the daily backup of D to kick in, is that >>> right? >>> 3.2 What are the correct steps on A; and B after it is re-imaged? >>> 3.3 Please describe the steps. I'll follow exactly and report the results. >>> >>> 4, case #3, If some un-expected IPA changes happens on A -- like all users >>> are deleted by human mistakes --, and even worse, all the changes are >>> propagated to B and C in minutes. >>> >>> 4.1 How can I recover the IPA setup from daily backup from D? >>> 4.2 which IPA master/replicas I should recover first? IPA master A, or IPA >>> replicas B/C? and then how to recover others left one by one? >>> 4.3 Do I have to disconnect replication agreement of B,C,D from A first? >>> 4.4 Please describe the steps. I'll follow exactly and report the results. >>> >>> I've heard something about tombstone records too, Not sure whether the >>> problem still exists in 2.1.3, or 2.2.0(on 6.3Beta)? If so, How can I avoid >>> it with correct recovery steps/interactions. >>> >>> Thanks a lot. >>> >>> --Gelen. >> >> I can explain it conceptually. Rob is probably best to define the exact >> sequence and commands. >> >> If you A is broken you reinstall it, make it connect to D and init (force >> sync) A from D. Now you have a new A. >> >> If B or C dies you just re-install B or C and init from A. >> >> If you lost a lot of data I suggest you start a saved D instance and >> force-sync A from it and then force sync B and C from A. >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/> >> >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipaemail@example.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipafirstname.lastname@example.org > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users