Bug 1372056 - pkidestroy may not remove all files
Summary: pkidestroy may not remove all files
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On: 1644769
Blocks: 1645262
Reported: 2016-08-31 19:45 UTC by Matthew Harmsen
Modified: 2020-10-04 21:13 UTC

Fixed In Version: pki-core-10.5.16-2.el7
Doc Type: Enhancement
Doc Text:
.Uninstalling Certificate System no longer removes all log files
Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy.

Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.
Clone Of:
: 1645262
Last Closed: 2019-08-06 13:07:17 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 1735 | 0 | None | closed | Add forced instance removal | 2020-12-01 20:54:15 UTC
Github | dogtagpki pki issues 2546 | 0 | None | closed | pkidestroy may not remove all files | 2020-11-06 00:49:33 UTC
Red Hat Product Errata | RHBA-2019:2228 | 0 | None | None | None | 2019-08-06 13:07:49 UTC

Description Matthew Harmsen 2016-08-31 19:45:04 UTC
FreeIPA's CI ran into an issue with pkispawn. An incomplete installation of Dogtag has left some files and directories around. This is also a common situation during development, too. pkidestroy should have a --force option that forcefully removes all remnants of a previous installation. With --force pkidestroy should first attempt to do a regular de-installation.

Endi's pki-nuke.sh script has a list of all directories that should be removed: 

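#!/bin/bash
# Forcefully remove every remnant of a PKI instance.
INSTANCE_NAME="$1"

if [ -z "$INSTANCE_NAME" ]; then
    echo "usage: pki-nuke.sh <instance name>"
    exit 1
fi

echo "Deleting instance $INSTANCE_NAME"

# Kill any Tomcat process that is still running for this instance.
pids="$(ps -ef | grep "catalina.base=/var/lib/pki/$INSTANCE_NAME" | grep -v grep | awk '{print $2}')"
for pid in $pids; do
    kill -9 "$pid"
done

# Remove configuration, instance data, logs and per-user client files.
rm -rf "/etc/pki/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/pki/tomcat/$INSTANCE_NAME"
rm -rf "/var/lib/pki/$INSTANCE_NAME"
rm -rf "/var/log/pki/$INSTANCE_NAME"
# Not instance-specific: this pattern matches the pki-*.log files of every instance.
rm -rf /var/log/pki/pki-*.log
rm -rf "$HOME/.dogtag/$INSTANCE_NAME"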

Comment 1 Matthew Harmsen 2016-08-31 19:46:56 UTC
mbasti@redhat.com added:

    Please don't remove logfiles if possible :)

Comment 2 Matthew Harmsen 2016-08-31 19:47:18 UTC
Per PKI Bug Council of 08/31/2016:
* Consider this bug for a RHEL 7.3 Batch 1 Update Candidate

Comment 3 Matthew Harmsen 2016-11-30 01:23:02 UTC
Per PKI Bug Council of 11/29/2016: 10.4 - critical

Comment 5 Matthew Harmsen 2017-10-25 22:30:01 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 6 Matthew Harmsen 2018-04-24 01:49:58 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

alee: this is related to a previous bug 1458010.  Fixing this will help ipa and other installs in cases of install failure.

Comment 7 Matthew Harmsen 2018-07-04 00:04:28 UTC
Moved to RHEL 7.7.

Comment 8 Dinesh Prasanth 2018-10-29 16:48:12 UTC
Verification steps for QE:

CASE 1: Normal uninstallation

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/     # To verify that logs aren't removed by default
3. Run `pkidestroy -s <subsystem> -i <instance>`
4. tree /var/log/pki      # Entries must match output from #2

This should uninstall the subsystem (and instance if that's the last subsystem). The logs in /var/log/pki/<instance> will not be removed.

Comment 9 Dinesh Prasanth 2018-10-29 16:51:15 UTC
Verification steps for QE:

CASE 2: Forced uninstallation

1. Install CA (and other subsystems, if needed)
2. Remove a random subsystem dir (eg: rm -rf /var/lib/pki/<instance>/<subsystem>)
3. Run `pkidestroy -s <subsystem> -i <instance>`  # This should throw an error
4. Run `pkidestroy --force -s <subsystem> -i <instance>` # This should uninstall the subsystem

The logs in /var/log/pki/<instance> will not be removed.

Comment 10 Dinesh Prasanth 2018-10-29 16:53:34 UTC
Verification steps for QE:

CASE 3: Normal uninstallation with Removing logs

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/     # To verify the logs dir structure
3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
4. tree /var/log/pki      # Logs will be removed
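
The before/after comparison of the log tree in CASE 1 to CASE 3 above can be scripted instead of compared by eye. The following is an added example, not part of the original comments or of the pki project; the function names and the snapshot file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): script the "tree /var/log/pki"
# before/after comparison. Function names are hypothetical.

# Print the relative path of every file under log root $1, sorted.
# A missing root counts as an empty tree, so the function still succeeds
# when the whole directory has been removed.
snapshot_logs() {
    [ -d "$1" ] || return 0
    ( cd "$1" && find . -type f | LC_ALL=C sort )
}

# Print the paths recorded in snapshot file $1 that are absent from $2.
removed_logs() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Return 0 if every file in snapshot $1 still exists in snapshot $2
# (expected without --remove-logs); otherwise list the losses on stderr
# and return 1. Files that only appear afterwards, such as a new
# pkidestroy log, do not count as a failure.
logs_retained() {
    lost=$(removed_logs "$1" "$2")
    if [ -z "$lost" ]; then
        return 0
    fi
    printf '%s\n' "$lost" | sed 's/^/removed: /' >&2
    return 1
}

# Usage, run as root around the uninstall (snapshot paths are assumptions):
#   snapshot_logs /var/log/pki > /root/logs.before
#   pkidestroy -s <subsystem> -i <instance>
#   snapshot_logs /var/log/pki > /root/logs.after
#   logs_retained /root/logs.before /root/logs.after
# With --remove-logs, "removed_logs before after" lists what was deleted.
```

Only file paths are compared, not contents, because log files can legitimately grow during the uninstall.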

Comment 12 Dinesh Prasanth 2018-10-31 14:53:57 UTC
The resolution of this bug introduces a new bug: https://bugzilla.redhat.com/show_bug.cgi?id=1644769

Comment 15 Dinesh Prasanth 2018-11-01 22:34:21 UTC
The changes have been backported (to 10.5) through PR: https://github.com/dogtagpki/pki/pull/93

10_5 branch:
The commit that fixes this specific bug: https://github.com/dogtagpki/pki/commit/926c26e10db1b3fde8f24802d7a77419d0f2f28d

New change to keep logs by default is introduced by commit: https://github.com/dogtagpki/pki/commit/9e2cdb0b2f5df552ef50ba7883b4c686adec41b3

Comment 16 Dinesh Prasanth 2019-01-02 19:30:41 UTC
(In reply to Dinesh Prasanth from comment #10)
> Verification steps for QE:
> CASE 3: Normal uninstallation with Removing logs
> 1. Install CA (and other subsystems, if needed)
> 2. tree /var/log/pki/     # To verify the logs dir structure
> 3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
> 4. tree /var/log/pki      # Logs will be removed

QE team,

Just as a note: in this scenario, the *pkispawn* and *pkidestroy* are intentionally preserved for sysadmin's reference.

My original reply to z-stream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1645262#c8

Comment 18 Geetika Kapoor 2019-06-18 11:28:39 UTC
# rpm -qa pki*

Test Case 1 : pkidestroy should display --force and --remove-logs  options.

# pkidestroy --help
usage: pkidestroy [-s <subsystem>] [-h] [-v] [-p <prefix>] [-i <instance>]
                  [-u <security domain user>]
                  [-W <security domain password file>] [--force]

PKI Instance Removal

optional arguments:
  -s <subsystem>        where <subsystem> is CA, KRA, OCSP, TKS, or TPS
  -h, --help            show this help message and exit
  -v                    display verbose information (details below)
  -i <instance>         FORMAT: ${pki_instance_name}
  -u <security domain user>
                        security domain user
  -W <security domain password file>
                        security domain password file path
  --force               force removal of subsystem
  --remove-logs         remove subsystem logs

Test Case 3: pkidestroy -s CA -i rhel77_ca_gkapoor1 --force  --remove-logs  -vv

Above command should delete instance and logs.

Test Case 4: There is a known failure when instance is removed and then we try to remove logs.


Comment 20 errata-xmlrpc 2019-08-06 13:07:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

