Versions Compared

Old Version 76

changes.mady.by.user Francesco Murdaca

Saved on

compared with

New Version 77

changes.mady.by.user Francesco Murdaca

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents

User procedure

Automatic

Start user procedure:

  1. Have an Ubuntu 22 VM ready in your tenancy or create a new temporary Ubuntu 22 VM from Morpheus 
    1. plan: eo1.medium
    2. networks: private
    3. security group: ssh
  2. Create backup of the LDAP VM (See CreatebackupofaVM );
  3. Check the Operating System of your LDAP from Morpheus, Provisioning → Instances → select LDAP machine ;
    1. If your LDAP is rocky 8 based → jump to step 8. 
    2. If your LDAP is centos7 based → continue to step 4.
  4. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
  5. Switch IP interfaces between LDAPs using 'switch interfaces of two VMs' workflow in Morpheus (see SwitchInterfacesoftwoVMs);
  6. Update Morpheus (see UpdateMorpheus );
  7. Check everything is working fine (see Tests);
  8. Create LDAP replica instance type to move from rocky 8 to rocky 9 (see MigratefromRocky8toRocky9)
  9. Switch IP interfaces between LDAPs using 'switch interfaces of two VMs' workflow in Morpheus (see SwitchInterfacesoftwoVMs);
  10. Update Morpheus (see UpdateMorpheus );
  11. Check everything is working fine (see Tests);
  12. Delete old LDAP machine/s to free resources (see Delete a VM from Morpheus).

Tasks

Migrate from Centos7 to Rocky 8

Creating a new rocky 8 LDAP replica

...

Warning

In case of errors during the provision of the replica for Rocky 8, please check ipacommandlineofWebUIaccessisdenied,withanHTTPerror401


Migrate from Rocky 8 to Rocky 9

Creating a new rocky 8 LDAP replica

  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD'
  3. Select the LDAP replica Instance type
  4. Select a new name for the VM (e.g. ldap-rocky8) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 9
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap

Create backup of a VM

  1. Go to an Ubuntu 22 VM and select 'Run Workflow'
  2. Select the 'Create Backup of a VM using Openstack Applications Credentials' 

  3. Insert inputs and run the workflow where you provide: 
    1. Name of the VM to backup
    2. Openstack Application Credentials ID and Secret


Switch Interfaces of two VMs

  1. Go to an Ubuntu 22 VM and select 'Run Workflow'
  2. Select the 'Switch Interfaces of two VMs using Openstack Applicaitons Credentials'
  3. Insert inputs and run the workflow where you provide:
    1. OLD VM in this case is the OLD LDAP machine name
    2. NEW VM in this case is the NEW LDAP machine name
    3. Security Group Name:  ldap
    4. Openstack Application Credentials ID and Secret


Update Morpheus

  1. Login to Morpheus and change the value of the hostname for LDAP, going to Tools → Cypher:
  2. DeleteEdit the secret/ldap_hostname Image Removed
  3. Use the '+ADD' to create a new secretImage Removed
    4.  Add KEY: secret/ldap_hostname with and VALUE: NEW_LDAP_HOSTNAME  Image Added


Tests

  1. ssh to ssh-proxy in your tenancy
  2. ssh using DNS to the new LDAP machine
  3. Run sudo ipactl status → verify the services are all up and running (if not, try sudo ipactl restart command)
  4. From Morpheus go to Provisioning → Instances and deploy a new machine to test the enrollment to LDAP DNS is working correctly with the new LDAP machine.



Manual

You can find the manual procedure for some of the steps above

Migrate from Centos7 to Rocky 8

Creating a new LDAP to migrate to

  1. From Morpheus, deploy a new machine with
    1. image: rocky 8
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine
    Code Block
    systemctl stop firewalld && systemctl disable firewalld
  4. Add OLD LDAP IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
    Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN 
<!-- END ANSIBLE MANAGED BLOCK -->
  5. Install freeipa dependencies
    1. for rocky 8:
      1. Code Block
        sudo yum -y update
      2. Code Block
        sudo yum module reset idm:DL1
      3. Code Block
        sudo yum module enable idm:DL1
      4. Code Block
        sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  6. Run the following command to install the LDAP replica
  7. Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    (add --verbose for more logs) NOTE: go ahead with the default netbios and also put yes when asked about the ipa-sidgen task installation for users

  8. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

      1. Code Block
        ipa dnszone-find

    2.  Make the ldap machine primary  (SERVER IS the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)

      1. Code Block
        ipa dnszone-mod DNS_ZONE --name-server=SERVER


Migrate from Rocky 8 to Rocky 9

Creating a new LDAP to migrate to

  1. From Morpheus, deploy a new machine with
    1. image: rocky 9
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine
    Code Block
    systemctl stop firewalld && systemctl disable firewalld
  4. Add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
    Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
 10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN  
<!-- END ANSIBLE MANAGED BLOCK -->
  5. Install freeipa dependencies
    1. for rocky 9:
      1. Code Block
        sudo dnf install ipa-server ipa-server-dns -y
  6. Run the following command to install the LDAP replica
  7. Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    add --verbose for more logs

  8. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

      1. Code Block
        ipa dnszone-find

    2.  Make the ldap machine primary  (SERVER is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)

      1. Code Block
        ipa dnszone-mod DNS_ZONE --name-server=SERVER


Post installation

  1. Delete OLD LDAP machine DNS records (SERVER is the old LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
    Code Block
    ipa-replica-manage del SERVER --force

  2. Find the dns zone name 

  3. Code Block
    ipa dnszone-find
  4. Replace the NEW LDAP machine IP with the IP of the interface of the OLD LDAP machine (HOSTED_ZONE is the output name from the previous command, IP_ADDRESS=The one you saved before in your notes!HOSTNAME is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
    Code Block
    ipa dnsrecord-mod HOSTED_ZONE ipa-ca --a-rec IP_ADDRESS 
ipa dnsrecord-mod HOSTED_ZONE HOSTNAME --a-rec  IP_ADDRESS

Switch IP interfaces between LDAP

  1. SSH to the VM with Openstack Application credentials (EWC - OpenStack Command-Line client) installed and run the following commands:
    1. Show information about the OLD LDAP machine (SERVER_NAME usually is ldap in the tenancies by default):
      Code Block
      openstack server show SERVER_NAME
    2. Detach the interface from the OLD LDAP machine (SERVER_NAME is the name of the OLD LDAP VM from previous command, IP_ADDRESS is the private IP of the OLD LDAP VM, you listed with the previous command, SAVE IT in your notes!)
      Code Block
      openstack server remove fixed ip SERVER_NAME IP_ADDRESS
  2. SSH In the NEW LDAP machine (LDAP replica)
    1. Update the IP of the NEW LDAP machine in the /etc/hosts (IP_ADDRESS ) with the IP of the OLD LDAP machine and remove the line relative to the OLD LDAP ( The one you saved before in your notes!)
      Code Block
      [murdaca@ipa ~]$ cat /etc/hosts

<!-- BEGIN ANSIBLE MANAGED BLOCK -->

IP_ADDRESS ipa.batchpro.ewc

<!-- END ANSIBLE MANAGED BLOCK -->
  3. SSH to the VM with Openstack client installed and run the following commands:
    1. Switch off the NEW LDAP machine (SERVER_NAME is the name of the VM, you can find it with openstack server list )
      Code Block
      openstack server stop SERVER_NAME
    2. Detach the interface from the NEW LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the private IP of the NEW LDAP VM )
      Code Block
      openstack server remove fixed ip SERVER_NAME IP_ADDRESS
    3. Add interface to the NEW LDAP machine with the IP of the old LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS=The one you saved before in your notes!
      Code Block
      openstack server add fixed ip SERVER_NAME IP_ADDRESS
    4. Add LDAP security group to new LDAP machine (SERVER_NAME is the name of the NEW LDAP VM)
      Code Block
      openstack server add security group SERVER_NAME ldap
    5. Restart NEW LDAP machine (SERVER_NAME is the name of the new LDAP VM)
      Code Block
      openstack server restart SERVER_NAME

Known possible errors

ipa command line of WebUI access is denied, with an HTTP error 401

...