[Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Dale Macartney

Howdy all

We have had quite a lot of discussions on the list about this process but
I'd like to get some documentation together so we are all speaking the
same language.

So last night I wrote a script to backup IPA based on the below article.

https://access.redhat.com/knowledge/solutions/67800

This is fine and dandy. I have an easy way where I end up with a config
tarball, an LDIF export of Dogtag and an LDIF export of LDAP.


Now my question is how on earth am I meant to restore it?


My test scenario is as follows. And you'll have to humour me a bit with
my imagination.

Background: Customer has a very small environment. Single IPA server
installation on a physical server. Several member servers and clients
all pointing to that one server for IPA / CA and DNS.

Incident: A very unhappy employee has just been fired for being a
naughty boy and decided, for revenge, to test how watertight the server
was by filling the chassis with 5 litres of water.

Result: Server is no longer happy either. A new server deployment is
required to replace old server.

Thoughts for restoration:

My thinking was, to build a replacement server with all dependency
packages and then:

1. restore config files in order to start IPA services
2. restore LDAP ldif file to ensure LDAP data was correct
3. restore Dogtag ldif file to ensure Dogtag data was correct.
4. restart IPA services to bring things back online smoothly.

Of course Steps 2-4 didn't happen as they DEFINITELY were not happy to
co-operate.

I'm trying to get to a stage, where we have a method or procedure for
simple restoration. Once we have the ability to restore everything, then
we can move beyond that, and restore individual components. E.g. OU /
User / Group Data.

Any takers for this one? Will be on IRC today if anyone fancies having a
bun fight for bouncing ideas.

Dale


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
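
A pre-restore sanity check for the three artifacts described in the message above (config tarball, LDAP LDIF, Dogtag LDIF). This is an added example, not part of the thread, Dale's script or the Red Hat article; the file names, the `SHA256SUMS` manifest and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: artifact names are assumptions, not names from the thread.
CONFIG_TAR=ipa-config.tar.gz   # config tarball
LDAP_LDIF=ipa-ldap.ldif        # LDIF export of the IPA LDAP data
CA_LDIF=ipa-dogtag.ldif        # LDIF export of the Dogtag data

# Count LDIF entries; every entry starts with a "dn:" (or base64 "dn::") line.
ldif_entries() {
    awk '/^dn::? /{n++} END{print n+0}' "$1"
}

# Run at backup time: record a SHA-256 manifest next to the three artifacts.
seal_backup_set() {
    ( cd "$1" && sha256sum "$CONFIG_TAR" "$LDAP_LDIF" "$CA_LDIF" > SHA256SUMS )
}

# Run before a restore. Returns 0 if usable, otherwise a code per failed check.
verify_backup_set() {
    dir=$1
    for f in "$CONFIG_TAR" "$LDAP_LDIF" "$CA_LDIF" SHA256SUMS; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    ( cd "$dir" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ) ||
        { echo "checksum mismatch" >&2; return 3; }
    tar -tzf "$dir/$CONFIG_TAR" >/dev/null 2>&1 ||
        { echo "config tarball unreadable" >&2; return 4; }
    for f in "$LDAP_LDIF" "$CA_LDIF"; do
        [ "$(ldif_entries "$dir/$f")" -gt 0 ] ||
            { echo "no entries in $f" >&2; return 5; }
    done
    return 0
}

# Constructed sample data so the checks can be exercised offline.
make_sample_set() {
    dir=$1
    mkdir -p "$dir/etc"
    echo "sample = 1" > "$dir/etc/sample.conf"
    tar -czf "$dir/$CONFIG_TAR" -C "$dir" etc
    printf 'dn: dc=example,dc=test\nobjectClass: domain\ndc: example\n\n' > "$dir/$LDAP_LDIF"
    printf 'dn: o=sample-ca\nobjectClass: organization\no: sample-ca\n\n' > "$dir/$CA_LDIF"
}
```

A manifest stored beside the files only catches accidental corruption; keep or sign a copy separately if tampering is a concern. The LDAP export carries password hashes and Kerberos keys, so any offsite copy needs the same protection as the server itself.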

Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Steven Jones
Hi,

I have successfully restored IPA servers from an ldif... more times than I care 
to recall in the last 2 months.  In fact at one stage I took an ldif from the 
replica and used it to restore the master... so it seems pretty robust.

In terms of filling with water, depends on how long for but the physical parts 
of the hds ie platters and arms should survive that... electronics might as 
well... in which case swapping one half (I assume you have a raid1) to a new 
box and syncing it might work... then drop out the old disk and slot in a new 
one... same with fire / smoke damage.  NB One of the recommended ways to put out 
a fire in a server room is water misting using de-mineralised water.

1 to 4 looks OK to me... something I want to fully try.

There are some interesting tech like gluster which give you a distributed 
raid1... I'm wondering on using virtualisation and gluster together... IPA for 
your scenario would be very small 1 core and 2gb... not much disk use... use 
kvm and gluster might work well.  The second machine could be a reasonable 
spec'd desktop... like $2k should be good enough.

I have a single ESXi machine at home, when I get the chance and buy a second 
one then I want to try something along the above lines... the idea is to avoid 
having a NAS and that expense... so 2 ESXi boxes running a gluster node on each 
and then the rest of the VMware guests inside gluster's disk.   Another way 
might be rsyncing the ldif over ssh to a remote site... maybe even email it 
to say google... it shouldn't be very big, ours is 400k at the moment.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Dale Macartney


On 27/06/12 22:25, Steven Jones wrote:
> Hi,
>
> I have successfully restored IPA servers from an ldif... more times
> than I care to recall in the last 2 months. In fact at one stage I took
> an ldif from the replica and used it to restore the master... so it
> seems pretty robust.

If you're about on irc at all tomorrow I may pick your brains about your
experiences. I kind of ruined my test environment this afternoon. I had
to redeploy about 15 virtualized guests on my tiny microserver at home.
That took quite a while ;-)

> In terms of filling with water, depends on how long for but the
> physical parts of the hds ie platters and arms should survive
> that... electronics might as well... in which case swapping one half
> (I assume you have a raid1) to a new box and syncing it might
> work... then drop out the old disk and slot in a new one... same with
> fire / smoke damage. NB One of the recommended ways to put out a fire in
> a server room is water misting using de-mineralised water.

I was merely giving a radical scenario in jest. My main purpose is to
produce an IPA 'specific' backup/restore procedure that doesn't rely on
other technologies. Starting with a similar goal to restoring an AD
system state backup for example.

Dale



Re: [Freeipa-users] IPA Backup / Restore - Everyone's favourite problem child!

2012-06-27 Thread Steven Jones
I can join now as it's 10am Thursday here... as I don't know when tomorrow is for 
you.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

