On Tue, 04 Jul 2023, Tomasz Torcz via FreeIPA-users wrote:
On Thu, Jun 29, 2023 at 03:26:40PM -0500, Ian Pilcher via FreeIPA-users wrote:
> I am currently running FreeIPA on CentOS 7, and I am considering moving
> it to Fedora.
>
> On RHEL and derivatives, in-place upgrades are not supported. It is
> necessary to provision a new server, running the new OS version, add it
> as a FreeIPA replica, and then decommission the old system.
In-place upgrades seem to be supported since RHEL7, but maybe IPA there
is more problematic?
https://access.redhat.com/articles/4263361
It is way more complex in RHEL 7 to 8 and in RHEL 8 to 9 because of
modularity introduction and phasing out. That and FIPS requirements.
We do not support in-place RHEL 7 to RHEL 8 upgrade because IPA server
packages moved into a modular stream that is not enabled by default. IPA
client packages are in a modular stream that is enabled by default so
they behave as if they are not in a module at all. The latter allows
IPA clients to be upgraded in-place.
We also do not support in-place RHEL 8 to RHEL 9 upgrade because IPA
server packages were moved out of a modular stream and dnf is not really
helpful in solving that.
The reality is complicated by the fact that we use intra-modular
dependencies (idm:DL1 stream depends on 389-ds and pki-core modules,
some of 389-ds and pki code also depends on healthcheck code provided by
both idm:client and idm:DL1).
The Leapp tool was instructed to prevent in-place upgrades of IPA servers
accordingly.
There are also complications due to FIPS 140-2 to FIPS 140-3 changes
which make it more complex even with a non-modular setup. Technically, you
cannot even upgrade in-place FIPS 140-2 to FIPS 140-3 certified
environments without violating the previous audit results.
>
> How does this work on Fedora? Will I be able to use dnf system-upgrade,
> or will I find myself having to use the process described above?
On Fedora, doing dnf system-upgrade is the official way to upgrade,
including FreeIPA. No need for special steps.
You can even skip a version (for example, Fedora 38->40 is/will be
tested and supported), so you can upgrade once per year.
It is easier on Fedora due to organizational reasons, not technical
ones.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland