backup and restoration of a freeipa infrastructure
Solution 1:
I don't have a proper solution to backup and restore a FreeIPA server on CentOS, only a workaround to have a server operative with the same configuration in the shortest time possible. You do lose the CA and you need to rejoin the hosts to the server.
This is the way I dealt with "disaster recovery" while using the 2.x series. I did many trial and error experiments and got tired of restoring my settings from scratch:
- provision a new host using DHCP+PXE+TFTP+Kickstart.
- ensure the kickstart script installs the
puppetlabsrepo and register itself with thepuppetmaster, there is (was) an entry inautosign.conffor this purpose. (Thepuppetlabsrepo is not mandatory, but I was using syntax not present in the stock version ofpuppet). - write a module containing a
packageresource to have the server and its dependencies installed, and anexecresource to run a shell script (all kept under version control) defining all the infrastructure needed in the domain.
I'll give you a snippet of the script here, you get the general idea:
#!/usr/bin/env bash
# vim:syn=sh:ts=2:fdm=marker
# IPASERVER BOOTSTRAP {{{
# HOSTGROUPS {{{
# foo {{{
ipa hostgroup-add foo --desc='Foo Bar Baz'
ipa hostgroup-add-member sanfernando --hosts={foo,bar,baz}.domain.com
ipa netgroup-add net_foo --nisdomain=domain.com --desc='Foo Bar Baz'
ipa netgroup-add-member net_foo --hostgroups=sanfernando
# }}}
# }}}
# PWPOLICY {{{
ipa pwpolicy-mod global_policy --history=24
ipa pwpolicy-mod global_policy --lockouttime=1200
ipa pwpolicy-mod --setattr=krbpwdmindiffchars=4
ipa pwpolicy-mod --setattr=krbpwdminlenght=14
ipa pwpolicy-mod --setattr=krbpwdmaxfailure=5
ipa pwpolicy-mod --setattr=krbminpwdlife=168
ipa pwpolicy-mod --setattr=krbpwdfailurecountinterval=1200
# }}}
# USERS/GROUPS/HBAC {{{
# developers {{{
ipa user-add jdoe --first='Jane' --last='Doe' --email='[email protected]' --gecos='Jane Doe' --shell='/bin/rbash' --sshpubkey='AAA......XXGDGHU='
ipa group-add foo --desc='Foo Staff'
ipa group-add-member foo --users=jdoe
ipa hbacrule-add developers_access --desc='Developers access'
ipa hbacrule-add-host developers_access --hostgroups=development
ipa hbacrule-add-user developers_access --groups=developers
ipa hbacrule-add-service developers_access --hbacsvcs=sshd
ipa hbacrule-add-service developers_access --hbacsvcgroups=Sudo
# }}}
# }}}
# SUDO CMD/RULE/GROUP {{{
# networking {{{
ipa sudocmd-add --desc='administration tool for IPv4 packet filtering and NAT' '/sbin/iptables'
ipa sudocmd-add --desc='view and manipulate media-independent interface status' '/sbin/mii-tool'
ipa sudocmd-add --desc='display or change ethernet card settings' '/sbin/ethtool'
ipa sudocmd-add --desc='show and manipulate routing, devices, policy routing and tunnels' '/sbin/ip'
ipa sudocmd-add --desc='sudoedit configuration file of IPv4 packet filtering and NAT' 'sudoedit /etc/sysconfig/iptables'
ipa sudocmdgroup-add networking --desc='commands for network configuration and troubleshooting'
ipa sudocmdgroup-add-member networking --sudocmds=/sbin/{iptables,mii-tool,ethtool,ip}
ipa sudocmdgroup-add-member networking --sudocmds='sudoedit /etc/sysconfig/iptables'
ipa sudorule-add networking_4_operators_2 --desc='Operator Level 2 access to networking management commands'
ipa sudorule-add-allow-command networking_4_operators_2 --sudocmdgroups='networking'
ipa sudorule-add-user networking_4_operators_2 --groups='operators_2'
ipa sudorule-add-host networking_4_operators_2 --hostgroups=foo-hosts
# }}}
# }}}
# }}}
Solution 2:
FreeIPA (now branded as Red Hat Identity Manager on RHEL) as of 4.x includes CLI tools: ipa-backup (producing a GPG-encrypted backup dump of either all server information or LDAP data only) and ipa-restore.
One caveat: after restoring a data-only backup on a freshly installed server I found that it clobbered the admin credentials and I couldn't log in as admin or any other use no matter what I did ("incorrect password" error message). So it was pretty useless. This could have been a quirk of my setup, however. Be sure to test restore before relying on it!