How to backup / restore FreeIPA 2.2.0 on Red Hat Enterprise Linux 6

What do I back up?

This question, I am sure, will divide some readers from others. Many people say “Just back up the VM and you’ll be fine”, others say “Just backup EVERYTHING and you’ll be fine”.

This is where I choose to stand firm. If you choose to back up your virtual server, that is fine, as long as you can restore it quickly.
If you choose to back up EVERYTHING, that is also fine, as long as you can restore it quickly.

Here is where I become stubborn. Whatever you choose to do to perform your backups is entirely YOUR choice, and that is the most important thing to keep in mind. You are the customer of these products after all.

Sometimes backing up everything is not an option. This is why it is important to have the ability to back up the application or service that you are using as a single contained backup. It is unrealistic for a vendor to ask their customers to rely on another technology in order to back up their solution.

For example, consider a vendor saying “backup the VM” when you, as a customer, may not yet have made the decision to move to virtualization technologies. That advice generalizes that everyone is using virtualization, which is not the case for every customer.


Time to talk tech

At the time of writing this article, there is no backup feature available for FreeIPA 2.x in Red Hat Enterprise Linux 6 / CentOS / etc.

As I personally use FreeIPA to a rather extensive level, I have created a quick utility-like script to take backups of FreeIPA in a way that is similar to a Microsoft System State Backup.

I have created my solution based on the following Red Hat Knowledge Base article.
https://access.redhat.com/knowledge/solutions/67800

Before we go any further: I have created this for my own personal use, and as I have only tested this in varied sizes of FreeIPA implementations, I cannot guarantee that this will 100% work in your environment.

This solution is NOT provided by Red Hat in any way.
DO NOT USE THIS if you do not wish to THOROUGHLY test this within your environment!!!!
This solution comes with ABSOLUTELY NO WARRANTY! Use at your own risk and discretion.

That being said, I highly recommend you discuss what I am about to give you with Red Hat GSS if you wish to consider moving forward with this in your production environment.
Please do not take a knee on this one people. You need to know that Red Hat can support you if something goes wrong. I can’t test every possible environment topology for you.

You can find the items you need here: ipa-backup.tar
Please note: a tarball is being used simply because WordPress does not allow the upload of RPM files.

Once again, before we begin, DO NOT do this on your production environment unless you have fully tested this in a development environment.

On your FreeIPA server, install the RPM from the tarball (or use the script if you prefer). This will install both the backup and restore scripts.

Performing a backup

Once you have installed the RPM, you can run the “ipa-backup” command.

See the output below.
(Please be aware that, in its current state, the ipa-backup command, if used to perform a full or config backup, will stop and start IPA and all surrounding services to create the backup. Please keep this in mind.)

[root@ds01 ~]# ipa-backup

#########################################################################
# Please configure your REALM name in /etc/sysconfig/ipa/backup.conf    #
#########################################################################

[root@ds01 ~]# vi /etc/sysconfig/ipa/backup.conf
[root@ds01 ~]# ipa-backup

#########################################################################
# Please enter your Directory Manager password in the file              #
# /etc/sysconfig/ipa/stash. e.g: if your password is 'redhat123',        #
# then the contents of the file *only* read 'redhat123' without quotes.  #
#########################################################################
[root@ds01 ~]# vi /etc/sysconfig/ipa/stash
[root@ds01 ~]# ipa-backup

Usage examples:

To perform a backup, use the below information as a guide.

Full Backup
# ipa-backup --type full  --destination /mybackup

LDAP Backup
# ipa-backup --type ldap  --destination /mybackup

Dogtag Backup
# ipa-backup --type dogtag  --destination /mybackup

Config Backup
# ipa-backup --type config  --destination /mybackup

[root@ds01 ~]# ipa-backup --type config --destination /mybackup

Config backup complete

Please ensure you take a copy of  /mybackup/config/config-20120907211435.tgz
[root@ds01 ~]#

A bit of background on the backup command. In short, it does the following:

1. Stops IPA services
2. Creates a tarball
3. Restarts IPA services

The tarball includes the following files and directories:
/etc
/etc/certmonger
/etc/dirsrv
/etc/hosts
/etc/httpd
/etc/ipa
/etc/krb5.conf
/etc/krb5.keytab
/etc/named.conf
/etc/named.keytab
/etc/nsswitch.conf
/etc/ntp.conf
/etc/pam.d
/etc/pki
/etc/pki-ca
/etc/resolv.conf
/etc/sssd.d
/etc/sysconfig/authconfig
/etc/sysconfig/dirsrv
/etc/sysconfig/dirsrv-$(echo $REALM | tr . -)
/etc/sysconfig/dirsrv-PKI-IPA
/etc/sysconfig/httpd
/etc/sysconfig/krb5kdc
/etc/sysconfig/named
/etc/sysconfig/ntpd
/etc/sysconfig/pki
/etc/sysconfig/pki-ca
/etc/sysconfig/sshd
/var/kerberos/krb5kdc
/var/lib/authconfig
/var/lib/certmonger
/var/lib/dirsrv
/var/lib/ipa
/var/lib/ipa-client
/var/lib/pki-ca
/var/lib/sss
/var/log/audit/audit.log
/var/log/dirsrv
/var/log/httpd
/var/log/pki-ca
/var/log/pki-ca-install.log
/var/log/ipaclient*.log
/var/log/ipaserver*.log
/var/log/ipareplica*.log
/var/log/ipaupgrade.log
/var/log/sssd
/var/log/messages*
/var/log/krb5kdc.log*
/var/log/secure*
/var/lock/dirsrv/*
/var/run/dirsrv/*
/usr/lib64/dirsrv/slapd-PKI-IPA/
/root/cacert.p12
/root/ca-agent.p12

However, it also excludes the following files and folders:
/etc/fstab
/etc/sysconfig/network*
/etc/sysconfig/rhn
/etc/ssh
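
The archive listed above carries keytabs, the KDC directory, the directory server databases and the CA PKCS#12 files, and /etc/sysconfig/ipa/stash holds the Directory Manager password in clear text, so both the stash and every archive should be readable by their owner only. The following check is an added example, not part of the original post or of the ipa-backup tool; its function names are hypothetical and its path patterns are taken from the file list above.

```bash
#!/bin/sh
# Added example, not part of ipa-backup: flag a password stash or backup
# archive that is readable by anyone other than its owner.
# Function names are hypothetical; path patterns come from the list above.

# Archive members that carry keys, keytabs or credential databases.
SECRET_PATTERNS='^/?(etc/krb5\.keytab|etc/named\.keytab|etc/dirsrv|etc/pki|etc/pki-ca|var/kerberos/krb5kdc|var/lib/dirsrv|var/lib/pki-ca|root/cacert\.p12|root/ca-agent\.p12)(/|$)'

# Succeeds only if the file grants nothing to group or other (e.g. 0600).
mode_is_private() {
    _mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$_mode & 077 )) -eq 0 ]
}

# Prints the secret-bearing members of a tarball, one per line.
list_secret_members() {
    tar -tf "$1" | sed 's|^\./||' | grep -E "$SECRET_PATTERNS" || true
}

# Prints one FINDING line per problem; succeeds only when there are none.
audit_backup() (
    stash=$1 archive=$2 findings=0
    if ! mode_is_private "$stash"; then
        echo "FINDING: $stash (Directory Manager password) is not owner-only"
        findings=$((findings + 1))
    fi
    count=$(list_secret_members "$archive" | wc -l)
    if [ "$count" -gt 0 ] && ! mode_is_private "$archive"; then
        echo "FINDING: $archive holds $count secret-bearing paths and is not owner-only"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Usage: sh audit.sh /etc/sysconfig/ipa/stash /mybackup/config/config-<timestamp>.tgz
if [ "$#" -eq 2 ]; then
    audit_backup "$1" "$2"
fi
```

Run it after each backup and again wherever the archive is copied to, since the copy inherits the same contents but not necessarily the same permissions.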

5 comments on “How to backup / restore FreeIPA 2.2.0 on Red Hat Enterprise Linux 6”

  1. Johan October 10, 2012 16:28

    Nice article, very detailed and thought through!

    However I wonder if you have looked into how to recover in a more complex multi master configuration? What would be the way to recover a situation where,

    A) One of the master servers dies and needs to be replaced/restored?

    B) A user mistake that leads to missing data?

    For scenario A) I imagine that, since the backup steps provided here, will not work since the data in the backup and on the master, that didn’t die, will be inconsistent.

    For scenario B) how can one restore the missing data from backups?

    • Dale Macartney October 17, 2012 14:42

      Hi Johan

      Thanks for the feedback. Thanks for the questions.

      I have written this process as an interim solution for FreeIPA 2.2. FreeIPA 3 will have a supported backup method from what I am aware of.

      Regarding your question of multi master server restorations, this method is to be as simple as a System State backup is for Windows. You would simply have this backup run on each of your master servers. You would simply need to restore the right backup archive for that server.

      As for your question about restoring missing data, this should be treated as a more advanced type of restoration. As such, it goes beyond the spec of this article.
      The ipa-backup command will give you the ability to backup to an LDIF export for both LDAP and Dogtag. Restoration of this data to a granular level is something that should really be based on recommendations from the FreeIPA team at Red Hat.

      Best regards

      Dale

  2. rob July 9, 2013 10:31

    Thanks for this article. I tried going down the tarball route myself but couldn’t get the conclusive list of paths that needed to be backed up. I’ll give this a shot asap, as backup/restore is the one thing that’s holding up our IPA deployment.

  3. Sergio August 19, 2013 21:36

    I’ve tried to run:

    ./ipa-restore.sh --type full --source /root/respaldo_ipa/full/full_backup-20130819143745.tgz

    But I get the following message:

    “Full restore functionality is currently in development”

    Is there a final version for ipa-backup software?

    Cheers from Chile.

    • Dale Macartney August 23, 2013 22:07

      Hi Sergio

      This tool was written for FreeIPA 2.x as there was no documented method to create a reliable backup.

      With the release of FreeIPA 3, backup and restore was introduced as a supported feature.

      For details covering the topic, have a read of the below link from the FreeIPA team.

      http://www.freeipa.org/page/V3/Backup_and_Restore

      I hope this helps lead you in the right direction.

      Dale
