Migrate issued tokens to newly installed server

remko · May 10, 2022, 3:11pm

I have an old centos server with pi 2.23 and a fresh ubuntu 20 server with pi 3.7
Is there a way to migrate all issued tokens to the new server without too much hassle?

Any downtime is not an option what so ever.
That’s why I’m very hesitant to update the old server first.
And I’m not sure if and how I can install pi 2.23 on the new server through packages.

I understand there’s a difference in database structure so that would need special attention.
Is there anything else that needs to be taken in consideration?

cornelinux · May 11, 2022, 12:05pm

The tokenowner are now stored in a different way.
Always take a look at READ BEFORE UPDATE.

github.com

privacyidea/privacyidea/blob/master/READ_BEFORE_UPDATE.md

# Update Notes

## Update from 3.6 to 3.7

* The database schema in table "machinetoken" was changed to support a new way of 
  handling offline tokens.
* The notification handler can contain more complex reply_to emails.
  The handler optiones were adapted in the database.

Be sure to run the schema update script!

## Update from 3.5 to 3.6

* Up to version 3.5 TLS autonegotiation was used for LDAP resolvers, if no specific
  TLS_VERSION was specified. For security reasons this is not supported anymore, thus the
  migration script sets resolvers without a configured TLS_VERSION to 1.2.

  **WARNING**: On Ubuntu 20.04 using TLS 1.0 will fail and users will not be found.
  Either change to TLS 1.2 before running the update or use a local admin to change 
  the TLS version after the update.

This file has been truncated. show original

The DB migrate script should technically take care of this. However, if you have a high 5 digit number of users, this can take quite some time.

Alexey_Dolgopolov · June 24, 2022, 6:55am

Is there any documentation how to migrate only tokens, preferably with assignments, from pi 2.25 to 3.7?

Have a quite old installation of 2.25 on ubuntu 16.04, on which migrate-data.py is failing, so I don’t really want to migrate.

My failback option would be radius passthrough.

cornelinux · June 27, 2022, 5:29pm

No. This is done by the update script. Actually this is a DB update.

cornelinux · June 28, 2022, 7:04am

Hi @Alexey_Dolgopolov

OK, You installed the server anew - I see.

My recommendation would be to try the following:

run a backup pi-manage backup create -e on the old server
run a restore on the new server pi-manage backup restore <your backup file>. This will restore the old database to the newly installed server. This means you have the new code with old data.
You could now run the db upgrade / migration: pi-manage db upgrade -d /opt/privacyidea/lib/privacyidea/migrations/.

This would be the basic concept to go. Pitfalls included. Path changes included per individual installation.

Alexey_Dolgopolov · January 26, 2024, 9:28am

Dear @cornelinux ,

Thank you for the hint!
The path did work for me quite well, so we moved straight from 2.23.5 to 3.9.2 (yeah, it took ca 2yrs to come back to the topic).
Some testing is still ahead, however I can see all the tokens on the target system, as well can authenticate with all token types.