You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 32 Next »

In order to perform this migration, you need to request Openstack Application Credentials EWC - How to request Openstack Application Credentials

User procedure

  1. ssh to a machine and login with openstack client EWC - OpenStack Command-Line client
  2. add port 636 TCP.749 TCP,464 UDP to ldap security group
    openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4
  3. SSH into the OLD LDAP machine (your current one) and create DNS reverse zone (NAME_FROM_IP = LDAP IP or using IP range ) (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones
    ipa dnszone-add --name-from-ip=NAME_FROM_IP
  4. Backup existing LDAP machine using the following documentation: EWC - How to create and restore backups from VMs
  5. If your LDAP is rocky 8 based jump to step 9., if it is centos7 continue normally.
  6. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
  7. Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  8. Check everything is fine (see Tests);
  9. Create LDAP replica instance type to move from rocky 8 to rocky 9 (see MigratefromRocky8toRocky9)
  10. Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  11. Check everything is fine (see Tests);
  12. Remove old LDAPs machines to free resources (from Morpheus)


Migrate from Centos7 to Rocky 8

Creating a new LDAP to migrate to

  1. From Morpheus, deploy a new machine with
    1. image: rocky 8
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine
    systemctl stop firewalld && systemctl disable firewalld
  4. Add OLD LDAP IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN 
<!-- END ANSIBLE MANAGED BLOCK -->
  5. Install dependencies
    1. for rocky 8:
      1. sudo yum -y update
      2. sudo yum module reset idm:DL1
      3. sudo yum module enable idm:DL1
      4. sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  6. Run the following command to install the LDAP replica
  7. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    (add --verbose for more logs) NOTE: go ahead with the default netbios and also put yes when asked about the ipa-sidgen task installation for users

  8. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

      1. ipa dnszone-find

    2.  Make the ldap machine primary  (SERVER IS the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)

      1. ipa dnszone-mod DNS_ZONE --name-server=SERVER


Migrate from Rocky 8 to Rocky 9

Creating a new LDAP to migrate to

  1. From Morpheus, deploy a new machine with
    1. image: rocky 9
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine
    systemctl stop firewalld && systemctl disable firewalld
  4. Add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is the domain from your current LDAP (e.g. ldap.eumetsat.sandbox.ewc) )
    [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
 10.0.0.133 test-podman2.eumetsat.sandbox.ewc (this is an example, you will see the private IP of your machine and the domain from your machine here)
OLD_LDAP_IP OLD_LDAP_DOMAIN  
<!-- END ANSIBLE MANAGED BLOCK -->
  5. Install dependencies
    1. for rocky 9:
      1. sudo dnf install ipa-server ipa-server-dns -y
  6. Run the following command to install the LDAP replica
  7. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    add --verbose for more logs

  8. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

      1. ipa dnszone-find

    2.  Make the ldap machine primary  (SERVER is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)

      1. ipa dnszone-mod DNS_ZONE --name-server=SERVER


Switch IP interfaces between LDAP

  1. Using Openstack Application credentials (EWC - OpenStack Command-Line client), identify your OLD LDAP machine 
    openstack server list
  2. Detach the interface from the OLD LDAP machine (SERVER_NAME is the name of the VM from previous command, IP_ADDRESS is the private IP of the OLD LDAP VM, you listed with the previous command, SAVE IT in your notes and don't lose it!)
    openstack server remove fixed ip SERVER_NAME IP_ADDRESS
  3. SSH In the NEW LDAP machine,
    1. Update the IP of the NEW LDAP machine in the /etc/hosts (IP_ADDRESS ) with the IP of the OLD LDAP machine ( The one you saved before in your notes!)
      [murdaca@ipa ~]$ cat /etc/hosts

<!-- BEGIN ANSIBLE MANAGED BLOCK -->

IP_ADDRESS ipa.batchpro.ewc

<!-- END ANSIBLE MANAGED BLOCK -->
    2. Delete OLD LDAP machine DNS records (SERVER is the old LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
      ipa-replica-manage del SERVER --force

    3. Find the dns zone name 

    4. ipa dnszone-find
    5. Replace the NEW LDAP machine IP with the IP of the interface of the OLD LDAP machine (HOSTED_ZONE is the output name from the previous command, IP_ADDRESS=The one you saved before in your notes!HOSTNAME is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
      ipa dnsrecord-mod HOSTED_ZONE ipa-ca --a-rec IP_ADDRESS 
ipa dnsrecord-mod HOSTED_ZONE HOSTNAME --a-rec  IP_ADDRESS
  4. Switch off the NEW LDAP machine (SERVER_NAME is the name of the VM, you can find it with openstack server list )
    openstack server stop SERVER_NAME
  5. Detach the interface from the NEW LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the private IP of the NEW LDAP VM )
    openstack server remove fixed ip SERVER_NAME IP_ADDRESS
  6. Add interface to the NEW LDAP machine with the IP of the old LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS=The one you saved before in your notes! 
  7. openstack server add fixed ip SERVER_NAME IP_ADDRESS
  8. Add security groups to new LDAP
  9. Restart NEW LDAP machine (SERVER_NAME is the name of the VM)
    openstack server restart SERVER_NAME
  10. Go to Morpheus and change the value in Cypher: Delete the secret/ldap_hostname and recreate secret/ldap_hostname it to point to the new ipa host (e.g. ldap.eumetsat.sandbox.ewc)


Tests

  1. login with DNS from ssh-proxy
  2. Run sudo ipactl status → verify the services are all up and running
  3. Deploy a new machine and enroll


Post Installation (optional in case of similar errors)

After the IPA Migration, especially from Centos7 to Rocky9, there might be still some possible errors, like the one below:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


There is a FreeIPA doc site related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html

The fix for that error is the following command:

  1. Identify min and max range of IDs 
     ipa idrange-find
  2. Set the lower boundary to exclude every existing account (as of ipa user-find | grep 'UID')
  3. Assign the DNS range using ${min}-${max} identified in the previous steps 
     ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
  4. Check the range that is used 
ipa-replica-manage dnarange-show



  • No labels