IPA master/replica switchover test
Background
- The ipa-master in datacenter A needs to be migrated to datacenter B, where an IPA replica server already exists. My current understanding is that every ipa-server is an independent server; the only thing between them is data synchronization.
- I now need to deploy an IPA replica server in datacenter C (network relationship between the datacenters: A<->B<->C). C and A cannot reach each other over the network.
- When deploying the FreeIPA replica server in datacenter C, the master chosen is the IPA replica server in datacenter B. During deployment, at the point where the ipa-custodia service is installed, it goes and contacts the FreeIPA server in datacenter A. I could not find out why, so as a first test I want to see whether taking down the primary master FreeIPA server solves the problem.
Environment preparation
Hostname | IP | Simulated role | Domain
---|---|---|---
ipa-master1.test.cn0.wormpex.com | 10.255.206.101 | base1.sys.ops.cn1 | TEST.CN0.WORMPEX.COM
ipa-slave1.test.cn0.wormpex.com | 10.255.206.100 | dns1.sys.ops.bj1 | TEST.CN0.WORMPEX.COM
ipa-realy1.test.bj1.wormpex.com | 10.253.208.121 | relay | TEST.CN0.WORMPEX.COM
ipa-client1.test.bj1.wormpex.com | 10.253.208.95 | dns1.sys.ops.bj2 | TEST.CN0.WORMPEX.COM
The master and replica were already set up in the previous document.
Now set up the services on ipa-client1.test.bj1.wormpex.com.
- Install ipa-client
```bash
ipa-client-install --server=ipa-slave1.test.cn0.wormpex.com --domain=test.cn0.wormpex.com
```
Just follow the prompts.
- Install the IPA replica server
```bash
kinit admin
ipa-replica-install -d
```
- Log analysis during the installation
Step 1: forward and reverse DNS are checked.
```
2019-06-25T11:11:24Z DEBUG Check if ipa-client1.test.bj1.wormpex.com is a primary hostname for localhost
2019-06-25T11:11:24Z DEBUG Primary hostname for localhost: ipa-client1.test.bj1.wormpex.com
2019-06-25T11:11:24Z DEBUG Search DNS for ipa-client1.test.bj1.wormpex.com
2019-06-25T11:11:24Z DEBUG Check if ipa-client1.test.bj1.wormpex.com is not a CNAME
2019-06-25T11:11:24Z DEBUG Check reverse address of 10.253.208.95
2019-06-25T11:11:24Z DEBUG Found reverse name: ipa-client1.test.bj1.wormpex.com
2019-06-25T11:11:24Z DEBUG Check if ipa-slave1.test.cn0.wormpex.com is a primary hostname for localhost
2019-06-25T11:11:24Z DEBUG Primary hostname for localhost: ipa-slave1.test.cn0.wormpex.com
2019-06-25T11:11:24Z DEBUG Search DNS for ipa-slave1.test.cn0.wormpex.com
2019-06-25T11:11:24Z DEBUG Check if ipa-slave1.test.cn0.wormpex.com is not a CNAME
2019-06-25T11:11:24Z DEBUG Check reverse address of 10.255.206.100
2019-06-25T11:11:24Z DEBUG Found reverse name: ipa-slave1.test.cn0.wormpex.com
2019-06-25T11:11:24Z DEBUG Initializing principal host/ipa-client1.test.bj1.wormpex.com@TEST.CN0.WORMPEX.COM using keytab /etc/krb5.keytab
2019-06-25T11:11:24Z DEBUG using ccache /tmp/krbccciatxc/ccache
2019-06-25T11:11:24Z DEBUG Attempt 1/1: success
...
```
Step 2: connectivity to the freeipa-server and its services is checked.
```
2019-06-25T11:11:26Z DEBUG Name ipa-client1.test.bj1.wormpex.com resolved to set([UnsafeIPAddress('10.253.208.95')])
2019-06-25T11:11:26Z DEBUG Searching for an interface of IP address: 10.253.208.95
2019-06-25T11:11:26Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2019-06-25T11:11:26Z DEBUG Testing local IP address: 10.253.208.95/255.255.252.0 (interface: eth0)
2019-06-25T11:11:26Z DEBUG Destroyed connection context.ldap2_139701782171920
2019-06-25T11:11:26Z DEBUG Starting external process
2019-06-25T11:11:26Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master ipa-slave1.test.cn0.wormpex.com --auto-master-check --realm TEST.CN0.WORMPEX.COM --hostname ipa-client1.test.bj1.wormpex.com --ca-cert-file /etc/ipa/ca.crt
2019-06-25T11:11:36Z DEBUG Process finished, return code=0
2019-06-25T11:11:36Z DEBUG stdout=
2019-06-25T11:11:36Z DEBUG stderr=Check connection from replica to remote master 'ipa-slave1.test.cn0.wormpex.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa-slave1.test.cn0.wormpex.com/ipa/session/json
[try 1]: Forwarding 'ping/1' to json server 'https://ipa-slave1.test.cn0.wormpex.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa-slave1.test.cn0.wormpex.com/ipa/session/json'
Check connection from master to remote replica 'ipa-client1.test.bj1.wormpex.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
...
```
Next comes the installation of the various services.
When it reaches this step:
```
2019-06-25T11:13:55Z DEBUG stderr=
2019-06-25T11:13:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2019-06-25T11:13:55Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2019-06-25T11:13:55Z DEBUG Starting external process
2019-06-25T11:13:55Z DEBUG args=/bin/systemctl disable ipa-otpd.socket
2019-06-25T11:13:56Z DEBUG Process finished, return code=0
2019-06-25T11:13:56Z DEBUG stdout=
2019-06-25T11:13:56Z DEBUG stderr=
2019-06-25T11:13:56Z DEBUG duration: 0 seconds
2019-06-25T11:13:56Z DEBUG Done configuring ipa-otpd.
2019-06-25T11:13:56Z INFO Custodia client for '<CustodiaModes.CA_PEER: 'Custodia CA peer'>' with promotion yes.
2019-06-25T11:13:56Z INFO Custodia uses 'ipa-master1.test.cn0.wormpex.com' as master peer.   # This is the step: it goes looking for ipa-master1.test.cn0.wormpex.com, but these two servers cannot reach each other. My guessed fix: take ipa-master1.test.cn0.wormpex.com offline and shut down the ca-server on ipa-master1.test.cn0.wormpex.com. That should solve it.
2019-06-25T11:13:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2019-06-25T11:13:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2019-06-25T11:13:56Z DEBUG Configuring ipa-custodia
2019-06-25T11:13:56Z DEBUG   [1/4]: Generating ipa-custodia config file
2019-06-25T11:13:56Z DEBUG duration: 0 seconds
2019-06-25T11:13:56Z DEBUG   [2/4]: Generating ipa-custodia keys
2019-06-25T11:13:56Z DEBUG duration: 0 seconds
2019-06-25T11:13:56Z DEBUG   [3/4]: starting ipa-custodia
2019-06-25T11:13:56Z DEBUG Starting external process
2019-06-25T11:13:56Z DEBUG args=/bin/systemctl is-active ipa-custodia.service
2019-06-25T11:13:57Z DEBUG Process finished, return code=3
2019-06-25T11:13:57Z DEBUG stdout=unknown
```
It gets no further than this.
Clean up the configuration on the server:
```bash
ipa-server-install --uninstall -q -U
```
Next, the fix.
- My understanding is that the FreeIPA master server and the replica servers each provide service independently; there is only data synchronization between them, as in this diagram.
- Configure a server that plays the role of the relay:
```bash
hostnamectl set-hostname ipa-slave1.test.cn0.wormpex.com
yum install ipa-server -y
vim /etc/krb5.conf
```
```ini
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.CN0.WORMPEX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TEST.CN0.WORMPEX.COM = {
  kdc = ipa-slave1.test.cn0.wormpex.com:88
  master_kdc = ipa-slave1.test.cn0.wormpex.com:88
  admin_server = ipa-slave1.test.cn0.wormpex.com:749
  default_domain = test.cn0.wormpex.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .test.cn0.wormpex.com = TEST.CN0.WORMPEX.COM
 test.cn0.wormpex.com = TEST.CN0.WORMPEX.COM
 ipa-slave1.test.cn0.wormpex.com = TEST.CN0.WORMPEX.COM

[dbmodules]
 TEST.CN0.WORMPEX.COM = {
  db_library = ipadb.so
 }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
```
Note: this configuration shows that the KDC we use is ipa-slave1.test.cn0.wormpex.com. That server is left untouched throughout the experiment, so in principle user logins should not be affected.
- Take the freeipa-server on ipa-master1.test.cn0.wormpex.com offline:
```bash
ipa-server-install --uninstall -q -U
```
- Once it is offline, configure ipa-client1.test.bj1.wormpex.com. The installation fails with exactly the same problem as the very first attempt.
- Looking at the IPA topology graph, ipa-master1.test.cn0.wormpex.com is still present.
- After I deleted ipa-master1.test.cn0.wormpex.com from this screen, it no longer appears in the topology graph either.
- Reinstalling ipa-client1.test.bj1.wormpex.com now succeeds.
During the installation:
```
2019-06-25T11:13:56Z INFO Custodia uses 'ipa-slave1.test.cn0.wormpex.com' as master peer.
```
This time the ipa-slave1.test.cn0.wormpex.com server is used.
Installation succeeded.
- Test logins through the relay
Throughout the experiment I kept logging in:
```
ssh admin@ipa-client1.test.bj1.wormpex.com
  115  ls
  116  ssh admin@ipa-client1.test.bj1.wormpex.com
  117  cat /etc/krb5.conf
  118  ssh admin@ipa-client1.test.bj1.wormpex.com
  119  ssh admin@ipa-slave1.test.cn0.wormpex.com
  120  ssh admin@ipa-client1.test.bj1.wormpex.com
  121  ssh admin@ipa-slave1.test.cn0.wormpex.com
  122  ssh admin@ipa-client1.test.bj1.wormpex.com
  123  ssh admin@ipa-slave1.test.cn0.wormpex.com
  124  ifconfig
  125  cat /etc/krb5.conf
  126  ssh admin@ipa-client1.test.bj1.wormpex.com
```
Every login test succeeded, so normal use is not affected.
Summary
ipa-client1.test.bj1.wormpex.com went to the original master to synchronize the LDAP data. Presumably, among multiple ipa-servers there is one primary ipa-server for the ca-server service. We now only need to find that configuration and switch the primary ipa-server for the ca-server to solve this problem; the master ipa-server does not have to be taken offline, which makes the switch much smoother.
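A pre-flight check I would run before ipa-replica-install, added here as an example that is not part of the original notes: it lists the servers that hold the CA server role and tests whether the replica-to-be can open TCP 443 to each of them, since the Custodia step picks one of those servers as its peer (in the log above it picked ipa-master1.test.cn0.wormpex.com, which datacenter C cannot reach). The `ipa server-role-find` output layout is assumed from the 4.x CLI, and the sample output is constructed from the lab hosts.

```shell
#!/bin/sh
# Added example (not from the original notes): before ipa-replica-install, list the
# servers holding the "CA server" role and verify the replica-to-be can reach each
# of them on TCP 443, because the Custodia step picks one of them as its peer.
# Assumes the `ipa` CLI, a valid admin ticket (kinit admin) and bash for /dev/tcp.

# Print the enabled CA servers from `ipa server-role-find --role 'CA server'` output
# (each entry has "Server name: <fqdn>" followed by "Role status: enabled|...").
ca_servers_from_output() {
  awk '/Server name:/ { host = $NF }
       /Role status:/ { if ($NF == "enabled") print host }' "$1"
}

# Succeed only if a TCP connect to host:port completes within the timeout (seconds).
tcp_reachable() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check every enabled CA server; return 1 if any is unreachable on 443.
preflight_check() {
  rc=0
  for host in $(ca_servers_from_output "$1"); do
    if tcp_reachable "$host" 443; then
      echo "reachable   $host:443"
    else
      echo "UNREACHABLE $host:443  (Custodia could pick this host as its peer)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample in the shape of `ipa server-role-find --role 'CA server'` output,
# using the lab hosts from the notes; set RUN_LIVE=1 to query the real server instead.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
  Server name: ipa-master1.test.cn0.wormpex.com
  Role name: CA server
  Role status: enabled

  Server name: ipa-slave1.test.cn0.wormpex.com
  Role name: CA server
  Role status: enabled
EOF
if [ -n "${RUN_LIVE:-}" ]; then ipa server-role-find --role 'CA server' >"$SAMPLE"; fi

preflight_check "$SAMPLE" || echo "fix connectivity (or the CA peer) before ipa-replica-install"
rm -f "$SAMPLE"
```

On a live server of a recent 4.x release, `ipa config-show` also reports the IPA CA renewal master, which is the configuration the summary proposes inspecting before any switch.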