Yes, while in general upgrades should be possible, the big jump you made combined with a distro that isn’t as robust as say, CentOS or RHEL I’d suggest always simply rolling a replacement server to replace the old ones one by one. Also always run at least 2 servers with all the roles so you don’t end up in a situation where you cannot recover from a broken system. Keep in mind that enrolments and server replication only works as long as you have at least 1 functional server.
John > On 29 May 2019, at 22:25, Darac Marjal via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > Ah, is FreeIPA generally okay with servers being at different versions, > then? Could I upgrade by creating a new server, enrolling it as a > replica of then old server and then shut down the old server. Can I do > that as a general behaviour? > > On 29/05/2019 21:21, John Keates via FreeIPA-users wrote: >> I’d suggest creating a new server, enrolling it as a replica (well, it’s >> multi-master so technically it’s just another FreeIPA server) instead of >> upgrading. >> If you have other servers that still work, do that and nuke this one. If >> this is the last/only server you have, I’d restore it from backups (you have >> those, right?). >> >> If you neither have additional servers that work, nor backups, prepare for a >> nightmare. If you know ahead of time that rebuilding your IPA infrastructure >> might be a slight hassle yet only take an hour or so to re-enroll all hosts >> and reset your users, do that as it’ll be faster in many cases. >> >> John >> >>> On 29 May 2019, at 21:35, Darac Marjal via FreeIPA-users >>> <freeipa-users@lists.fedorahosted.org> wrote: >>> >>> Hello good people, >>> >>> Due to being unfamiliar with Fedora, my home FreeIPA server has been >>> languishing on Fedora version 25 for ages. I recently twigged that it >>> hadn't been updated in ages to upgraded to Fedora version 30. That >>> seemed to go OK, but now, when I try to run ipactl start, I get the >>> following: >>> >>> # ipactl start >>> IPA version error: data needs to be upgraded (expected version >>> '4.7.90.pre1-4.fc30', current version '4.4.4-1.fc25') >>> Automatically running upgrade, for details see /var/log/ipaupgrade.log >>> Be patient, this may take a few minutes. >>> Automatic upgrade failed: IPA server upgrade failed: Inspect >>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>> Unexpected error - see /var/log/ipaupgrade.log for details: >>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>> 'start', 'dirsrv@GHIBLI-DARAC-ORG-UK.service'] returned non-zero exit >>> status 1: 'Job for dirsrv@GHIBLI-DARAC-ORG-UK.service failed because the >>> control process exited with error code.\nSee "systemctl status >>> dirsrv@GHIBLI-DARAC-ORG-UK.service" and "journalctl -xe" for details.\n') >>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >>> more information >>> >>> See the upgrade log for more details and/or run >>> /usr/sbin/ipa-server-upgrade again >>> Aborting ipactl >>> >>> Looking into the logs for dirsrv@<REALM>, I see the following: >>> >>> May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]: >>> [29/May/2019:20:30:52.917492045 +0100] - ERR - dse_read_one_file - The >>> entry cn=schema in file /usr/share/dirsrv/schema/00core.ldif (lineno: 1) >>> is invalid, error code > >>> May 29 20:30:52 yubaba.ghibli.darac.org.uk ns-slapd[9839]: >>> [29/May/2019:20:30:52.989705116 +0100] - ERR - setup_internal_backends - >>> Please edit the file to correct the reported problems and then restart >>> the server. >>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: >>> dirsrv@GHIBLI-DARAC-ORG-UK.service: Main process exited, code=exited, >>> status=1/FAILURE >>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: >>> dirsrv@GHIBLI-DARAC-ORG-UK.service: Failed with result 'exit-code'. >>> May 29 20:30:53 yubaba.ghibli.darac.org.uk systemd[1]: Failed to start >>> 389 Directory Server GHIBLI-DARAC-ORG-UK.. >>> >>> Now, in an attempt to fix this, I spun up a new VM, installed >>> freeipa-server and then copied /usr/share/dirsrv/schema/*.ldif over, but >>> that doesn't seem do have had any effect. >>> >>> Can anyone assist in pointing me in a direction to fixing this? >>> >>> >>> Many thanks! >>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org >>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: >>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org