On 06/19/2013 02:09 AM, Joshua J. Kugler wrote:
> We are migrating from an ancient FreeIPA 2.0 server to a 3.1.5 server. Is
> there a documented procedure to export all the data from the 2.0 server and
> import it into the 3.1.5 server?

Not yet (but there will be by the end of June) - you can help us with the guide by providing your feedback on the current outline.

>
> If I copy files over (PKI DB, main IPA DB, Kerberos stuff), will they be
> upgraded on next restart, or is it much, much, more complicated than that.

There are dragons hidden in procedures like this one - you can easily forget to copy something.

>
> So far, I have the rough steps (see attached). But I don't know for sure if
> that will work.
>
> Any ideas or insights?

This is the migration plan that should work:

0) We have IPA server(s) of aging version (2.0 in your case)

1) On one of your servers, create a replica (ipa-replica-prepare) and copy the replica file to the new server/VM which will host the updated IPA version

2) You install the up-to-date FreeIPA server (ipa-replica-install). It should have all the services as the original server had, i.e.
   - if original server had CA installed (it probably did), you will also add "--setup-ca" option
   - if original server had DNS installed, you will also add "--setup-dns" option

   The new server should now have all the capability of the aging servers + it will have features introduced in the new version.

4) (Optional but recommended) If the installation went well and you are satisfied with the new server and plan to migrate, you may also spin off some replicas from it just to keep the redundancy in case this server breaks in any way.

5) If the new server was properly installed, you stop all the old IPA servers:

   # ipactl stop

   - this step is important, this will prevent losing data in case the new server misses something and let you test the new server

6) On your client(s), you verify that they continue to function as before. If you use DNS with IPA, this should be easy as they should fall back to the new IPA servers automatically simply by reading new server address from DNS SRV records.

   If you do not use automatic DNS discovery and you use a fixed list of servers, you would have to update these lists in /etc/sssd/sssd.conf and /etc/krb5.conf and other configuration files you used.

7) When you verify that clients keep functioning properly, you remove the old IPA servers, i.e.:
   - log in to the new ipa server and delete the old servers

   $ ipa-replica-manage list
   $ ipa-replica-manage del old.ipa.server.fqdn

8) You can now uninstall old IPA servers (ipa-server-install --uninstall) or discard their VMs/machines

9) You successfully migrated!

Please note that this procedure works only if your FreeIPA basic settings (like REALM) stay intact. If you would want to create a whole new deployment using different settings, the following RFE would need to be finished first:

https://fedorahosted.org/freeipa/ticket/3656

Any comments? Does this procedure make sense to you?

Martin
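
Added example, not part of Martin's message: a check for the fixed-server-list case in step 6, listing the settings in sssd.conf and krb5.conf that still name a retired IPA server before it is removed in step 7. The hostnames and sample files are constructed placeholders; the scanned keys are the usual SSSD and krb5.conf server options.

```shell
#!/bin/sh
# stale_refs OLD_FQDN [FILE...]
# Prints "file:line:key" for every server-list setting that still names
# OLD_FQDN. Host names are compared exactly (case-insensitive, optional
# :port stripped), so "notold.ipa.example.com" does not match.
stale_refs() {
    old=$1; shift
    awk -v old="$old" '
        BEGIN { old = tolower(old) }
        /^[ \t]*[#;]/ { next }                 # skip commented-out settings
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key)
            if (key !~ /^(ipa_server|krb5_server|krb5_kpasswd|kdc|admin_server|master_kdc|kpasswd_server)$/) next
            n = split(val, hosts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                sub(/:[0-9]+$/, "", h)         # drop optional :port
                if (h == old) { print FILENAME ":" FNR ":" key; break }
            }
        }
    ' "$@"
}

# Constructed sample configs; real ones live in /etc/sssd/sssd.conf
# and /etc/krb5.conf on each client.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/sssd.conf" <<'EOF'
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, old.ipa.example.com
EOF
    cat > "$d/krb5.conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  # kdc = old.ipa.example.com:88
  kdc = new.ipa.example.com:88
  admin_server = OLD.ipa.example.com:749
  master_kdc = notold.ipa.example.com
 }
EOF
    (cd "$d" && stale_refs old.ipa.example.com sssd.conf krb5.conf)
    rm -rf "$d"
}
demo
```

An empty result for a client means no fixed list on it still depends on the old server; any line printed is a setting to update before running `ipa-replica-manage del`.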