On Sat, 29 Apr 2023, Sebastiano Pomata via FreeIPA-users wrote:
Hi all,
I successfully deployed a FreeIPA installation with a master server and
two replicas using podman and the container images provided on
docker.io (specifically, those based on fedora 36) on RHEL 8. Time has
passed (indeed flown) and Fedora 36 is now about to reach end of
security support and I started thinking about upgrading to either the
4.10 freeipa based on fedora 38 or the one based on RHEL 9.
Whatever the final choice, I wonder what's the recommended path to
follow? I remember having asked in the past on the freeipa IRC channel
and the most common suggestion was to avoid mounting the same ipa-data
directory under a new, upgraded container image, but rather to create a
new replica directly based on the updated container image.
This is very sensible however now I'm faced with a practical issue on
the steps to take: assuming I wanted to upgrade the master and two
replicas from 4.9 to 4.10 one by one, shall I create a temporary
replica under a new hostname (and same IP), delete the old replica from
topology and bring its container down, then re-create a new replica
with the proper previous hostname? Or just give up on the old hostname
and stick with the new one for the upgraded replica? As I manage the
installation with SRV records from DNS, ditching the old name for a new
one doesn't seem painful, however we have some services that rely on
the LDAP hostname of the current IPA servers and would still require
manual upgrade.
DNS is not managed by FreeIPA but externally on another server, which I
fully control.
Hope my question is clear and somebody who dealt with upgrades more
often can provide some feedback.
The FreeIPA container is supposed to run an upgrade on the data volume when
you upgrade images. This is one of the scenarios tested by the upstream CI.
This is documented in the upstream documentation:
https://github.com/freeipa/freeipa-container/blob/master/README#L183-L189
----------------------
If you have existing container with data volume, it should be safe to
shut it down and run new one based on newer image, with the same data
directory bind-mounted to /data. The container logic will detect that it
is running with data produced by different image and attempt to upgrade
the configuration and data. Of course, keeping backup of the data
directory for cases when the upgrade process fails is recommended.
----------------------
What would probably be good to do here is to simulate incremental version
upgrades: if you are going up from Fedora 36, step up to Fedora 36:latest
first, then Fedora 37:latest, then Fedora 38:latest.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
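The stepwise procedure from the reply (stop the old container, keep a backup, start the newer image on the same /data bind mount, wait for IPA to come up, repeat per release) written out as an added example script; it is not part of the freeipa-container project. The container name, data directory, hostname, image tags and the `ipactl status` health check are assumptions to adjust for a real deployment.

```shell
#!/bin/sh
# Added example (not from the freeipa-container project): walk a podman-run
# FreeIPA server through successive images on the same data volume, one
# release at a time. Names, paths and tags below are assumed placeholders.
set -eu

PODMAN="${PODMAN:-podman}"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands only
DATA_DIR="${DATA_DIR:-/srv/ipa-data}"          # host dir bind-mounted to /data
CONTAINER="${CONTAINER:-freeipa-replica1}"
IPA_HOSTNAME="${IPA_HOSTNAME:-replica1.example.test}"
IMAGE="${IMAGE:-docker.io/freeipa/freeipa-server}"
UPGRADE_PATH="${UPGRADE_PATH:-fedora-36 fedora-37 fedora-38}"  # oldest first

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Block until IPA services inside the container report running (assumes
# `ipactl status` is available in the image, as in the upstream one).
wait_healthy() {
    tries=0
    until run "$PODMAN" exec "$CONTAINER" ipactl status >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 60 ] || { echo "timeout waiting for $CONTAINER" >&2; return 1; }
        sleep 10
    done
}

# One step: stop the old container, back up the volume, then start the
# newer image on the same /data mount so its upgrade logic runs on first boot.
upgrade_to() {
    tag="$1"
    run "$PODMAN" stop "$CONTAINER"
    run "$PODMAN" rm "$CONTAINER"
    run tar -C "$(dirname "$DATA_DIR")" -czf "$DATA_DIR.pre-$tag.tar.gz" \
        "$(basename "$DATA_DIR")"
    run "$PODMAN" run -d --name "$CONTAINER" -h "$IPA_HOSTNAME" \
        -v "$DATA_DIR:/data:Z" "$IMAGE:$tag"
    wait_healthy
}

# Walk the whole path; refuse to start if the data directory is missing.
upgrade_all() {
    [ "$DRY_RUN" = 1 ] || [ -d "$DATA_DIR" ] || { echo "no $DATA_DIR" >&2; return 1; }
    for tag in $UPGRADE_PATH; do
        upgrade_to "$tag"
    done
}

if [ "${1:-}" = "--run" ]; then upgrade_all; fi
```

Run with `DRY_RUN=1 sh upgrade.sh --run` first to review the exact podman commands before touching a live replica.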