On 03.03.21 10:43, Florence Blanc-Renaud wrote:
On 3/3/21 10:24 AM, Ronald Wimmer via FreeIPA-users wrote:
> On 03.03.21 10:13, Alexander Bokovoy wrote:
>> On ke, 03 maalis 2021, Ronald Wimmer via FreeIPA-users wrote:
>>> Some time ago we upgraded our IPA servers from CentOS 7.x to Oracle
>>> Linux 8.3. We did it exactly as recommended in the respective
>>> documentation.
>>>
>>> A few days ago we found out that two out of our eight servers do not
>>> work as they should. On both of them pki-tomcatd refuses to start.
>>> The two servers are ipa2 and ipa6 - both have the CA feature
>>> installed. Additionally, on ipa6 configuration is not replicated to
>>> the other servers. ipa2 seems to have even more problems. kinit does
>>> not work, neither does the WebGUI.
>>>
>>> My first question is addressed to Rob. Is ipa-healthcheck checking
>>> the whole IPA server landscape or does it check only the server
>>> where the command is issued?
>>
>> AFAIK, ipa-healthcheck only evaluates the single machine. You need to
>> run it on each system to produce a report for that system. There are
>> plans to be able to run on multiple machines and combine the report
>> together but there are no tests that use the reports from individual
>> replicas yet.
>>
>>>
>>> What would probably be the best way to make these two servers work
>>> normally again? (I am thinking of just ripping these two servers out
>>> of the topology and setting them up from scratch again?)
>>
>> It heavily depends on what the problems are. Removing a replica is
>> always a hammer, but if you don't want to investigate it, sure.
>
> Preferably I would like to investigate. How could I prevent IPA
> clients from contacting one of the two erroneous servers? (Regarding
> the WebUI I configured a loadbalancer in front of the Apaches.) I did
> an "ipactl stop" on both servers - but for investigating ipa will most
> likely need to run on these servers...
>
Hi,

you can have a look at the "hidden replica" feature [1]. If you switch
the replicas under investigation into hidden mode, they won't be used by
clients any more.

flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...

That worked perfectly for ipa6 but - unfortunately - not for ipa2:

[root@ipa1 ~]# ipa server-state ipa2.linux.mydomain.at --state=hidden
ipa: ERROR: invalid 'ipa2.linux.mydomain.at': Cannot hide last enabled
KRA server.
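The refusal above comes from the server-role constraint: a replica cannot be hidden while it is the only enabled KRA server. The following pre-check is an added example, not code from the thread or from FreeIPA itself; it assumes the role listing is taken from `ipa server-role-find --role "KRA server" --status enabled` (the sample text is constructed to mimic that output and is not real topology data) and only decides whether `ipa server-state --state=hidden` is worth attempting.

```shell
#!/bin/sh
# Added example: count enabled "KRA server" roles before hiding a replica,
# because ipa refuses to hide the last enabled KRA server.
# SAMPLE_ROLES is constructed sample text in the assumed shape of
# `ipa server-role-find --role "KRA server" --status enabled` output.

SAMPLE_ROLES='  Server name: ipa2.linux.mydomain.at
  Role name: KRA server
  Role status: enabled'

# count_enabled_kra: print how many "Role status: enabled" lines appear in $1
count_enabled_kra() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the count usable
    printf '%s\n' "$1" | grep -c 'Role status: enabled' || true
}

# can_hide: exit 0 only if at least one other enabled KRA server would remain
can_hide() {
    n=$(count_enabled_kra "$1")
    [ "$n" -gt 1 ]
}

# Real usage on an IPA server (commented out so the script runs offline):
# roles=$(ipa server-role-find --role "KRA server" --status enabled)
# if can_hide "$roles"; then
#     ipa server-state ipa2.linux.mydomain.at --state=hidden
# else
#     echo "only one enabled KRA server left; add a KRA elsewhere first"
# fi
```

With a single enabled KRA server the check fails, matching the error ipa reported for ipa2; once a second enabled KRA server is present it succeeds.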