On 02/05/2016 11:35 AM, Petr Vobornik wrote: > On 02/04/2016 06:14 PM, Christophe TREFOIS wrote: >> Hi all, >> >> We are currently running a 3-replica (all are setup with the —setup-ca flag) >> cluster on Fedora 21, with FreeIPA 4.1.4. >> >> We would like to slowly upgrade to the new version and move away from Fedora >> to CentOS 7.2. >> >> We were thinking of the following: >> >> - Create 3 CentOS machines with —setup-ca flag so that our current cluster >> is 6. >> The first CentOS VM would then probably update the DB schema to the new >> FreeIPA version. >> - Remove the Fedora VMs 1 by 1 from the cluster using ipa-replica-manage del >> <host> >> - Be happy? >> >> >> 1. Could you please advise if this is considered the safest practise? > > More or less yes: > > 1. create First IPA 4.2 against some FreeIPA 4.1.4 with CA > 2. create the other two against the newly Created CentOS - will verify if it > is > in a good shape > 3. set new renewal CRL master: > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master > 4. Migrate DNA ranges using ipa-replica-manage tool > > if all works well, remove all servers: > > 5. remove CA repl. agreements for old servers using ipa-csreplica-manage del > 6. remove old servers data and repl. agreements using ipa-replica-manage del > 7. uninstall old servers using ipa-server-install --uninstall > >> 2. Do we have to update to intermediate versions and if so how? > > Should not be necessary.
Some advise is also present in the RHEL official docs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
