Okay, I have a replica built and running. My original, "sick" server is
ipamaster and the new one is ipamaster2. All I've done thus far on
ipamaster2 is run ipa-replica-install --setup-dns --no-forwarders

What additional steps do I need to take to ensure that the process of
shutting down ipamaster, wiping it out, building it up fresh and then
replicating ipamaster2 back to ipamaster and making ipamaster again the
center of the universe and my certificate authority work correctly,
cleanly, and with minimal fuss? Given the mess I got our servers into already, I
figured I should ask *before* I start messing about today.

I *think* the process should look something like this (I don't want you all
thinking I'm looking for someone to do *all* my thinking for me):

1. Take snapshot of ipamaster (just in case)
2. [ipamaster2]# ipa-ca-install
should've done this during the ipa-ca-install, but since the ca step
so rare, I didn't have it in my wiki notes).
3. [ipamaster]# reboot

This reboot will trigger a Cobbler & Puppet-based wipe of the system and
reinstallation of F18 and freeipa-server. While that's going on:

4. [ipamaster2]# ipa-replica-prepare

When ipamaster is back up:

5. [ipamaster]# cd /var/lib/ipa && scp
6. [ipamaster]# ipa-replica-install --setup-dns --no-forwarders --setup-ca

Usually, there's some reason I need to go back to ipamaster2 and either
delete a dns entry or ipa host-del the system. After the replica install is

7. Shut down and delete the ipamaster2 VM.
8. Upgrade existing "replicas" to F18 and latest IPA version.
9. Establish replication agreements with now-functioning ipamaster.

Does that sound right?

*Bret Wortman*


On Wed, Aug 28, 2013 at 10:01 PM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

> I was actually considering something like that a few hours ago. It's a VM, so
> making another isn't that hard. Replication is the source of all my
> problems, though, so I'm concerned about whether it will work. Certainly
> worth the attempt!
>
> I'll report back later tomorrow.
>
> On Wed, Aug 28, 2013 at 8:56 PM, Jatin Nansi <jna...@redhat.com> wrote:
>> On 08/29/2013 12:16 AM, Bret Wortman wrote:
>> > Ugh. Well that certainly hurts, but I just don't see an alternative. I
>> > hope Puppet can at least make the re-enrollment a bit easier.
>> >
>> > I'm still hand-copying some of the configuration and user group
>> > details and crafting the load scripts so if anyone has a bright idea
>> > in the next few hours, I'd love to hear it!
>> Is there a reason why you must scorch earth? You could try a rolling
>> update approach first - install a fresh IPA system, make it a replica of
>> the existing IPA setup. Then reinstall existing IPA systems and use the
>> updated system to set them up.
>> Jatin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users