Background -
We are trying to restore "full server" from an existing IPA server (with replication ON to another server) to a newly created IPA Server from the same golden image as all other servers.

Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Destination IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
# ipa-server-install --version
4.6.4

Problem Statement -
While running "ipa-restore" (exact command: # ipa-restore /root/backup/) on the new IPA server for full server backup, system throws the following error lines in iparestore.log:

2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded (expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl
2019-10-25T08:19:26Z INFO Restoring umask to 23
2019-10-25T08:19:26Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 428, in run
    run(['ipactl', 'start'])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
2019-10-25T08:19:26Z DEBUG The ipa-restore command failed, exception: CalledProcessError: Command 'ipactl start' returned non-zero exit status 1
2019-10-25T08:19:26Z ERROR Command 'ipactl start' returned non-zero exit status 1
2019-10-25T08:19:26Z ERROR The ipa-restore command failed. See /var/log/iparestore.log for more information

In case you are aware of its fix/workaround, kindly share the steps.

Thanks,
sgarg
Hi

An alternative approach would be to set up your new server as an IPA client and then to promote it.

On new server:
# ipa-client-install

Followed by
# ipa-replica-install

Check the man pages for options suitable to your environment, otherwise I specify --setup-ca for all our new IPA instances.

I use this process for rolling out new IPA servers when we add new environments.

Regards
Angus
________________________________
From: Saurabh Garg via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Friday, October 25, 2019 11:55:40 AM
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Saurabh Garg <saurabh.grg@gmail.com>
Subject: [Freeipa-users] Full Server backup fails with IPA version error
Saurabh Garg via FreeIPA-users wrote:
> Background -
> We are trying to restore "full server" from an existing IPA server (with replication ON to another server) to a newly created IPA Server from the same golden image as all other servers.

There is no restore with replication on. It would cause endless problems.

Restore is expected to be for a single master in a catastrophic situation. The others will require re-init from this master.

> Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Destination IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Problem Statement -
> While running "ipa-restore" (exact command: # ipa-restore /root/backup/) on the new IPA server for full server backup, system throws the following error lines in iparestore.log:
>
> 2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded (expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> Publish directory already set to new location
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

It is very persnickety. The versions do not match.

There are sometimes subtle differences between versions of IPA, even in minor releases, so it is not considered safe to restore between versions.

You could hack out the version check and roll the dice, or downgrade the packages to match the backed-up value.

rob
Hi Rob,
Thanks for your reply.

In our case we need to put in place a procedure/steps that can help us to come out from a situation where our complete IPA server setup (original server and its replica both) is lost/deleted and need to get the same setup back from the scheduled full-server-backups (through cron jobs) available at some object storage location.

Please advise.

Thanks,
Saurabh Garg
On Fri, Oct 25, 2019 at 6:12 PM Rob Crittenden rcritten@redhat.com wrote:
Saurabh Garg wrote:
> Hi Rob,
> Thanks for your reply.
>
> In our case we need to put in place a procedure/steps that can help us to come out from a situation where our complete IPA server setup (original server and its replica both) is lost/deleted and need to get the same setup back from the scheduled full-server-backups (through cron jobs) available at some object storage location.

Install a server with the same OS level as the backup and run the restore. Additional new masters can be created from that.

You'll want to keep track of which masters run which optional services and be sure to back up one (or more) running the CA.

rob

> Please advise.
>
> Thanks,
> Saurabh Garg
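A pre-restore check for the version mismatch discussed in this thread, as an added example that is not part of any poster's message and not FreeIPA code: it extracts the two version strings from the `IPA version error` line in iparestore.log and compares a package version recorded at backup time with the one installed on the restore target. The function names and the manifest file `ipa-server.nvr` are assumptions, as is the package name `ipa-server` in the closing comment.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Function names and the manifest file are
# hypothetical; version strings use the VERSION-RELEASE form seen in the log.

# Print "expected current" from the first "IPA version error" line in a log.
# expected = package installed on this host, current = version of the data.
ipa_versions_from_log() {
    out=$(sed -n "s/.*IPA version error:.*expected version '\([^']*\)', current version '\([^']*\)'.*/\1 \2/p" "$1" | head -n 1)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# At backup time: store the server's package version in a manifest that is
# uploaded alongside the backup. $1 = manifest path, $2 = VERSION-RELEASE.
record_backup_version() {
    printf '%s\n' "$2" > "$1"
}

# Before ipa-restore: succeed only if the target's package version equals the
# recorded one. $1 = manifest path, $2 = VERSION-RELEASE installed on target.
check_restore_target() {
    [ -r "$1" ] || { echo "no version manifest: $1" >&2; return 2; }
    recorded=$(cat "$1")
    if [ "$recorded" = "$2" ]; then
        echo "match: $recorded"
    else
        echo "mismatch: backup=$recorded target=$2; install $recorded first" >&2
        return 1
    fi
}

# Demo on the log line quoted in the thread (temp files only, runs offline).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/iparestore.log" <<'EOF'
2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be upgraded (expected version '4.6.4-10.el7_6.6', current version '4.6.4-10.el7_6.3')
EOF
    set -- $(ipa_versions_from_log "$tmp/iparestore.log")
    record_backup_version "$tmp/ipa-server.nvr" "$2"   # version of the backup
    rc=0
    check_restore_target "$tmp/ipa-server.nvr" "$1" || rc=$?   # target version
    rm -rf "$tmp"
    return $rc
}

# On a real host the second argument would come from, for example:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' ipa-server
demo || true
```
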