According to a Red Hat document (https://access.redhat.com/articles/4263361) an in-place upgrade is only possible from RHEL 7.6 to RHEL 8.1. Unfortunately, I've kept my IPA servers up-to-date so that their version is now 7.7.1908.
The document also states that there will be a possibility to upgrade from the last RHEL 7.x minor version to RHEL 8. Will this happen any time soon?
Is it generally recommended to perform an in-place upgrade on an IPA server or is it better to follow the steps in "Migrating IDM from RHEL 7 to 8" as documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... ?
Cheers, Ronald
Could a Red Hat guy give a short answer to my last question, please?
Cheers, Ronald
Ronald Wimmer via FreeIPA-users wrote:
> Could a Red Hat guy give a short answer to my last question, please?
This is an upstream users' list. If you want an official answer from Red Hat on what is supported then you should open a support ticket.
In my opinion, as a general rule, it is far safer to create a new master than to upgrade in place.
rob
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... states that the CA-Master should be replaced.
How would you proceed if there were multiple servers that needed an upgrade to 8? Do I need to stop the CA service and disable CRL generation on three of my four CA servers and migrate the remaining server from 7 to 8?
Or could I
1) stop ipa servers 2 to 8
2) migrate ipa1 to RHEL8
3) deploy 7 RHEL8 machines
4) setup replicas on these machines
Here's my setup:
Server name: ipa1.linux.mydomain.at Role name: CA server Role status: enabled
Server name: ipa2.linux.mydomain.at Role name: CA server Role status: enabled
Server name: ipa5.linux.mydomain.at Role name: CA server Role status: enabled
Server name: ipa6.linux.mydomain.at Role name: CA server Role status: enabled
Server name: ipa1.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa2.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa3.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa4.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa5.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa6.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa7.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa8.linux.mydomain.at Role name: NTP server Role status: enabled
Server name: ipa1.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa2.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa3.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa4.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa5.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa6.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa7.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa8.linux.mydomain.at Role name: AD trust agent Role status: enabled
Server name: ipa1.linux.mydomain.at Role name: KRA server Role status: enabled
Server name: ipa2.linux.mydomain.at Role name: KRA server Role status: enabled
Server name: ipa1.linux.mydomain.at Role name: AD trust controller Role status: enabled
Server name: ipa2.linux.mydomain.at Role name: AD trust controller Role status: enabled
Server name: ipa5.linux.mydomain.at Role name: AD trust controller Role status: enabled
Server name: ipa6.linux.mydomain.at Role name: AD trust controller Role status: enabled
Ronald Wimmer via FreeIPA-users wrote:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... states that the CA-Master should be replaced.
> How would you proceed if there were multiple servers that needed an upgrade to 8? Do I need to stop the CA service and disable CRL generation on three of my four CA servers and migrate the remaining server from 7 to 8?
> Or could I
> - stop ipa servers 2 to 8
> - migrate ipa1 to RHEL8
> - deploy 7 RHEL8 machines
> - setup replicas on these machines
Only one master should generate the CRL.
You don't have to do the migration all in one fell swoop at the same time. But you don't want to drag it out forever either (life is a balance).
What I'd do is create a new master in RHEL 8 with a CA. Set that as the CRL generator and CA Renewal Master. If you have physical machines then it's fine to remove one of the existing servers and re-create it with RHEL 8.
Once things are working then create another RHEL 8 master, drop another RHEL 7. Rinse and repeat. Eventually you'll run out of RHEL 7 machines to migrate. This can happen over as long a period as you're comfortable with; you just don't want to drag it out for months if you can avoid it.
Watch the replication topology for both IPA and the CA. Remember to keep at least 2 CA masters and trust controller/agent (which you seem to have in good order now).
freeipa-users@lists.fedorahosted.org
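A pre-removal check for the rolling migration described in the last reply, added here as an example (not code from the thread or from the FreeIPA project): it parses a role listing in the format posted earlier in the thread and reports which roles would drop below a minimum if one server were decommissioned. The host names are constructed placeholders and the KRA minimum of one is an assumption; the minimum of two for CA and trust roles follows the advice in the reply.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the role listing posted in the thread
# (placeholder host names; ipa9 stands for a newly added RHEL 8 replica).
SAMPLE = """\
Server name: ipa1.example.test Role name: CA server Role status: enabled
Server name: ipa2.example.test Role name: CA server Role status: enabled
Server name: ipa9.example.test Role name: CA server Role status: enabled
Server name: ipa1.example.test Role name: KRA server Role status: enabled
Server name: ipa1.example.test Role name: AD trust controller Role status: enabled
Server name: ipa2.example.test Role name: AD trust controller Role status: enabled
Server name: ipa1.example.test Role name: AD trust agent Role status: enabled
Server name: ipa2.example.test Role name: AD trust agent Role status: enabled
Server name: ipa9.example.test Role name: AD trust agent Role status: enabled
"""

# Servers that must still hold each role after a removal. The value 2 for CA
# and trust roles follows the reply; the KRA floor of 1 is an assumption.
MINIMUMS = {"CA server": 2, "AD trust controller": 2,
            "AD trust agent": 2, "KRA server": 1}

# Matches one record whether its three fields share a line or span three lines.
RECORD = re.compile(
    r"Server name:\s*(\S+)\s+Role name:\s*(.+?)\s+Role status:\s*(\S+)")

def parse_roles(text):
    """Return {role: set(servers)} for roles whose status is 'enabled'."""
    roles = defaultdict(set)
    for server, role, status in RECORD.findall(text):
        if status == "enabled":
            roles[role].add(server)
    return roles

def removal_blockers(text, server, minimums=MINIMUMS):
    """List (role, remaining servers) that fall below minimum without `server`."""
    roles = parse_roles(text)
    blockers = []
    for role, floor in minimums.items():
        remaining = roles.get(role, set()) - {server}
        if len(remaining) < floor:
            blockers.append((role, sorted(remaining)))
    return blockers

if __name__ == "__main__":
    for host in ("ipa1.example.test", "ipa9.example.test"):
        print(host, removal_blockers(SAMPLE, host) or "safe to remove")
```

In the sample, removing ipa1 is blocked until the new RHEL 8 replica also carries the KRA and trust controller roles.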