Discussion:
[Freeipa-users] Migrate IPA cluster F21 -> C7
Bret Wortman
2017-03-28 12:45:29 UTC
I'm studying the best way to migrate our IPA servers (there are two)
from F21 to C7. I _think_ the sequence of steps I need to perform is:

1. Build new C7 IPA server (ipa-c) and enable replication to it.
2. Migrate CA functions from our existing CA server (ipa-a) to this
new one (ipa-c).
3. Upgrade ipa-b to C7 and enable replication to it.
4. Either upgrade ipa-a and have a third ipa server or discard the
vm in favor of the two now in service.

Am I missing anything? Making this harder than it needs to be?

Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm not
sure if replication across versions is supported between these and IPA 4.4.0
(pki-ca 10.3.3).
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand <wrapbuddies.co/store> at http://bwortman.us/2ieQN4t
Rob Crittenden
2017-03-28 13:15:39 UTC
Post by Bret Wortman
I'm studying the best way to migrate our IPA servers (there are two)
1. Build new C7 IPA server (ipa-c) and enable replication to it.
2. Migrate CA functions from our existing CA server (ipa-a) to this
new one (ipa-c).
3. Upgrade ipa-b to C7 and enable replication to it.
4. Either upgrade ipa-a and have a third ipa server or discard the
vm in favor of the two now in service.
Am I missing anything? Making this harder than it needs to be?
Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm not
sure if replication across versions is supported between these and IPA 4.4.0
(pki-ca 10.3.3).

This looks fine. I'd ensure there are at least 2 IPA Masters installed
with a CA in order to avoid a single point of failure.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
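
Rob's advice above (at least two masters carrying a CA) can be checked before a master such as ipa-a is retired. This is an added example, not part of the original thread or FreeIPA's own tooling; it assumes `ipa config-show` prints `IPA CA servers:` and `IPA CA renewal master:` lines as in the constructed sample, uses placeholder hostnames, and also checks the CA renewal master, which the thread does not mention.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check CA redundancy before retiring a master.
# Usage on a live server (label format is an assumption):
#   ipa config-show | ca_retire_check ipa-a.example.test

# Constructed sample: state after step 2 of the plan; hostnames are placeholders.
SAMPLE_TWO_CAS='  IPA masters: ipa-a.example.test, ipa-b.example.test, ipa-c.example.test
  IPA CA servers: ipa-a.example.test, ipa-c.example.test
  IPA CA renewal master: ipa-a.example.test'

# Print the comma-separated values of a "LABEL: v1, v2" line from stdin, one per line.
field_values() {
    awk -v label="$1" -F': ' '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t\r]+$/, "", $2) }
        $1 == label { n = split($2, v, /,[ \t]*/); for (i = 1; i <= n; i++) print v[i] }'
}

# Return 0 if HOST can be retired, 1 if fewer than two CA masters would remain,
# 2 if HOST is still the CA renewal master.
ca_retire_check() {
    local retire="$1" cfg remaining renewal
    cfg=$(cat)
    remaining=$(printf '%s\n' "$cfg" | field_values 'IPA CA servers' |
        awk -v r="$retire" '$0 != "" && $0 != r { n++ } END { print n + 0 }')
    renewal=$(printf '%s\n' "$cfg" | field_values 'IPA CA renewal master')
    if [ "$remaining" -lt 2 ]; then
        echo "FAIL: $remaining CA master(s) would remain without $retire" >&2
        return 1
    fi
    if [ "$renewal" = "$retire" ]; then
        echo "FAIL: $retire is still the CA renewal master" >&2
        return 2
    fi
    echo "OK: $remaining CA masters remain after retiring $retire"
}

# Demo on the constructed sample: retiring ipa-a would leave a single CA master.
rc=0
printf '%s\n' "$SAMPLE_TWO_CAS" | ca_retire_check ipa-a.example.test || rc=$?
echo "exit status: $rc"
```
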
Bret Wortman
2017-03-29 10:22:04 UTC
I've tried googling but keep coming up with beer recipes.

How do you suggest adding the replica CA? I'm piecing together the
options I want on my ipa-server-install command and am trying to
understand the CA-related options.

Thanks!


Bret
Bret Wortman
2017-03-29 11:39:54 UTC
Never mind. Lost my mind.

ipa-replica-install followed by ipa-ca-install appears to be the ticket.


Bret
Rob Crittenden
2017-03-29 13:53:25 UTC
Post by Bret Wortman
Never mind. Lost my mind.
ipa-replica-install followed by ipa-ca-install appears to be the ticket.

Or you can do it in one step by passing --setup-ca to ipa-replica-install

rob
Bret Wortman
2017-03-29 13:55:28 UTC
I saw as I was working through it, and it's in fact what I did.
Migrating the last server to CentOS right now.

Thanks for the help!