FreeIPA is a relatively new technology that gives you many features in the areas of identity management, host-based access control and user-based access control across your Linux infrastructure.
FreeIPA is designed to give you centralised management over Linux systems, in a way similar to what Microsoft Active Directory provides over a Windows estate.
If you would like to find out more about FreeIPA, head across to the project wiki which you can find here.
For those of you who are already running FreeIPA and are looking for information about backing up and restoring your environment, please read on.
Backup and restore procedures are always an interesting topic in the industry. "What do I use to perform backups?", "How often do I back up?" and "What do I back up?" are all very commonly asked questions.
I have witnessed countless opinions on how an organisation should do their backups, and realistically there is no right or wrong way, provided your restoration procedures work.
If your restoration procedures fail when you need them most, I hate to say it, but you’re doing it wrong.
What do I use to perform backups?
This question is often asked and there is no easy answer. When it comes to managing a reliable backup schedule, I highly recommend you use a product for which you have some form of enterprise support from the vendor. I have seen many people say "Why should we pay for something when we can do it ourselves?", yet in the hour of need they are the ones who end up suffering because they aren't able to restore. Don't let this be you. If you can afford it, please don't hold back.
I personally recommend the use of Acronis, CommVault, NetBackup or even ArcServe if you really want. The important thing is that you have the ability to back up the files within your servers.
A note on virtualization:
A common assumption is that “if I run my infrastructure inside of virtual servers within a virtualization technology, I can backup the virtual server and I don’t have to worry about anything else”.
This definitely has its merits; however, one very important question for you is "Can you restore specific files from within that virtual server backup, or do you have to restore the entire server just to recover one file?"
It is important to consider the above, as this directly affects the time it takes to restore your data and how complicated the process will be.
Something to remember is that single file or folder restores are, statistically, substantially more common than restores following a full server failure.
If you are using Red Hat Enterprise Virtualization (RHEV), Acronis will give you the ability to back up your virtual servers completely as well as to restore individual files.
How often do I back up?
This question is really open to interpretation. As this article refers to FreeIPA, I will compare it to Microsoft Active Directory.
Active Directory allows you to take what is referred to as a System State backup. This is performed on your Domain Controller, which is the equivalent to your FreeIPA Directory Server.
In recent years, it has been very common practice to conduct a System State backup of Active Directory every 1-3 days, depending on the size of your organization.
For example, if you have a small deployment where your Active Directory environment does not change very frequently, a daily backup is not as critical as it is for a large organisation with a constantly evolving environment.
Please be aware that I am not condoning a loose approach to backing up Active Directory. If you have the ability and resources available, I highly recommend backing up your Active Directory Domain Controllers, or your FreeIPA Directory Servers, on a daily basis.
The more backups you have, the smaller the chance that you will be unable to restore.
Nice article, very detailed and thought through!
However, I wonder if you have looked into how to recover in a more complex multi-master configuration? What would be the way to recover from a situation where
A) One of the master servers dies and need to be replaced/restored?
B) A user mistake that leads to missing data?
For scenario A) I imagine that the backup steps provided here will not work, since the data in the backup and the data on the master that didn't die will be inconsistent.
For scenario B) how can one restore the missing data from backups?
Hi Johan
Thanks for the feedback. Thanks for the questions.
I have written this process as an interim solution for FreeIPA 2.2. FreeIPA 3 will have a supported backup method, from what I am aware of.
Regarding your question on multi-master server restorations: this method is meant to be as simple as a System State backup is for Windows. You would simply have this backup run on each of your master servers, and you would then need to restore the right backup archive for that server.
As for your question about restoring missing data, this should be treated as a more advanced type of restoration. As such, it goes beyond the scope of this article.
The ipa-backup command will give you the ability to back up to an LDIF export for both LDAP and Dogtag. Restoration of this data at a granular level is something that should really be based on recommendations from the FreeIPA team at Red Hat.
Best regards
Dale
Thanks for this article. I tried going down the tarball route myself but couldn't get a conclusive list of the paths that needed to be backed up. I'll give this a shot ASAP, as backup/restore is the one thing that's holding up our IPA deployment.
I've tried to run:
./ipa-restore.sh --type full --source /root/respaldo_ipa/full/full_backup-20130819143745.tgz
But I get the following message:
"Full restore functionality is currently in development"
Is there a final version for ipa-backup software?
Cheers from Chile.
Hi Sergio
This tool was written for FreeIPA 2.x, as there was no documented method to create a reliable backup.
With the release of FreeIPA 3, backup and restore was introduced as a supported feature.
For details covering the topic, have a read of the link below from the FreeIPA team.
http://www.freeipa.org/page/V3/Backup_and_Restore
I hope this helps lead you in the right direction.
Dale