8.9. Restoring an IdM server from backup
Restore an IdM server, or only its LDAP data, from an IdM backup.
Figure 8.1. Replication topology used in this example
Server host name | Function |
---|---|
server1.example.com | The server that needs to be restored from backup. |
caReplica2.example.com | Connected to server1.example.com. |
replica3.example.com | Connected to caReplica2.example.com. |
Prerequisites
Procedure
- Use the ipa-restore utility to restore a full-server or data-only backup. If the backup directory is in the default /var/lib/ipa/backup/ location, enter only the directory name:

    [root@server1 ~]# ipa-restore ipa-full-2020-01-14-12-02-32

  If the backup directory is not in the default location, enter its full path:

    [root@server1 ~]# ipa-restore /mybackups/ipa-data-2020-02-01-05-30-00

  Note: the ipa-restore utility automatically detects the type of backup the directory contains and, by default, performs a restore of the same type. To restore only the data from a full-server backup, add the --data option to the ipa-restore command:

    [root@server1 ~]# ipa-restore --data ipa-full-2020-01-14-12-02-32
- Enter the Directory Manager password.

    Directory Manager (existing master) password:
- Enter yes to confirm overwriting the current data with the data from the backup.

    Preparing restore from /var/lib/ipa/backup/ipa-full-2020-01-14-12-02-32 on server1.example.com
    Performing FULL restore from FULL backup
    Temporary setting umask to 022
    Restoring data will overwrite existing live data. Continue to restore? [no]: yes

  The ipa-restore utility disables replication on all available servers:

    Each master will individually need to be re-initialized or
    re-created from this one. The replication agreements on
    masters running IPA 3.1 or earlier will need to be manually
    re-enabled. See the man page for details.
    Disabling all replication.
    Disabling replication agreement on server1.example.com to caReplica2.example.com
    Disabling CA replication agreement on server1.example.com to caReplica2.example.com
    Disabling replication agreement on caReplica2.example.com to server1.example.com
    Disabling replication agreement on caReplica2.example.com to replica3.example.com
    Disabling CA replication agreement on caReplica2.example.com to server1.example.com
    Disabling replication agreement on replica3.example.com to caReplica2.example.com
  The utility then stops the IdM services, restores the backup, and restarts the services:

    Stopping IPA services
    Systemwide CA database updated.
    Restoring files
    Systemwide CA database updated.
    Restoring from userRoot in EXAMPLE-COM
    Restoring from ipaca in EXAMPLE-COM
    Restarting GSS-proxy
    Starting IPA services
    Restarting SSSD
    Restarting oddjobd
    Restoring umask to 18
    The ipa-restore command was successful
- Re-initialize all replicas connected to the restored server:
  - List all replication topology segments for the domain suffix and note the segments that involve the restored server.

      [root@server1 ~]# ipa topologysegment-find domain
      ------------------
      2 segments matched
      ------------------
        Segment name: server1.example.com-to-caReplica2.example.com
        Left node: server1.example.com
        Right node: caReplica2.example.com
        Connectivity: both

        Segment name: caReplica2.example.com-to-replica3.example.com
        Left node: caReplica2.example.com
        Right node: replica3.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 2
      ----------------------------

  - Re-initialize the domain suffix of all topology segments that involve the restored server. In this example, re-initialize caReplica2 with the data from server1.

      [root@caReplica2 ~]# ipa-replica-manage re-initialize --from=server1.example.com
      Update in progress, 2 seconds elapsed
      Update succeeded

  - Moving on to the Certificate Authority data, list all replication topology segments for the ca suffix.

      [root@server1 ~]# ipa topologysegment-find ca
      -----------------
      1 segment matched
      -----------------
        Segment name: server1.example.com-to-caReplica2.example.com
        Left node: server1.example.com
        Right node: caReplica2.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 1
      ----------------------------

  - Re-initialize all CA replicas connected to the restored server. In this example, perform a csreplica re-initialization of caReplica2 with the data from server1.

      [root@caReplica2 ~]# ipa-csreplica-manage re-initialize --from=server1.example.com
      Directory Manager password:
      Update in progress, 3 seconds elapsed
      Update succeeded

  - Continue through the replication topology, re-initializing successive replicas, until every server has been updated with the data from the restored server server1.example.com. In this example, we only need to re-initialize the domain suffix on replica3 with the data from caReplica2.

      [root@replica3 ~]# ipa-replica-manage re-initialize --from=caReplica2.example.com
      Directory Manager password:
      Update in progress, 3 seconds elapsed
      Update succeeded
- Clear the SSSD cache on every server to avoid authentication problems caused by invalid cached data:
  - Stop the SSSD service:

      [root@server ~]# systemctl stop sssd

  - Remove all cached content from SSSD:

      [root@server ~]# sss_cache -E

  - Start the SSSD service:

      [root@server ~]# systemctl start sssd
- Reboot the server.
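The re-initialization steps above are worked by hand, walking outward from the restored server one topology segment at a time. As an added example (not part of this documentation or of FreeIPA), the following Python script derives that order automatically: it parses the plain-text segment listing of ipa topologysegment-find (the sample here is constructed from this page's topology), walks the segments breadth-first from the restored server so that every --from source has already been re-initialized, and raises an error for any server the topology does not reach, since such a server would be left with stale data after ipa-restore disabled all replication. The [root@host ~]# prompt in the rendered commands is an assumption for readability only.

```python
import re
from collections import deque

# Constructed sample: segment lines from `ipa topologysegment-find domain` for this page's topology.
DOMAIN_SEGMENTS = """\
  Segment name: server1.example.com-to-caReplica2.example.com
  Left node: server1.example.com
  Right node: caReplica2.example.com
  Connectivity: both

  Segment name: caReplica2.example.com-to-replica3.example.com
  Left node: caReplica2.example.com
  Right node: replica3.example.com
  Connectivity: both
"""
CA_SEGMENTS = DOMAIN_SEGMENTS.split("\n\n")[0]  # the ca suffix has only the first segment

def parse_segments(text):
    """Return (left, right) host pairs from topologysegment-find output."""
    lefts = re.findall(r"Left node:\s*(\S+)", text)
    rights = re.findall(r"Right node:\s*(\S+)", text)
    if len(lefts) != len(rights):
        raise ValueError("unbalanced Left node / Right node lines")
    return list(zip(lefts, rights))

def reinit_order(segments, restored):
    """Breadth-first walk from the restored server: returns [(replica, source)]
    so each replica's --from source is re-initialized before it. Raises if a
    server is unreachable, since it would silently keep stale data."""
    adj = {}
    for left, right in segments:
        adj.setdefault(left, []).append(right)
        adj.setdefault(right, []).append(left)
    order, seen, queue = [], {restored}, deque([restored])
    while queue:
        source = queue.popleft()
        for replica in adj.get(source, []):
            if replica not in seen:
                seen.add(replica)
                order.append((replica, source))
                queue.append(replica)
    missing = sorted(set(adj) - seen)
    if missing:
        raise ValueError(f"not reachable from {restored}: {missing}")
    return order

def commands(segments, restored, tool):
    """One re-initialize command per replica, in order (the prompt is assumed)."""
    return [f"[root@{host.split('.')[0]} ~]# {tool} re-initialize --from={src}"
            for host, src in reinit_order(segments, restored)]
```

Call commands(parse_segments(DOMAIN_SEGMENTS), "server1.example.com", "ipa-replica-manage") for the domain suffix and the same with CA_SEGMENTS and "ipa-csreplica-manage" for the ca suffix; the result is exactly the sequence of commands run in the procedure above.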
Additional resources
- The ipa-restore(1) man page also covers in detail how to handle complex replication scenarios during a restore.