[Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

Petr Spacek pspacek at redhat.com
Tue May 15 09:13:37 UTC 2012


Hello,

IMHO it *must* be documented very well. Thanks for the scenario proposal!

There is a new documentation ticket: https://fedorahosted.org/freeipa/ticket/2758

Another ticket exists for CA master recovery procedure: 
https://fedorahosted.org/freeipa/ticket/2749

Petr^2 Spacek

On 05/15/2012 01:19 AM, Gelen James wrote:
> Hi Dimitri,
>
> thanks a lot for your offer. It will be more than appreciated if Rob, or some
> other talented genius could wiki the steps. The more details, the sooner, and
> the better. It will help IPA projects and its users dramatically, especially
> for newbies like me. :)
>
> Thanks again to you, Rob and others for the coming documentation work.
>
>
> --Gelen.
>
> ------------------------------------------------------------------------------
> *From:* Dmitri Pal <dpal at redhat.com>
> *To:* Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> *Cc:* "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>; Rich Megginson
> <rmeggins at redhat.com>
> *Sent:* Monday, May 14, 2012 1:20 PM
> *Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA
> Replica setup???
>
> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
>> Hi Dmitri, Rich and all,
>>
>> I am a newbie to Redhat IPA. It looks pretty cool compared with other
>> solutions I've tried before. Thanks a lot for this great product! :)
>>
>> But there are still some things I need your help with. My main question is:
>> How to restore the IPA setup with a daily machine-level IPA Replica backup?
>>
>> Please let me explain my IPA setup background and backup/restore goals
>> trying to reach:
>>
>> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup with
>> Dogtag CA system. It is installed first. Then two IPA replicas are installed
>> -- with '--setup-ca' options -- for load balancing and failover purposes.
>>
>> To describe my problems/objectives, I'll name the IPA Master as machine A,
>> IPA replicas as B and C. and now I've one more extra IPA replica 'D'
>> (virtual machine) setup ONLY for backup purposes.
>> The setup looks like the following, A is the configuration Hub. B,C,D are
>> siblings.
>>
>> A
>> / | \
>> B C D
>>
>> The following are the steps I backup IPA setups and LDAP backends daily --
>> it is a whole machine-level backup (through virtual machine D).
>>
>> 1, First, IPA replica D is backed up daily. The backup happens like this:
>>
>> 1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h <D>'. On
>> the Hypervisor which holds virtual machine D, do a daily backup of the whole
>> virtual disk that D is on.
>> 1.2 turn on the IPA replica D again.
>> 1.3 after virtual machine D is up, on D optionally run a 'ipa-replica-manage
>> --force-sync --from <A>' to sync the IPA databases forcibly.
>>
>> Now comes the restore part, which is pretty confusing to me. I've tried
>> several times, and every time it comes to this or that kind of issue, and so
>> I am wondering that correct steps/interaction of IPA Master/replicas are the
>> king :(
>>
>> 2, case #1, A is broken, like disc failure, and then re-imaged after several
>> days.
>>
>> 2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily
>> backup from IPA replica D?
>> 2.2 do I have to check some files on A into subversion immediately after A
>> was initially installed?
>> 2.3 Please describe the steps. I'll follow exactly and report the results.
>>
>> 3, case #2, A is working, but either B, or C is broken.
>>
>> 3.1 It looks that I don't need the daily backup of D to kick in, is that right?
>> 3.2 What are the correct steps on A; and B after it is re-imaged?
>> 3.3 Please describe the steps. I'll follow exactly and report the results.
>>
>> 4, case #3, If some unexpected IPA changes happen on A -- like all users
>> are deleted by human mistake --, and even worse, all the changes are
>> propagated to B and C in minutes.
>>
>> 4.1 How can I recover the IPA setup from daily backup from D?
>> 4.2 which IPA master/replicas I should recover first? IPA master A, or IPA
>> replicas B/C? and then how to recover others left one by one?
>> 4.3 Do I have to disconnect replication agreement of B,C,D from A first?
>> 4.4 Please describe the steps. I'll follow exactly and report the results.
>>
>> I've heard something about tombstone records too. Not sure whether the
>> problem still exists in 2.1.3, or 2.2.0 (on 6.3Beta)? If so, how can I avoid
>> it with correct recovery steps/interactions?
>>
>> Thanks a lot.
>>
>> --Gelen.
>
> I can explain it conceptually. Rob is probably best to define the exact
> sequence and commands.
>
> If your A is broken you reinstall it, make it connect to D and init (force
> sync) A from D. Now you have a new A.
>
> If B or C dies you just re-install B or C and init from A.
>
> If you lost a lot of data I suggest you start a saved D instance and
> force-sync A from it and then force sync B and C from A.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>