1ipa-restore(1) IPA Manual Pages ipa-restore(1)
2
3
4
6 ipa-restore - Restore an IPA master
7
9 ipa-restore [OPTION]... BACKUP
10
12 Only the name of the backup needs to be passed in, not the full path.
13 Backups are stored in a subdirectory in /var/lib/ipa/backup. If a
14 backup is in another location then the full path must be provided.
15
16 The naming convention for full backups is ipa-full-YEAR-MM-DD-HH-MM-SS
17 in the GMT time zone.
18
19 The naming convention for data backups is ipa-data-YEAR-MM-DD-HH-MM-SS
20 In the GMT time zone.
21
22 The type of backup is automatically detected. A data restore can be
23 done from either type.
24
25 WARNING: A full restore will restore files like /etc/passwd,
26 /etc/group, /etc/resolv.conf as well. Any file that IPA may have
27 touched is backed up and restored.
28
29 An encrypted backup is also automatically detected and the root keyring
30 and gpg-agent is used by default. Set GNUPGHOME environment variable to
31 use a custom keyring and gpg2 configuration.
32
33 Within the subdirectory is file, header, that describes the back up
34 including the type, system, date of backup, the version of IPA, the
35 version of the backup and the services on the master.
36
37 A backup can not be restored on another host.
38
39 A backup can not be restored in a different version of IPA.
40
41 Restoring from backup sets the server as the new data master. All other
42 masters will need to be re-initialized. The first step in restoring a
43 backup is to disable replication on all the other masters. This is to
44 prevent the changelog from overwriting the data in the backup.
45
46 Use the ipa-replica-manage and ipa-csreplica-manage commands to re-ini‐
47 tialize other masters. ipa-csreplica-manage only needs to be executed
48 on masters that have a CA installed.
49
51 The restoration on other masters needs to be done carefully, to match
52 the replication topology, working outward from the restored master. For
53 example, if your topology is A <-> B <-> C and you restored master A
54 you would restore B first, then C.
55
56 Replication is disabled on all masters that are available when a
57 restoration is done. If a master is down at the time of the restoration
58 you will need to proceed with extreme caution. If this master is
59 brought back up after the restoration is complete it may send out
60 replication updates that apply the very changes you were trying to back
61 out. The only safe answer is to reinstall the master. This would
62 involve deleting all replication agreements to the master. This could
63 have a cascading effect if the master is a hub to other masters. They
64 would need to be connected to other masters before removing the downed
65 master.
66
67 If the restore point is from a period prior to a replication agreement
68 then the master will need to be re-installed. For example, you have
69 masters A and B and you create a backup. You then add master C from B.
70 Then you restore from the backup. The restored data is going to lose
71 the replication agreement to C. The master on C will have a replication
72 agreement pointing to B, but B won't have the reverse agreement. Master
73 C won't be registered as an IPA master. It may be possible to manually
74 correct these and re-connect C to B but it would be very prone to
75 error.
76
77 If re-initializing on an IPA master version prior to 3.2 then the
78 replication agreements will need to be manually re-enabled otherwise
79 the re-initialization will never complete. To manually enable an agree‐
80 ment use ldapsearch to find the agreement name in cn=mapping
81 tree,cn=config. The value of nsds5ReplicaEnabled needs to be on, and
82 enabled on both sides. Remember that CA replication is done through a
83 separate agreement and will need to be updated separately.
84
85 If you have older masters you should consider re-creating them rather
86 than trying to re-initialize them.
87
89 -p, --password=PASSWORD
90 The Directory Manager password.
91
92 --data Restore the data only. The default is to restore everything in
93 the backup.
94
95 --no-logs
96 Exclude the IPA service log files in the backup (if they were
97 backed up).
98
99 --online
100 Perform the restore on-line. Requires data-only backup or the
101 --data option.
102
103 --instance=INSTANCE
104 Restore only the databases in this 389-ds instance. The default
105 is to restore all found (at most this is the IPA REALM instance
106 and the PKI-IPA instance). Requires data-only backup or the
107 --data option.
108
109 --backend=BACKEND
110 The backend to restore within an instance or instances. Requires
111 data-only backup or the --data option.
112
113 --v, --verbose
114 Print debugging information
115
116 -d, --debug
117 Alias for --verbose
118
119 -q, --quiet
120 Output only errors
121
122 --log-file=FILE
123 Log to the given file
124
126 0 if the command was successful
127
128 1 if an error occurred
129
131 GNUPGHOME Use custom GnuPG keyring and settings (default: ~/.gnupg).
132
134 /var/lib/ipa/backup
135 The default directory for storing backup files.
136
137 /var/log/iparestore.log
138 The log file for restoration
139
141 ipa-backup(1) gpg2(1)
142
143
144
145IPA Mar 22 2013 ipa-restore(1)