5.3. 从备份中恢复 IdM 服务器

流程

1. 使用 ipa-restore 程序恢复全服务器或仅数据备份。

   • 如果备份目录位于默认 /var/lib/ipa/backup/ 位置，则只输入目录名称：

     [root@server1 ~]# ipa-restore ipa-full-2020-01-14-12-02-32

   • 如果备份目录不在默认位置，请输入其完整路径：

     [root@server1 ~]# ipa-restore /mybackups/ipa-data-2020-02-01-05-30-00

     注意

     ipa-restore 实用程序自动检测该目录包含的备份类型，并且默认执行同类型的恢复。要从全服务器备份中只执行数据恢复，在 ipa-restore 命令中添加 --data 选项：

     [root@server1 ~]# ipa-restore --data ipa-full-2020-01-14-12-02-32

2. 输入 Directory Manager 密码。

   Directory Manager (existing master) password:

3. 输入 yes 以确认备份中的当前数据覆盖。

   Preparing restore from /var/lib/ipa/backup/ipa-full-2020-01-14-12-02-32 on server1.example.com
   Performing FULL restore from FULL backup
   Temporary setting umask to 022
   Restoring data will overwrite existing live data. Continue to restore? [no]: yes

4. ipa-restore 工具禁用所有可用服务器的复制：

   Each master will individually need to be re-initialized or
   re-created from this one. The replication agreements on
   masters running IPA 3.1 or earlier will need to be manually
   re-enabled. See the man page for details.
   Disabling all replication.
   Disabling replication agreement on server1.example.com to caReplica2.example.com
   Disabling CA replication agreement on server1.example.com to caReplica2.example.com
   Disabling replication agreement on caReplica2.example.com to server1.example.com
   Disabling replication agreement on caReplica2.example.com to replica3.example.com
   Disabling CA replication agreement on caReplica2.example.com to server1.example.com
   Disabling replication agreement on replica3.example.com to caReplica2.example.com

   然后该工具将停止 IdM 服务，恢复备份并重启服务：

   Stopping IPA services
   Systemwide CA database updated.
   Restoring files
   Systemwide CA database updated.
   Restoring from userRoot in EXAMPLE-COM
   Restoring from ipaca in EXAMPLE-COM
   Restarting GSS-proxy
   Starting IPA services
   Restarting SSSD
   Restarting oddjobd
   Restoring umask to 18
   The ipa-restore command was successful

5. 重新初始化连接到恢复的服务器的所有副本：

   1. 列出 domai 后缀的所有复制拓扑片段，记录涉及恢复的服务器的拓扑片段。

      [root@server1 ~]# ipa topologysegment-find domain
      ------------------
      2 segments matched
      ------------------
        Segment name: server1.example.com-to-caReplica2.example.com
        Left node: server1.example.com
        Right node: caReplica2.example.com
        Connectivity: both
      
        Segment name: caReplica2.example.com-to-replica3.example.com
        Left node: caReplica2.example.com
        Right node: replica3.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 2
      ----------------------------

   2. 使用恢复的服务器重新初始化所有拓扑片段的 domai 后缀。

      在本例中，使用来自 server1 的数据对 caReplica2 进行重新初始化。

      [root@caReplica2 ~]# ipa-replica-manage re-initialize --from=server1.example.com
      Update in progress, 2 seconds elapsed
      Update succeeded

   3. 继续到证书颁发机构数据，列出 ca 后缀的所有复制拓扑片段。

      [root@server1 ~]# ipa topologysegment-find ca
      -----------------
      1 segment matched
      -----------------
        Segment name: server1.example.com-to-caReplica2.example.com
        Left node: server1.example.com
        Right node: caReplica2.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 1
      ----------------------------

   4. 重新初始化连接到恢复的服务器的所有 CA 副本。

      在本例中，使用来自 server1 的数据执行 caReplica2 的 csreplica 重新初始化。

      [root@caReplica2 ~]# ipa-csreplica-manage re-initialize --from=server1.example.com
      Directory Manager password:
      
      Update in progress, 3 seconds elapsed
      Update succeeded

6. 继续进入复制拓扑，重新初始化连续的副本，直到所有服务器都已使用恢复的服务器 server1.example.com 的数据进行更新。

   在本例中，我们只需要使用 caReplica2 中的数据在 replica3 上重新初始化 domai 后缀。

   [root@replica3 ~]# ipa-replica-manage re-initialize --from=caReplica2.example.com
   Directory Manager password:
   
   Update in progress, 3 seconds elapsed
   Update succeeded

7. 清除每台服务器上 SSSD 的缓存，以避免因为数据无效而导致的身份验证问题：

   1. 停止 SSSD 服务：

      [root@server ~]# systemctl stop sssd

   2. 从 SSSD 中删除所有缓存的内容：

      [root@server ~]# sss_cache -E

   3. 启动 SSSD 服务：

      [root@server ~]# systemctl start sssd

   4. 重启服务器。