3:26 p.m.
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
2:56 a.m.
On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via FreeIPA-users wrote:
I am currently running FreeIPA on CentOS 7, and I am considering
moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
In-place upgrades seem to be support since RHEL7, but maybe IPA there
is more problematic?
https://access.redhat.com/articles/4263361
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
On Fedora, doing dnf system-upgrade is official way to upgrade,
including FreeIPA. No need for special steps.
You can even skip a version (for example, Fedora 38->40 is/will be
tested and supported), so you can upgrade once per year.
--
Tomasz Torcz “God, root, what's the difference?”
tomek(a)pipebreaker.pl “God is more forgiving.”
2:44 a.m.
On Аўт, 04 ліп 2023, Tomasz Torcz via FreeIPA-users wrote:
On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via
FreeIPA-users wrote:
> I am currently running FreeIPA on CentOS 7, and I am considering moving
> it to Fedora.
>
> On RHEL and derivatives, in-place upgrades are not supported. It is
> necessary to provision a new server, running the new OS version, add it
> as a FreeIPA replica, and then decommission the old system.
In-place upgrades seem to be support since RHEL7, but maybe IPA there
is more problematic?
https://access.redhat.com/articles/4263361
It is way more complex in RHEL 7 to 8 and in RHEL 8 to 9 because of
modularity introduction and phasing out. That and FIPS requirements.
We do not support in-place RHEL 7 to RHEL 8 upgrade because IPA server
packages moved into a modular stream that is not enabled by default. IPA
client packages are in a modular stream that is enabled by default so
they behave as if they are not in a module at all. The latter allows to
upgrade IPA clients inplace.
We also do not support in-place RHEL 8 to RHEL 9 upgrade because IPA
server packages were moved out of a modular stream and dnf is not really
helpful in solving that.
The reality is complicated by the fact that we use intra-modular
dependencies (idm:DL1 stream depends on 389-ds and pki-core modules,
some of 389-ds and pki code also depends on healthcheck code provided by
both idm:client and idm:DL1).
Leapp tool was instructed to prevent in-place upgrades of IPA servers
accordingly.
There are also complications due to FIPS 140-2 to FIPS 140-3 changes
which make it more complex even with non-modular setup. Technically, you
cannot even upgrade in-place FIPS 140-2 to FIPS 140-3 certified
environments without violating the previous audit results.
>
> How does this work on Fedora? Will I be able to use dnf system-upgrade,
> or will I find myself having to use the process described above?
On Fedora, doing dnf system-upgrade is official way to upgrade,
including FreeIPA. No need for special steps.
You can even skip a version (for example, Fedora 38->40 is/will be
tested and supported), so you can upgrade once per year.
It is easier on Fedora due to organizational reasons, not technical
ones.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
308
days inactive
325
days old
freeipa-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Ian Pilcher -
Tomasz Torcz