FreeIPA's CI ran into an issue with pkispawn. An incomplete installation of Dogtag has left some files and directories around. This is also a common situation during development, too.

pkidestroy should have a --force option that forcefully removes all remnants of a previous installation. With --force pkidestroy should first attempt to do a regular de-installation.

Endi's pki-nuke.sh script has a list of all directories that should be removed:

    #!/bin/sh

    INSTANCE_NAME=$1

    # Refuse to run without an instance name: every rm -rf path below depends on it.
    if [ -z "$INSTANCE_NAME" ]; then
        echo "usage: pki-nuke.sh <instance name>"
        exit 1
    fi

    echo "Deleting instance $INSTANCE_NAME"

    # Kill any Tomcat process still running for this instance.
    pids=$(ps -ef | grep "catalina.base=/var/lib/pki/$INSTANCE_NAME" | grep -v grep | awk '{print $2}')

    for pid in $pids; do
        kill -9 "$pid"
    done

    # Remove configuration, instance data, logs and the per-user client directory.
    rm -rf "/etc/pki/$INSTANCE_NAME"
    rm -rf "/etc/sysconfig/$INSTANCE_NAME"
    rm -rf "/etc/sysconfig/pki/tomcat/$INSTANCE_NAME"
    rm -rf "/var/lib/pki/$INSTANCE_NAME"
    rm -rf "/var/log/pki/$INSTANCE_NAME"
    rm -rf /var/log/pki/pki-*.log
    rm -rf "$HOME/.dogtag/$INSTANCE_NAME"
mbasti added: Please don't remove logfiles if possible :)
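The cleanup list above, with the request to keep logs, sketched as an added example that is not part of the bug report or of Dogtag's own code: it validates the instance name before any path is built from it and leaves log directories alone unless asked. The function names, the `PKI_ROOT` test prefix and the allowed-character policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find and remove leftovers of a Dogtag instance.
# PKI_ROOT is a hypothetical prefix so the functions can be tried on a scratch tree.

# Assumed policy: letters, digits, '.', '_' and '-' only; "." and ".." are
# rejected so a name can never climb out of the pki directories.
valid_instance_name() {
    case "$1" in
        ""|.|..) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the remnant paths that exist for an instance, one per line.
# The instance log directory is listed only with "--remove-logs";
# the top-level /var/log/pki/pki-*.log files are never listed.
list_remnants() {
    instance=$1
    mode=${2:-}
    root=${PKI_ROOT:-}
    valid_instance_name "$instance" || { echo "invalid instance name" >&2; return 2; }
    set -- "/etc/pki/$instance" "/etc/sysconfig/$instance" \
           "/etc/sysconfig/pki/tomcat/$instance" "/var/lib/pki/$instance" \
           "${HOME:-/root}/.dogtag/$instance"
    if [ "$mode" = "--remove-logs" ]; then
        set -- "$@" "/var/log/pki/$instance"
    fi
    for path in "$@"; do
        # -L also catches dangling symlinks left by a failed install.
        if [ -e "$root$path" ] || [ -L "$root$path" ]; then
            printf '%s\n' "$root$path"
        fi
    done
}

# Remove whatever list_remnants reports; same arguments.
remove_remnants() {
    paths=$(list_remnants "$@") || return $?
    [ -n "$paths" ] || return 0
    printf '%s\n' "$paths" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
}
# Usage: list_remnants pki-tomcat   (review the output, then remove_remnants pki-tomcat)
```

Running `list_remnants` first gives a reviewable list of what a forced cleanup would delete.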
Per PKI Bug Council of 08/31/2016: * Consider this bug for a RHEL 7.3 Batch 1 Update Candidate
Per PKI Bug Council of 11/29/2016: 10.4 - critical
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6

alee: this is related to a previous bug 1458010. Fixing this will help ipa and other installs in cases of install failure.
Moved to RHEL 7.7.
Verification steps for QE:

CASE 1: Normal uninstallation

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/ # To verify that logs aren't removed by default
3. Run `pkidestroy -s <subsystem> -i <instance>`
4. tree /var/log/pki # Entries must match output from #2

This should uninstall the subsystem (and instance if that's the last subsystem). The logs in /var/log/pki/<instance> will not be removed.
Verification steps for QE:

CASE 2: Forced uninstallation

1. Install CA (and other subsystems, if needed)
2. Remove a random subsystem dir (e.g.: rm -rf /var/lib/pki/<instance>/<subsystem>)
3. Run `pkidestroy -s <subsystem> -i <instance>` # This should throw an error
4. Run `pkidestroy --force -s <subsystem> -i <instance>` # This should uninstall the subsystem

The logs in /var/log/pki/<instance> will not be removed.
Verification steps for QE:

CASE 3: Normal uninstallation with Removing logs

1. Install CA (and other subsystems, if needed)
2. tree /var/log/pki/ # To verify the logs dir structure
3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
4. tree /var/log/pki # Logs will be removed
The resolution of this bug introduces a new bug: https://bugzilla.redhat.com/show_bug.cgi?id=1644769
The changes have been backported (to 10.5) through PR: https://github.com/dogtagpki/pki/pull/93

10_5 branch:
============

The commit that fixes this specific bug:
https://github.com/dogtagpki/pki/commit/926c26e10db1b3fde8f24802d7a77419d0f2f28d

New change to keep logs by default is introduced by commit:
https://github.com/dogtagpki/pki/commit/9e2cdb0b2f5df552ef50ba7883b4c686adec41b3
(In reply to Dinesh Prasanth from comment #10)
> Verification steps for QE:
>
> CASE 3: Normal uninstallation with Removing logs
>
> 1. Install CA (and other subsystems, if needed)
> 2. tree /var/log/pki/ # To verify the logs dir structure
> 3. Run `pkidestroy --remove-logs -s <subsystem> -i <instance>`
> 4. tree /var/log/pki # Logs will be removed

QE team,

Just as a note: in this scenario, the *pkispawn* and *pkidestroy* are intentionally preserved for sysadmin's reference.

My original reply to z-stream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1645262#c8
    # rpm -qa pki*
    pki-server-10.5.16-2.el7.noarch
    pki-javadoc-10.5.16-2.el7.noarch
    pki-tks-10.5.16-2.el7pki.noarch
    pki-base-java-10.5.16-2.el7.noarch
    pki-kra-10.5.16-2.el7.noarch
    pki-symkey-10.5.16-2.el7.x86_64
    pki-core-debuginfo-10.5.16-2.el7.x86_64
    pki-tps-10.5.16-2.el7pki.x86_64
    pki-ocsp-10.5.16-2.el7pki.noarch
    pki-base-10.5.16-2.el7.noarch
    pki-tools-10.5.16-2.el7.x86_64
    pki-ca-10.5.16-2.el7.noarch
    pki-console-10.5.16-1.el7pki.noarch

Test Case 1: pkidestroy should display --force and --remove-logs options.

    # pkidestroy --help
    usage: pkidestroy [-s <subsystem>] [-h] [-v] [-p <prefix>] [-i <instance>]
                      [-u <security domain user>]
                      [-W <security domain password file>] [--force]
                      [--remove-logs]

    PKI Instance Removal

    optional arguments:
      -s <subsystem>        where <subsystem> is CA, KRA, OCSP, TKS, or TPS
      -h, --help            show this help message and exit
      -v                    display verbose information (details below)
      -i <instance>         FORMAT: ${pki_instance_name}
      -u <security domain user>
                            security domain user
      -W <security domain password file>
                            security domain password file path
      --force               force removal of subsystem
      --remove-logs         remove subsystem logs

Test Case 3:

    pkidestroy -s CA -i rhel77_ca_gkapoor1 --force --remove-logs -vv

Above command should delete instance and logs.

Test Case 4: There is a known failure when instance is removed and then we try to remove logs.
https://bugzilla.redhat.com/show_bug.cgi?id=1698084
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2228