Saurabh Garg wrote:
> Hi Rob, Thanks for your reply.
> 
> In our case we need to put in place a procedure/steps that can help us
> to come out from a situation where our complete IPA server setup
> (original server and its replica both) is lost/deleted and need to get
> the same setup back from the scheduled full-server-backups (through cron
> jobs) available at some object storage location.

Install a server with the same OS level as the backup and run the
restore. Additional new masters can be created from that.

You'll want to keep track of which masters run which optional services
and be sure to back up one (or more) running the CA.

rob
> 
> Please advise.
> 
> Thanks,
> Saurabh Garg
> 
> 
> 
> On Fri, Oct 25, 2019 at 6:12 PM Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
> 
>     Saurabh Garg via FreeIPA-users wrote:
>     > Background -
>     > We are trying to restore "full server" from an existing IPA server
>     (with replication ON to another server) to a newly created IPA
>     Server from the same golden image as all other servers.
> 
>     There is no restore with replication on. It would cause endless
>     problems.
> 
>     Restore is expected to be for a single master in a catastrophic
>     situation. The others will require re-init from this master.
> 
>     > Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
>     > # ipa-server-install --version
>     > 4.6.4
>     >
>     > Destination IPA Server: Red Hat Enterprise Linux Server release
>     7.7 (Maipo)
>     > # ipa-server-install --version
>     > 4.6.4
>     >
>     > Problem Statement -
>     > While running "ipa-restore" (exact command: # ipa-restore
>     /root/backup/) on the new IPA server for full server backup, system
>     throws the following error lines in iparestore.log:
>     >
>     >
>     > 2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to
>     be upgraded (expected version '4.6.4-10.el7_6.6', current version
>     '4.6.4-10.el7_6.3')
>     > Automatically running upgrade, for details see /var/log/ipaupgrade.log
>     > Be patient, this may take a few minutes.
>     > Automatic upgrade failed: Update complete
>     > Upgrading the configuration of the IPA services
>     > [Verifying that root certificate is published]
>     > [Migrate CRL publish directory]
>     > Publish directory already set to new location
>     > [Verifying that CA proxy configuration is correct]
>     > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>     command ipa-server-upgrade manually.
>     > CA did not start in 300.0s
>     > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log
>     for more information
> 
>     It is very persnickety. The versions do not match.
> 
>     There are sometimes subtle differences between versions of IPA, even in
>     minor releases, so it is not considered safe to restore between
>     versions.
> 
>     You could hack out the version check and roll the dice, or downgrade the
>     packages to match the backed-up value.
> 
>     rob
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
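Added example, not part of the thread and not FreeIPA code: a pre-flight check that reads the version pair out of the "IPA version error" line quoted above and compares the backed-up data version with the package level of the restore host. The function names are hypothetical, and the reading of "current version" as the version stored with the backup is an assumption based on Rob's advice to downgrade the packages to the backed-up value.

```shell
#!/bin/sh
# Added example (not FreeIPA code): read the version mismatch out of an
# ipa-restore log before deciding which package level the new host needs.

# Print "<expected> <current>" from the first "IPA version error" line in
# log file $1; return non-zero when the log has no such line.
ipa_version_mismatch() {
    sed -n "s/.*IPA version error: data needs to be upgraded (expected version '\([^']*\)', current version '\([^']*\)').*/\1 \2/p" "$1" |
        head -n 1 | grep .
}

# Compare the package version on the restore host ($1) with the version of
# the backed-up data reported in log $2. Assumption: "current version" is
# the version stored with the restored data.
# Returns 0 on match, 1 on mismatch, 2 when the log carries no version error.
preflight() {
    installed=$1
    pair=$(ipa_version_mismatch "$2") || { echo "no version error in log"; return 2; }
    data=${pair#* }
    if [ "$installed" = "$data" ]; then
        echo "OK: packages match backed-up data ($data)"
    else
        echo "MISMATCH: packages $installed, backup data $data"
        return 1
    fi
}

# Sample log built from lines quoted in the thread (first line rejoined).
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded (expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
CA did not start in 300.0s
EOF
    echo "$f"
}

log=$(write_sample_log)
preflight "4.6.4-10.el7_6.6" "$log" || true   # host as in the thread: MISMATCH
preflight "4.6.4-10.el7_6.3" "$log"           # host at the backed-up level: OK
rm -f "$log"
# On a real host the first argument would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' ipa-server
```

Recording the output of that `rpm` query next to each scheduled backup gives the same comparison without needing a failed restore log first.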
