Pre-requisites:

User procedure

Start user procedure:

  1. Have an Ubuntu 22 VM ready in your tenancy or create a new temporary Ubuntu 22 VM from Morpheus
    1. plan: eo1.medium
    2. networks: private
    3. security group: ssh
  2. Create a backup of the LDAP VM (see Create backup of a VM);
  3. Check the Operating System of your LDAP from Morpheus, Provisioning → Instances → select the LDAP machine;
    1. If your LDAP is rocky 8 based → jump to step 8.
    2. If your LDAP is centos7 based → continue to step 4.
  4. Create an LDAP replica instance type to move from centos7 to rocky 8 (see Migrate from Centos7 to Rocky 8);
  5. Switch IP interfaces between LDAPs using the 'switch interfaces of two VMs' workflow in Morpheus (see Switch Interfaces of two VMs);
  6. Update Morpheus (see Update Morpheus);
  7. Check everything is working fine (see Tests);
  8. Create an LDAP replica instance type to move from rocky 8 to rocky 9 (see Migrate from Rocky 8 to Rocky 9);
  9. Switch IP interfaces between LDAPs using the 'switch interfaces of two VMs' workflow in Morpheus (see Switch Interfaces of two VMs);
  10. Update Morpheus (see Update Morpheus);
  11. Check everything is working fine (see Tests);
  12. Delete the old LDAP machine/s to free resources (see Delete a VM from Morpheus).

Tasks


Migrate from Centos7 to Rocky 8

Creating a new rocky 8 LDAP replica

  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD'
  3. Select the LDAP replica Instance type
  4. Select a new name for the VM (e.g. ldap-rocky8) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 8
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap


In case of errors during the provisioning of the replica for Rocky 8, please check 'ipa command line of WebUI access is denied, with an HTTP error 401' under Known possible errors.


Migrate from Rocky 8 to Rocky 9

Creating a new rocky 9 LDAP replica

  1. Login to Morpheus
  2. Go to Provisioning → Instances and click '+ADD'
  3. Select the LDAP replica Instance type
  4. Select a new name for the VM (e.g. ldap-rocky9) and click 'Next'
  5. Use the following inputs for the VM and then click 'Next' until the deployment starts:
    1. version: 9
    2. plan: eo1.medium
    3. networks: private
    4. security group: ldap

Create backup of a VM

  1. Go to an Ubuntu 22 VM and select 'Run Workflow'
  2. Select the 'Create Backup of a VM using Openstack Applications Credentials' workflow
  3. Insert inputs and run the workflow, where you provide:
    1. Name of the VM to backup
    2. Openstack Application Credentials ID and Secret


Switch Interfaces of two VMs

  1. Go to an Ubuntu 22 VM and select 'Run Workflow'
  2. Select the 'Switch Interfaces of two VMs using Openstack Applications Credentials' workflow
  3. Insert inputs and run the workflow, where you provide:
    1. OLD VM: in this case the OLD LDAP machine name
    2. NEW VM: in this case the NEW LDAP machine name
    3. Security Group Name: ldap
    4. Openstack Application Credentials ID and Secret


Update Morpheus

  1. Login to Morpheus and change the value of the hostname for LDAP, going to Tools → Cypher:
    1. Delete the secret/ldap_hostname
    2. Use '+ADD' to create a new secret
    3. Add KEY: secret/ldap_hostname and VALUE: NEW_LDAP_HOSTNAME


Tests

  1. ssh to ssh-proxy in your tenancy
  2. ssh using DNS to the new LDAP machine
  3. Run sudo ipactl status → verify the services are all up and running (if not, try the sudo ipactl restart command)
  4. From Morpheus go to Provisioning → Instances and deploy a new machine to test that enrollment into LDAP DNS works correctly with the new LDAP machine.
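Step 3 above is a visual check of 'ipactl status'. The following is an added example (not part of the original runbook) that turns it into a scripted pass/fail check: it reads the status output and lists any service not reporting RUNNING, which is the condition under which the runbook says to try 'sudo ipactl restart'. The sample output is constructed; in practice pipe the real command into the functions.

```shell
#!/bin/sh
# Added example, not from the original runbook: decide whether the
# 'sudo ipactl status' test passes, i.e. every IPA service reports RUNNING.

# Constructed sample of 'ipactl status' output with one stopped service.
SAMPLE_IPACTL_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# ipa_services_down: read ipactl status output on stdin and print the name of
# every "<name> Service: <state>" line whose state is not RUNNING.
ipa_services_down() {
    awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 }'
}

# ipactl_status_ok: return 0 when no service is down, 1 otherwise
# (the runbook says to try 'sudo ipactl restart' in that case).
ipactl_status_ok() {
    down=$(ipa_services_down)
    if [ -n "$down" ]; then
        printf 'not running: %s\n' "$down" >&2
        return 1
    fi
    return 0
}

# Usage on the real machine: sudo ipactl status | ipactl_status_ok
printf '%s\n' "$SAMPLE_IPACTL_STATUS" | ipactl_status_ok || echo "retry with: sudo ipactl restart"
```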


Known possible errors

ipa command line of WebUI access is denied, with an HTTP error 401

You may see this error during the tests (e.g. running an ipa command) or during enrollment of a machine into LDAP, after the migration from Centos7 to Rocky8.

Example error:

[root@replica-first ~]# ipa --verbose
ipa: INFO: Connection to https://replica-first.coreservices.ewc/ipa/session/json failed with <ProtocolError for replica-first.coreservices.ewc/ipa/session/json: 401 Unauthorized>
ipa: INFO: Connection to https://ldap.coreservices.ewc/ipa/session/json failed with [Errno -2] Name or service not known
ipa: ERROR: cannot connect to 'any of the configured servers': https://replica-first.coreservices.ewc/ipa/session/json, https://ldap.coreservices.ewc/ipa/session/json


In order to fix this authentication issue:

  1. SSH to the current LDAP machine
  2. Become root
  3. Run the following:
    python3 /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
  4. Restart IPA:
    ipactl restart
  5. Finally, kinit with the LDAP admin user (you can find it in Morpheus Cypher → secret/ipaadmin_username and password/ipaadmin) and try to run ipa commands to verify the above error is gone:
    kinit <ldap-admin-user>
  6. Finish the procedure for the new rocky 8 replica:
    1. Delete the OLD LDAP machine DNS records:
      ipa-replica-manage del OLD_LDAP_HOSTNAME --force
    2. Replace the NEW LDAP machine IP in the DNS records with the IP of the interface of the OLD LDAP machine:
      ipa dnsrecord-mod DNS_HOSTED_ZONE ipa-ca --a-rec OLD_LDAP_PRIVATE_IP
      ipa dnsrecord-mod DNS_HOSTED_ZONE NEW_LDAP_SERVER_NAME --a-rec OLD_LDAP_PRIVATE_IP
    3. Edit the /etc/hosts file and make sure it is as follows:
      [murdaca@ipa ~]$ cat /etc/hosts
      <!-- BEGIN ANSIBLE MANAGED BLOCK -->
      OLD_LDAP_PRIVATE_IP NEW_LDAP_HOSTNAME
      <!-- END ANSIBLE MANAGED BLOCK -->

where:

Resource: https://access.redhat.com/solutions/7052125

DNA range issue

After the IPA migration, especially from Centos7 to Rocky9, there might still be some errors, like the one below:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


There is a FreeIPA doc site related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html

The fix for that error is the following sequence of commands:

  1. Check whether your DNA range exists:
    ipa-replica-manage dnarange-show
    (This command should return ldap_server: No on-deck range set)
  2. Identify the min and max of the ID range (min = First Posix ID of the range; max = First Posix ID of the range + Number of IDs in the range):
    ipa idrange-find
  3. Assign the DNA range using the ${min}-${max} identified in the previous step:
    ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
  4. Check that the range is now assigned:
    ipa-replica-manage dnarange-show
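Steps 2 and 3 above require reading the min and max by eye from 'ipa idrange-find'. The following is an added example (not part of the original runbook) that derives the ${min}-${max} argument from that output using the runbook's formula, considers only the local domain range (an AD trust range, if present, must not be used for DNA), and prints the dnarange-set command for review instead of running it. The idrange-find output, realm names and the server hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original runbook: build the "min-max" argument for
# 'ipa-replica-manage dnarange-set' from 'ipa idrange-find' output, using the
# runbook's formula (min = First Posix ID, max = First Posix ID + Number of IDs).

# Constructed sample of 'ipa idrange-find' output (hypothetical realms/values).
SAMPLE_IDRANGE_FIND='----------------
2 ranges matched
----------------
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 1427000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: AD.EXAMPLE.TEST_id_range
  First Posix ID of the range: 1900000000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------'

# compute_dna_range: read idrange-find output on stdin and print "min-max" for
# the single local domain range; fail if there is not exactly one such range.
compute_dna_range() {
    awk '
        /First Posix ID of the range:/   { first = $NF }
        /Number of IDs in the range:/    { count = $NF }
        /Range type: local domain range/ { n++; min = first; max = first + count }
        END {
            if (n != 1) { print "expected exactly one local domain range, found " n+0 > "/dev/stderr"; exit 1 }
            # NOTE: the highest ID actually inside the idrange is first + count - 1;
            # the runbook uses first + count, which is what is printed here.
            printf "%d-%d\n", min, max
        }'
}

# dnarange_set_cmd: print the step-3 command for the given server without executing it.
dnarange_set_cmd() {
    server="$1"
    range=$(printf '%s\n' "$SAMPLE_IDRANGE_FIND" | compute_dna_range) || return 1
    printf 'ipa-replica-manage dnarange-set %s %s\n' "$server" "$range"
}

# Hypothetical server name; on the real machine use: ipa idrange-find | compute_dna_range
dnarange_set_cmd ldap-rocky9.example.test
# prints: ipa-replica-manage dnarange-set ldap-rocky9.example.test 1427000000-1427200000
```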