Repair a FreeIPA instance

When running in high-availability mode, the identity management system runs multiple instances of FreeIPA on separate hosts. In case of failure, you can repair failed hosts using the CDP command-line within one week of a node failing.

The repair process for FreeIPA hosts performs the following steps, stopping when a healthy status returns:
  • Start any FreeIPA hosts that are stopped.
  • Reboot FreeIPA hosts. (same physical host, same public DNS name, private IP address, and associated storage).
  • Restore identity management data from backup.
  • Stop and restart FreeIPA hosts (rebuild using new hardware).

This procedure uses the CDP command-line interface. If you haven't already installed the CLI, see Installing CDP client for instructions.

Run the FreeIPA repair command.
Run this command from a computer that has network access to the FreeIPA hosts.
cdp environments repair-freeipa --environment-name <value>
                  [--force | --no-force]
                  [--instances <value>]
                  [--cli-input-json <value>]
                  [--generate-cli-skeleton]
                  [--repair-type <string>]
where the options are the following:
Option Description
--environment-name <value> Specifies the FreeIPA's environment name or CRN. The environment CRN is listed in Environment > Summary > General.
--force | --no-force Choose to force the repair even if the status if the FreeIPA nodes are good. If not specified, defaults to no-force.
--instances <value> Specifies the instance IDs to repair. Use a space to separate multiple instance IDs. If no IDs are provided then all instances are considered for repair. The FreeIPA instance IDs are listed in Environment > Summary > FreeIPA.

You can get the IDs from the output of the cdp environments get-freeipa-status command.

--cli-input-json <value> Performs the operations indicated in the command provided in JSON format. Call generate-cli-skeleton to see a template of the required JSON content. If other arguments are provided on the command line, the command line values override the JSON-provided values.
--generated-cli-skeleton Displays an example of the format of the input JSON. The repair command does not run.
--repair-type <string> The type of FreeIPA repair to perform.
  • AUTO - Currently, this is the same as reboot but this may change in the future.
  • REBOOT - Repair the failed instances by rebooting them.
  • REBUILD - Repair the failed instances by deleting them and creating new instances, then replicate data from an existing instance to the new instances.
Possible values: AUTO REBOOT REBUILD
For example, the following command repairs two instances without forcing the repair:
$ cdp environment repair-freeipa --environment-name crn:cdp:environments:us-west-1:12a0079b-1591-dd33-b721-a446bda74e67:environment:36853fcc-2fef-4094-834c-557b4aea34ee --instances i-078ba50f9feb6638f i-09e8b54a343b33d2 
cdp environments repair-freeipa --environment-name john-doe-env2-25793 --instances i-0288d991ed998ec03 --force
{
    "operationId": "edda2c68-5a29-4f60-a150-aca963b36ead",
    "status": "RUNNING",
    "successfulOperationDetails": [],
    "failureOperationDetails": [],
    "startDate": "2020-10-01T19:48:36.009000+00:00"
}

If you see the following error, consider rerunning the repair command with the --force option:

An error occurred: {"message":"No unhealthy instances to reboot. Maybe use the force option."} (Status Code: 404; Error Code: NOT_FOUND; Service: environments; Operation: repairFreeipa; Request ID: eca3a7fb-aa6b-48f7-ae29-b881161869e5;)
You can check the status of your repair using Show FreeIPA repair status.