Bug 1698084 - pkidestroy is not working as expected when used with --force and --remove-logs
Summary: pkidestroy is not working as expected when used with --force and --remove-logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.2
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Docs Contact: Florian Delehaye
URL:
Whiteboard:
Depends On:
Blocks: 1729622
Reported: 2019-04-09 15:11 UTC by Geetika Kapoor
Modified: 2023-03-07 13:00 UTC

Fixed In Version: pki-core-10.6-8020020200219144652.c7c3114f
Doc Type: Bug Fix
Doc Text:
.The `pkidestroy` utility now picks the correct instance

Previously, the `pkidestroy --force` command executed on a half-removed instance picked the `pki-tomcat` instance by default, regardless of the instance name specified with the `-i __instance__` option. As a consequence, this removed the `pki-tomcat` instance instead of the intended instance, and the `--remove-logs` option did not remove the intended instance's logs. `pkidestroy` now applies the right instance name, removing only the intended instance's leftovers.
Clone Of:
Clones: 1729622
Environment:
Last Closed: 2020-04-28 15:45:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker RHELPLAN-23199 (last updated 2023-03-07 13:00:20 UTC)
Red Hat Product Errata RHSA-2020:1644 (last updated 2020-04-28 15:46:03 UTC)

Comment 1 Geetika Kapoor 2019-04-18 14:35:59 UTC
Observed failure with another use case.

Suppose we have an instance pki-kra installed with KRA subsystem.
(Installation failed: PKI subsystem 'KRA' for instance 'pki-kra' already exists!)

During uninstall we specify -s as CA so:

Use Case 1 : with --force and --remove-logs

# pkidestroy -s CA -i pki-kra --force --remove-logs
Log file: /var/log/pki/pki-ca-destroy.20190418103138.log
Uninstalling CA from /var/lib/pki/pki-kra.
pkidestroy    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' does NOT exist!
initialization: ERROR    PKI subsystem 'CA' for instance 'pki-tomcat' does NOT exist!
pkidestroy    : WARNING  ....... File '/etc/pki/pki-tomcat/Catalina/localhost/ca.xml' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca/emails' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca/profiles' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca/signedAudit' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca/archive' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/sysconfig/pki/tomcat/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/alias' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... File '/etc/pki/pki-tomcat/password.conf' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Symlink '/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd' is either missing or is NOT a symbolic link!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/alias' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... File '/etc/sysconfig/pki-tomcat' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Directory '/etc/sysconfig/pki/tomcat/pki-tomcat' is either missing or is NOT a directory!

Uninstallation complete.


Use Case 2: without --force and --remove-logs

# pkidestroy -s CA -i pki-kra
ERROR:  PKI subsystem 'CA' for instance '/var/lib/pki/pki-kra' does NOT exist!

This behavior doesn't look right.
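
The fallback described in comment 1 and in the Doc Text, modelled as an added example (not code from dogtagpki/pki): a hypothetical resolver that, like the pre-fix `pkidestroy --force`, quietly substitutes the default `pki-tomcat` instance when the requested subsystem/instance pair has no deployment config, next to the corrected resolver that treats `-i` as authoritative. The on-disk state, the resolver names and `cleanup_targets` are assumptions; the paths listed are the ones printed as WARNING lines in the log above.

```python
"""Model of the instance-resolution flaw tracked in this bug.

Added example, not code from dogtagpki/pki. The real pkidestroy reads
/var/lib/pki/<instance>/<subsystem>/registry/<subsystem>/deployment.cfg and
drives scriptlets; here a hypothetical resolver takes a dict describing which
subsystems exist in which instance and shows how a silent fallback to the
default instance redirects a forced removal to the wrong tree.
"""

DEFAULT_INSTANCE = "pki-tomcat"  # pkidestroy's default when -i is omitted


def resolve_instance_buggy(requested, subsystem, existing, force):
    """Pre-fix behaviour reconstructed from the log in comment 1: when the
    requested subsystem/instance has no deployment config, the --force path
    falls back to the default instance name and ignores -i."""
    if subsystem in existing.get(requested, ()):
        return requested
    if force:
        return DEFAULT_INSTANCE
    raise FileNotFoundError(
        f"PKI subsystem '{subsystem}' for instance '{requested}' does NOT exist!")


def resolve_instance_fixed(requested, subsystem, existing, force):
    """Post-fix behaviour: -i is authoritative. --force only decides whether a
    missing instance is fatal or a best-effort cleanup of leftovers."""
    if subsystem in existing.get(requested, ()) or force:
        return requested
    raise FileNotFoundError(
        f"PKI subsystem '{subsystem}' for instance '{requested}' does NOT exist!")


def cleanup_targets(instance, subsystem, remove_logs):
    """Paths a forced destroy acts on (the WARNING lines in the bug's logs)."""
    sub = subsystem.lower()
    targets = [
        f"/etc/pki/{instance}/Catalina/localhost/{sub}.xml",
        f"/var/lib/pki/{instance}/{sub}",
        f"/etc/pki/{instance}/{sub}",
        f"/etc/sysconfig/pki/tomcat/{instance}/{sub}",
    ]
    if remove_logs:
        targets += [
            f"/var/log/pki/{instance}/{sub}/signedAudit",
            f"/var/log/pki/{instance}/{sub}/archive",
            f"/var/log/pki/{instance}/{sub}",
        ]
    return targets


def plan_destroy(requested, subsystem, existing, force, remove_logs, resolver):
    """Dry run: which instance would be acted on and which paths touched."""
    instance = resolver(requested, subsystem, existing, force)
    return instance, cleanup_targets(instance, subsystem, remove_logs)


def stays_within(requested, targets):
    """Safety property: every path must live under a directory named after the
    instance given with -i. False means another instance would be damaged."""
    return all(f"/{requested}/" in p for p in targets)


if __name__ == "__main__":
    # Constructed state matching comment 1: pki-tomcat hosts a CA, pki-kra a
    # half-installed KRA, and the operator runs
    # 'pkidestroy -s CA -i pki-kra --force --remove-logs'.
    on_disk = {"pki-tomcat": {"CA"}, "pki-kra": {"KRA"}}
    for name, resolver in (("buggy", resolve_instance_buggy),
                           ("fixed", resolve_instance_fixed)):
        inst, paths = plan_destroy("pki-kra", "CA", on_disk, True, True, resolver)
        print(f"{name}: acts on {inst}, in scope={stays_within('pki-kra', paths)}")
        for p in paths:
            print("   ", p)
```

Running the dry run with the buggy resolver lists `/var/lib/pki/pki-tomcat/ca` and the other `pki-tomcat` paths even though `-i pki-kra` was given; with the fixed resolver every path sits under a `pki-kra` directory, which is the property the `stays_within` check encodes.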

Comment 2 Dinesh Prasanth 2019-07-25 21:21:03 UTC
Adding this comment for (my) reference:

Though the patch [1] is for master (10.7 while submitting), once reviewed I might need to forward port it to the future master (10.8)

The initial patch review was done by Endi and he wanted to discuss with Ade Lee to convert SELinux context removal from transactional to non-transactional model. I have personally tried in my dev machine and there was no difference.

[1] https://github.com/dogtagpki/pki/pull/231

Comment 3 Dinesh Prasanth 2019-08-03 19:09:19 UTC
Fixed via PR: https://github.com/dogtagpki/pki/pull/231

Related commit information:

commit a53a22546271e1fc4b6b10e5252ae594e84137b7 (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Sat Aug 3 12:13:49 2019 -0400

    Fix 'pkidestroy --force' to pickup correct instance name (#231)
    
    - When `pkidestroy --force` was executed with a non-existent non-default
      instance, it should not pick up `pki-tomcat` as the default instance
    
    - The commit adds an additional check to remove selinux contexts
      iff the context exists. Otherwise, it skips them. This is
      necessary to accommodate the `--force` option to pkidestroy
    
    Fixes: BZ#1698084
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

GH Commit URL: https://github.com/dogtagpki/pki/commit/a53a22546271e1fc4b6b10e5252ae594e84137b7

Comment 4 Dinesh Prasanth 2019-08-03 19:10:28 UTC
Test case 1:
============
pkidestroy -v -s CA -i <nonexistent instance> --force



Test Case 2:
============

pkidestroy -v -s CA -i <nonexistent instance> --force --remove-logs

*NOTE:* Ensure there are some leftover logs in /var/log/pki/<nonexistent instance> to test this

Comment 5 Fedora Update System 2019-08-24 01:02:44 UTC
dogtag-pki-10.7.3-3.fc30, jss-4.6.1-2.fc30, ldapjdk-4.21.0-2.fc30, pki-core-10.7.3-3.fc30, tomcatjss-7.4.1-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2019-08-24 01:59:32 UTC
dogtag-pki-10.7.3-3.fc29, jss-4.6.1-2.fc29, ldapjdk-4.21.0-2.fc29, pki-core-10.7.3-3.fc29, tomcatjss-7.4.1-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Dinesh Prasanth 2020-02-25 16:50:10 UTC
This BZ was probably forgotten. However, this should have made it into the latest build. Setting this to MODIFIED

Comment 12 Geetika Kapoor 2020-02-26 06:51:54 UTC
Env Info :
=======

# yum module  info pki-core
Last metadata expiration check: 1:49:18 ago on Tue 25 Feb 2020 11:31:01 PM EST.
Name             : pki-core
Stream           : 10.6 [e] [a]
Version          : 8020020200219144652
Context          : c7c3114f
Architecture     : x86_64
Profiles         : 
Default profiles : 
Repo             : RHEL8.2-Appstream
Summary          : PKI Core module for PKI 10.6 or later
Description      : A module for PKI Core packages for PKI version 10.6 or later.
Requires         : pki-deps:[10.6]
                 : platform:[el8]
Artifacts        : jss-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.src
                 : jss-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-debuginfo-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-debugsource-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-javadoc-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.src
                 : ldapjdk-javadoc-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : pki-base-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-base-java-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-ca-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-core-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.src
                 : pki-core-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-core-debugsource-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-kra-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-server-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-symkey-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-symkey-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-tools-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-tools-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : python3-pki-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b.src



Test Case 1 : Without Force and remove-logs
===========================================

# pkidestroy -s TKS -i topology-02-TPS 
ERROR:  PKI subsystem 'TKS' for instance '/var/lib/pki/topology-02-TPS' does NOT exist!

Test Case 2: with --force and --remove-logs
===========================================

# pkidestroy -s TKS -i topology-02-TPS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tks-destroy.20200226011342.log
Uninstalling TKS from /var/lib/pki/topology-02-TPS.
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPS' does NOT exist!
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPS' does NOT exist!
WARNING: File '/etc/pki/topology-02-TPS/Catalina/localhost/tks.xml' is either missing or is NOT a regular file!
WARNING: Directory '/var/lib/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks/signedAudit' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks/archive' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/sysconfig/pki/tomcat/topology-02-TPS/tks' is either missing or is NOT a directory!

Uninstallation complete.

Test Case 3 : When Instance doesn't exist 

# pkidestroy -s TKS -i topology-02-TPNS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tks-destroy.20200226014407.log
Uninstalling TKS from /var/lib/pki/topology-02-TPNS.
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPNS' does NOT exist!
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPNS' does NOT exist!
WARNING: File '/etc/pki/topology-02-TPNS/Catalina/localhost/tks.xml' is either missing or is NOT a regular file!
WARNING: Directory '/var/lib/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks/signedAudit' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks/archive' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/sysconfig/pki/tomcat/topology-02-TPNS/tks' is either missing or is NOT a directory!
ERROR: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/topology-02-TPNS/alias'
  File "/usr/lib/python3.6/site-packages/pki/server/pkidestroy.py", line 268, in main
    scriptlet.destroy(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 371, in destroy
    pki.util.rmtree(deployer.mdict['pki_server_database_path'])
  File "/usr/lib/python3.6/site-packages/pki/util.py", line 300, in rmtree
    shutil.rmtree(path)
  File "/usr/lib64/python3.6/shutil.py", line 477, in rmtree
    onerror(os.lstat, path, sys.exc_info())
  File "/usr/lib64/python3.6/shutil.py", line 475, in rmtree
    orig_st = os.lstat(path)


Uninstallation failed: [Errno 2] No such file or directory: '/etc/pki/topology-02-TPNS/alias'

Test Case 4 : Positive flow where every option is correct 

# pkidestroy -s TPS -i topology-02-TPS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tps-destroy.20200226014804.log
Loading deployment configuration from /var/lib/pki/topology-02-TPS/tps/registry/tps/deployment.cfg.
Uninstalling TPS from /var/lib/pki/topology-02-TPS.

Uninstallation complete.


LDAP tree for DN: o=topology-02-TPS-TPS still exists along with subtree elements. Should we remove this as well?


Needinfo :

1. Can test case 3 be better handled?
2. In test case 4, LDAP tree for DN: o=topology-02-TPS-TPS still exists along with subtree elements. Should we remove this as well?

Comment 13 Dinesh Prasanth 2020-02-26 20:47:27 UTC
(In reply to Geetika Kapoor from comment #12)
> Needinfo :
> 
> 1. Can test Case 3 be better handled

This should be addressed by PR: https://github.com/dogtagpki/pki/pull/333

> 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> along with subtree elements . Should we remove this as well?

<edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we probably need a --remove-database if we want to do that.
<edewata> dmoluguw: the instance being removed might be a clone, so we don't want to remove the db by default

Comment 14 Geetika Kapoor 2020-02-27 04:49:42 UTC
(In reply to Dinesh Prasanth from comment #13)
> (In reply to Geetika Kapoor from comment #12)
> > Needinfo :
> > 
> > 1. Can test Case 3 be better handled
> 
> This should be addressed by PR: https://github.com/dogtagpki/pki/pull/333
--> Thanks Dinesh
> 
> > 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> > along with subtree elements . Should we remove this as well?
> 
> <edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we
> probably need a --remove-database if we want to do that.
> <edewata> dmoluguw: the instance being removed might be a clone, so we don't
> want to remove the db by default

--> This is not a clone. This is the master instance.

Comment 15 Dinesh Prasanth 2020-02-27 18:33:27 UTC
(In reply to Geetika Kapoor from comment #14)
> > 
> > > 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> > > along with subtree elements . Should we remove this as well?
> > 
> > <edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we
> > probably need a --remove-database if we want to do that.
> > <edewata> dmoluguw: the instance being removed might be a clone, so we don't
> > want to remove the db by default
> 
> --> This is not a clone.This is master instance.

Right. The current behavior of pkidestroy doesn't remove the DB entries. IIRC,
we use `pki_ds_remove_data=True` during pkispawn to remove any previous entries.

So, Endi's suggestion is that, we need a new option (--remove-database) in pkidestroy
to purge the database entries. IMO, this should be a new bug (or RFE?)

Comment 16 Geetika Kapoor 2020-03-02 04:57:37 UTC
should we use same bug for  PR: https://github.com/dogtagpki/pki/pull/333 testing and new bug for removal of ldap data?

Comment 17 Dinesh Prasanth 2020-03-04 07:13:26 UTC
(In reply to Geetika Kapoor from comment #16)
> should we use same bug for  PR: https://github.com/dogtagpki/pki/pull/333
> testing and new bug for removal of ldap data?

PR#333 is available in master (v10.9) branch... I have not backported this to v10.8 branch yet. Backporting will require blocker/exception flag justifications. See [1] for more details.

IMO, both these should be tested via new bugs. This bug can be closed as VERIFIED if running `pkidestroy --force` does not remove the default `pki-tomcat` instance when `-i <instance>` is used.

[1] https://github.com/dogtagpki/pki/pull/333#issuecomment-591656273

Comment 18 Gaurav Swami 2020-03-06 08:17:16 UTC
Tested Version:

-----------------------------------------------
# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.3
Release     : 1.module+el8.2.0+5925+bad5981a
Architecture: noarch
Install Date: Fri 06 Mar 2020 01:05:13 AM EST
Group       : Unspecified
Size        : 2641321
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wed 04 Mar 2020 10:04:58 AM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.3-1.module+el8.2.0+5925+bad5981a.src.rpm
Build Date  : Tue 03 Mar 2020 11:17:35 PM EST
Build Host  : arm64-033.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI CA Package
-----------------------------------------------


Case 1:  With correct subsystem name.

# pkidestroy --force -i topology-03-OCSP
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: OCSP

Begin uninstallation (Yes/No/Quit)? Yes

Uninstallation log: /var/log/pki/pki-ocsp-destroy.20200306022801.log
Loading deployment configuration from /var/lib/pki/topology-03-OCSP/ocsp/registry/ocsp/deployment.cfg.
Uninstalling OCSP from /var/lib/pki/topology-03-OCSP.

Uninstallation complete.


As observed in the POC, it could be seen that the fix is working as expected.
Hence, marking this Bugzilla as verified.
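
The acceptance criterion stated in comment 17 (a forced destroy with `-i <instance>` must not remove the default `pki-tomcat` instance) can be checked mechanically rather than by eye. The following is an added example, not part of pki: it snapshots the directory roots `pkidestroy` touches before and after a run and diffs them, flagging any removed path that is not under a directory named after the requested instance. On a real host you would take the snapshots of `/etc/pki`, `/var/lib/pki`, `/var/log/pki` and `/etc/sysconfig/pki/tomcat` around the real `pkidestroy` call; here the roots, the instance trees and the "destroy" itself are constructed under a temporary directory so that both a correct run and a wrongly-targeted run (the old behaviour) can be shown. The file layout, `ROOTS` and the `demo` helper are assumptions.

```python
"""Scope check for 'pkidestroy --force -i <instance>': nothing outside the
requested instance may disappear, and pki-tomcat in particular must survive.

Added example, not part of pki. Snapshots are sets of paths relative to a base
directory so the same functions work on '/' for a real host and on a temp dir
for the constructed demonstration below.
"""
import shutil
import tempfile
from pathlib import Path

# Roots pkidestroy touches (from the WARNING lines in this bug), relative to base.
ROOTS = ("etc/pki", "var/lib/pki", "var/log/pki", "etc/sysconfig/pki/tomcat")


def snapshot(base, roots=ROOTS):
    """All files and directories below the roots, as paths relative to base."""
    found = set()
    for root in roots:
        top = Path(base) / root
        if top.exists():
            found.update(str(p.relative_to(base)) for p in top.rglob("*"))
    return found


def out_of_scope(before, after, requested):
    """Removed paths that are not under a directory named after the requested
    instance. A non-empty result means another instance was touched."""
    removed = before - after
    return sorted(p for p in removed
                  if f"/{requested}/" not in p and not p.endswith(f"/{requested}"))


def make_instance(base, instance, subsystem):
    """Constructed instance layout mirroring the paths printed in the bug's logs."""
    sub = subsystem.lower()
    for rel in (f"etc/pki/{instance}/Catalina/localhost/{sub}.xml",
                f"etc/pki/{instance}/{sub}/CS.cfg",
                f"var/lib/pki/{instance}/{sub}/registry/{sub}/deployment.cfg",
                f"var/log/pki/{instance}/{sub}/signedAudit/audit.log",
                f"etc/sysconfig/pki/tomcat/{instance}/{sub}/keep"):
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed\n")


def simulate_destroy(base, instance):
    """Stand-in for 'pkidestroy --force --remove-logs': drop the instance's trees."""
    for root in ROOTS:
        shutil.rmtree(Path(base) / root / instance, ignore_errors=True)


def demo(correct_target):
    """Run the check around a simulated destroy of topology-02-TPS while
    pki-tomcat is also installed. correct_target=False reproduces the old
    misbehaviour (acting on pki-tomcat) so the check's output can be seen."""
    with tempfile.TemporaryDirectory() as base:
        make_instance(base, "pki-tomcat", "CA")
        make_instance(base, "topology-02-TPS", "TPS")
        before = snapshot(base)
        simulate_destroy(base, "topology-02-TPS" if correct_target else "pki-tomcat")
        after = snapshot(base)
        return {
            "removed": len(before - after),
            "out_of_scope": out_of_scope(before, after, "topology-02-TPS"),
            "pki_tomcat_intact": any(p.startswith("etc/pki/pki-tomcat") for p in after),
        }


if __name__ == "__main__":
    for ok in (True, False):
        print("correct target:" if ok else "wrong target:  ", demo(ok))
```

With the correct target the check reports no out-of-scope removals and `pki-tomcat` intact; with the wrong target it lists every `pki-tomcat` path that vanished, which is exactly the evidence a verification comment should carry.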

Comment 20 Dinesh Prasanth 2020-04-27 22:28:47 UTC
````

.The `pkidestroy` utility now picks the correct instance

Previously, the `pkidestroy --force` command executed on a half-removed instance picked up `pki-tomcat` instance by default, regardless of the instance name specified with the `-i __instance__` option.

As a consequence, this removed the `pki-tomcat` instance instead of the intended instance, and the `--remove-logs` option did not remove the intended instance's logs. `pkidestroy` now applies the right instance name, removing only the intended instance's leftovers.

````

Minor corrections made to the doc text.

Comment 24 errata-xmlrpc 2020-04-28 15:45:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644

