I'm finding the documentation on IPA server backup and restoration sadly lacking, and being so centrally critical it's not something I'm really happy about shooting in the dark with. Could some kind soul more knowledgeable in the matter please attempt to provide an idiot-proof guide to backing up and restoring IPA server(s)? Particularly the main server (the cert signing one).
We're looking towards rolling out IPA in a two server setup (1 master, 1 replica). I'm using DNS SRV records to handle failover, hence a loss of the replica isn't a big deal as I could make a new one and force a resync to happen. It's losing the master that bothers me.
The thing that I'm really struggling with is locating a step-by-step procedure for backing up and restoring the master server. I'm aware that a whole-VM snapshot is the recommended way of doing IPA server backup, but that isn't an option at this time for us.
I'm also aware that FreeIPA 3.2.0 includes some sort of backup command built in, but that isn't in the IPA version of CentOS, and I don't expect it will be for some time yet.
I've been trying many different methods, but none of them seem to restore cleanly. Amongst others, I've tried:
- a command similar to db2ldif.pl -D "cn=directory manager" -w - -n userroot -a /root/userroot.ldif
- the script from here to produce three LDIF files: one for the domain ({domain}-userroot), and two for the IPA server (ipa-ipaca and ipa-userroot).
Most of the restores I've tried have been similar to the form of:
ldif2db.pl -D "cn=directory manager" -w - -n userroot -i userroot.ldif
which seems to work and reports no errors, but totally borks the IPA install on the machine, and I can no longer log in with either the admin password from the backed up server or the one I set on installation before attempting the ldif2db command (I'm installing ipa-server and running ipa-server-install, then attempting the restore).
I'm not overly bothered about losing the CA, having to rejoin the domain, losing replication etc. (although it'd be awesome if that could be avoided), but in the instance of the main server dropping I'd really like to avoid having to re-enter all the user/group information.
I guess in the instance of losing the main server I could promote the other one and replicate in the other direction, but I've not tried that either. Has anyone done that?
tl;dr: Can someone provide an idiot's guide to backing up and restoring an IPA server (preferably on CentOS 6) in a clear enough way that'd make me feel confident it'll actually work when the dreaded time comes? Crayons are optional, but appreciated 😉 I can't be the only person struggling with this, seeing how widely used IPA is, surely?
Best Answer
I don't have a proper solution to backup and restore a FreeIPA server on CentOS, only a workaround to have a server operative with the same configuration in the shortest time possible. You do lose the CA and you need to rejoin the hosts to the server.
This is the way I dealt with "disaster recovery" while using the 2.x series. I did many trial and error experiments and got tired of restoring my settings from scratch:
- puppetlabs repo and register itself with the puppetmaster; there is (was) an entry in autosign.conf for this purpose. (The puppetlabs repo is not mandatory, but I was using syntax not present in the stock version of puppet.)
- package resource to have the server and its dependencies installed, and an exec resource to run a shell script (all kept under version control) defining all the infrastructure needed in the domain.
I'll give you a snippet of the script here, you get the general idea: