Petr Viktorin wrote:
Hello,
Can I use old replica files to install replicas? For example, is this
supported?

1) Create replica file on master
2) Upgrade master
3) Use the (old) replica file to install a replica

The rule of thumb is (or should be): New replicas should be installed from a file prepared on the highest available version in the chain, on that same version.

Also: For ipa-ca-install, do I need to use the same replica file that
was used to install the replica originally? Consider the following:

1) Create replica file on master
2) Install a replica
3) Upgrade the master
4) Install a CA on the replica

Am I supposed to use the old file for (4), or a newly generated one?

I'm not sure I considered this case before. I think you'd probably be ok using an old replica file. The downside of generating a new one is this will generate new SSL certificates for the IPA services on that replica which will go unused (but certs are cheap).

The place we would get into trouble is if at some point we change the server cert profile and the cert in the old replica file was generated before the change. This would mean we'd install an out-of-policy cert.

I couldn't find clear answers in the documentation.
I could test how this works now, but I'd rather ask if there's a clear
idea of how it's supposed to work.


rob
