Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

goorooj
Posts: 4
Joined: 2021/03/16 10:58:18

Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by goorooj » 2021/03/16 11:26:53

Hi Forum,

We have a Linux infrastructure with only two CentOS machines, which have an IPA LDAP server on them; that was a decision before my time.
All the rest is Ubuntu. And they did not have an admin for years...

Now the CA has run out, and on the old IPA versions (before 3), as far as I know now, there was no automatic renewal and only 8 years of validity; now it's 20... for good reasons.

My normal upgrade process, as seen here
https://github.com/BackBoxSoftware/cent ... -7-upgrade
https://itbeginner.net/upgrade-centos-6-7.html

would now be to set the servers back in time to when the CA was still valid, upgrade CentOS 6 to 7, upgrade IPA to the last repository version on 7, upgrade CentOS to 8, upgrade IPA to a version above 4, have the automatic renewal of the CA and certificates, and then set today's date again. That will spare me a lot of trouble with schema changes in IPA; just setting up a new V4 IPA server on a new CentOS, bringing it into the domain, replicating and switching off the old servers will not work as far as I know.

But all the information is quite old, plus I have no experience with yum, coming from Debian.

The problem I have at the moment is that I have 3 packages that cannot be processed; it's

[root@ldap upgrade]# yum localinstall preupgrade-assistant-*
...
Fehler: Package: preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64 (/preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64)
Requires: pkgconfig(libxslt)
Fehler: Package: preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64 (/preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64)
Requires: pkgconfig(libpcre)
Fehler: Package: preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64 (/preupgrade-assistant-1.0.2-33.0.3.el6.centos.x86_64)
Requires: pkgconfig(libxml-2.0)
...

I have the packages, so I don't understand what happens...
rpm -q pcre
pcre-7.8-6.el6.x86_64
rpm -q libxml2
libxml2-2.7.6-17.el6_6.1.x86_64
rpm -q libxslt
libxslt-1.1.26-2.el6_3.1.x86_64

What is this pkgconfig, and why does it not find it?

I changed the dev.centos.org repository to http://buildlogs.centos.org/centos/6/up ... /Packages/
and I changed the repos like this:
https://www.codesiri.com/2020/12/centos ... valid.html

but I still can't seem to install the right stuff. Help?

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by TrevorH » 2021/03/16 15:36:59

It may be a good plan but it has one major flaw.

There is no upgrade process to go from one CentOS major version to another. Any "guides" you find on the internet telling you otherwise are talking out of their rear end. The process to go from CentOS 6 to 7 is to do a reinstall from scratch. The same process is also true for moving from 6 to 8 or from 7 to 8. There is NO upgrade process and attempting to follow the various guides on the internet will almost certainly end in failure, either catastrophic to the point of rendering the machine unbootable or with other severe errors.

Do not attempt it, it will break.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by jlehtone » 2021/03/16 18:15:17

TrevorH wrote:
2021/03/16 15:36:59
Do not attempt it, it will break.
Or, put another way, there are two paths that could lead to success:
  1. Clean install
  2. Unsupported attempt to "upgrade" that breaks the system and then Clean install

If there are two systems, then what is their relationship? Can the service be provided with just one?
Can you clean install one of them and then migrate the service(s) from old to new? (Then clean install the second.)

goorooj
Posts: 4
Joined: 2021/03/16 10:58:18

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by goorooj » 2021/03/17 07:55:09

Well... the IPA server is an LDAP server with added functionality: integrated CA, Kerberos and such.

It replicates with other masters, in our case a master in another network segment in another data centre. But there can only be one certificate authority.

The problem is that IPA does not have a forum, at least I did not find one. And back in the time it was installed here, it did not run on Ubuntu; that's why these are the only CentOS machines.

I would not have done that if I had been here back then, but I have no choice now.

Now all guides to IPA I found say you can't just replicate a new server with an old one; what you should do is just upgrade the underlying OS and then upgrade IPA to the version in the repositories of that OS version. And then do the same with the other server.

What adds to my misery is that the certificates and CA ran out in February, past their 8 years. So I have to set back the time on my IPA servers to January, pull them up to the newest version, wait until they renew everything and then set the date right again.

What adds still more to my misery is that this is a live environment with ~60 servers running traffic stuff (like car traffic, not net traffic) in 2 sites, and the IPAs are the master domain controllers, regulating just about everything, so I only have limited time to do stuff... and very carefully, I cannot risk damaging the domain... and then Kerberos tickets....

I do have the possibility to take snapshots as the IPA servers are VMs, but the Kerberos will be fscked up after a while. At the moment the only problem is that password changes are not replicated and people have 2 passwords, but after some time they will be rendered useless, so I am also under a bit of time pressure.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by jlehtone » 2021/03/17 08:30:05

goorooj wrote:
2021/03/17 07:55:09
Well... the IPA server is an LDAP server with added functionality: integrated CA, Kerberos and such.
Indeed. Last summer I had to get rid of CentOS 6 servers. They had Kerberos, (deprecated) OpenLDAP, etc. I did look at FreeIPA. https://www.freeipa.org/page/About I actually had most of the components that FreeIPA integrates. Therefore, I chose to just replace OpenLDAP with 389 dirsrv, rather than installing FreeIPA. There was a conversion of LDAP data from OpenLDAP's schema to the 389 schema. Kerberos has its data somewhere too. Transferable.
goorooj wrote:
2021/03/17 07:55:09
It replicates with other masters, in our case a master in another network segment in another data centre. But there can only be one certificate authority.
In the story above I did create a new LDAP and CA on the new server. Migrated data. Then updated all clients to use the new server.
A client can and does know many CAs. IPA clients... are they more limited?
goorooj wrote:
2021/03/17 07:55:09
Now all guides to IPA I found say you can't just replicate a new server with an old one; what you should do is just upgrade the underlying OS and then upgrade IPA to the version in the repositories of that OS version. And then do the same with the other server.
Consider two scenarios:
A:
1. Stop service
2. Update service package
3. Start service

B:
1. Install service to new server
2. Stop service in old server
3. Copy data of service to new server
4. Start service in new server

How does the starting service know whether it is in case A or B?
goorooj wrote:
2021/03/17 07:55:09
What adds still more to my misery is that this is a live environment with ~60 servers running traffic stuff (like car traffic, not net traffic) in 2 sites, and the IPAs are the master domain controllers, regulating just about everything, so I only have limited time to do stuff... and very carefully, I cannot risk damaging the domain... and then Kerberos tickets....
Yes, that is the challenge. Is certificate authority the only component that cannot be replicated?

goorooj
Posts: 4
Joined: 2021/03/16 10:58:18

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by goorooj » 2021/03/17 13:06:45

Thank you for the tips.

IPA can actually replicate the CA to another master and activate it there (it can have only one active CA though); it's a very easy process in the newer versions.

But I have a few nasty tackles there. The change from IPA 2 to IPA 3 had a change in some components, like dogtag-certmonger, etc.

How do I, in CentOS, see and choose the package versions for yum? Like getting not the most recent version of ipa but the earliest one for this CentOS version?

I do find, well documented, how to migrate IPA (same version) from one OS to another... or how to migrate IPA from one version to another...
You can actually make a file with "ipa-replica-prepare", copy that file to the new OS (same version) and get it running instantly with "ipa-replica-install", including CA and all.

If I lose my Kerberos, it will be very nasty because I have to manually generate keys again for more than 80 servers/workstations, and I can't think of a way now to do that with Puppet or Ansible... so it's by foot.

So what I try now will be setting up a CentOS 7, fresh IPA install (oldest version there), and trying whether the replica-file way works when it's a minor jump.
Then upgrading to the last version available on CentOS 7, and so on.

But I kind of need the earliest version of CentOS 7 with the earliest IPA in the repository... I guess it comes down to getting a DVD and not using an online repo???

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Upgrading Centos and IPA ( from 6 to 8 ), broken repo?

Post by jlehtone » 2021/03/18 14:15:50

Presumably "ipa-replica-install" loads data (schema and all) into the database. A restore from a full dump.
An update from one IPA version to another would modify the schema within the database to accommodate new features.
Is it possible that "ipa-replica-install" of a modern IPA could read and modify on the fly an old-format dump?

Certificates are {private,public} pairs with a chain of trust. When you connect to a service, it offers you its public certificate.
The cert claims to have been signed by X. You have the public part of X. Therefore, you can check whether the claim is true.

The service also has the private part of its cert. Both parts of the pair were signed by the private part of X.
Only the CA has the private part of X.

The CA did create the CA root pair X. The public part was delivered to clients. Clients have a long list of public parts of root certificates. Some come in packages, but you can add many more. To replace all, you would therefore:
1. Create a new CA root pair (in secret, like Sauron forged the One Ring)
2. Distribute the public part to all clients. They can start to trust the services. I have Ansible tasks:


  # Install the OS trust store tooling (ca-certificates ships update-ca-trust)
  - name: Install CA package on rhel systems
    yum:
      name:  ca-certificates
      state: present
  # On EL6 the consolidated trust store is opt-in; EL7+ has it enabled already
  - name: Enable dynamic ca configuration on el6
    command: /usr/bin/update-ca-trust enable
    when: ansible_distribution_major_version is version( '6', '==' )
  # Drop the new CA's public cert(s) into the anchors directory; anchors are CAs this host should trust
  - name: Copy certificate authority to trusted ca path of the os
    copy:
      src:  '{{ item }}'
      dest: '/etc/pki/ca-trust/source/anchors/'
      owner: root
      group: root
      setype: cert_t
      mode: '0644'   # quoted so the octal literal is not read as a plain number
    with_fileglob: '{{ site_certificate_glob }}'
  # Regenerate the consolidated bundles (e.g. /etc/pki/tls/certs/ca-bundle.crt) from the anchors
  - name: Update trusted ca redhat
    command: /usr/bin/update-ca-trust
3. Create a new certificate for each service and sign it with the new CA
4. Deliver the new certificates to the services

Alas, I don't use IPA, so I have no idea whether any of that can be done with IPA. Integration is wonderful, when it works ...

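The chain-of-trust explanation and replacement steps above, as an added example that is not from the thread and not IPA's code: Go's standard library plays both the CA and a client, with constructed roots and a made-up service name (ldap.example.test). It shows why the expired root is the real problem and why step 2 (distributing the new public part) must happen before clients accept certificates from step 3.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const svcName = "ldap.example.test" // hypothetical service name, constructed for this example
// issue makes a key pair and certificate for cn signed by parent/parentKey; parent == nil gives a self-signed root pair ("X").
func issue(cn string, ca bool, from, until time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: until, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only the private part of X may sign other certs
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{svcName}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // errors ignored: demo input only
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientCheck does what a connecting client does: chain the offered cert to a root public part it already holds.
func clientCheck(svc *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	_, err := svc.Verify(x509.VerifyOptions{Roots: roots, DNSName: svcName})
	return err
}

// rotation builds the thread's situation with constructed data: an 8-year root that expired a month ago,
// a fresh 20-year root, and a service cert under each; it returns the client's verdict at each stage.
func rotation() (expiredRoot, unknownRoot, bothRoots error) {
	now := time.Now()
	oldCA, oldKey := issue("Old CA", true, now.AddDate(-8, -1, 0), now.AddDate(0, -1, 0), nil, nil)
	newCA, newKey := issue("New CA", true, now.Add(-time.Hour), now.AddDate(20, 0, 0), nil, nil)
	oldSvc, _ := issue(svcName, false, now.Add(-time.Hour), now.AddDate(1, 0, 0), oldCA, oldKey)
	newSvc, _ := issue(svcName, false, now.Add(-time.Hour), now.AddDate(1, 0, 0), newCA, newKey)
	return clientCheck(oldSvc, oldCA), clientCheck(newSvc, oldCA), clientCheck(newSvc, oldCA, newCA)
}
```

The first verdict fails even though the service certificate itself is still in date, because the client rejects the expired candidate root; the second fails until the new root reaches the client, and a client holding both roots accepts the new certificate during the switch-over.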