#2888 [RFE] Replica installation by client promotion
Closed: Fixed None Opened 8 years ago by dpal.

The current replica creation model calls for creation of a package on the existing replica and then delivering it to the new replica host being installed.

This has several downsides:

  • Replica installation in a container is more difficult; it requires direct access to the container and moving files around
  • Installation requires moving the DM password around, instead of working with an OTP or keytab

A more robust approach that would allow easier migration between different versions is to have the following model:

  • Install a client on a future replica machine (via OTP, privileged user credentials)
  • Join the domain
  • Install server bits using yum install
  • Run a command to promote the client to a replica. As a result of this command, the client would connect to the existing master and pull in the data it needs, rather than having a replica package manually pre-created and delivered.

The new replica promotion model will need to be compatible with the old FreeIPA servers and accept a replica info package as optional input.

Changing 3.2 priority

I can take this when it's needed.

Postponed, see freeipa-devel for reasoning.


  • 9e007ed Remove unused kra option
  • 6a0087a Add low level helper to get domain level
  • 42e859d Make checks for existing credentials reusable
  • 2606f5a Allow to setup the CA when promoting a replica
  • 102651b prevent operation on tombstones
  • fcb9854 handle multiple managed suffixes
  • 80e11d2 topology plugin configuration workaround
  • 834b5fd enable topology plugin on upgrade
  • fff31ca topology: manage ca replication agreements
  • 8624093 Add function to extract CA certs for install
  • 5761f73 Allow ipa-replica-conncheck to use default creds
  • f7d1e4f Change DNS installer code to use passed in api
  • d03619f Implement replica promotion functionality
  • 2cd0d20 Require a DS version that has working DNA plugin
  • 463dda3 Add ipa-custodia service
  • 98bf90e fix dsinstance.py:get_domain_level function
  • 958996b Allow ipa-ca-install to use the new promotion code


  • bc39cc9 Allow to install the KRA on a promoted server

Replica promotion was implemented in the commits above. Issues in the implementation are handled in separate tickets.

Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.3

4 years ago
