Hi! This is meant for the good future of freeipa, a package I've appreciated for some years, so across the user cultures and languages please understand it as supportive and not a complaint!
For all freeipa's 'master-master' replica technology, there remain 'some instances more primary than others' even if the topology diagrams claim equivalence. Lose 'that one that's even more primary' and (absent high-learning-curve, on-site capability, and intervention that calls for high-bar mastery of seldom used subsystems) -- you're on a track to breakage. Why? Because it's when, not if, that 'primary' system will need a major OS point release (8 to 9 in the present situation). In that case, there is as yet no 'just works' upgrade path. With 'not the super special 'even more master than other' master replicas, it's easy and 'it just works'... but 'for that one...' freeipa is not ready for 'prime time'.
For example, should site admins 'just know' whether there is a current kasp.db maintained in more than one place? How many know about ipa-crlgen-manage, or whether /etc/pki/pki-tomcat/ca/CS.cfg should or shouldn't have ca.certStatusUpdateInterval=0, or have the command ipa config-mod --ca-renewal-master-server at the top of their mind? SID range assignments?
Fundamentally, the fair question is: Which freeipa subsystems that I don't happen to have studied in dev-level detail have similar 'deep gotchas that are obvious to the one who specializes in that, but opaque to everyone else'? Not even the freeipa devs who write the docs collect all the steps in one place. While there are 'characterizations of worries' those come without steps, the advice doesn't say what steps will work, just what won't. ('don't leapp upgrade').
The way forward I think is fairly doable. First is to have each 'dev that's an expert in their thing' (dns, kra, etc. etc.) make sure all 'master' level replicas have, updated, whatever 'special files' might be necessary, even if they aren't 'the extra special primary replica', and may never get used.
Second is an 'orchestration' command, to be run on a master-replica that is 'the latest os', that will, 'all in one', do all the magic to become 'the extra special primary master' and take those options off 'the old primary', even if it means installing trust/dns/etc subsystems extant on the 'old master' but missing from the 'soon to be new primary master'. An orchestration command that manages everything from moving which fqdn is authoritative in SOA records, to magic tiny entries in CA.cfg files. When that command is done, the 'old primary' becomes 'just another master replica that happens to be using an older os'. Then the 'old primary' can be discarded and replaced with the latest os and a fresh install as a master replica. At that point, it's optional whether to move the 'special primary' status 'back' to the 'now new OS master system'.
The admin pain involved at present 'for that one system that's the extra special primary' at os major release upgrade time -- it sets too high an education bar, obviously higher than even one freeipa-dev has, as the docs prove-- and as such needs a team approach to address,, before OS 9 to 10 please!
Thanks for all you've done so far!
Harry Coin