[Freeipa-users] Re: Best practices for upgrading when running dockerized FreeIPA

2023-05-04 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 04 May 2023, Sebastiano Pomata wrote:
> On 04/05/2023 at 7:59, Alexander Bokovoy wrote:
>> FreeIPA container is supposed to run upgrade on the data volume when you
>> do upgrade images. This is one of scenarios tested by the upstream CI.
>> This is documented in the upstream documentation:
>> https://github.com/freeipa/freeipa-container/blob/master/README#L183-L189
>> --
>> If you have existing container with data volume, it should be safe to
>> shut it down and run new one based on newer image, with the same data
>> directory bind-mounted to /data. The container logic will detect that it
>> is running with data produced by different image and attempt to upgrade
>> the configuration and data. Of course, keeping backup of the data
>> directory for cases when the upgrade process fails is recommended.
>> --
>>
>> What probably would be good to do is to simulate incremental version
>> upgrades here -- if you are going up from Fedora 36, step up to Fedora
>> 36:latest first, then Fedora 37:latest, then Fedora 38:latest.
>
> I indeed already tried an upgrade of a minor version on the same base
> distro and it worked fine, so probably I can give it a go at jumping
> the base distro version as well, following the path you suggested.


This github action in upstream tests upgrade scenarios:
https://github.com/freeipa/freeipa-container/blob/master/.github/workflows/build-test.yaml#L245

There is one specifically for fedora-36 to fedora 38.
Latest run is succeeding:
https://github.com/freeipa/freeipa-container/actions/runs/4868306151/jobs/8681769706

You can look at the logs in the 'Run master and replica' section as to what
to expect.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
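
The procedure from the message above (stop the container, back up the data directory, start the next image on the same /data mount, one Fedora release at a time), written out as an added example that is not part of the thread or of the freeipa-container project. The image references, the container name `freeipa` and `$RUN_ARGS` are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not code from the thread or the freeipa-container project.
# Assumed names: the IMAGES entries, container name "freeipa", RUN_ARGS.

# Upgrade path suggested in the thread: Fedora 36 -> 37 -> 38, one step each.
# Placeholder image references; substitute the ones you actually deploy.
IMAGES="registry.example/freeipa-server:fedora-36
registry.example/freeipa-server:fedora-37
registry.example/freeipa-server:fedora-38"

# Archive the (stopped) data directory. It holds the directory database,
# Kerberos keys and CA key material, so the archive is created owner-only
# and gets a checksum that can be verified before any restore.
backup_data_dir() (   # usage: backup_data_dir DATA_DIR BACKUP_DIR LABEL
    name="ipa-data-$3.tar.gz"
    umask 077
    mkdir -p "$2" &&
    tar -C "$(dirname "$1")" -czf "$2/$name" "$(basename "$1")" &&
    ( cd "$2" && sha256sum "$name" > "$name.sha256" ) &&
    printf '%s\n' "$2/$name"
)

# Print the commands for the whole path instead of running them, so the plan
# can be reviewed first. $RUN_ARGS stands for the options of your existing
# "run" command (hostname, ports, ...), which this example cannot know.
plan_upgrade() (      # usage: plan_upgrade DATA_DIR BACKUP_DIR [RUNTIME]
    rt=${3:-docker}
    for img in $IMAGES; do
        echo "$rt stop freeipa && $rt rm freeipa"
        echo "backup_data_dir $1 $2 pre-${img##*:}"
        echo "$rt run -d --name freeipa \$RUN_ARGS -v $1:/data:Z $img"
        echo "$rt logs -f freeipa   # let the upgrade finish before the next step"
    done
)
```

Run the backup as a user that can read the whole data directory, and only while the container is stopped.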


[Freeipa-users] Re: Best practices for upgrading when running dockerized FreeIPA

2023-05-04 Thread Sebastiano Pomata via FreeIPA-users

On 04/05/2023 at 7:59, Alexander Bokovoy wrote:
> FreeIPA container is supposed to run upgrade on the data volume when you
> do upgrade images. This is one of scenarios tested by the upstream CI.
> This is documented in the upstream documentation:
> https://github.com/freeipa/freeipa-container/blob/master/README#L183-L189
> --
> If you have existing container with data volume, it should be safe to
> shut it down and run new one based on newer image, with the same data
> directory bind-mounted to /data. The container logic will detect that it
> is running with data produced by different image and attempt to upgrade
> the configuration and data. Of course, keeping backup of the data
> directory for cases when the upgrade process fails is recommended.
> --
>
> What probably would be good to do is to simulate incremental version
> upgrades here -- if you are going up from Fedora 36, step up to Fedora
> 36:latest first, then Fedora 37:latest, then Fedora 38:latest.

I indeed already tried an upgrade of a minor version on the same base
distro and it worked fine, so probably I can give it a go at jumping
the base distro version as well, following the path you suggested.


As you said keeping a backup of the ipa-data directory should prevent 
any major headache in case things go wrong.


Thanks for the reply,

Sebastiano


[Freeipa-users] Re: ACME client certificate request from FreeIPA with DNS-01 challenge

2023-05-04 Thread Djerk Geurts via FreeIPA-users
> 
> I hope this has clarified the situation for you.

Perfectly, thank you!

Thanks,
Djerk


[Freeipa-users] SSSD Log stops working - Backtrace dump ends here

2023-05-04 Thread Finn Fysj via FreeIPA-users
I've tried to install and re-install the IPAserver on my node. Even tried to 
re-provision it. When I look in the SSSD log for my domain I get the following:

   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_ext_step] (0x2000): [RID#16] ldap_search_ext called, msgid = 48
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_op_add] (0x2000): [RID#16] New operation 48 timeout 60
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_process_message] (0x4000): [RID#16] Message type: [LDAP_RES_SEARCH_RESULT]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x0400): [RID#16] Search result: Success(0), no errmsg set
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#16] Total count [0]
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_op_destructor] (0x2000): [RID#16] Operation 48 finished
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
   *  (2023-05-04  6:30:59): [be[lab.local]] [sdap_id_op_done] (0x4000): [RID#16] releasing operation connection
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
** BACKTRACE DUMP ENDS HERE *

(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:39:00): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2023-05-04  6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:41:04): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2023-05-04  6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:43:33): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070

I tried to turn the debug_level = 8 and 9, without any good results. The look 
doesn't change when I try to login or run any "privileged" commands.
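
One way to read a domain log like the one in the message above, as an added example that is not part of the original post: list the messages logged at failure levels (the last line before "BACKTRACE DUMP ENDS HERE" is one, at 0x0020) and decode the bitmask each backend start reports into the numeric debug_level it corresponds to. The function names and the sample log are constructed for this example; the level bits are those listed in sssd.conf(5).

```sh
#!/bin/sh
# Added example, not from the post. Function names are this example's own.

# Constructed sample: unwrapped lines in the format quoted in the post,
# including a shutdown line fused with the following start line.
SAMPLE_LOG=$(cat <<'EOF'
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
   *  (2023-05-04  6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2023-05-04  6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)(2023-05-04  6:39:00): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
EOF
)

# sssd.conf(5) maps numeric debug_level 0..9 to one bit each; setting level N
# enables every bit up to N. Print the highest numeric level present in a mask.
mask_to_level() (     # usage: mask_to_level 0x0070
    lvl=-1; i=0
    for bit in 0x10 0x20 0x40 0x80 0x100 0x200 0x400 0x1000 0x2000 0x4000; do
        [ $(( $1 & $bit )) -ne 0 ] && lvl=$i
        i=$(( i + 1 ))
    done
    echo "$lvl"
)

# Messages logged at 0x0010/0x0020/0x0040 (fatal, critical, serious failures).
# Reads a log on stdin, prints "time|function|request id|message".
critical_events() {
    sed -nE 's/^[ *]*\(([^)]+)\): \[[^ ]+\] \[([^]]+)\] \((0x00[124]0)\): (\[RID#([0-9]+)\] )?(.*)$/\1|\2|\5|\6/p'
}

# Each backend start with the bitmask it reports and the level that implies.
# Reads a log on stdin, prints "time|mask|debug_level=N".
backend_starts() {
    sed -nE 's/^.*\(([0-9-]+ +[0-9:]+)\): \[[^ ]+\] \[server_setup\] \([^)]*\): Starting with debug level = (0x[0-9a-fA-F]+).*$/\1|\2/p' |
    while IFS='|' read -r ts mask; do
        echo "$ts|$mask|debug_level=$(mask_to_level "$mask")"
    done
}
```

Feed the real file with `critical_events < LOGFILE` and `backend_starts < LOGFILE`; comparing the decoded level with the `debug_level` set in sssd.conf shows whether the backend picked the setting up.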