Backup and restoration of a freeipa infrastructure

authenticationbackupfreeiparestore

I'm finding the documentation on ipa server backup and restoration sadly lacking, and being so centrally critical it's not something i'm really happy about shooting in the dark with – could some kind soul more knowledable in the matter please attempt to provide an idiot-proof guide to backing up and restoring of IPA server(s) ? Particularly the main server (the cert signing one).

…We're looking towards rolling out ipa in a two server setup (1 master, 1 replica). I'm using dns srv records to handle failover, hence a loss of the replica isn't a big deal as i could make a new one and force a resync to happen – it's losing the master that bothered me.

The thing that i'm really struggling with is locating a step-by-step procedure for backing up and restoring the master server. I'm aware that whole-VM snapshot is the recommended way of doing IPA server backup, but that isn't an option at this time for us.

I'm also aware that freeipa 3.2.0 includes some sort of backup command build in, but that isn't in the ipa version of centos, and i don't expect it will be for some time yet.

I've been trying many different methods, but none of them seem to restore cleanly, amongst others, i've tried;

a command similar to db2ldif.pl -D "cn=directory manager" -w – -n userroot -a /root/userroot.ldif
the script from here to produce three ldif files — one for the domain ({domain}-userroot), and two for the ipa server (ipa-ipaca and ipa-userroot):

Most of the restores i've tried have been similar to the form of:
ldif2db.pl -D "cn=directory manager" -w – -n userroot -i userroot.ldif

which seems to work and reports no errors, but totally borks the ipa install on the machine and i can no longer login with either the admin password on the backed up server, or the one i set it to on installation before attempting the ldif2db command (i'm installing ipa-server and running ipa-server-install, then attempting the restore).

I'm not overly bothered about losing the CA, having to rejoin the domain, losing replication etc etc (although it'd be awesome if that could be avoided) but in the instance of the main server dropping i'd really like to avoid having to re-enter all the user/group information.

I guess in the instance of losing the main server i could promote the other one and replicate in the other direction, but i've not tried that, either. Has anyone done that ?

tl;dr: Can someone provide an idiots guide to backing up and restoring an IPA server (preferably on CentOS 6) in a clear enough way that'd make me feel confident it'll actually work when the dreaded time comes ? Crayons are optional, but appreciated 😉 I can't be the only person struggling with this, seeing how widely used IPA is, surely ?

Best Answer

I don't have a proper solution to backup and restore a FreeIPA server on CentOS, only a workaround to have a server operative with the same configuration in the shortest time possible. You do lose the CA and you need to rejoin the hosts to the server.

This is the way I dealt with "disaster recovery" while using the 2.x series. I did many trial and error experiments and got tired of restoring my settings from scratch:

provision a new host using DHCP+PXE+TFTP+Kickstart.
ensure the kickstart script installs the puppetlabs repo and register itself with the puppetmaster, there is (was) an entry in autosign.conf for this purpose. (The puppetlabs repo is not mandatory, but I was using syntax not present in the stock version of puppet).
write a module containing a package resource to have the server and its dependencies installed, and an exec resource to run a shell script (all kept under version control) defining all the infrastructure needed in the domain.

I'll give you a snippet of the script here, you get the general idea:


#!/usr/bin/env bash
# vim:syn=sh:ts=2:fdm=marker
# IPASERVER BOOTSTRAP {{{
# HOSTGROUPS {{{
# foo {{{
ipa hostgroup-add foo --desc='Foo Bar Baz'
ipa hostgroup-add-member sanfernando --hosts={foo,bar,baz}.domain.com
ipa netgroup-add net_foo --nisdomain=domain.com --desc='Foo Bar Baz'
ipa netgroup-add-member net_foo --hostgroups=sanfernando
# }}}
# }}}
# PWPOLICY {{{
ipa pwpolicy-mod global_policy --history=24
ipa pwpolicy-mod global_policy --lockouttime=1200
ipa pwpolicy-mod --setattr=krbpwdmindiffchars=4
ipa pwpolicy-mod --setattr=krbpwdminlenght=14
ipa pwpolicy-mod --setattr=krbpwdmaxfailure=5
ipa pwpolicy-mod --setattr=krbminpwdlife=168
ipa pwpolicy-mod --setattr=krbpwdfailurecountinterval=1200
# }}}
# USERS/GROUPS/HBAC {{{
# developers {{{
ipa user-add jdoe --first='Jane' --last='Doe' --email='jdoe@domain.com' --gecos='Jane Doe' --shell='/bin/rbash' --sshpubkey='AAA......XXGDGHU='
ipa group-add foo --desc='Foo Staff'
ipa group-add-member foo --users=jdoe
ipa hbacrule-add developers_access --desc='Developers access'
ipa hbacrule-add-host developers_access --hostgroups=development
ipa hbacrule-add-user developers_access --groups=developers
ipa hbacrule-add-service developers_access --hbacsvcs=sshd
ipa hbacrule-add-service developers_access --hbacsvcgroups=Sudo
# }}}
# }}}
# SUDO CMD/RULE/GROUP {{{
# networking {{{
ipa sudocmd-add --desc='administration tool for IPv4 packet filtering and NAT' '/sbin/iptables'
ipa sudocmd-add --desc='view and manipulate media-independent interface status' '/sbin/mii-tool'
ipa sudocmd-add --desc='display or change ethernet card settings' '/sbin/ethtool'
ipa sudocmd-add --desc='show and manipulate routing, devices, policy routing and tunnels' '/sbin/ip'
ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
ipa sudocmdgroup-add networking --desc='commands for network configuration and troubleshooting'
ipa sudocmdgroup-add-member networking --sudocmds=/sbin/{iptables,mii-tool,ethtool,ip}
ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
ipa sudorule-add networking_4_operators_2 --desc='Operator Level 2 access to networking management commands'
ipa sudorule-add-allow-command networking_4_operators_2 --sudocmdgroups='networking'
ipa sudorule-add-user networking_4_operators_2 --groups='operators_2'
ipa sudorule-add-host networking_4_operators_2 --hostgroups=foo-hosts
# }}}
# }}}
# }}}

Related Solutions

Brick-level backup and restore with exchange 2007

Well, your chief sysadmin is incorrect. (link removed to KB article posted above because I don't have enough points to post two hyperlinks) shows that it's possible. Those instructions probably won't help you directly, because you should be looking in the admin guide and KB for Symantec NetBackup. Maybe it needs an Exchange agent to do brick-level, have you looked into it?

Edit - Aha. Page 10-12 of this PDF say that the Exchange agent for NBU supports mailbox (brick-level) backups

Also, you do know that brick-level takes a lot more time and space, right? And that if you're doing fulls, you just need to restore to the Recovery Storage Group and then use ExMerge to just get the emails in question; that really shouldn't take more than a day.

Rdiff-backup restoring directories without subdirectories

Assuming you'r specifying your paths correctly, that shouldn't be a problem. Are the local folder /dir and the remote /dir actually the same path? Sometimes you loose valuable information when you obfuscate your examples to much.

Anyway, the important issue is that the --exclude should cover the full path, on the destination you are restoring to. I'll try to illustrate using an example.

$ rdiff-backup server::/original/data/ /local/backup/
$ ls -F /local/backup/
file  rdiff-backup-data/  subA/  subB/
$ rdiff-backup -r now --exclude /restore/point/subA /local/backup/ server::/restore/point/
$ ssh server
$ ls -F /restore/point
file  subB/

Of course, there is also the lazy way of simply doing an --exclude '**/subA', assuming there are no more subA below in the directory structure.

Best Answer

Related Solutions

Brick-level backup and restore with exchange 2007

Rdiff-backup restoring directories without subdirectories

Related Topic