Bug 1719767
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Extend IPA to support unadvertised replicas | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | François Cami <fcami> |
| Component | ipa | Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified | Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | unspecified | | |
| Version | 8.0 | CC | abokovoy, batkisso, fcami, fhanzelk, frenaud, ipa-maint, ipa-qe, ksiddiqu, mkosek, mmuehlfe, ndehadra, pasik, pcech, pvoborni, rcritten, saime, tmihinto, tscherf, twoerner |
| Target Milestone | rc | Keywords | TechPreview |
| Target Release | 8.1 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.8.0-1 | Doc Type | Enhancement |

Doc Text:
.Setting up IdM as a hidden replica is now fully supported
Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden replicas. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no `SRV` records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.
Hidden replicas are primarily designed for dedicated services that could otherwise disrupt clients. For example, a full backup of IdM requires shutting down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.
To install a new hidden replica, use the `ipa-replica-install --hidden-replica` command. To change the state of an existing replica, use the `ipa server-state` command.
For further details, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-replica_installing-identity-management#installing-an-idm-hidden-replica_install-replica[Installing an IdM hidden replica].
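The property that makes a replica "hidden" is externally observable: none of its services may appear as an `SRV` target in DNS. The following audit script is an added example, not part of this bug report and not FreeIPA's own code. It cross-checks the `Hidden IPA masters` / `Hidden IPA CA servers` / `Hidden IPA DNS servers` lines printed by `ipa config-show` (the line format follows what is quoted in this bug) against `SRV` records in the answer-section layout `dig` prints (an assumption about the record source), and reports any hidden host that is still advertised, plus the "every master hidden" condition that the server tooling itself refuses. All sample output and host names below are constructed for illustration.

```python
"""Audit check: no hidden IdM replica may be advertised via DNS SRV records.

Added example; not part of the bug report or of FreeIPA. The `ipa config-show`
lines follow the format quoted in the bug; the SRV lines are assumed to be
in `dig` answer-section format. All sample data is constructed.
"""
import re

# Constructed sample of `ipa config-show` output. Whether "IPA masters" lists
# only enabled masters or all masters varies by assumption; the check below
# works either way because it subtracts the hidden set.
CONFIG_SHOW = """\
  Maximum username length: 32
  IPA masters: vm-idm-010.testrelm.test
  Hidden IPA masters: vm-idm-025.testrelm.test
  IPA CA servers: vm-idm-010.testrelm.test
  Hidden IPA CA servers: vm-idm-025.testrelm.test
  IPA DNS servers: vm-idm-010.testrelm.test
  Hidden IPA DNS servers: vm-idm-025.testrelm.test
  IPA CA renewal master: vm-idm-010.testrelm.test
"""

# Constructed SRV answer section (owner TTL IN SRV prio weight port target).
# The _kerberos record pointing at vm-idm-025 is the deliberate leak that a
# correctly hidden replica must never have; the audit should catch it.
SRV_RECORDS = """\
_ldap._tcp.testrelm.test.     86400 IN SRV 0 100 389 vm-idm-010.testrelm.test.
_kerberos._udp.testrelm.test. 86400 IN SRV 0 100 88  vm-idm-010.testrelm.test.
_kerberos._udp.testrelm.test. 86400 IN SRV 0 100 88  vm-idm-025.testrelm.test.
"""

SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(?P<target>\S+)$"
)

HIDDEN_LABELS = ("Hidden IPA masters", "Hidden IPA CA servers", "Hidden IPA DNS servers")


def parse_config_show(text):
    """Return {label: set(hosts)} for every 'Label: host, host' line."""
    roles = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.strip().partition(":")
        hosts = {h.strip().lower() for h in value.split(",") if h.strip()}
        roles[label.strip()] = hosts
    return roles


def parse_srv(text):
    """Return (owner, target) pairs from dig-style SRV lines; trailing dots removed."""
    pairs = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            pairs.append((m["owner"].rstrip(".").lower(),
                          m["target"].rstrip(".").lower()))
    return pairs


def audit(config_text, srv_text):
    """Return a list of findings; an empty list means the hidden state is consistent."""
    roles = parse_config_show(config_text)
    findings = []

    hidden = set()
    for label in HIDDEN_LABELS:
        hidden |= roles.get(label, set())

    # Finding 1: a hidden host appearing as an SRV target is discoverable,
    # which defeats the purpose of hiding it.
    for owner, target in parse_srv(srv_text):
        if target in hidden:
            findings.append(f"hidden host {target} is advertised by {owner}")

    # Finding 2: at least one master must remain enabled. `ipa server-state`
    # refuses to hide the last one; this catches the same condition from outside.
    masters = roles.get("IPA masters", set())
    hidden_masters = roles.get("Hidden IPA masters", set())
    if hidden_masters and not (masters - hidden_masters):
        findings.append("every IPA master is hidden; clients have nothing to discover")

    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_SHOW, SRV_RECORDS) or ["no findings"]:
        print(finding)
```

In practice the two inputs would come from `ipa config-show` and from `dig SRV` queries for each `_ldap`, `_kerberos` and `_kpasswd` name in the domain; the parsing functions take the raw text so the script can be pointed at captured output without modification.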
| Field | Value | Field | Value |
|---|---|---|---|
| Story Points | --- | | |
| Clone Of | 1518939 | Environment | |
| Last Closed | 2019-11-05 20:53:20 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1518939 | | |
| Bug Blocks | 1647919, 1720120 | | |
Comment 1
François Cami
2019-06-12 14:06:42 UTC
Removing RFE. The introduction of this feature happened in RHEL 7.7.

ipa-server-version: ipa-4.8.0-10.module+el8.1.0+4107+4a66eb87

Tested the bug with the following scenarios:

1. Verify that a hidden replica can be set up as a direct replica installation: PASS
2. Verify that a hidden replica can be set up using replica promotion: PASS
3. Verify that a replica can be set up from another replica already configured as a hidden replica: PASS
4. Verify that an error message is displayed when the state of all masters is changed to 'hidden': PASS
5. Verify that a replica can be demoted to be a hidden replica: PASS
6. Verify that a hidden replica can be promoted: PASS
7. Verify that KRA installation works on a replica set up as a hidden replica: PASS
8. Verified that the replica state can be changed to hidden after upgrade:

```
[root@kvm-04-guest01 ~]# kdestroy -A
[root@kvm-04-guest01 ~]# kinit admin
Password for admin:
[root@kvm-04-guest01 ~]# klist
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
09/04/2019 10:52:37  09/05/2019 10:52:34  krbtgt/TESTRELM.TEST
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=enabled
ipa: ERROR: no modifications to be performed
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=disabled
ipa: ERROR: invalid 'state': must be one of 'enabled', 'hidden'
[root@kvm-04-guest01 ~]# ipa server-state `hostname` --state=hidden
-------------------------------------------------------
Changed server state of "kvm-04-guest01.testrelm.test".
-------------------------------------------------------
[root@kvm-04-guest01 ~]#
```

9. Verify that automatic CRL configuration works for a hidden replica: PASS

```
[root@vm-idm-025 ~]# ipa config-show | grep "CA renewal master"
  IPA CA renewal master: vm-idm-010.testrelm.test
[root@vm-idm-025 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful
[root@vm-idm-025 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-09-05 09:56:33
Last CRL Number: 7
The ipa-crlgen-manage command was successful
[root@vm-idm-025 ~]# ipa config-show | grep Hidden
  Hidden IPA masters: vm-idm-025.testrelm.test
  Hidden IPA CA servers: vm-idm-025.testrelm.test
  Hidden IPA DNS servers: vm-idm-025.testrelm.test
[root@vm-idm-025 ~]# ipa config-show | grep "CA renewal master"
  IPA CA renewal master: vm-idm-010.testrelm.test
```

10. Verified that a hidden replica can be installed against an upgraded server: PASS
11. Verified that the UI is accessible for a hidden replica when the state is changed from hidden to enabled and vice versa: PASS

Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

I moved the RN to the Tech Preview section. Unfortunately, our publishing system is currently down. We will republish the RHEL 8.1 RNs as soon as possible.