Versions Compared

Old Version 36

changes.mady.by.user Francesco Murdaca

Saved on

compared with

New Version 37

changes.mady.by.user Francesco Murdaca

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Warning

Pre-requisites:

In order to perform this migration, you need to request Openstack Application Credentials
  • tenant admin in your tenancy
  • Have Openstack Application Credentials, you can request them here

User procedure

  • pre requisite (openstack)
  • deploy the machine from morpheus and then run first workflow (all Morpheus )
  • switch IP interface (openstack + ssh + Morpheus )
  • tests (Morpheus + ssh)
  • deploy second machine from morpheus and then run first workflow (all Morpheus )
  • switch IP interface (openstack + ssh + Morpheus )
  • tests (Morpheus + ssh)
  1. SSH into the OLD LDAP machine (your current one) and create DNS reverse zone (NAME_FROM_IP = LDAP IP or using IP range ) (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones
    Code Block
    ipa dnszone-add --name-from-ip=NAME_FROM_IP
  2. ssh to the VM with Openstack Client and run the following commands (see ssh to a machine in your tenancy and login with Openstack client EWC - OpenStack Command-Line client for more details):
    1. List ldap security group rule 
      Code Block
      openstack security group rule list ldap
    2. add port 636 TCP.749 TCP,464 UDP to ldap security group if they are missingImage Modified
      Code Block
      openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4
    SSH into the OLD LDAP machine (your current one) and create DNS reverse zone (NAME_FROM_IP = LDAP IP or using IP range ) (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones
    Code Blockipa dnszone-add --name-from-ip=NAME_FROM_IP
    2. Backup existing LDAP machine using the following documentation: EWC - How to create and restore backups from VMs
  3. If your LDAP is rocky 8 based, jump to step 9., if it is centos7 based continue the procedure normally.
  4. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
  5. Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  6. Check everything is fine (see Tests);
  7. Create LDAP replica instance type to move from rocky 8 to rocky 9 (see MigratefromRocky8toRocky9)
  8. Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  9. Check everything is fine (see Tests);
  10. Remove old LDAPs machines to free resources (from Morpheus)
...
Migrate from Centos7 to Rocky 8
Creating a new LDAP to migrate to
  1. From Morpheus, deploy a new machine with
    1. image: rocky 8
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine
     Code Block
    systemctl stop firewalld && systemctl disable firewalld
  4. Add OLD LDAP IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
     Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN 
<!-- END ANSIBLE MANAGED BLOCK -->
  5. Install freeipa dependencies
    1. for rocky 8:
      1.  Code Block
        sudo yum -y update
      2.  Code Block
        sudo yum module reset idm:DL1
      3.  Code Block
        sudo yum module enable idm:DL1
      4.  Code Block
        sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  6. Run the following command to install the LDAP replica
  7.  Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended
    (add --verbose for more logs) NOTE: go ahead with the default netbios and also put yes when asked about the ipa-sidgen task installation for users
  8. Make the new ldap machine primary, running the following commands
    1. Find the dns zone name 
      1.  Code Block
        ipa dnszone-find
    2.  Make the ldap machine primary  (SERVER IS the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)
      1.  Code Block
        ipa dnszone-mod DNS_ZONE --name-server=SERVER
rocky 8 LDAP replica
  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD' Image Added
  3. Select the LDAP replica Instance type Image Added
  4. Select a new name for the VM (e.g. ldap-rocky8) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 8
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap


Migrate from Rocky 8 to Rocky 9
Creating a new rocky 8 LDAP to migrate toreplica
  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD' Image Added
  3. Select the LDAP replica Instance type Image Added
  4. Select a new name for the VM 
  5. From Morpheus, deploy a new machine with
    1. image: rocky 9
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  6. SSH to the new machine and become root
  7. Stop and disable firewalld on the machine
     Code Block
    systemctl stop firewalld && systemctl disable firewalld
  8. Add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
     Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
 10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN  
<!-- END ANSIBLE MANAGED BLOCK -->
  9. Install freeipa dependencies
    1. for rocky 9:
      1.  Code Block
        sudo dnf install ipa-server ipa-server-dns -y
  10. Run the following command to install the LDAP replica
  11.  Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended
    add --verbose for more logs
  12. Make the new ldap machine primary, running the following commands
    1. Find the dns zone name 
      1.  Code Block
        ipa dnszone-find
    2.  Make the ldap machine primary  (SERVER is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)
      1.  Code Block
        ipa dnszone-mod DNS_ZONE --name-server=SERVER
Switch IP interfaces between LDAP
  1. -rocky8) and click 'Next'
  2. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 9
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap

Switch IP interfaces between LDAP
  1. Using Openstack Application credentials (EWC - OpenStack Command-Line client), identify your OLD LDAP machine 
     Code Block
    openstack server list
  2. SSH to the VM with Openstack client installed and run the following commands:
    1. Show information about the OLD LDAP machine (SERVER_NAME usually is ldap in the tenancies by default):
       Code Block
      openstack server show SERVER_NAME
    1. Detach the interface from the OLD LDAP machine (SERVER_NAME is the name of the OLD LDAP VM from previous command, IP_ADDRESS is the private IP of the OLD LDAP VM, you listed with the previous command, SAVE IT in your notes
     and don't lose it
    1. !)
       Code Block
      openstack server remove fixed ip SERVER_NAME IP_ADDRESS 
  4. SSH In the NEW LDAP machine ,(LDAP replica)
    1. Update the IP of the NEW LDAP machine in the /etc/hosts (IP_ADDRESS ) with the IP of the OLD LDAP machine and remove the line relative to the OLD LDAP ( The one you saved before in your notes!)
       Code Block
      [murdaca@ipa ~]$ cat /etc/hosts

<!-- BEGIN ANSIBLE MANAGED BLOCK -->

IP_ADDRESS ipa.batchpro.ewc

<!-- END ANSIBLE MANAGED BLOCK -->
    2. Delete OLD LDAP machine DNS records (SERVER is the old LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
       Code Block
      ipa-replica-manage del SERVER --force
    3. Find the dns zone name name:
      1.  You can find this information loggning in Morpheus → Tools → Cypher and check the following secret → secret/ldap_domain

      2. Use ipa command
         Code Block
        ipa dnszone-find
    4. Replace the NEW LDAP machine IP with the IP of the interface of the OLD LDAP machine (HOSTED_ZONE is the output name from the previous command, IP_ADDRESS=The one you saved before in your notes!HOSTNAME is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
       Code Block
      ipa dnsrecord-mod HOSTED_ZONE ipa-ca --a-rec IP_ADDRESS 
ipa dnsrecord-mod HOSTED_ZONE HOSTNAME --a-rec  IP_ADDRESS
  5. SSH to the VM with Openstack client installed and run the following commands:
    1. Switch off the NEW LDAP machine (SERVER_NAME is the name of the VM, you can find it with openstack server list )
       Code Block
      openstack server stop SERVER_NAME 
    2. Detach the interface from the NEW LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the private IP of the NEW LDAP VM )
       Code Block
      openstack server remove fixed ip SERVER_NAME IP_ADDRESS 
    3. Add interface to the NEW LDAP machine with the IP of the old LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS=The one you saved before in your notes! 
       Code Block
      openstack server add fixed ip SERVER_NAME IP_ADDRESS 
    4. Add LDAP security group to new LDAP machine (SERVER_NAME is the name of the NEW LDAP VM)
       Code Block
      openstack server add security group SERVER_NAME ldap
    5. Restart NEW LDAP machine (SERVER_NAME is the name of the new LDAP VM)
       Code Block
      openstack server restart SERVER_NAME 
  6. Go Login to Morpheus and change the value in of the hostname for LDAP, going to Tools → Cypher:
    1. Delete the secret/ldap_hostname 
     and recreate 
    1.  Image Added
    2. Use the '+ADD' to create a new secretImage Added
    3.  Add KEY: secret/ldap_hostname
     it to point to the new ipa host 
    1.  and VALUE: new LDAP hostname (e.g. ldap.eumetsat.sandbox.ewc) Image Added

Tests
  1. login with DNS from ssh to ssh-proxy
  2. ssh using DNS to the new LDAP machine
  3. Run sudo ipactl status → verify the services are all up and running
  4. Deploy From Morpheus go to Provisioning → Instances and deploy a new machine and enrollto test the enrolment to LDAP DNS is working correctly.

Post Installation (optional in case of similar errors)
...