Hi all,
Things have been going along smoothly and no issues with FreeIPA until recently. Consider the following:
Original Config:

    ipa-1 <---> ipa-2 <-|-> ipa-3 <---> ipa-4
          Stage         |        Prod
Yes, this was not a perfect design because exactly what I feared happened. The connection between 2 and 3 got broken and ipa-2 actually failed an upgrade, and the only way to get it working again was to re-install ipa-server and make it a replica with ipa-1.
The problem is - now I have 2 "separate" environments instead of a shared one because I cannot figure out a way to get ipa-3 to reconnect to ipa-2 as a replica agreement.
This is all with latest RHEL 7.6 and 4.6.4-10.el7_6.2 version of IPA on all 4 nodes. Prior to the upgrade, everything was fine and replication was running across all 4 nodes. During the upgrade (patching) process ipa-2 got a database error and it was not detected for 2 days. When you tried to restart it - it wanted to upgrade the database, the same as all the other 3 but failed with errors and there seemed to be no way to get them to sync up. It has been 4 days now. I would love to get all 4 talking again, but because ipa-2 was rebuilt using ipa-1 as the master it connected to, it won't talk to ipa-3. I was trying several of the new "topology" commands to try to get them connected, but no luck.
Any ideas on how I might accomplish getting the 2 environments re-connected?
Thanks K
Hi,
On Sat, Feb 9, 2019 at 10:52 PM Kat via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi all,
> Things have been going along smoothly and no issues with FreeIPA until recently. Consider the following:
> Original Config:
>
>     ipa-1 <---> ipa-2 <-|-> ipa-3 <---> ipa-4
>           Stage         |        Prod
>
> Yes, this was not a perfect design because exactly what I feared happened. The connection between 2 and 3 got broken and ipa-2 actually failed an upgrade, and the only way to get it working again was to re-install ipa-server and make it a replica with ipa-1.
Yes, this is not a recommended (in fact discouraged) topology. Please see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> The problem is - now I have 2 "separate" environments instead of a shared one because I cannot figure out a way to get ipa-3 to reconnect to ipa-2 as a replica agreement.
> This is all with latest RHEL 7.6 and 4.6.4-10.el7_6.2 version of IPA on all 4 nodes. Prior to the upgrade, everything was fine and replication was running across all 4 nodes. During the upgrade (patching) process ipa-2 got a database error and it was not detected for 2 days. When you tried to restart it - it wanted to upgrade the database, the same as all the other 3 but failed with errors and there seemed to be no way to get them to sync up. It has been 4 days now. I would love to get all 4 talking again, but because ipa-2 was rebuilt using ipa-1 as the master it connected to, it won't talk to ipa-3. I was trying several of the new "topology" commands to try to get them connected, but no luck.
Without associated logs from the commands you tried, diagnosing that is next to impossible. Also please contact Red Hat support if you run RHEL before making any changes.
> Any ideas on how I might accomplish getting the 2 environments re-connected?
If you can identify the changes done to ipa-3 and ipa-4 or especially if there were none, rebuilding all replicas from ipa-1 (exactly like you did for ipa-2) might be the fastest and easiest way (*). Then use a more resilient topology like the recommended one pointed above. ipa-1 becomes server1, ipa-2 is server2, etc.
(*) I assume ipa-1 was the first install and therefore has a CA instance and is the current CA renewal master and CRL generation master. Please make sure of that first.
Best regards,
François
> Thanks K
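Before rebuilding replicas the way the reply suggests, an admin would want to confirm which server is the CA renewal master, whether the local CA generates the CRL, and how badly the replication topology is actually split. The following POSIX shell script is an added example written for this thread; it was not posted in it and is not part of FreeIPA. The `ipa-*.example.test` hostnames and the `SAMPLE_*` strings are constructed stand-ins for real command output; the `IPA CA renewal master:` label it parses is the one printed by `ipa config-show`, and the two `ca.crl.MasterCRL.*` keys are the ones that mark the CRL generation master in `/etc/pki/pki-tomcat/ca/CS.cfg`.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): pre-flight checks
# before rebuilding replicas. Hostnames and SAMPLE_* strings are constructed.

# Extract the renewal master from `ipa config-show` output passed as $1.
renewal_master_from_config() {
    printf '%s\n' "$1" | sed -n 's/^ *IPA CA renewal master: *//p'
}

# Decide from CS.cfg contents ($1) whether this server generates the CRL:
# both MasterCRL flags must be "true" on the CRL generation master.
is_crl_master() {
    cache=$(printf '%s\n' "$1" | sed -n 's/^ca\.crl\.MasterCRL\.enableCRLCache=//p')
    updates=$(printf '%s\n' "$1" | sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p')
    [ "$cache" = "true" ] && [ "$updates" = "true" ]
}

# Turn `ipa topologysegment-find domain` output ($1) into "left right" lines.
segment_edges() {
    printf '%s\n' "$1" | awk '
        /Left node:/  { left = $NF }
        /Right node:/ { print left, $NF }'
}

# Count connected components of the edge list on stdin (union-find in awk).
# A healthy topology has exactly one component; the thread describes two.
component_count() {
    awk '
        function find(x) { while (parent[x] != x) x = parent[x]; return x }
        {
            for (i = 1; i <= 2; i++) if (!($i in parent)) parent[$i] = $i
            a = find($1); b = find($2); if (a != b) parent[a] = b
        }
        END { n = 0; for (x in parent) if (find(x) == x) n++; print n }'
}

# Convenience wrapper: number of replication "islands" in the segment listing.
topology_components() {
    segment_edges "$1" | component_count
}

# Constructed sample output resembling the broken state in the thread:
# ipa-1/ipa-2 and ipa-3/ipa-4 are still linked, but the 2-3 segment is gone.
SAMPLE_CONFIG='  Maximum username length: 32
  IPA CA renewal master: ipa-1.example.test'
SAMPLE_SEGMENTS='  Segment name: ipa-1.example.test-to-ipa-2.example.test
  Left node: ipa-1.example.test
  Right node: ipa-2.example.test
  Connectivity: both

  Segment name: ipa-3.example.test-to-ipa-4.example.test
  Left node: ipa-3.example.test
  Right node: ipa-4.example.test
  Connectivity: both'
SAMPLE_CSCFG='ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true'

main() {
    echo "CA renewal master: $(renewal_master_from_config "$SAMPLE_CONFIG")"
    if is_crl_master "$SAMPLE_CSCFG"; then
        echo "this host generates the CRL"
    fi
    n=$(topology_components "$SAMPLE_SEGMENTS")
    echo "topology components: $n"
    [ "$n" -eq 1 ] || echo "WARNING: replication topology is split into $n islands"
}

# On a real server feed the functions live data instead of the samples:
#   renewal_master_from_config "$(ipa config-show)"
#   is_crl_master "$(cat /etc/pki/pki-tomcat/ca/CS.cfg)"
#   topology_components "$(ipa topologysegment-find domain)"
main
```

Run it on each of the four servers; the CRL check is per host, while the renewal master and segment listing come from the shared directory and should agree on every node of the same island. If the renewal master is not the server you intend to rebuild from, that has to be corrected before any replica is reinstalled.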
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...