.Uninstalling Certificate System no longer removes all log files
Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy. Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.
Description Matthew Harmsen
2016-08-31 19:45:04 UTC
FreeIPA's CI ran into an issue with pkispawn. An incomplete installation of Dogtag has left some files and directories around. This is also a common situation during development. pkidestroy should have a --force option that forcefully removes all remnants of a previous installation. With --force, pkidestroy should first attempt to do a regular de-installation.
Endi's pki-nuke.sh script has a list of all directories that should be removed:
#!/bin/sh
# Forcefully remove every remnant of a PKI instance.
INSTANCE_NAME=$1
if [ -z "$INSTANCE_NAME" ]; then
    echo "usage: pki-nuke.sh <instance name>"
    exit 1
fi
echo "Deleting instance $INSTANCE_NAME"
# Kill any Tomcat process still running for this instance.
pids=$(ps -ef | grep "catalina.base=/var/lib/pki/$INSTANCE_NAME" | grep -v grep | awk '{print $2}')
for pid in $pids; do
    kill -9 "$pid"
done
# Remove configuration, instance data, logs and per-user client state.
rm -rf "/etc/pki/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/$INSTANCE_NAME"
rm -rf "/etc/sysconfig/pki/tomcat/$INSTANCE_NAME"
rm -rf "/var/lib/pki/$INSTANCE_NAME"
rm -rf "/var/log/pki/$INSTANCE_NAME"
rm -rf /var/log/pki/pki-*.log
rm -rf "$HOME/.dogtag/$INSTANCE_NAME"
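The file cleanup that pki-nuke.sh performs, rewritten as an added example (not part of the original report and not Dogtag code) that validates the instance name before any rm -rf and keeps the logs unless --remove-logs is passed, as the updated pkidestroy does. pki_cleanup and the PKI_ROOT prefix are hypothetical names; PKI_ROOT exists only so the function can be tried against a scratch directory, and process termination is left out.

```shell
#!/bin/sh
# Added example: remove leftovers of a failed PKI instance installation.
# PKI_ROOT (hypothetical) is prepended to every path; leave it unset to
# act on the real locations listed in pki-nuke.sh.

pki_cleanup() {
    remove_logs=0
    if [ "$1" = "--remove-logs" ]; then
        remove_logs=1
        shift
    fi
    instance=$1
    root=${PKI_ROOT:-}

    # Refuse empty names, "." and "..", and any name containing a path
    # separator, glob character or whitespace, so that rm -rf cannot be
    # steered outside the per-instance directories.
    case $instance in
        ''|.|..|*[!A-Za-z0-9._-]*)
            echo "invalid instance name: '$instance'" >&2
            return 2
            ;;
    esac

    # Configuration, instance data and per-user client state.
    for dir in /etc/pki /etc/sysconfig /etc/sysconfig/pki/tomcat \
               /var/lib/pki "$HOME/.dogtag"; do
        rm -rf -- "$root$dir/$instance"
    done

    # Instance logs are kept by default so they stay available for review
    # after the uninstall. The shared pki-*.log files written by pkispawn
    # and pkidestroy are never touched here.
    if [ "$remove_logs" -eq 1 ]; then
        rm -rf -- "$root/var/log/pki/$instance"
    fi
    return 0
}
```
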
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6
alee: this is related to a previous bug 1458010. Fixing this will help ipa and other installs in cases of install failure.
Verification steps for QE:
CASE 1: Normal uninstallation
1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/ # To verify that logs aren't removed by default
3. Run `pkidestroy -s <subsystem> -i <instance>`
4. tree /var/log/pki # Entries must match output from #2
This should uninstall the subsystem (and instance if that's the last subsystem). The logs in /var/log/pki/<instance> will not be removed.
Verification steps for QE:
CASE 2: Forced uninstallation
1. Install CA (and other subsystems, if needed)
2. Remove a random subsystem dir (eg: rm -rf /var/lib/pki/<instance>/<subsystem>)
3. Run `pkidestroy -s <subsystem> -i <instance>` # This should throw an error
4. Run `pkidestroy --force -s <subsystem> -i <instance>` # This should uninstall the subsystem
The logs in /var/log/pki/<instance> will not be removed.
Verification steps for QE:
CASE 3: Normal uninstallation with Removing logs
1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/ # To verify the logs dir structure
3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
4. tree /var/log/pki # Logs will be removed
(In reply to Dinesh Prasanth from comment #10)
> Verification steps for QE:
>
> CASE 3: Normal uninstallation with Removing logs
>
> 1. Install CA (and other subsystems, if needed)
> 2. tree /var/log/pki/ # To verify the logs dir structure
> 3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
> 4. tree /var/log/pki # Logs will be removed
QE team,
Just as a note: in this scenario, the *pkispawn* and *pkidestroy* are intentionally preserved for sysadmin's reference.
My original reply to z-stream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1645262#c8
# rpm -qa pki*
pki-server-10.5.16-2.el7.noarch
pki-javadoc-10.5.16-2.el7.noarch
pki-tks-10.5.16-2.el7pki.noarch
pki-base-java-10.5.16-2.el7.noarch
pki-kra-10.5.16-2.el7.noarch
pki-symkey-10.5.16-2.el7.x86_64
pki-core-debuginfo-10.5.16-2.el7.x86_64
pki-tps-10.5.16-2.el7pki.x86_64
pki-ocsp-10.5.16-2.el7pki.noarch
pki-base-10.5.16-2.el7.noarch
pki-tools-10.5.16-2.el7.x86_64
pki-ca-10.5.16-2.el7.noarch
pki-console-10.5.16-1.el7pki.noarch
Test Case 1 : pkidestroy should display --force and --remove-logs options.
# pkidestroy --help
usage: pkidestroy [-s <subsystem>] [-h] [-v] [-p <prefix>] [-i <instance>]
[-u <security domain user>]
[-W <security domain password file>] [--force]
[--remove-logs]
PKI Instance Removal
optional arguments:
-s <subsystem> where <subsystem> is CA, KRA, OCSP, TKS, or TPS
-h, --help show this help message and exit
-v display verbose information (details below)
-i <instance> FORMAT: ${pki_instance_name}
-u <security domain user>
security domain user
-W <security domain password file>
security domain password file path
--force force removal of subsystem
--remove-logs remove subsystem logs
Test Case 3: pkidestroy -s CA -i rhel77_ca_gkapoor1 --force --remove-logs -vv
Above command should delete instance and logs.
Test Case 4: There is a known failure when instance is removed and then we try to remove logs.
https://bugzilla.redhat.com/show_bug.cgi?id=1698084
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2228