[Freeipa-devel] Backup and Restore design

Rob Crittenden rcritten at redhat.com
Wed Feb 20 15:20:04 UTC 2013 

John Dennis wrote:
> On 02/19/2013 10:43 PM, Rob Crittenden wrote:
>> I've looked into some basic backup and restore procedures for IPA. My
>> findings are here: http://freeipa.org/page/V3/Backup_and_Restore
>
> Good write up Rob!
>
> It seems to me there are two critical sub-issues to solve first that
> could benefit us in the long run anyway.
>
> 1) Replacing certs. This has been a pain point for many admins who for
> various reasons now have invalid certs and need to redeploy all certs to
> bring back up our integrated web of services. Can this be a separate
> work item? It would be generally useful in contexts other than backups.

This is definitely something we need, but yeah, it's a bit out of my 
scope here. There are lots of reasons to replace the CA but we don't 
really have any way to do that currently.

I did find a sort of poor-man's way of replacing the CA and documented 
that, but I'm not sure I'd want to do that with live data. It was sort 
of a "gee, I wonder what would happen..." sort of thing.

> 2) Tracking every file we modify. Aren't we already a good way there
> with the sysrestore functionality already in use in the install tools?
> It is just a matter of enhancing it a bit and being diligent about
> making sure it's used in every modification we make? Actually I'm not
> thinking we track every modification, rather we keep a manifest of
> everything we've touched and then just snapshot those files during
> backup, this would capture any modifications not made by us but perhaps
> are critical to restoring a working system (i.e. puppet modifications).
> The sysrestore module could provide the manifest, right?

The problem is we also need to back up a lot of files we don't otherwise 
track (or probably want to). For example, the entire CA instance, the 
entire 389-ds instances, etc. My goal for the data backup was to be able 
to drop the file onto a brand new machine, with the right rpms installed 
and be able to do a restore and start everything up. To do that we have 
to restore a whole ton of things that we don't necessarily touch in our 
installer so is beyond the scope of sysrestore.

That and we already herd cats. It would require us to be more 
responsible for files provided by other apps. So if 389-ds or dogtag 
decided to ship a new file, we'd have to update our sysrestore stuff to 
capture that, or we'd have to loop over the directories to make sure we 
had everything tracked.

Thanks for the feedback.

rob

More information about the Freeipa-devel mailing list