[Freeipa-users] FreeIPA master replica generation divorce?

Simo Sorce ssorce at redhat.com
Wed Jan 13 14:58:01 UTC 2010


On Tue, 12 Jan 2010 15:01:32 -0800
root <freeipa at voidembraced.net> wrote:

> Thinking outside of the box for a moment, is it possible to divorce
> the FreeIPA "master" feature of deploying FreeIPA servers from the
> FreeIPA cluster which handles everything else?  Keeps it safe and out
> of harm's way, especially considering it has the CA key on it.
> 
> This could be done a couple of different ways.  One would be to just
> have the master FreeIPA "server" deployed as a VM instance -- we only
> dust it off and start it up when a new server needs deployment, and
> shut it back down after it's generated the replica file.  While crude
> for my environment, this would work really well for a VM based shop. 

No, I think you can't "start it up" only "when needed".
Replication would be compromised, the backlog window is about a week
IIRC.

But what you could do is to keep the first master reachable only by
other replicas through firewalling/VPN/VLANs, your choice,
and expose to the real world only the replicas.

In this scenario you can shut it down without much care because it is
not serving clients. But you cannot keep it shut for long times or it
will get completely out of sync with the other replicas.

Of course, as Rob already pointed out, you may want to add replication
channels between replicas so that your master server is not critical
for replication if you have to shut it down.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
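The "first master reachable only by other replicas" layout Simo describes, as an added example that is not part of this thread: a shell function that emits an iptables-restore fragment allowing the standard FreeIPA service ports only from listed replica addresses and logging and dropping everything else. The replica addresses (192.0.2.x) are constructed, and the port list assumes the usual FreeIPA services (LDAP 389/636, Kerberos 88/464, HTTP/HTTPS 80/443); adjust it to your deployment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Generates (does not apply) firewall rules for a FreeIPA first master that
# should only ever talk to its replicas. Review the output, then feed it to
# iptables-restore or your configuration management.

# Assumed standard FreeIPA service ports; change if your deployment differs.
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464"

# Print an iptables-restore fragment.  Arguments: replica addresses.
ipa_master_rules() {
    echo "*filter"
    echo ":IPA-REPL - [0:0]"
    for ip in "$@"; do
        for p in $IPA_TCP_PORTS; do
            echo "-A IPA-REPL -s $ip -p tcp --dport $p -j ACCEPT"
        done
        for p in $IPA_UDP_PORTS; do
            echo "-A IPA-REPL -s $ip -p udp --dport $p -j ACCEPT"
        done
    done
    # Anything else reaching the IPA ports is not a replica: log it so a
    # stray client (or a scan) of the master is visible, then drop it.
    for p in $IPA_TCP_PORTS; do
        echo "-A IPA-REPL -p tcp --dport $p -j LOG --log-prefix \"IPA-MASTER-DENY \""
        echo "-A IPA-REPL -p tcp --dport $p -j DROP"
    done
    for p in $IPA_UDP_PORTS; do
        echo "-A IPA-REPL -p udp --dport $p -j LOG --log-prefix \"IPA-MASTER-DENY \""
        echo "-A IPA-REPL -p udp --dport $p -j DROP"
    done
    echo "-A INPUT -j IPA-REPL"
    echo "COMMIT"
}

# Sanity check helper: number of ACCEPT rules generated for the given replicas
# (8 per replica: 6 TCP ports + 2 UDP ports).
count_accepts() {
    ipa_master_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage with two constructed replica addresses:
ipa_master_rules 192.0.2.10 192.0.2.11
```

Because the master still replicates over 389/636 with its peers, it can be powered down briefly as Simo says, but the rules do nothing about the changelog window, so it must come back before that expires.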
