Red Hat Training
A Red Hat training course is available for RHEL 8
8.9. 从备份中恢复 IdM 服务器
以下流程描述了从 IdM 备份中恢复 IdM 服务器或者其 LDAP 数据。
图 8.1. 本例中使用的复制拓扑
表 8.1. 本例中使用的服务器命名惯例
| 服务器主机名 | 功能 |
|---|---|
|
| 需要从备份中恢复的服务器。 |
|
|
连接到 |
|
|
连接到 |
先决条件
流程
使用
ipa-restore程序恢复全服务器或仅数据备份。如果备份目录位于默认
/var/lib/ipa/backup/位置,则只输入目录名称:[root@server1 ~]# ipa-restore ipa-full-2020-01-14-12-02-32如果备份目录不在默认位置,请输入其完整路径:
[root@server1 ~]# ipa-restore /mybackups/ipa-data-2020-02-01-05-30-00注意ipa-restore实用程序自动检测该目录包含的备份类型,并且默认执行同类型的恢复。要从全服务器备份中只执行数据恢复,在ipa-restore命令中添加--data选项:[root@server1 ~]# ipa-restore --data ipa-full-2020-01-14-12-02-32
输入 Directory Manager 密码。
Directory Manager (existing master) password:
输入
yes以确认备份中的当前数据覆盖。Preparing restore from /var/lib/ipa/backup/ipa-full-2020-01-14-12-02-32 on server1.example.com Performing FULL restore from FULL backup Temporary setting umask to 022 Restoring data will overwrite existing live data. Continue to restore? [no]: yesipa-restore工具禁用所有可用服务器的复制:Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details. Disabling all replication. Disabling replication agreement on server1.example.com to caReplica2.example.com Disabling CA replication agreement on server1.example.com to caReplica2.example.com Disabling replication agreement on caReplica2.example.com to server1.example.com Disabling replication agreement on caReplica2.example.com to replica3.example.com Disabling CA replication agreement on caReplica2.example.com to server1.example.com Disabling replication agreement on replica3.example.com to caReplica2.example.com
然后该工具将停止 IdM 服务,恢复备份并重启服务:
Stopping IPA services Systemwide CA database updated. Restoring files Systemwide CA database updated. Restoring from userRoot in EXAMPLE-COM Restoring from ipaca in EXAMPLE-COM Restarting GSS-proxy Starting IPA services Restarting SSSD Restarting oddjobd Restoring umask to 18 The ipa-restore command was successful重新初始化连接到恢复的服务器的所有副本:
列出
domai后缀的所有复制拓扑片段,记录涉及恢复的服务器的拓扑片段。[root@server1 ~]# ipa topologysegment-find domain ------------------ 2 segments matched ------------------ Segment name: server1.example.com-to-caReplica2.example.com Left node: server1.example.com Right node: caReplica2.example.com Connectivity: both Segment name: caReplica2.example.com-to-replica3.example.com Left node: caReplica2.example.com Right node: replica3.example.com Connectivity: both ---------------------------- Number of entries returned 2 ----------------------------
使用恢复的服务器重新初始化所有拓扑片段的
domai后缀。在本例中,使用来自
server1的数据对caReplica2进行重新初始化。[root@caReplica2 ~]# ipa-replica-manage re-initialize --from=server1.example.com Update in progress, 2 seconds elapsed Update succeeded继续到证书颁发机构数据,列出
ca后缀的所有复制拓扑片段。[root@server1 ~]# ipa topologysegment-find ca ----------------- 1 segment matched ----------------- Segment name: server1.example.com-to-caReplica2.example.com Left node: server1.example.com Right node: caReplica2.example.com Connectivity: both ---------------------------- Number of entries returned 1 ----------------------------
重新初始化连接到恢复的服务器的所有 CA 副本。
在本例中,使用来自
server1的数据执行caReplica2的csreplica重新初始化。[root@caReplica2 ~]# ipa-csreplica-manage re-initialize --from=server1.example.com Directory Manager password: Update in progress, 3 seconds elapsed Update succeeded
继续进入复制拓扑,重新初始化连续的副本,直到所有服务器都已使用恢复的服务器
server1.example.com的数据进行更新。在本例中,我们只需要使用
caReplica2中的数据在replica3上重新初始化domai后缀。[root@replica3 ~]# ipa-replica-manage re-initialize --from=caReplica2.example.com Directory Manager password: Update in progress, 3 seconds elapsed Update succeeded清除每台服务器上 SSSD 的缓存,以避免因为数据无效而导致身份验证的问题:
停止 SSSD 服务:
[root@server ~]# systemctl stop sssd从 SSSD 中删除所有缓存的内容:
[root@server ~]# sss_cache -E启动 SSSD 服务:
[root@server ~]# systemctl start sssd- 重启服务器。
其他资源
-
ipa-restore(1)man page 还详细介绍了如何在恢复期间处理复杂复制方案。
