Pre-requisites:

User procedure

Start user procedure:

  1. Edit LDAP Security Group (see EditLDAPsecuritygroup);
  2. Backup existing LDAP machine using the following documentation: EWC - How to create and restore backups from VMs (VM Images Backup)
  3. Check the Operating System of your LDAP from Morpheus, Provisioning → Instances → select the LDAP machine;
    1. If your LDAP is rocky 8 based → jump to step 10.
    2. If your LDAP is centos7 based → continue to step 4.
  4. Prepare the following information, where OLD_LDAP is the centos7-based machine and NEW_LDAP is the rocky 8-based one:

    • DNS_HOSTED_ZONE → log in to Morpheus → Tools → Cypher and read the secret secret/ldap_domain
    • OLD_LDAP_SERVER_NAME → name of the server in Openstack; list it with the openstack server list command
    • OLD_LDAP_PRIVATE_IP → log in to Morpheus → Provisioning → Instances and note the IP address of the OLD LDAP VM
    • OLD_LDAP_HOSTNAME → log in to Morpheus → Tools → Cypher and read the secret secret/ldap_hostname
    • NEW_LDAP_SERVER_NAME → name of the server in Openstack; list it with the openstack server list command
    • NEW_LDAP_PRIVATE_IP → log in to Morpheus → Provisioning → Instances and note the IP address of the new LDAP VM
    • NEW_LDAP_HOSTNAME → <name-of-the-machine>.<tenancy-domain>, where tenancy-domain is the value of the Cypher secret secret/ldap_domain (the result looks like ldap-test-rocky.eumetsat.sandbox.ewc). Alternatively, read it from the /etc/hosts file on the new LDAP machine
  5. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
  6. Make new LDAP machine primary (see PreparenewLDAPmachine );
  7. Switch IP interfaces between LDAPs (see SwitchIPinterfacesbetweenLDAPs);
  8. Update Morpheus (see UpdateMorpheus );
  9. Check everything is working fine (see Tests);
  10. Prepare the same information as in step 4 (DNS_HOSTED_ZONE, OLD_LDAP_SERVER_NAME, OLD_LDAP_PRIVATE_IP, OLD_LDAP_HOSTNAME, NEW_LDAP_SERVER_NAME, NEW_LDAP_PRIVATE_IP, NEW_LDAP_HOSTNAME), looked up in the same places, this time with OLD_LDAP being the rocky 8-based machine and NEW_LDAP the rocky 9-based one. If you arrived here from steps 4-9, the OLD_LDAP values of this round are the NEW_LDAP values of the previous one.

  11. Create LDAP replica instance type to move from rocky 8 to rocky 9 (see MigratefromRocky8toRocky9)
  12. Make new LDAP machine primary (see PreparenewLDAPmachine );
  13. Switch IP interfaces between LDAPs (see SwitchIPinterfacesbetweenLDAPs);
  14. Update Morpheus (see UpdateMorpheus );
  15. Check everything is working fine (see Tests);
  16. Delete old LDAP machine/s to free resources (see Delete a VM from Morpheus).



Tasks

Edit LDAP security group

  1. ssh to the VM with the Openstack client and run the following commands (see EWC - OpenStack Command-Line client for more details):
    1. List the rules of the ldap security group
      Code Block
      openstack security group rule list ldap
    2. Add 636/TCP (LDAPS), 749/TCP (kadmin) and 464/UDP (kpasswd) to the ldap security group if they are missing. FreeIPA's documented port list also includes 464/TCP for password changes; add it the same way if your clients need it. Note that --remote-ip 0.0.0.0/0 admits any source address: the ldap group is used on the tenancy's private network here, but if that network is reachable more widely, narrow --remote-ip to the tenancy's CIDR.
      Code Block
      openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4
      openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4
      openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4
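Step 2 says to add the rules "if they are missing". The following shell example is added here and is not code from the original page or from the EWC tooling: it parses the output of `openstack security group rule list ldap` and prints only the `rule create` commands for rules that are actually absent, so the procedure can be repeated without duplicating rules. It assumes a current OpenStack client (`-f csv -c ...` with the column names `IP Protocol`, `Port Range` and `Direction`; older clients need `--long` for the Direction column). The sample listing and the tenancy CIDR 10.0.0.0/16 are constructed.

```bash
# Added example, not part of the original page: decide idempotently which of the
# ingress rules the page requires are still missing from the ldap security group,
# and print the matching `openstack security group rule create` commands.
# Listing format assumed (current clients; older ones need --long for Direction):
#   openstack security group rule list ldap -f csv -c "IP Protocol" -c "Port Range" -c Direction

REQUIRED_RULES="tcp:636 tcp:749 udp:464"   # the page's three rules; add tcp:464 if your clients need it

# Constructed sample listing (not from a real tenancy): 636/TCP is already there,
# 749/TCP exists only as an egress rule, 464/UDP is absent.
SAMPLE_LISTING='"IP Protocol","Port Range","Direction"
"tcp","22:22","ingress"
"tcp","389:389","ingress"
"tcp","636:636","ingress"
"udp","88:88","ingress"
"tcp","749:749","egress"
"","","egress"'

# Print "proto:port" for every single-port ingress rule in the CSV listing ($1).
# Port ranges such as 1024:65535 and rules without a port (the default egress
# rules) are skipped, so they never count as a match.
present_rules() {
  printf '%s\n' "$1" | awk -F'","' 'NR > 1 {
    gsub(/"/, "", $1); gsub(/"/, "", $3)
    n = split($2, r, ":")
    if ($3 == "ingress" && n == 2 && r[1] == r[2] && r[1] != "") print $1 ":" r[1]
  }'
}

# Print the required rules that are not present in the listing ($1), one per line.
missing_rules() {
  have=" $(present_rules "$1" | tr '\n' ' ')"
  for want in $REQUIRED_RULES; do
    case "$have" in
      *" $want "*) ;;
      *) echo "$want" ;;
    esac
  done
}

# Print (do not run) the create commands for the missing rules.
# $2 = security group (default ldap), $3 = source CIDR (default 0.0.0.0/0 as on this
# page; pass the tenancy's private CIDR to avoid admitting any source address).
rule_commands() {
  group=${2:-ldap}; src=${3:-0.0.0.0/0}
  for m in $(missing_rules "$1"); do
    proto=${m%:*}; port=${m#*:}
    printf 'openstack security group rule create %s --protocol %s --ingress --dst-port %s --remote-ip %s --ethertype IPv4\n' \
      "$group" "$proto" "$port" "$src"
  done
}

# Usage on the Openstack client VM (review the output, then pipe it to sh):
#   rule_commands "$(openstack security group rule list ldap -f csv -c 'IP Protocol' -c 'Port Range' -c Direction)" ldap 10.0.0.0/16
```

The generator prints commands instead of running them so the operator can review the exact rules, and the source CIDR is a parameter so the same function can be used to tighten `--remote-ip` where the page's 0.0.0.0/0 is wider than the tenancy needs.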


Migrate from Centos7 to Rocky 8

Creating a new rocky 8 LDAP replica

  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD'
  3. Select the LDAP replica Instance type
  4. Select a new name for the VM (e.g. ldap-rocky8) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 8
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap


Migrate from Rocky 8 to Rocky 9

Creating a new rocky 9 LDAP replica

  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD'
  3. Select the LDAP replica Instance type
  4. Select a new name for the VM (e.g. ldap-rocky9) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 9
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap

Prepare new LDAP machine

  1. SSH to the NEW LDAP machine (the LDAP replica) and become root
    1. Edit the /etc/hosts file so that the new hostname already maps to the private IP of the OLD LDAP machine, which the new machine inherits in the interface switch below (in /etc/hosts the Ansible block markers are # comments):
      Code Block
      [murdaca@ipa ~]$ cat /etc/hosts

      # BEGIN ANSIBLE MANAGED BLOCK

      OLD_LDAP_PRIVATE_IP NEW_LDAP_HOSTNAME

      # END ANSIBLE MANAGED BLOCK
    2. Remove the OLD LDAP machine from the IPA topology; this also deletes its DNS records. Before running it, confirm on the new machine that the roles you rely on (CA, DNS) are enabled and that it is the CA renewal master, because removing the last server holding a role cannot be undone. --force skips contacting the old server, which is acceptable here since it is about to be decommissioned.
      Code Block
      ipa-replica-manage del OLD_LDAP_HOSTNAME --force
    3. Replace the A records of the NEW LDAP machine and of ipa-ca with the IP of the interface of the OLD LDAP machine
      Code Block
      ipa dnsrecord-mod DNS_HOSTED_ZONE ipa-ca --a-rec OLD_LDAP_PRIVATE_IP
      ipa dnsrecord-mod DNS_HOSTED_ZONE NEW_LDAP_HOSTNAME --a-rec OLD_LDAP_PRIVATE_IP

Switch IP interfaces between LDAPs

Now you can start the procedure to switch interfaces between the two VMs:

  1. SSH to the VM with the Openstack client installed and run the following commands:
    1. Show information about the OLD LDAP machine (OLD_LDAP_SERVER_NAME is usually ldap in the tenancies by default):
      Code Block
      openstack server show OLD_LDAP_SERVER_NAME
    2. Detach the interface from the OLD LDAP machine (OLD_LDAP_PRIVATE_IP is the private IP of the OLD LDAP VM listed by the previous command; SAVE IT in your notes, the new machine must get exactly this address). The old VM keeps running without its private interface until you delete it in the final step.
      Code Block
      openstack server remove fixed ip OLD_LDAP_SERVER_NAME OLD_LDAP_PRIVATE_IP
    3. Switch off the NEW LDAP machine, so that it picks up the inherited address cleanly on boot (NEW_LDAP_SERVER_NAME is the name of the new VM, you can find it with openstack server list)
      Code Block
      openstack server stop NEW_LDAP_SERVER_NAME
    4. Detach the interface from the NEW LDAP machine (NEW_LDAP_PRIVATE_IP is the private IP of the NEW LDAP VM)
      Code Block
      openstack server remove fixed ip NEW_LDAP_SERVER_NAME NEW_LDAP_PRIVATE_IP
    5. Add an interface on the private network to the NEW LDAP machine with the IP of the OLD LDAP machine (the one you saved in your notes). The network argument is mandatory and the address is passed with --fixed-ip-address:
      Code Block
      openstack server add fixed ip --fixed-ip-address OLD_LDAP_PRIVATE_IP NEW_LDAP_SERVER_NAME private
    6. Add the LDAP security group to the NEW LDAP machine
      Code Block
      openstack server add security group NEW_LDAP_SERVER_NAME ldap
    7. Start the NEW LDAP machine again (the Openstack client has no "restart" action; the stopped instance is started)
      Code Block
      openstack server start NEW_LDAP_SERVER_NAME

Update Morpheus

  1. Login to Morpheus and change the value of the LDAP hostname under Tools → Cypher:
    1. Delete the secret secret/ldap_hostname
    2. Use '+ADD' to create a new secret
    3. Add KEY: secret/ldap_hostname and VALUE: NEW_LDAP_HOSTNAME


Tests

  1. ssh to the ssh-proxy in your tenancy
  2. ssh to the new LDAP machine using its DNS name (NEW_LDAP_HOSTNAME)
  3. Run sudo ipactl status → verify that all the services are RUNNING
  4. From Morpheus go to Provisioning → Instances and deploy a new machine to test that enrollment to LDAP and DNS works correctly with the new LDAP machine.
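The two verification points of this procedure, the check a practitioner wants before `ipa-replica-manage del` in "Prepare new LDAP machine" and the post-switch checks of the Tests section, as an added shell example that is not part of the original page or of the EWC tooling. Every check parses the text output of a FreeIPA command, so it can be exercised against saved output; `preflight` and `postcheck` wire the checks to the live commands. The sample outputs and the host names in them are constructed.

```bash
# Added example, not part of the original page: offline-testable checks for the
# two verification points of this migration. All SAMPLE_* outputs are constructed
# to mimic the real commands; the host names are assumptions.

# Constructed: `ipa server-role-find --server NEW_LDAP_HOSTNAME --status enabled`
SAMPLE_ROLES='---------------------
3 server roles matched
---------------------
  Server name: ldap-rocky8.eumetsat.sandbox.ewc
  Role name: CA server
  Role status: enabled

  Server name: ldap-rocky8.eumetsat.sandbox.ewc
  Role name: DNS server
  Role status: enabled

  Server name: ldap-rocky8.eumetsat.sandbox.ewc
  Role name: IPA master
  Role status: enabled
----------------------------
Number of entries returned 3
----------------------------'

# Constructed: the relevant line of `ipa config-show`
SAMPLE_CONFIG='  IPA CA renewal master: ldap-rocky8.eumetsat.sandbox.ewc'

# Constructed: `ipactl status` on a healthy server
SAMPLE_IPACTL='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed: `ipa-replica-manage list` after the old master was deleted
SAMPLE_TOPOLOGY='ldap-rocky8.eumetsat.sandbox.ewc: master'

# $1 = server-role-find output, $2.. = role names; 0 only if every role is enabled.
has_roles() {
  out=$1; shift
  for role in "$@"; do
    printf '%s\n' "$out" | awk -v want="$role" '
      /Role name:/   { sub(/^ *Role name: /, ""); name = $0 }
      /Role status:/ { if (name == want && $NF == "enabled") ok = 1 }
      END { exit !ok }' || { echo "role not enabled on new server: $role" >&2; return 1; }
  done
}

# $1 = config-show output, $2 = hostname; 0 if that host is the CA renewal master.
is_renewal_master() {
  printf '%s\n' "$1" | awk -v h="$2" '/IPA CA renewal master:/ { if ($NF == h) ok = 1 } END { exit !ok }'
}

# $1 = ipactl status output; 0 only if services are listed and every one is RUNNING.
ipactl_all_running() {
  printf '%s\n' "$1" | awk '
    /Service:/ { n++; if ($NF != "RUNNING") { bad++; print "not running: " $0 > "/dev/stderr" } }
    END { exit (n == 0 || bad > 0) }'
}

# $1 = `dig +short NAME` output (may be several lines), $2 = expected address.
resolves_to() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# $1 = ipa-replica-manage list output, $2 = OLD_LDAP_HOSTNAME; 0 if it is gone.
old_master_removed() {
  printf '%s\n' "$1" | awk -v h="$2" '$1 == (h ":") { found = 1 } END { exit found }'
}

# Run on the NEW LDAP machine as root with an admin ticket (kinit admin), before
# `ipa-replica-manage del OLD_LDAP_HOSTNAME`. Fails if the new server lacks the CA or
# DNS role or is not the renewal master (move it with
# `ipa config-mod --ca-renewal-master-server NEW_LDAP_HOSTNAME` first).
preflight() {
  new_host=$1
  has_roles "$(ipa server-role-find --server "$new_host" --status enabled)" "CA server" "DNS server" &&
  is_renewal_master "$(ipa config-show)" "$new_host"
}

# Run on the NEW LDAP machine after the interface switch (Tests section): services up,
# ipa-ca and the new hostname resolve to the inherited IP, old master gone from topology.
postcheck() {
  new_host=$1; zone=$2; inherited_ip=$3; old_host=$4; rc=0
  ipactl_all_running "$(ipactl status)" || rc=1
  for name in "ipa-ca.$zone" "$new_host"; do
    resolves_to "$(dig +short "$name")" "$inherited_ip" || { echo "$name does not resolve to $inherited_ip" >&2; rc=1; }
  done
  old_master_removed "$(ipa-replica-manage list)" "$old_host" || { echo "$old_host still in topology" >&2; rc=1; }
  return $rc
}
```

Typical calls are `preflight NEW_LDAP_HOSTNAME` right before the `ipa-replica-manage del` step and `postcheck NEW_LDAP_HOSTNAME DNS_HOSTED_ZONE OLD_LDAP_PRIVATE_IP OLD_LDAP_HOSTNAME` once the new machine is back up; a non-zero exit from either means the migration should not proceed to the next step.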


Known possible errors

After the IPA migration, especially from Centos7 to Rocky9, there might still be some errors, like the one below:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

It means the new server has no DNA range from which to allocate UIDs and GIDs: a new replica is created without a range of its own and obtains one from another master on its first allocation, so if the old master was removed before that happened, nothing is left to hand over. There is a FreeIPA doc page about this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html

The fix is the following sequence of commands, run on the new LDAP machine as root (ipa-replica-manage may prompt for the Directory Manager password):

  1. Identify the first Posix ID and the number of IDs of the local domain range
    Code Block
     ipa idrange-find
  2. Choose min above the highest UID or GID already in use, so that the new range cannot collide with existing accounts or groups (list them with ipa user-find --sizelimit=0 | grep 'UID' and ipa group-find --sizelimit=0 | grep 'GID'); max is the last ID of the range, i.e. First Posix ID + Number of IDs - 1
  3. Assign the DNA range ${min}-${max} identified in the previous steps to the new server
    Code Block
     ipa-replica-manage dnarange-set NEW_LDAP_HOSTNAME ${min}-${max}
  4. Check the range that is now in use
    Code Block
     ipa-replica-manage dnarange-show
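The range computation of steps 1-3 as an added shell example, not part of the original page or of FreeIPA's own tooling: it reads the local domain range out of `ipa idrange-find` output, finds the highest UID or GID already in use inside that range, and prints the `${min}-${max}` argument for `ipa-replica-manage dnarange-set`. The sample command outputs and the range values in them are constructed; `recover_dna_range` only applies the range when explicitly asked.

```bash
# Added example, not part of the original page: compute the `${min}-${max}` argument
# for `ipa-replica-manage dnarange-set` from the outputs the steps above ask you to
# read. Both UIDs and GIDs are excluded, since the "posix ids" DNA range serves both.
# SAMPLE_* inputs are constructed; the range values are assumptions.

# Constructed: `ipa idrange-find`
SAMPLE_IDRANGE='----------------
1 range matched
----------------
  Range name: EUMETSAT.SANDBOX.EWC_id_range
  First Posix ID of the range: 1609400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------'

# Constructed: UID/GID lines from `ipa user-find --sizelimit=0` and `ipa group-find --sizelimit=0`.
# UID 1001 stands for a manually assigned ID outside the range; it must not move min.
SAMPLE_IDS='  UID: 1609400000
  GID: 1609400000
  UID: 1609400007
  GID: 1609400007
  UID: 1001
  UID: 1609400003
  GID: 1609400010'

# Print "base size" of the first local domain range in idrange-find output ($1).
idrange_bounds() {
  printf '%s\n' "$1" | awk -F': ' '
    /First Posix ID of the range/    { base = $2 }
    /Number of IDs in the range/     { size = $2 }
    /Range type: local domain range/ { print base, size; exit }'
}

# Print the highest UID/GID in $1 that lies inside [base, base+size) ($2, $3), or 0.
max_used_id() {
  printf '%s\n' "$1" | awk -v base="$2" -v size="$3" '
    /^ *[UG]ID:/ { id = $2 + 0; if (id >= base && id < base + size && id > max) max = id }
    END { print max + 0 }'
}

# Print "min-max": min just above the highest ID in use, max the last ID of the range.
dna_range() {
  bounds=$(idrange_bounds "$1")
  [ -n "$bounds" ] || { echo "no local domain range found" >&2; return 1; }
  base=${bounds% *}; size=${bounds#* }
  used=$(max_used_id "$2" "$base" "$size")
  if [ "$used" -eq 0 ]; then min=$base; else min=$((used + 1)); fi
  max=$((base + size - 1))
  [ "$min" -le "$max" ] || { echo "range exhausted: highest ID in use is $used" >&2; return 1; }
  printf '%s-%s\n' "$min" "$max"
}

# On the IPA server (root, with an admin ticket from kinit admin): print the proposed
# range for $1 (NEW_LDAP_HOSTNAME) and apply it only when $2 is --apply.
recover_dna_range() {
  range=$(dna_range "$(ipa idrange-find)" "$(ipa user-find --sizelimit=0; ipa group-find --sizelimit=0)") || return 1
  echo "proposed DNA range for $1: $range"
  if [ "$2" = "--apply" ]; then
    ipa-replica-manage dnarange-set "$1" "$range" && ipa-replica-manage dnarange-show
  fi
}
```

`--sizelimit=0` matters: without it `ipa user-find` and `ipa group-find` stop after the default 100 entries and the highest ID in use could be missed, which would let the new range overlap existing accounts.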