[Freeipa-users] Virtualising FreeIPA domain controller

Simo Sorce simo at redhat.com
Fri Mar 2 14:50:24 UTC 2012


On Fri, 2012-03-02 at 15:39 +0100, Ondrej Valousek wrote:
> 
> > Well I do not know about just 'pausing' it sounds not plausible to me,
> > except wrt clock skew which may cause krb auth and replication to fail.
> > 
> Yes, that's exactly what is happening.

This should be easily fixed by making sure to bring the clock back to
proper date as soon as you un-pause.

> > But if you restore such a snapshot after the original machine had a
> > fatal accident then it may come with issues.
> It is enough just to 'resume' the VM host operation (after being
> paused) to cause problems.

Ok, I do not think FreeIPA has this problem then, sounds like something AD
specific.

> > I think the issue is due to the fact that the directory service in AD is
> > not being shut down before the snapshot. This results in you
> > snapshotting the underlying database in a potentially unclean state.
> > You could run in similar issues if you do this with FreeIPA and you do
> > not ipactl stop right before taking the snapshot, the DS database will
> > be in an open state and potentially in the middle of a transaction.

> Yes, I understand the consequences and how to deal with them in the
> IPA environment. But for most admins it seems to me better just to
> generally say "never virtualize this unless you well know what you are
> doing", right?

I do not think there is any problem in virtualizing IPA. Pausing the
machine (except for clock skew issues that can be easily resolved)
shouldn't cause too many issues. You have a small window in which
replication may temporarily stop (until the clock is set back right) and
clients may fail to auth (again due to clock skew) but I don't think you
will see any other issue.
And if you ipactl stop before pausing then set clock back straight
before ipactl start after unpausing you should see no problems at all.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
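
The stop / fix clock / start sequence described in the message above, as an added example that is not part of the original post or of FreeIPA itself. It assumes chronyd is the guest's time client and uses 300 seconds, the MIT Kerberos default clock-skew tolerance, as the limit; the function names and the `pre-pause` / `post-resume` arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Runs inside the IPA guest.
# Assumptions: chronyd is the guest's time client, and MAX_SKEW matches the
# MIT Kerberos default clockskew tolerance of 300 seconds.
MAX_SKEW=${MAX_SKEW:-300}

# Read `chronyc tracking` output on stdin; succeed only if the reported
# "System time" offset is present and within MAX_SKEW seconds.
skew_ok() {
    awk -v max="$MAX_SKEW" -F': *' '
        /^System time/ { split($2, f, " "); seen = 1; ok = (f[1] + 0 <= max + 0) }
        END { if (seen && ok) exit 0; exit 1 }'
}

# Before the hypervisor pauses or snapshots the guest: stop all IPA services
# so the directory server database is closed cleanly.
pre_pause() {
    ipactl stop
}

# After un-pausing: step the clock, verify the offset, then start IPA.
post_resume() {
    chronyc makestep >/dev/null || return 1
    if chronyc tracking | skew_ok; then
        ipactl start
    else
        echo "clock offset unknown or above ${MAX_SKEW}s; not starting IPA" >&2
        return 1
    fi
}

case "${1:-}" in
    pre-pause)   pre_pause ;;
    post-resume) post_resume ;;
esac
```

The gate fails closed: if `chronyc tracking` prints no "System time" line, IPA is left stopped rather than started with an unverified clock.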



