Bug 1397660

Summary: User is able to remove ipa-server from within container using ipa-server-install --uninstall command
Product: Red Hat Enterprise Linux 7
Component: ipa-server-container
Version: 7.3
Status: CLOSED DEFERRED
Severity: unspecified
Priority: unspecified
Reporter: Nikhil Dehadrai <ndehadra>
Assignee: Petr Vobornik <pvoborni>
QA Contact: Nikhil Dehadrai <ndehadra>
Docs Contact:
CC: pcech
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-06 11:14:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Nikhil Dehadrai 2016-11-23 05:47:54 UTC
Description of problem:
User is able to remove ipa-server from within container using ipa-server-install --uninstall command. User should be presented with a warning message instead.

Version-Release number of selected component (if applicable):
ipa-server-docker: 4.4.0-21 image
ipa-server version: ipa-server-4.4.0-12.el7.x86_64
atomic host: Version: 7.3

Steps to Reproduce:
1. Set up ipa-server using ipa-server-docker image on an atomic host.
2. Access the ipa-server shell and run ipa-server uninstallation command:


Actual results:
After step 2, ipa server is uninstalled within the container.

-bash-4.2# docker exec -it ipa-server-container rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64

-bash-4.2# docker exec -it ipa-server-container ipa-server-install --uninstall -U
Updating DNS system records
-----------------------------------------------
Deleted IPA server "rhel73atomic.example.com"
-----------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL failed to uninstall CA instance Command '/usr/sbin/pkidestroy -i pki-tomcat -s CA' returned non-zero exit status 1
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
-bash-4.2# docker exec -it ipa-server-container ipactl status
IPA is not configured (see man pages of ipa-server-install for help)
-bash-4.2# 


Expected results:
Since uninstallation of ipa-server from within the container using the command ipa-server-install --uninstall may not be a clean way for ipa-server-docker, the user should be presented with a warning message.
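
One way to present the warning requested above, as an added example that is not part of the original report or of ipa-server-container: a guard for a wrapper script placed in front of ipa-server-install. The function names, the exit code 3 and the IPA_CONTAINER_ALLOW_UNINSTALL override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical guard for a wrapper around ipa-server-install.
# Not part of ipa-server-container. IPA_CONTAINER_ALLOW_UNINSTALL is an assumed name.

# in_container ROOT: succeed when container markers are found.
# ROOT is "" for the live filesystem; tests pass a constructed tree.
in_container() {
    _root="$1"
    if [ -e "$_root/.dockerenv" ]; then return 0; fi         # file Docker creates
    if [ -e "$_root/run/.containerenv" ]; then return 0; fi  # file Podman creates
    if [ -n "${container:-}" ]; then return 0; fi            # env var set by some runtimes
    return 1
}

# wants_uninstall ARGS...: succeed when --uninstall is among the arguments.
wants_uninstall() {
    for _arg in "$@"; do
        if [ "$_arg" = "--uninstall" ]; then return 0; fi
    done
    return 1
}

# guard_install ROOT ARGS...: return 0 to proceed, 3 when the call is blocked.
guard_install() {
    _groot="$1"
    shift
    if wants_uninstall "$@" && in_container "$_groot" &&
       [ "${IPA_CONTAINER_ALLOW_UNINSTALL:-0}" != "1" ]; then
        echo "WARNING: ipa-server-install --uninstall inside a container may not" >&2
        echo "be a clean way to remove the server. Set" >&2
        echo "IPA_CONTAINER_ALLOW_UNINSTALL=1 to run it anyway." >&2
        return 3
    fi
    return 0
}

# Wrapper usage (commented out so sourcing this file has no side effects):
#   guard_install "" "$@" || exit $?
#   exec ipa-server-install "$@"   # would need the real binary's full path
```

The guard only intercepts the literal --uninstall argument shown in the report; every other invocation passes through unchanged.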

Comment 4 Petr Čech 2021-01-06 11:14:29 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in the future. Time showed that we did not have such capacity, do not have it now, and will not have it in the foreseeable future. In such a situation, keeping it in the backlog is misleading and sets the wrong expectation that we will be able to address it. Unfortunately, we will not. To reflect this, we are closing this BZ. If you disagree with the decision, please reopen or open a new support case and create a new BZ. However, this does not guarantee that the request will not be closed during the triage, as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream are always welcome!
Thank you for understanding.
Red Hat Enterprise Linux Identity Management Team