mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
8e165480ac
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too. The gpg2 command behaves a bit different and requires a gpg2 compatible config directory. Therefore the --keyring option has been deprecated. The backup and restore tools now use root's GPG keyring by default. Custom configuration and keyring can be used by setting GNUPGHOME environment variables. Fixes: https://pagure.io/freeipa/issue/7560 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
109 lines
5.9 KiB
Groff
109 lines
5.9 KiB
Groff
.\" A man page for ipa-restore
|
|
.\" Copyright (C) 2013 Red Hat, Inc.
|
|
.\"
|
|
.\" This program is free software; you can redistribute it and/or modify
|
|
.\" it under the terms of the GNU General Public License as published by
|
|
.\" the Free Software Foundation, either version 3 of the License, or
|
|
.\" (at your option) any later version.
|
|
.\"
|
|
.\" This program is distributed in the hope that it will be useful, but
|
|
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
.\" General Public License for more details.
|
|
.\"
|
|
.\" You should have received a copy of the GNU General Public License
|
|
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
.\"
|
|
.\" Author: Rob Crittenden <rcritten@redhat.com>
|
|
.\"
|
|
.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
|
|
.SH "NAME"
|
|
ipa\-restore \- Restore an IPA master
|
|
.SH "SYNOPSIS"
|
|
ipa\-restore [\fIOPTION\fR]... BACKUP
|
|
.SH "DESCRIPTION"
|
|
Only the name of the backup needs to be passed in, not the full path. Backups are stored in a subdirectory in /var/lib/ipa/backup. If a backup is in another location then the full path must be provided.
|
|
.TP
|
|
The naming convention for full backups is ipa\-full\-YEAR\-MM\-DD\-HH\-MM\-SS in the GMT time zone.
|
|
.TP
|
|
The naming convention for data backups is ipa\-data\-YEAR\-MM\-DD\-HH\-MM\-SS In the GMT time zone.
|
|
.TP
|
|
The type of backup is automatically detected. A data restore can be done from either type.
|
|
.TP
|
|
\fBWARNING\fR: A full restore will restore files like /etc/passwd, /etc/group, /etc/resolv.conf as well. Any file that IPA may have touched is backed up and restored.
|
|
.TP
|
|
An encrypted backup is also automatically detected and the root keyring and gpg-agent is used by default. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
|
|
.TP
|
|
Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
|
|
.TP
|
|
A backup can not be restored on another host.
|
|
.TP
|
|
A backup can not be restored in a different version of IPA.
|
|
.TP
|
|
Restoring from backup sets the server as the new data master. All other masters will need to be re\-initialized. The first step in restoring a backup is to disable replication on all the other masters. This is to prevent the changelog from overwriting the data in the backup.
|
|
.TP
|
|
Use the ipa\-replica\-manage and ipa\-csreplica\-manage commands to re\-initialize other masters. ipa\-csreplica\-manage only needs to be executed on masters that have a CA installed.
|
|
.SH "REPLICATION"
|
|
The restoration on other masters needs to be done carefully, to match the replication topology, working outward from the restored master. For example, if your topology is A <\-> B <\-> C and you restored master A you would restore B first, then C.
|
|
.TP
|
|
Replication is disabled on all masters that are available when a restoration is done. If a master is down at the time of the restoration you will need to proceed with extreme caution. If this master is brought back up after the restoration is complete it may send out replication updates that apply the very changes you were trying to back out. The only safe answer is to reinstall the master. This would involve deleting all replication agreements to the master. This could have a cascading effect if the master is a hub to other masters. They would need to be connected to other masters before removing the downed master.
|
|
.TP
|
|
If the restore point is from a period prior to a replication agreement then the master will need to be re\-installed. For example, you have masters A and B and you create a backup. You then add master C from B. Then you restore from the backup. The restored data is going to lose the replication agreement to C. The master on C will have a replication agreement pointing to B, but B won't have the reverse agreement. Master C won't be registered as an IPA master. It may be possible to manually correct these and re\-connect C to B but it would be very prone to error.
|
|
.TP
|
|
If re\-initializing on an IPA master version prior to 3.2 then the replication agreements will need to be manually re\-enabled otherwise the re\-initialization will never complete. To manually enable an agreement use ldapsearch to find the agreement name in cn=mapping tree,cn=config. The value of nsds5ReplicaEnabled needs to be on, and enabled on both sides. Remember that CA replication is done through a separate agreement and will need to be updated separately.
|
|
.TP
|
|
If you have older masters you should consider re\-creating them rather than trying to re\-initialize them.
|
|
.SH "OPTIONS"
|
|
.TP
|
|
\fB\-p\fR, \fB\-\-password\fR=\fIPASSWORD\fR
|
|
The Directory Manager password.
|
|
.TP
|
|
\fB\-\-data\fR
|
|
Restore the data only. The default is to restore everything in the backup.
|
|
.TP
|
|
\fB\-\-no\-logs\fR
|
|
Exclude the IPA service log files in the backup (if they were backed up).
|
|
.TP
|
|
\fB\-\-online\fR
|
|
Perform the restore on\-line. Requires data\-only backup or the \-\-data option.
|
|
.TP
|
|
\fB\-\-instance\fR=\fIINSTANCE\fR
|
|
Restore only the databases in this 389\-ds instance. The default is to restore all found (at most this is the IPA REALM instance and the PKI\-IPA instance). Requires data\-only backup or the \-\-data option.
|
|
.TP
|
|
\fB\-\-backend\fR=\fIBACKEND\fR
|
|
The backend to restore within an instance or instances. Requires data\-only backup or the \-\-data option.
|
|
.TP
|
|
\fB\-\-v\fR, \fB\-\-verbose\fR
|
|
Print debugging information
|
|
.TP
|
|
\fB\-d\fR, \fB\-\-debug\fR
|
|
Alias for \-\-verbose
|
|
.TP
|
|
\fB\-q\fR, \fB\-\-quiet\fR
|
|
Output only errors
|
|
.TP
|
|
\fB\-\-log\-file\fR=\fIFILE\fR
|
|
Log to the given file
|
|
.SH "EXIT STATUS"
|
|
0 if the command was successful
|
|
|
|
1 if an error occurred
|
|
.SH "ENVIRONMENT VARIABLES"
|
|
.PP
|
|
\fBGNUPGHOME\fR
|
|
Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
|
|
.SH "FILES"
|
|
.PP
|
|
\fI/var/lib/ipa/backup\fR
|
|
.RS 4
|
|
The default directory for storing backup files.
|
|
.RE
|
|
.PP
|
|
\fl/var/log/iparestore.log\fR
|
|
.RS 4
|
|
The log file for restoration
|
|
.PP
|
|
.SH "SEE ALSO"
|
|
.BR ipa\-backup(1)
|
|
.BR gpg2(1)
|