Bug 1372056

Summary: pkidestroy may not remove all files
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Dinesh Prasanth <dmoluguw>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.4
CC: edewata, gkapoor, msauton
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Enhancement
Doc Text:
.Uninstalling Certificate System no longer removes all log files

Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy.

Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.
Clone Of:
: 1645262
Last Closed: 2019-08-06 13:07:17 UTC
Type: Bug
Bug Depends On: 1644769
Bug Blocks: 1645262

Description Matthew Harmsen 2016-08-31 19:45:04 UTC
FreeIPA's CI ran into an issue with pkispawn. An incomplete installation of Dogtag has left some files and directories around. This is also a common situation during development. pkidestroy should have a --force option that forcefully removes all remnants of a previous installation. With --force, pkidestroy should first attempt to do a regular de-installation.

Endi's pki-nuke.sh script has a list of all directories that should be removed: 

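#!/bin/sh
# Force-remove every remnant of a PKI instance, including its logs.

INSTANCE_NAME=$1

# Refuse to run without an instance name; the rm -rf calls below would
# otherwise act on the parent directories.
if [ -z "$INSTANCE_NAME" ]; then
    echo "usage: pki-nuke.sh <instance name>"
    exit 1
fi

# Reject names that would make the paths below point outside the
# per-instance directories.
case "$INSTANCE_NAME" in
    */*|.|..) echo "invalid instance name: $INSTANCE_NAME"; exit 1 ;;
esac

echo "Deleting instance $INSTANCE_NAME"

# Kill any Tomcat process still running for this instance.
pids=$(ps -ef | grep "catalina.base=/var/lib/pki/$INSTANCE_NAME" | grep -v grep | awk '{print $2}')
for pid in $pids; do
    kill -9 "$pid"
done

# Configuration, instance data, logs and per-user client state.
rm -rf "/etc/pki/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/pki/tomcat/$INSTANCE_NAME"
rm -rf "/var/lib/pki/$INSTANCE_NAME"
rm -rf "/var/log/pki/$INSTANCE_NAME"
rm -rf /var/log/pki/pki-*.log
rm -rf "$HOME/.dogtag/$INSTANCE_NAME"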

Comment 1 Matthew Harmsen 2016-08-31 19:46:56 UTC
mbasti added:

    Please don't remove logfiles if possible :)

Comment 2 Matthew Harmsen 2016-08-31 19:47:18 UTC
Per PKI Bug Council of 08/31/2016:
* Consider this bug for a RHEL 7.3 Batch 1 Update Candidate

Comment 3 Matthew Harmsen 2016-11-30 01:23:02 UTC
Per PKI Bug Council of 11/29/2016: 10.4 - critical

Comment 5 Matthew Harmsen 2017-10-25 22:30:01 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 6 Matthew Harmsen 2018-04-24 01:49:58 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

alee: this is related to a previous bug 1458010.  Fixing this will help ipa and other installs in cases of install failure.

Comment 7 Matthew Harmsen 2018-07-04 00:04:28 UTC
Moved to RHEL 7.7.

Comment 8 Dinesh Prasanth 2018-10-29 16:48:12 UTC
Verification steps for QE:

CASE 1: Normal uninstallation

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/     # To verify that logs aren't removed by default
3. Run `pkidestroy -s <subsystem> -i <instance>`
4. tree /var/log/pki      # Entries must match output from #2

This should uninstall the subsystem (and instance if that's the last subsystem). The logs in /var/log/pki/<instance> will not be removed.

Comment 9 Dinesh Prasanth 2018-10-29 16:51:15 UTC
Verification steps for QE:

CASE 2: Forced uninstallation

1. Install CA (and other subsystems, if needed)
2. Remove a random subsystem dir (eg: rm -rf /var/lib/pki/<instance>/<subsystem>)
3. Run `pkidestroy -s <subsystem> -i <instance>`  # This should throw an error
4. Run `pkidestroy --force -s <subsystem> -i <instance>` # This should uninstall the subsystem

The logs in /var/log/pki/<instance> will not be removed

Comment 10 Dinesh Prasanth 2018-10-29 16:53:34 UTC
Verification steps for QE:

CASE 3: Normal uninstallation with Removing logs

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/     # To verify the logs dir structure
3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
4. tree /var/log/pki      # Logs will be removed
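
Added example, not part of the original comments or of the pki-core code: a shell helper that automates the before/after log comparison from CASE 1 to CASE 3. It assumes the check is scoped to the instance log directory /var/log/pki/<instance>; the function names list_logs and check_logs are hypothetical.

```shell
#!/bin/sh
# Added example: automate the "tree before / tree after" comparison.
# Usage (flags as documented in this bug):
#   check_logs /var/log/pki/<instance> kept    pkidestroy -s CA -i <instance>
#   check_logs /var/log/pki/<instance> removed pkidestroy --remove-logs -s CA -i <instance>

# List regular files under a log directory as sorted relative paths.
# Prints nothing if the directory does not exist.
list_logs() {
    [ -d "$1" ] || return 0
    ( cd "$1" && find . -type f | LC_ALL=C sort )
}

# check_logs <instance_log_dir> <kept|removed> <command> [args...]
# Returns 0 if the log directory matches the expectation after the command,
# 1 if it does not, 2 on a setup or usage error.
check_logs() {
    log_dir=$1 expect=$2; shift 2
    before=$(list_logs "$log_dir")
    [ -n "$before" ] || { echo "no logs to start with in $log_dir" >&2; return 2; }
    "$@" || { echo "command failed: $*" >&2; return 2; }
    case $expect in
        kept)
            # Every file seen before must still exist. New files are allowed,
            # because the server may write more log output while it stops.
            missing=0
            while IFS= read -r f; do
                [ -f "$log_dir/$f" ] || { echo "missing: $f" >&2; missing=1; }
            done <<EOF
$before
EOF
            return $missing ;;
        removed)
            # No regular file may remain under the instance log directory.
            [ -z "$(list_logs "$log_dir")" ] ;;
        *)  echo "expect must be kept or removed" >&2; return 2 ;;
    esac
}
```

The "kept" check compares file names only, so content appended to an existing log during shutdown does not count as a failure.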

Comment 12 Dinesh Prasanth 2018-10-31 14:53:57 UTC
The resolution of this bug introduces a new bug: https://bugzilla.redhat.com/show_bug.cgi?id=1644769

Comment 15 Dinesh Prasanth 2018-11-01 22:34:21 UTC
The changes have been backported (to 10.5) through PR: https://github.com/dogtagpki/pki/pull/93

10_5 branch:
============
The commit that fixes this specific bug: https://github.com/dogtagpki/pki/commit/926c26e10db1b3fde8f24802d7a77419d0f2f28d

New change to keep logs by default is introduced by commit: https://github.com/dogtagpki/pki/commit/9e2cdb0b2f5df552ef50ba7883b4c686adec41b3

Comment 16 Dinesh Prasanth 2019-01-02 19:30:41 UTC
(In reply to Dinesh Prasanth from comment #10)
> Verification steps for QE:
> 
> CASE 3: Normal uninstallation with Removing logs
> 
> 1. Install CA (and other subsystems, if needed)
> 2. tree /var/log/pki/     # To verify the logs dir structure
> 3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
> 4. tree /var/log/pki      # Logs will be removed

QE team,

Just as a note: in this scenario, the *pkispawn* and *pkidestroy* are intentionally preserved for sysadmin's reference.

My original reply to z-stream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1645262#c8

Comment 18 Geetika Kapoor 2019-06-18 11:28:39 UTC
# rpm -qa pki*
pki-server-10.5.16-2.el7.noarch
pki-javadoc-10.5.16-2.el7.noarch
pki-tks-10.5.16-2.el7pki.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-kra-10.5.16-2.el7.noarch
pki-symkey-10.5.16-2.el7.x86_64
pki-core-debuginfo-10.5.16-2.el7.x86_64
pki-tps-10.5.16-2.el7pki.x86_64
pki-ocsp-10.5.16-2.el7pki.noarch
pki-base-10.5.16-2.el7.noarch
pki-tools-10.5.16-2.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
pki-console-10.5.16-1.el7pki.noarch

Test Case 1: pkidestroy should display --force and --remove-logs options.

# pkidestroy --help
usage: pkidestroy [-s <subsystem>] [-h] [-v] [-p <prefix>] [-i <instance>]
                  [-u <security domain user>]
                  [-W <security domain password file>] [--force]
                  [--remove-logs]

PKI Instance Removal

optional arguments:
  -s <subsystem>        where <subsystem> is CA, KRA, OCSP, TKS, or TPS
  -h, --help            show this help message and exit
  -v                    display verbose information (details below)
  -i <instance>         FORMAT: ${pki_instance_name}
  -u <security domain user>
                        security domain user
  -W <security domain password file>
                        security domain password file path
  --force               force removal of subsystem
  --remove-logs         remove subsystem logs


Test Case 3: pkidestroy -s CA -i rhel77_ca_gkapoor1 --force  --remove-logs  -vv

The above command should delete the instance and logs.

Test Case 4: There is a known failure when the instance is removed and then we try to remove logs.

https://bugzilla.redhat.com/show_bug.cgi?id=1698084

Comment 20 errata-xmlrpc 2019-08-06 13:07:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228