#73 Add tests for FreeIPA replication
Closed: Fixed (5 years ago). Opened 6 years ago by adamwill.

Replication is a key feature of FreeIPA - it's not recommended to have a non-replicated FreeIPA server (master) as it's a single point of failure, and doing a traditional 'backup' of a FreeIPA server is difficult. Replication is the recommended technique.

Given this, we really ought to cover replication in the FreeIPA release criteria, and that looks like it will happen. So we'll also need to extend the openQA tests to cover it. Here are some notes from @cheimes in IRC:

<adamw> can you point me to some nice simple instructions for setting up replication?
<Crys> A single replica should be sufficient. If you want to go fancy, then two replicas with a triangle replication agreement.
<Crys> adamw: https://www.adelton.com/docs/idm/replicate-your-identity-management-text
* adamw does not want to go fancy.
<Crys> adamw: the new system is really easy. First you enrol the machine as client, then you promote the client to replica.
<adamw> oo, that's actually nice
<Crys> adamw: ipa-client-install, kinit admin, ipa-replica-install --setup-ca, done
<adamw> i could just make the test follow on from the simple client enrolment test, then
<adamw> i suppose i need some way to verify that it actually *worked*, though.
<Crys> adamw: adelton's blog post is a bit more advanced, because it uses OTP for enrolment. On the other hand it doesn't need an admin TGT to promote the client to master.
<adamw> what does replication actually...replicate? everything? will the replica have a webUI and all?
<Crys> adamw: It sets up LDAP, webUI, KDC, custodia. With --setup-ca and --setup-dns, it also creates a replicated CA and DNS instance.
<adamw> so basically after replication i could shut down the original server and client tests, including web UI etc, should still work?
<Crys> adamw: the replica is a full-featured master.
<adamw> okay.
* adamw will try and work that out.
<sgallagh> adamw: Well, you'd need to point the Web UI tests at the replica's host of course
<Crys> adamw: yes, except you have to promote the master to primary master. The primary master takes care of CRL and OCSP stuff.
<adamw> (the tricky bit is just wrangling it into the openqa test organization efficiently.)
<Crys> adamw: same for DNSSEC. If you have DNSSEC, then one machine takes care of key rollover. If you decommission a machine, then another machine has to take over.
<adamw> Crys: don't think our tests do anything to do with either of those.
<adamw> alright, thanks, think that's enough to go with.
<Crys> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later
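
The promotion steps from the log, plus the "did it actually work" check asked about above, as an added shell example (not code from this ticket or from FreeIPA). It assumes it runs as root on the freshly enrolled client, that DNS discovery finds the existing master, and that a throwaway user created on the master is the probe; the command names are variables only so the checks can be stubbed.

```shell
#!/bin/sh
# Added example, not from the ticket or FreeIPA: promote an enrolled client to a
# replica with the three commands from the IRC log, then verify replication is
# live. Assumes root on the new replica and the ipa tools on PATH.
set -e

: "${IPA:=ipa}"                       # command names are variables so a test can stub them
: "${REPLICA_MANAGE:=ipa-replica-manage}"
: "${REPL_WAIT:=5}"                   # seconds between polls of the replica

promote_to_replica() {
    # Enrol, get an admin TGT, promote. $1 is the admin password.
    ipa-client-install --unattended --principal admin --password "$1"
    printf '%s\n' "$1" | kinit admin
    ipa-replica-install --unattended --setup-ca
}

replica_in_topology() {
    # $1 = this replica's FQDN. `ipa-replica-manage list` prints one
    # "<fqdn>: master" line per master that is part of the topology.
    "$REPLICA_MANAGE" list | grep -qxF "$1: master"
}

make_probe_user() {
    # Run on the ORIGINAL master: create a throwaway entry for replication to push.
    "$IPA" user-add "$1" --first Replication --last Probe >/dev/null
}

remove_probe_user() {
    # Clean up from either host once the check is done; the deletion replicates too.
    "$IPA" user-del "$1" >/dev/null
}

entry_replicated() {
    # Run on the REPLICA and query only the local server, never the master:
    # a hit proves the entry crossed the replication agreement. Up to 12 polls.
    n=0
    while [ "$n" -lt 12 ]; do
        if "$IPA" user-show "$1" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$REPL_WAIT"
    done
    return 1
}

# On the replica, after the master has run `make_probe_user replprobe`:
#   replica_in_topology "$(hostname -f)" && entry_replicated replprobe && echo "replication OK"
```

Shutting the original master down afterwards and re-running the client and web UI tests against the replica's hostname, as suggested in the log, is the stronger end-to-end check; the probe user only confirms the agreement is pushing entries.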

We got this done several months back; I didn't close the ticket.

Metadata Update from @adamwill:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
