On Tue, 12 Jan 2010 15:01:32 -0800 root <free...@voidembraced.net> wrote:
> Thinking outside of the box for a moment, is it possible to divorce
> the FreeIPA "master" feature of deploying FreeIPA servers from the
> FreeIPA cluster which handles everything else? Keeps it safe and out
> of harm's way, especially considering it has the CA key on it.
>
> This could be done a couple of different ways. One would be to just
> have the master FreeIPA "server" deployed as a VM instance -- we only
> dust it off and start it up when a new server needs deployment, and
> shut it back down after it's generated the replica file. While crude
> for my environment, this would work really well for a VM-based shop.

No, I think you can't "start it up" only "when needed". Replication would be compromised; the backlog window is about a week IIRC.

But what you could do is to keep the first master reachable only by other replicas, through firewalling/VPN/VLANs, your choice, and expose to the real world only the replicas. In this scenario you can shut it down without much care because it is not serving clients. But you cannot keep it shut for long times or it will get completely out of sync with the other replicas.

Of course, as Rob already pointed out, you may want to add replication channels between replicas so that your master server is not critical for replication if you have to shut it down.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
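The two measures Simo describes (firewall the first master so only replicas can reach it, and add replica-to-replica agreements so the master is not a replication hub) can be turned into a small plan generator. The script below is an added example written for this page; it is not code from the thread, from Simo, or from the FreeIPA project. It assumes iptables on the master, the `ipa-replica-manage connect` tool of the FreeIPA 2.x/3.x era for creating agreements, and made-up hostnames and addresses in the 192.0.2.0/24 documentation range. The port list is an assumption too: 389/636 for directory replication, plus 7389 for the separate CA directory instance that those versions replicate the CA through, which only matters if the master carries the CA. By default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from FreeIPA itself.
# Generates (1) iptables rules that let only the replicas reach the first
# master's replication ports and (2) the ipa-replica-manage commands that
# connect every pair of replicas, so the master can be shut down without
# splitting the replication topology.
#
# Assumptions (constructed for the example): hostnames, IPs, the iptables
# firewall, ipa-replica-manage as the topology tool, and the port list.

MASTER=ipa0.example.test                                           # first master, kept off the client network
REPLICAS="ipa1.example.test ipa2.example.test ipa3.example.test"   # constructed replica names
REPLICA_IPS="192.0.2.11 192.0.2.12 192.0.2.13"                     # constructed replica addresses
REPL_PORTS="389 636 7389"   # LDAP, LDAPS, and (assumed) CA directory instance

# Print iptables rules for the master: loopback and established traffic
# pass, replication ports are accepted only from replica IPs, and the same
# ports are dropped for everyone else. Nothing is applied here.
master_firewall_rules() {
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $REPLICA_IPS; do
        for port in $REPL_PORTS; do
            printf '%s\n' "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done
    for port in $REPL_PORTS; do
        printf '%s\n' "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Print the ipa-replica-manage commands that create a replication agreement
# between every unordered pair of replicas (agreements are bidirectional, so
# each pair is connected once). N replicas need N*(N-1)/2 agreements.
replica_mesh_commands() {
    set -- $REPLICAS
    while [ $# -gt 1 ]; do
        a=$1
        shift
        for b in "$@"; do
            printf '%s\n' "ipa-replica-manage connect $a $b"
        done
    done
}

# Default is a dry run. APPLY=1, run as root on the master, applies the
# firewall rules; the connect commands are run separately on any IPA
# server with an admin ticket.
if [ "${APPLY:-0}" = 1 ]; then
    master_firewall_rules | sh
else
    echo "# firewall rules for $MASTER:"
    master_firewall_rules
    echo "# replica-to-replica agreements:"
    replica_mesh_commands
fi
```

The firewall half keeps the master out of reach of clients while the replicas stay able to pull changes from it, which is what allows it to be powered off briefly; the mesh half is what makes that power-off harmless to the other servers. Two caveats: the DROP rules here only cover the replication ports, so the master's other services (Kerberos, HTTP) still need their own rules if clients can route to it at all; and on FreeIPA 4.x at domain level 1 the agreements are managed as topology segments (`ipa topologysegment-add`) rather than with `ipa-replica-manage connect`.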