Angus Clarke via FreeIPA-users wrote:
Hello
I am planning the upgrade of one of our FreeIPA deployments from EL7.9
Previously, we have been quite good at upgrading through OS point upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA software.
Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8 FreeIPA which will receive the freeipa software from the Appstream repository. At time of writing, that process will see me introducing a replica running ipa-server 4.9.8 to my existing FreeIPA nodes running ipa-server 4.6.8
Should I be concerned about more minor updates and find some way of upgrading through different ipa-server (and dependencies) releases from Appstream or do you think I should just run the procedure as described above?
Major version upgrades via adding a new machine are the recommended and documented route. It includes retiring existing, older servers, so have a plan for that.
Running mixed versions is likely fine in most cases but we don't recommend doing it for very long and encourage a relatively fast migration (weeks not months). Be sure to watch the replication topology and maintain the service mix (e.g. at least 2 CAs), and at least have one CA designated as the renewal master, CRL master, etc. It's all in the docs.
rob
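An added example (not part of the thread or of FreeIPA itself) of the service-mix check described above: before retiring an old server, confirm that at least two CAs would remain and that the CA renewal master is not among the hosts being removed. The hostnames, the function names and the sample `ipa config-show` output are constructed, and the field labels are assumed to match what your IPA version prints.

```shell
#!/bin/sh
# SAMPLE_CONFIG is constructed `ipa config-show` output (placeholder hosts);
# the field labels are assumed to match what your IPA version prints.
SAMPLE_CONFIG='  Maximum username length: 32
  IPA masters: el7-a.example.test, el7-b.example.test, el8-a.example.test
  IPA CA servers: el7-a.example.test, el8-a.example.test
  IPA CA renewal master: el7-a.example.test'

# field CONFIG LABEL: print the value of the "LABEL: value" line.
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# remaining_cas CONFIG [RETIRING_HOST ...]: print the number of CA servers
# left once the named hosts are removed.
remaining_cas() {
    cfg=$1; shift
    left=$(field "$cfg" 'IPA CA servers' | tr ',' '\n' | sed 's/[[:space:]]//g')
    for host in "$@"; do
        left=$(printf '%s\n' "$left" | grep -vxF "$host" || true)
    done
    printf '%s\n' "$left" | grep -c . || true
}

# check_service_mix CONFIG [RETIRING_HOST ...]: return 0 only if, after the
# retirements, at least 2 CAs remain and the renewal master is not among
# the hosts being removed.
check_service_mix() {
    cfg=$1
    renewal=$(field "$cfg" 'IPA CA renewal master')
    n=$(remaining_cas "$@")
    shift
    rc=0
    if [ -z "$renewal" ]; then echo "FAIL: no CA renewal master designated"; rc=1; fi
    for host in "$@"; do
        if [ "$host" = "$renewal" ]; then
            echo "FAIL: $host is the CA renewal master; move the role first"; rc=1
        fi
    done
    if [ "$n" -lt 2 ]; then echo "FAIL: only $n CA server(s) would remain"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: $n CA servers, renewal master $renewal"; fi
    return "$rc"
}

# On a real server: check_service_mix "$(ipa config-show)" old-host.example.test
check_service_mix "$SAMPLE_CONFIG" el7-b.example.test
```

In the sample, retiring `el7-b` passes, while retiring `el7-a` fails on both counts until a second EL8 CA exists and the renewal master role has been moved.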
On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote:
Major version upgrades via adding a new machine are the recommended and documented route. It includes retiring existing, older servers, so have a plan for that.
How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex) services integrated with each other, but without "deep" operating system integration. A few services talking with each other, so to say. And unlike others FreeIPA brings its own HA.
?
No complaint, of course. I am just curious. Regards
Harri
On Wed, 15 Jun 2022, Harald Dunkel via FreeIPA-users wrote:
On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote:
Major version upgrades via adding a new machine are the recommended and documented route. It includes retiring existing, older servers, so have a plan for that.
How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex) services integrated with each other, but without "deep" operating system integration. A few services talking with each other, so to say. And unlike others FreeIPA brings its own HA.
?
No complaint, of course. I am just curious. Regards
The same as with not doing backports to older OSes, FreeIPA depends on a *particular set* of integrated services and libraries, not just any. We choose to avoid some of the tough-to-solve upgrade issues by doing the upgrade by replication. Sometimes battles are won by not fighting them.
See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... for more details on migration and upgrades.
Hi Alex,
On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote:
The same as with not doing backports to older OSes, FreeIPA depends on a *particular set* of integrated services and libraries, not just any. We choose to avoid some of the tough-to-solve upgrade issues by doing the upgrade by replication. Sometimes battles are won by not fighting them.
You mean I cannot upgrade to FreeIPA 4.9.x on RHEL7, either? That was plan B.
Regards Harri
On Fri, 17 Jun 2022, Harald Dunkel via FreeIPA-users wrote:
Hi Alex,
On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote:
The same as with not doing backports to older OSes, FreeIPA depends on a *particular set* of integrated services and libraries, not just any. We choose to avoid some of the tough-to-solve upgrade issues by doing the upgrade by replication. Sometimes battles are won by not fighting them.
You mean I cannot upgrade to FreeIPA 4.9.x on RHEL7, either? That was plan B.
I think at least my messaging was pretty consistent for the past decade or so. ;)
There were no plans to have FreeIPA 4.x on RHEL 6. Install new replica on RHEL 7 to migrate.
There were no plans to have FreeIPA 4.7+ on RHEL 7. Install new replica on RHEL 8 to migrate.
RHEL 8 will see FreeIPA 4.9.10 soon and we are going to switch to the FreeIPA 4.10.x series for RHEL 9 in the next several weeks. The FreeIPA 4.10 series will not appear in RHEL 8 because of the Dogtag PKI 11.2+ dependency for the Random Serial Number features.
Setting up a replica on a newer OS release is a preferred way to upgrade.
Fedora was kind of excluded from this policy because there are only two Fedora releases in support at the same time and they are typically very close to each other in terms of packages provided. Still, we stop pushing new versions to older releases when that is not possible to fulfill -- this happened a year ago with Fedora 33, for example, when pluggable subid support was not present there.
Thanks Rob
Angus
________________________________
From: Rob Crittenden rcritten@redhat.com
Sent: 15 June 2022 14:15
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Angus Clarke angus@charworth.com
Subject: Re: [Freeipa-users] Upgrading from EL7.9 to EL8
Angus Clarke via FreeIPA-users wrote:
Hello
I am planning the upgrade of one of our FreeIPA deployments from EL7.9
Previously, we have been quite good at upgrading through OS point upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA software.
Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8 FreeIPA which will receive the freeipa software from the Appstream repository. At time of writing, that process will see me introducing a replica running ipa-server 4.9.8 to my existing FreeIPA nodes running ipa-server 4.6.8
Should I be concerned about more minor updates and find some way of upgrading through different ipa-server (and dependencies) releases from Appstream or do you think I should just run the procedure as described above?
Major version upgrades via adding a new machine are the recommended and documented route. It includes retiring existing, older servers, so have a plan for that.
Running mixed versions is likely fine in most cases but we don't recommend doing it for very long and encourage a relatively fast migration (weeks not months). Be sure to watch the replication topology and maintain the service mix (e.g. at least 2 CAs), and at least have one CA designated as the renewal master, CRL master, etc. It's all in the docs.
rob