I am currently running FreeIPA on CentOS 7, and I am considering moving it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is necessary to provision a new server, running the new OS version, add it as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade, or will I find myself having to use the process described above?
On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via FreeIPA-users wrote:
> I am currently running FreeIPA on CentOS 7, and I am considering moving it to Fedora.
> On RHEL and derivatives, in-place upgrades are not supported. It is necessary to provision a new server, running the new OS version, add it as a FreeIPA replica, and then decommission the old system.
In-place upgrades seem to be supported since RHEL7, but maybe IPA there is more problematic? https://access.redhat.com/articles/4263361
> How does this work on Fedora? Will I be able to use dnf system-upgrade, or will I find myself having to use the process described above?
On Fedora, doing dnf system-upgrade is the official way to upgrade, including FreeIPA. No need for special steps. You can even skip a version (for example, Fedora 38->40 is/will be tested and supported), so you can upgrade once per year.
On Tue, 04 Jul 2023, Tomasz Torcz via FreeIPA-users wrote:
> On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via FreeIPA-users wrote:
>> I am currently running FreeIPA on CentOS 7, and I am considering moving it to Fedora.
>> On RHEL and derivatives, in-place upgrades are not supported. It is necessary to provision a new server, running the new OS version, add it as a FreeIPA replica, and then decommission the old system.
> In-place upgrades seem to be supported since RHEL7, but maybe IPA there is more problematic? https://access.redhat.com/articles/4263361
It is way more complex in RHEL 7 to 8 and in RHEL 8 to 9 because of modularity introduction and phasing out. That and FIPS requirements.
We do not support in-place RHEL 7 to RHEL 8 upgrade because IPA server packages moved into a modular stream that is not enabled by default. IPA client packages are in a modular stream that is enabled by default so they behave as if they are not in a module at all. The latter allows IPA clients to be upgraded in place.
We also do not support in-place RHEL 8 to RHEL 9 upgrade because IPA server packages were moved out of a modular stream and dnf is not really helpful in solving that.
The reality is complicated by the fact that we use intra-modular dependencies (idm:DL1 stream depends on 389-ds and pki-core modules, some of 389-ds and pki code also depends on healthcheck code provided by both idm:client and idm:DL1).
The Leapp tool was instructed to prevent in-place upgrades of IPA servers accordingly.
There are also complications due to FIPS 140-2 to FIPS 140-3 changes which make it more complex even with non-modular setup. Technically, you cannot even upgrade in-place FIPS 140-2 to FIPS 140-3 certified environments without violating the previous audit results.
>> How does this work on Fedora? Will I be able to use dnf system-upgrade, or will I find myself having to use the process described above?
> On Fedora, doing dnf system-upgrade is the official way to upgrade, including FreeIPA. No need for special steps. You can even skip a version (for example, Fedora 38->40 is/will be tested and supported), so you can upgrade once per year.
It is easier on Fedora due to organizational reasons, not technical ones.
freeipa-users@lists.fedorahosted.org