Saurabh Garg wrote:
Hi Rob, Thanks for your reply.
In our case we need to put in place a procedure/steps that can help us
to come out from a situation where our complete IPA server setup
(original server and its replica both) is lost/deleted and need to get
the same setup back from the scheduled full-server-backups (through cron
jobs) available at some object storage location.
Install a server with the same OS level as the backup and run the
restore. Additional new masters can be created from that.
You'll want to keep track of which masters run which optional services
and be sure to backup one (or more) running the CA.
rob
Please advise.
Thanks,
Saurabh Garg
On Fri, Oct 25, 2019 at 6:12 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Saurabh Garg via FreeIPA-users wrote:
> Background -
> We are trying to restore "full server" from an existing IPA server
(with replication ON to another server) to a newly created IPA
Server from the same golden image as all other servers.
There is no restore with replication on. It would cause endless
problems.
Restore is expected to be for a single master in a catastrophic
situation. The others will require re-init from this master.
> Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Destination IPA Server: Red Hat Enterprise Linux Server release
7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Problem Statement -
> While running "ipa-restore" (exact command: # ipa-restore
/root/backup/) on the new IPA server for full server backup, system
throws the following error lines in iparestore.log:
>
>
> 2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to
be upgraded (expected version '4.6.4-10.el7_6.6', current version
'4.6.4-10.el7_6.3')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> Publish directory already set to new location
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log
for more information
It is very persnickety. The versions do not match.
There are sometimes subtle differences between versions of IPA, even in
minor releases, so it is not considered safe to restore between
versions.
You could hack out the version check and roll the dice, or downgrade the
packages to match the backed-up value.
rob
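
The mismatch discussed in this thread is invisible to `ipa-server-install --version`, which printed 4.6.4 on both hosts; only the full package release in the iparestore.log error differs. The following is an added example, not code from the thread or from the FreeIPA project: it pulls both versions out of that error line and reports which release to match. The function names are hypothetical, and reading "current version" as the backed-up data follows the reply's advice to downgrade to the backed-up value.

```python
import re

# Message format as quoted from iparestore.log in the thread above.
VERSION_ERROR = re.compile(
    r"IPA version error: data needs to be upgraded "
    r"\(expected version '([^']+)', current version '([^']+)'\)"
)

# Constructed sample: the log lines quoted in the thread, wrapped as the mail wrapped them.
SAMPLE_LOG = """\
2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to
be upgraded (expected version '4.6.4-10.el7_6.6', current version
'4.6.4-10.el7_6.3')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
CA did not start in 300.0s
"""


def find_version_mismatch(log_text):
    """Return the installed and backed-up versions from the first version error, or None."""
    # Collapse whitespace so a message wrapped across lines still matches.
    flat = " ".join(log_text.split())
    match = VERSION_ERROR.search(flat)
    if match is None:
        return None
    # Assumption: 'expected' is the installed package, 'current' is the restored data.
    return {"installed": match.group(1), "backup_data": match.group(2)}


def upstream(vendor_version):
    """'4.6.4-10.el7_6.3' -> '4.6.4' (the part --version prints)."""
    return vendor_version.partition("-")[0]


def triage(log_text):
    """Summarise what has to match before ipa-restore is retried."""
    found = find_version_mismatch(log_text)
    if found is None:
        return "no IPA version error in log"
    installed, data = found["installed"], found["backup_data"]
    if upstream(installed) == upstream(data):
        return (f"upstream {upstream(data)} matches but package release differs: "
                f"install packages at {data} (server has {installed}) before ipa-restore")
    return f"upstream version differs: backup {data}, server {installed}"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
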