Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
On 06/11/2018 09:10 AM, Alfredo De Luca via FreeIPA-users wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Best practice is to NOT have just a single server.
Backup shuts down IPA for a short period of time, so you have to focus on a schedule where impact of a downed identification server has the least impact. In busy environments, that's hard - very hard, hence the need for redundancy.
Each "ipa-backup" run is a full backup, so the rest is pretty simple. How far back do you want to be able to restore things? Well, backup at twice the interval for that, and once the "ipa-backup" is complete, backup /var/lib/ipa/backup to tape or offsite (before you do that, you encrypt, and DON'T ship the private encryption key AND the data at the same time).
Cheers
-- /Alfredo/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
thanks Peter. I know that having only one server it's not good thats' why for now I just want to implement a backup/restore process then one/multiple replicas.
About a retore... is it better to restore from a full backup rather than only data backup?
Cheers
Hi Alfredo,
As Peter says, use ipa-backup. I suggest running it twice a day, but that depends on how many changes you make in FreeIPA.
Then, get your backup software to backup /var/lib/ipa/backup some time after you've run ipa-backup. Or, get your backup software to run ipa-backup for you and then back up the destination folder.
It's always easier to restore a system from a full backup, but it takes time and demands many full backups which are large in size, demands a lot of storage and stresses your network.
I'd run a full backup of the FreeIPA server weekly and incrementals twice a day, all of them right after running ipa-backup.
HTH
/tony
On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
thanks Peter. I know that having only one server it's not good thats' why for now I just want to implement a backup/restore process then one/multiple replicas.
About a retore... is it better to restore from a full backup rather than only data backup?
Cheers _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Thanks Tony. Appreciated.
I will soon do that. Cheers
On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi Alfredo,
As Peter says, use ipa-backup. I suggest running it twice a day, but that depends on how many changes you make in FreeIPA.
Then, get your backup software to backup /var/lib/ipa/backup some time after you've run ipa-backup. Or, get your backup software to run ipa-backup for you and then back up the destination folder.
It's always easier to restore a system from a full backup, but it takes time and demands many full backups which are large in size, demands a lot of storage and stresses your network.
I'd run a full backup of the FreeIPA server weekly and incrementals twice a day, all of them right after running ipa-backup.
HTH
/tony
On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
thanks Peter. I know that having only one server it's not good thats' why for now I
just want to implement a backup/restore process then one/multiple replicas.
About a retore... is it better to restore from a full backup rather than
only data backup?
Cheers _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 2566 2383 / +45 8946 2316 _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Hi Tony et all. AFAIK if I perform a full backup, and one day I need to restore it , I can but only on the same machine/FQDN... is that right? So if I destroy the IPA server then create a new one with the same FQDN and options as the first time then I restore it should be fine?
Cheers Alfredo
On Wed, Jun 13, 2018 at 5:49 PM Alfredo De Luca alfredo.deluca@gmail.com wrote:
Thanks Tony. Appreciated.
I will soon do that. Cheers
On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi Alfredo,
As Peter says, use ipa-backup. I suggest running it twice a day, but that depends on how many changes you make in FreeIPA.
Then, get your backup software to backup /var/lib/ipa/backup some time after you've run ipa-backup. Or, get your backup software to run ipa-backup for you and then back up the destination folder.
It's always easier to restore a system from a full backup, but it takes time and demands many full backups which are large in size, demands a lot of storage and stresses your network.
I'd run a full backup of the FreeIPA server weekly and incrementals twice a day, all of them right after running ipa-backup.
HTH
/tony
On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
thanks Peter. I know that having only one server it's not good thats' why for now I
just want to implement a backup/restore process then one/multiple replicas.
About a retore... is it better to restore from a full backup rather
than only data backup?
Cheers _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 2566 2383 / +45 8946 2316 _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- *Alfredo*
Alfredo De Luca via FreeIPA-users wrote:
Hi Tony et all. AFAIK if I perform a full backup, and one day I need to restore it , I can but only on the same machine/FQDN... is that right? So if I destroy the IPA server then create a new one with the same FQDN and options as the first time then I restore it should be fine?
Yes. The same version of IPA is also required.
rob
Cheers Alfredo
On Wed, Jun 13, 2018 at 5:49 PM Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Thanks Tony. Appreciated. I will soon do that. Cheers On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Alfredo, As Peter says, use ipa-backup. I suggest running it twice a day, but that depends on how many changes you make in FreeIPA. Then, get your backup software to backup /var/lib/ipa/backup some time after you've run ipa-backup. Or, get your backup software to run ipa-backup for you and then back up the destination folder. It's always easier to restore a system from a full backup, but it takes time and demands many full backups which are large in size, demands a lot of storage and stresses your network. I'd run a full backup of the FreeIPA server weekly and incrementals twice a day, all of them right after running ipa-backup. HTH /tony On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote: > thanks Peter. > I know that having only one server it's not good thats' why for now I just want to implement a backup/restore process then one/multiple replicas. > > About a retore... is it better to restore from a full backup rather than only data backup? > > > Cheers > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZQODAMCETRGPFZXWHDAMV3C2ASSQIEDS/ > -- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 2566 2383 / +45 8946 2316 _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/XVJJI4RT4TSPGNTOTAP2Z56JNVLP4MES/ -- /Alfredo/
-- /Alfredo/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Thanks heaps.
On Mon, Jun 18, 2018 at 8:16 PM Rob Crittenden rcritten@redhat.com wrote:
Alfredo De Luca via FreeIPA-users wrote:
Hi Tony et all. AFAIK if I perform a full backup, and one day I need to restore it , I can but only on the same machine/FQDN... is that right? So if I destroy the IPA server then create a new one with the same FQDN and options as the first time then I restore it should be fine?
Yes. The same version of IPA is also required.
rob
Cheers Alfredo
On Wed, Jun 13, 2018 at 5:49 PM Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Thanks Tony. Appreciated. I will soon do that. Cheers On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Alfredo, As Peter says, use ipa-backup. I suggest running it twice a day, but that depends on how many changes you make in FreeIPA. Then, get your backup software to backup /var/lib/ipa/backup some time after you've run ipa-backup. Or, get your backup software to run ipa-backup for you and then back up the destination folder. It's always easier to restore a system from a full backup, but it takes time and demands many full backups which are large in size, demands a lot of storage and stresses your network. I'd run a full backup of the FreeIPA server weekly and
incrementals
twice a day, all of them right after running ipa-backup. HTH /tony On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote: > thanks Peter. > I know that having only one server it's not good thats' why for now I just want to implement a backup/restore process then one/multiple replicas. > > About a retore... is it better to restore from a full backup rather than only data backup? > > > Cheers > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
> -- Tony Albers Systems administrator, IT-development Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C,
Denmark.
Tel: +45 2566 2383 / +45 8946 2316 _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- /Alfredo/
-- /Alfredo/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick hedrick@cs.rutgers.edu wrote:
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- *Alfredo*
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca alfredo.deluca@gmail.com wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick <hedrick@cs.rutgers.edu mailto:hedrick@cs.rutgers.edu> wrote: Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KKKIFFZZQS4V562HUWYYR6FHGEA4KOYL/
-- Alfredo
Hi Hedrick. Jus a quick one. If i want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN?
Alfredo
On Sat, Jun 23, 2018 at 5:54 PM hedrick@rutgers.edu wrote:
There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca alfredo.deluca@gmail.com wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick hedrick@cs.rutgers.edu wrote:
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- *Alfredo*
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- *Alfredo*
Yes. Edit /etc/hosts and add your IP address and hostname. Edit /etc/hostname to put your hostname.
That works for me.
You should probably make sure that you have iptables on the production systems to reject connections from the ip address of your copy. Otherwise you run the danger of having an out of date copy giving you out of date data.
On Jun 25, 2018, at 11:31 AM, Alfredo De Luca alfredo.deluca@gmail.com wrote:
Hi Hedrick. Jus a quick one. If i want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN?
Alfredo
On Sat, Jun 23, 2018 at 5:54 PM <hedrick@rutgers.edu mailto:hedrick@rutgers.edu> wrote: There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick <hedrick@cs.rutgers.edu mailto:hedrick@cs.rutgers.edu> wrote: Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KKKIFFZZQS4V562HUWYYR6FHGEA4KOYL/
-- Alfredo
-- Alfredo
ok thanks. but can I have a different IP address but same hostname? this is to check if everything works
/Alfredo
On Mon, 25 Jun 2018, 18:24 , hedrick@rutgers.edu wrote:
Yes. Edit /etc/hosts and add your IP address and hostname. Edit /etc/hostname to put your hostname.
That works for me.
You should probably make sure that you have iptables on the production systems to reject connections from the ip address of your copy. Otherwise you run the danger of having an out of date copy giving you out of date data.
On Jun 25, 2018, at 11:31 AM, Alfredo De Luca alfredo.deluca@gmail.com wrote:
Hi Hedrick. Jus a quick one. If i want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN?
Alfredo
On Sat, Jun 23, 2018 at 5:54 PM hedrick@rutgers.edu wrote:
There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca < alfredo.deluca@gmail.com> wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick hedrick@cs.rutgers.edu wrote:
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- *Alfredo*
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- *Alfredo*
-- *Alfredo*
Yes. If you put a mapping between the new IP address and hostname in /etc/hosts, lookups will use that in preference to the usual one. If you also put the hostname in /etc/hostname and reboot, together those things should make the system believe it has the hostname of your actual server.
On Jun 25, 2018, at 2:19:16 PM, Alfredo De Luca via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
ok thanks. but can I have a different IP address but same hostname? this is to check if everything works
/Alfredo
On Mon, 25 Jun 2018, 18:24 , <hedrick@rutgers.edu mailto:hedrick@rutgers.edu> wrote: Yes. Edit /etc/hosts and add your IP address and hostname. Edit /etc/hostname to put your hostname.
That works for me.
You should probably make sure that you have iptables on the production systems to reject connections from the ip address of your copy. Otherwise you run the danger of having an out of date copy giving you out of date data.
On Jun 25, 2018, at 11:31 AM, Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Hi Hedrick. Jus a quick one. If i want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN?
Alfredo
On Sat, Jun 23, 2018 at 5:54 PM <hedrick@rutgers.edu mailto:hedrick@rutgers.edu> wrote: There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick <hedrick@cs.rutgers.edu mailto:hedrick@cs.rutgers.edu> wrote: Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KKKIFFZZQS4V562HUWYYR6FHGEA4KOYL/
-- Alfredo
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
If you do some searches, you can find some perl scripts that will do things like compare two LDIF files to see what changed.
On Jun 25, 2018, at 2:19:16 PM, Alfredo De Luca via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
ok thanks. but can I have a different IP address but same hostname? this is to check if everything works
/Alfredo
On Mon, 25 Jun 2018, 18:24 , <hedrick@rutgers.edu mailto:hedrick@rutgers.edu> wrote: Yes. Edit /etc/hosts and add your IP address and hostname. Edit /etc/hostname to put your hostname.
That works for me.
You should probably make sure that you have iptables on the production systems to reject connections from the ip address of your copy. Otherwise you run the danger of having an out of date copy giving you out of date data.
On Jun 25, 2018, at 11:31 AM, Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Hi Hedrick. Jus a quick one. If i want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN?
Alfredo
On Sat, Jun 23, 2018 at 5:54 PM <hedrick@rutgers.edu mailto:hedrick@rutgers.edu> wrote: There is actually documentation supporting my view: https://www.freeipa.org/page/Backup_and_Restore https://www.freeipa.org/page/Backup_and_Restore Look particularly at the section "Why snapshot and not backup and restore scripts?"
The difference is that they suggest stopping a replica before making a snapshot, while we snapshot a running system. I’ve done this with a variety of databases and other applications. My claim is that a point in time snapshot should be safe for any software that is designed to survive a crash, because a point in time snapshot is no harder to recover from than a crash. We have multiple snapshots, in case we can’t use one of them. But I’ve never seen that happen.
We always run complex software systems such a ipa in a VM.
On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca <alfredo.deluca@gmail.com mailto:alfredo.deluca@gmail.com> wrote:
Thanks Charles. Out IPA is a VM too on Openstack but for some reasons they said it's not good to take snapshots and rely on that for backups... I ll investigate further tho... cause my idea was exactly that. Snapshots!!!!
Thanks for sharing.
On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick <hedrick@cs.rutgers.edu mailto:hedrick@cs.rutgers.edu> wrote: Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backups to do experiments that I didn’t want to do on a production system. I’ve never had an issue starting from a backup, though I need to do some changes so the system thinks it has the same hostname as the original one.
On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi all. What's the best procedure/practice to periodically perform a backup on a single freeipa server with CA?
Cheers
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org mailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KKKIFFZZQS4V562HUWYYR6FHGEA4KOYL/
-- Alfredo
-- Alfredo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
freeipa-users@lists.fedorahosted.org