From Fedora Project Wiki

Description

IPA back up and restore

Setup

This requires an IPA master and at least one replica.

How to test

Create Users

To make things interesting, create a few users, groups and HBAC rules: something you can use to help confirm that restoration is successful.

Backup

We start by making several kinds of backups. Once done, do some basic sanity checking on the backups themselves, then we'll put them to the test.

Unencrypted Full Backup

# ipa-backup

Confirm that a new directory was created in /var/lib/ipa/backup with your backup data. You can use tar to examine the tarball containing the backup.

Encrypted Full Backup

Generate a GPG key for root. Accepting all the defaults is fine:

# gpg --gen-key
# ipa-backup --gpg

To verify that the data is indeed encrypted, try to examine the contents of /var/lib/ipa/backup/ipa-full-<date-time>/ipa-full.tar.gpg

Data backup

# ipa-backup --data

The backup directory prefix should be ipa-data rather than ipa-full.
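
A scripted version of the sanity checks in this section, added here as an example and not part of the original test case: it checks the directory prefix, confirms that an unencrypted tarball lists with tar, and confirms that an encrypted one does not. The function name check_backup and the tarball names ipa-full.tar and ipa-data.tar are assumptions extrapolated from the ipa-full.tar.gpg path above.

```bash
#!/bin/bash
# Added example: sanity-check one ipa-backup output directory.
# Assumption: the tarball is named ipa-<kind>.tar (plus .gpg when encrypted),
# following the ipa-full.tar.gpg path shown on this page.

check_backup() {
    local dir name kind tarball
    dir=${1%/}
    name=$(basename "$dir")

    # The directory prefix tells full and data-only backups apart.
    case "$name" in
        ipa-full-*) kind=full ;;
        ipa-data-*) kind=data ;;
        *) echo "unexpected directory name: $name" >&2; return 1 ;;
    esac
    tarball="$dir/ipa-$kind.tar"

    if [ -f "$tarball.gpg" ]; then
        # An encrypted backup must not be listable as a plain tar archive,
        # and no cleartext copy should sit next to it.
        if [ -f "$tarball" ]; then
            echo "cleartext tarball left beside $tarball.gpg" >&2; return 1
        fi
        if tar -tf "$tarball.gpg" >/dev/null 2>&1; then
            echo "$tarball.gpg is readable as plain tar, not encrypted" >&2
            return 1
        fi
        echo "$kind-encrypted"
    elif [ -f "$tarball" ]; then
        # An unencrypted backup must list cleanly with tar.
        if ! tar -tf "$tarball" >/dev/null 2>&1; then
            echo "$tarball is not a valid tar archive" >&2; return 1
        fi
        echo "$kind-plain"
    else
        echo "no tarball found in $dir" >&2; return 1
    fi
}

# Usage: ./check_backup.sh /var/lib/ipa/backup/ipa-*
for d in "$@"; do
    check_backup "$d" || echo "FAILED: $d" >&2
done
```

Run it as root against each directory under /var/lib/ipa/backup before moving on to the restore tests.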

Restore

When restoring data, the critical thing to remember is that replication must be disabled before the restore so that nothing newer overwrites what we're restoring.

In each restoration step, create a new entry before doing the restore and confirm that it ends up gone on both the master and the replica. If not, the test fails.

For each test, on both the master and the replica:

  • Verify that the restored entries are all there
  • Verify that the new entry or entries you created are gone

Restore from unencrypted backup

# ipa-restore <first full backup>

e.g.

# ipa-restore ipa-full-2013-04-12-16-28-04

On the replica when this is done:

# ipa-replica-manage re-initialize --from=master.example.com

Restore from encrypted backup

# ipa-restore <second full backup>

On the replica when this is done:

# ipa-replica-manage re-initialize --from=master.example.com

Restore from data backup

# ipa-restore <only data backup>

On the replica when this is done:

# ipa-replica-manage re-initialize --from=master.example.com

Really test full restore

Let's see how catastrophic restore really works.

On the initial master:

# ipa-server-install --uninstall -U

First a negative test. Try to restore the data backup you made:

# ipa-restore <only data backup>

It should fail because you can't restore a data backup onto a fresh system.

Now do a full restore:

# ipa-restore <either of the full backups>

Expected Results

All the test steps should end with the specified results.