Description
IPA back up and restore
Setup
This requires an IPA master and at least one replica.
How to test
Create Users
To make things interesting, create a few users, groups, HBAC rules, something you can use to help confirm that restoration is successful.
Backup
We start by making several kinds of backups. Once done, do some basic sanity checking on the backups themselves, then we'll put them to the test.
Unencrypted Full Backup
# ipa-backup
Confirm that a new directory was created in /var/lib/ipa/backup with your backup data. You can use tar to examine the tarball containing the backup.
Encrypted Full Backup
Generate a GPG key for root. Accepting all the defaults is fine:
# gpg --gen-key
# ipa-backup --gpg
To verify that the data is indeed encrypted, try to examine the contents of /var/lib/ipa/backup/ipa-full-<date-time>/ipa-full.tar.gpg.
Data backup
# ipa-backup --data
The backup directory prefix should be ipa-data rather than ipa-full.
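The sanity checks above can be scripted. The following is an added example, not part of the original test plan or of FreeIPA itself. It assumes the tarballs are named ipa-full.tar and ipa-data.tar, with a .gpg suffix for encrypted backups (the page names only ipa-full.tar.gpg); check_ipa_backup is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: sanity-check one ipa-backup output directory.
# Assumption: tarball names ipa-full.tar / ipa-data.tar (+ .gpg when --gpg
# was used); only ipa-full.tar.gpg is named on the page.
# Usage: check_ipa_backup /var/lib/ipa/backup/ipa-full-<date-time>
check_ipa_backup() {
    dir=${1%/}
    name=$(basename "$dir")
    # The directory prefix tells us which kind of backup to expect.
    case "$name" in
        ipa-full-*) kind=full ;;
        ipa-data-*) kind=data ;;
        *) echo "FAIL: unexpected directory prefix: $name"; return 1 ;;
    esac
    plain="$dir/ipa-$kind.tar"
    enc="$plain.gpg"
    if [ -f "$plain" ] && [ -f "$enc" ]; then
        echo "FAIL: both plain and encrypted tarballs present"; return 1
    elif [ -f "$plain" ]; then
        # Unencrypted: tar must list it without error and it must not be empty.
        if listing=$(tar -tf "$plain" 2>/dev/null) && [ -n "$listing" ]; then
            echo "$kind unencrypted"; return 0
        fi
        echo "FAIL: $plain is not a readable tar archive"; return 1
    elif [ -f "$enc" ]; then
        # Encrypted: if tar can list the file, it was never encrypted.
        if tar -tf "$enc" >/dev/null 2>&1; then
            echo "FAIL: $enc is readable as plain tar"; return 1
        fi
        echo "$kind encrypted"; return 0
    fi
    echo "FAIL: no tarball found in $dir"; return 1
}
```

A passing "encrypted" result only shows the file is not a plain tarball; decrypting it with root's GPG key, as ipa-restore does, is still the real test.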
Restore
When restoring data, the critical thing to remember is that we need to disable replication before restoring so that nothing newer overwrites what we're restoring.
In each restoration step, create a new entry before doing the restore and confirm that it ends up gone on both the master and the replica. If not, the test fails.
For each test, on both the master and the replica:
- Verify that the restored entries are all there
- Verify that the new entry or entries you created are gone
Restore from unencrypted backup
# ipa-restore <first full backup>
e.g.
# ipa-restore ipa-full-2013-04-12-16-28-04
On the replica when this is done:
# ipa-replica-manage re-initialize --from=master.example.com
Restore from encrypted backup
# ipa-restore <second full backup>
On the replica when this is done:
# ipa-replica-manage re-initialize --from=master.example.com
Restore from data backup
# ipa-restore <only data backup>
On the replica when this is done:
# ipa-replica-manage re-initialize --from=master.example.com
Really test full restore
Let's see how catastrophic restore really works.
On the initial master:
# ipa-server-install --uninstall -U
First a negative test. Try to restore the data backup you made:
# ipa-restore <only data backup>
It should fail because you can't restore a data backup onto a fresh system.
Now do a full restore:
# ipa-restore <either of the full backups>
Expected Results
All the test steps should end with the specified results.