Observed failure with another use case. Suppose we have an instance pki-kra installed with KRA subsystem. (Installation failed: PKI subsystem 'KRA' for instance 'pki-kra' already exists!) During uninstall we specify -s as CA so:

Use Case 1: with --force and --remove-logs

# pkidestroy -s CA -i pki-kra --force --remove-logs
Log file: /var/log/pki/pki-ca-destroy.20190418103138.log
Uninstalling CA from /var/lib/pki/pki-kra.
pkidestroy    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' does NOT exist!
initialization: ERROR    PKI subsystem 'CA' for instance 'pki-tomcat' does NOT exist!
pkidestroy    : WARNING  ....... File '/etc/pki/pki-tomcat/Catalina/localhost/ca.xml' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca/emails' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca/profiles' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca/signedAudit' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca/archive' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/sysconfig/pki/tomcat/pki-tomcat/ca' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/alias' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... File '/etc/pki/pki-tomcat/password.conf' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Symlink '/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd' is either missing or is NOT a symbolic link!
pkidestroy    : WARNING  ....... Directory '/var/lib/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/var/log/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat/alias' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... Directory '/etc/pki/pki-tomcat' is either missing or is NOT a directory!
pkidestroy    : WARNING  ....... File '/etc/sysconfig/pki-tomcat' is either missing or is NOT a regular file!
pkidestroy    : WARNING  ....... Directory '/etc/sysconfig/pki/tomcat/pki-tomcat' is either missing or is NOT a directory!
Uninstallation complete.

Use Case 2: without --force and --remove-logs

# pkidestroy -s CA -i pki-kra
ERROR: PKI subsystem 'CA' for instance '/var/lib/pki/pki-kra' does NOT exist!

This behavior doesn't look right.
Adding this comment for (my) reference: Though the patch [1] is for master (10.7 while submitting), once reviewed I might need to forward-port it to the future master (10.8).

The initial patch review was done by Endi and he wanted to discuss with Ade Lee to convert SELinux context removal from a transactional to a non-transactional model. I have personally tried it on my dev machine and there was no difference.

[1] https://github.com/dogtagpki/pki/pull/231
Fixed via PR: https://github.com/dogtagpki/pki/pull/231

Related commit information:

commit a53a22546271e1fc4b6b10e5252ae594e84137b7 (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Sat Aug 3 12:13:49 2019 -0400

    Fix 'pkidestroy --force' to pick up correct instance name (#231)

    - When `pkidestroy --force` was executed with a non-existent non-default
      instance, it should not pick up `pki-tomcat` as the default instance
    - The commit adds an additional check to remove selinux contexts iff the
      context exists. Otherwise, it skips them. This is necessary to
      accommodate the `--force` option to pkidestroy

    Fixes: BZ#1698084

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

GH Commit URL: https://github.com/dogtagpki/pki/commit/a53a22546271e1fc4b6b10e5252ae594e84137b7
Test case 1:
============
pkidestroy -v -s CA -i <nonexistent instance> --force

Test Case 2:
============
pkidestroy -v -s CA -i <nonexistent instance> --force --remove-logs

*NOTE:* Ensure there are some leftover logs in /var/log/pki/<nonexistent instance> to test this.
dogtag-pki-10.7.3-3.fc30, jss-4.6.1-2.fc30, ldapjdk-4.21.0-2.fc30, pki-core-10.7.3-3.fc30, tomcatjss-7.4.1-2.fc30 have been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
dogtag-pki-10.7.3-3.fc29, jss-4.6.1-2.fc29, ldapjdk-4.21.0-2.fc29, pki-core-10.7.3-3.fc29, tomcatjss-7.4.1-2.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
This BZ was probably forgotten. However, this should have made it into the latest build. Setting this to MODIFIED.
Env Info:
=========

# yum module info pki-core
Last metadata expiration check: 1:49:18 ago on Tue 25 Feb 2020 11:31:01 PM EST.
Name             : pki-core
Stream           : 10.6 [e] [a]
Version          : 8020020200219144652
Context          : c7c3114f
Architecture     : x86_64
Profiles         :
Default profiles :
Repo             : RHEL8.2-Appstream
Summary          : PKI Core module for PKI 10.6 or later
Description      : A module for PKI Core packages for PKI version 10.6 or later.
Requires         : pki-deps:[10.6]
                 : platform:[el8]
Artifacts        : jss-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.src
                 : jss-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-debuginfo-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-debugsource-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : jss-javadoc-0:4.6.2-2.module+el8.2.0+4573+c3c38c7b.x86_64
                 : ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.src
                 : ldapjdk-javadoc-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : pki-base-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-base-java-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-ca-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-core-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.src
                 : pki-core-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-core-debugsource-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-kra-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-server-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : pki-symkey-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-symkey-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-tools-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : pki-tools-debuginfo-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.x86_64
                 : python3-pki-0:10.8.2-2.module+el8.2.0+5796+110ac6eb.noarch
                 : tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b.noarch
                 : tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b.src

Test Case 1: Without Force and remove-logs
===========================================

# pkidestroy -s TKS -i topology-02-TPS
ERROR: PKI subsystem 'TKS' for instance '/var/lib/pki/topology-02-TPS' does NOT exist!

Test Case 2: with --force and --remove-logs
===========================================

# pkidestroy -s TKS -i topology-02-TPS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tks-destroy.20200226011342.log
Uninstalling TKS from /var/lib/pki/topology-02-TPS.
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPS' does NOT exist!
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPS' does NOT exist!
WARNING: File '/etc/pki/topology-02-TPS/Catalina/localhost/tks.xml' is either missing or is NOT a regular file!
WARNING: Directory '/var/lib/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks/signedAudit' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks/archive' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/pki/topology-02-TPS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/sysconfig/pki/tomcat/topology-02-TPS/tks' is either missing or is NOT a directory!
Uninstallation complete.

Test Case 3: When Instance doesn't exist
========================================

# pkidestroy -s TKS -i topology-02-TPNS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tks-destroy.20200226014407.log
Uninstalling TKS from /var/lib/pki/topology-02-TPNS.
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPNS' does NOT exist!
ERROR: PKI subsystem 'TKS' for instance 'topology-02-TPNS' does NOT exist!
WARNING: File '/etc/pki/topology-02-TPNS/Catalina/localhost/tks.xml' is either missing or is NOT a regular file!
WARNING: Directory '/var/lib/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks/signedAudit' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks/archive' is either missing or is NOT a directory!
WARNING: Directory '/var/log/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/pki/topology-02-TPNS/tks' is either missing or is NOT a directory!
WARNING: Directory '/etc/sysconfig/pki/tomcat/topology-02-TPNS/tks' is either missing or is NOT a directory!
ERROR: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/topology-02-TPNS/alias'
  File "/usr/lib/python3.6/site-packages/pki/server/pkidestroy.py", line 268, in main
    scriptlet.destroy(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 371, in destroy
    pki.util.rmtree(deployer.mdict['pki_server_database_path'])
  File "/usr/lib/python3.6/site-packages/pki/util.py", line 300, in rmtree
    shutil.rmtree(path)
  File "/usr/lib64/python3.6/shutil.py", line 477, in rmtree
    onerror(os.lstat, path, sys.exc_info())
  File "/usr/lib64/python3.6/shutil.py", line 475, in rmtree
    orig_st = os.lstat(path)
Uninstallation failed: [Errno 2] No such file or directory: '/etc/pki/topology-02-TPNS/alias'

Test Case 4: Positive flow where every option is correct
========================================================

# pkidestroy -s TPS -i topology-02-TPS --force --remove-logs
Uninstallation log: /var/log/pki/pki-tps-destroy.20200226014804.log
Loading deployment configuration from /var/lib/pki/topology-02-TPS/tps/registry/tps/deployment.cfg.
Uninstalling TPS from /var/lib/pki/topology-02-TPS.
Uninstallation complete.

Ldap tree for DN: o=topology-02-TPS-TPS still exists along with subtree elements. Should we remove this as well?

Needinfo:
1. Can test Case 3 be better handled?
2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists along with subtree elements. Should we remove this as well?
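The Test Case 3 traceback above (rmtree() called on an 'alias' directory that no longer exists) and the instance-name fallback that PR #231 fixes, modelled in an added Python example that is not pkidestroy's own code: resolve_instance, instance_paths and force_destroy are constructed for illustration, the path layout copies the locations printed in the logs above, and everything runs under a temporary root.

```python
import os
import shutil
import tempfile

DEFAULT_INSTANCE = "pki-tomcat"   # pkidestroy's default, as named in the bug


def resolve_instance(requested, default=DEFAULT_INSTANCE):
    """An explicit -i name must win even when that instance is half-removed;
    the pre-fix code fell back to the default once the name was not found."""
    return requested if requested else default


def instance_paths(root, instance, subsystem):
    """Leftover locations of one subsystem (paths taken from the log output
    above, rooted under a caller-supplied prefix so the example runs anywhere)."""
    sub = subsystem.lower()
    return [
        os.path.join(root, "etc/pki", instance, "Catalina/localhost", sub + ".xml"),
        os.path.join(root, "var/lib/pki", instance, sub),
        os.path.join(root, "var/log/pki", instance, sub),
        os.path.join(root, "etc/pki", instance, sub),
        os.path.join(root, "etc/pki", instance, "alias"),
    ]


def force_destroy(root, instance, subsystem):
    """Remove the leftovers that exist and report the rest instead of failing.
    Checking lexists() before rmtree() is what turns the Test Case 3 traceback
    (FileNotFoundError on the missing 'alias' directory) into a warning."""
    removed, missing = [], []
    for path in instance_paths(root, instance, subsystem):
        if not os.path.lexists(path):
            missing.append(path)   # pkidestroy prints a WARNING for these
            continue
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path)
        else:
            os.unlink(path)        # regular file or (possibly dangling) symlink
        removed.append(path)
    return removed, missing


def demo():
    """Constructed scenario: only the TKS log tree of a half-removed instance
    is still present; the other four locations are already gone."""
    root = tempfile.mkdtemp()
    inst = resolve_instance("topology-02-TPS")
    os.makedirs(os.path.join(root, "var/log/pki", inst, "tks/signedAudit"))
    removed, missing = force_destroy(root, inst, "TKS")
    shutil.rmtree(root)
    return inst, len(removed), len(missing)
```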
(In reply to Geetika Kapoor from comment #12)
> Needinfo :
>
> 1. Can test Case 3 be better handled

This should be addressed by PR: https://github.com/dogtagpki/pki/pull/333

> 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> along with subtree elements . Should we remove this as well?

<edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we probably need a --remove-database if we want to do that.
<edewata> dmoluguw: the instance being removed might be a clone, so we don't want to remove the db by default
(In reply to Dinesh Prasanth from comment #13)
> (In reply to Geetika Kapoor from comment #12)
> > Needinfo :
> >
> > 1. Can test Case 3 be better handled
>
> This should be addressed by PR: https://github.com/dogtagpki/pki/pull/333

--> Thanks Dinesh

> > 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> > along with subtree elements . Should we remove this as well?
>
> <edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we
> probably need a --remove-database if we want to do that.
> <edewata> dmoluguw: the instance being removed might be a clone, so we don't
> want to remove the db by default

--> This is not a clone. This is the master instance.
(In reply to Geetika Kapoor from comment #14)
> > > 2. In test case 4, Ldap tree for DN: o=topology-02-TPS-TPS still exists
> > > along with subtree elements . Should we remove this as well?
> >
> > <edewata> dmoluguw: for #4, pkidestroy doesn't remove database entries. we
> > probably need a --remove-database if we want to do that.
> > <edewata> dmoluguw: the instance being removed might be a clone, so we don't
> > want to remove the db by default
>
> --> This is not a clone. This is the master instance.

Right. The current behavior of pkidestroy doesn't remove the DB entries. IIRC, we use `pki_ds_remove_data=True` during pkispawn to remove any previous entries. So Endi's suggestion is that we need a new option (--remove-database) in pkidestroy to purge the database entries. IMO, this should be a new bug (or RFE?).
Should we use the same bug for testing PR: https://github.com/dogtagpki/pki/pull/333 and a new bug for removal of LDAP data?
(In reply to Geetika Kapoor from comment #16)
> should we use same bug for PR: https://github.com/dogtagpki/pki/pull/333
> testing and new bug for removal of ldap data?

PR#333 is available in master (v10.9) branch... I have not backported this to v10.8 branch yet. Backporting will require blocker/exception flag justifications. See [1] for more details.

IMO, both these should be tested via new bugs. This bug can be closed as VERIFIED if running `pkidestroy --force` does not remove the default `pki-tomcat` instance when `-i <instance>` is used.

[1] https://github.com/dogtagpki/pki/pull/333#issuecomment-591656273
Tested Version:
-----------------------------------------------
# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.3
Release     : 1.module+el8.2.0+5925+bad5981a
Architecture: noarch
Install Date: Fri 06 Mar 2020 01:05:13 AM EST
Group       : Unspecified
Size        : 2641321
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wed 04 Mar 2020 10:04:58 AM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.3-1.module+el8.2.0+5925+bad5981a.src.rpm
Build Date  : Tue 03 Mar 2020 11:17:35 PM EST
Build Host  : arm64-033.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI CA Package
-----------------------------------------------

Case 1: With correct subsystem name.

# pkidestroy --force -i topology-03-OCSP
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: OCSP
Begin uninstallation (Yes/No/Quit)? Yes
Uninstallation log: /var/log/pki/pki-ocsp-destroy.20200306022801.log
Loading deployment configuration from /var/lib/pki/topology-03-OCSP/ocsp/registry/ocsp/deployment.cfg.
Uninstalling OCSP from /var/lib/pki/topology-03-OCSP.
Uninstallation complete.

As observed in POC, it could be seen that the fix is working as expected. Hence, marking this Bugzilla as verified.
````
.The `pkidestroy` utility now picks the correct instance

Previously, the `pkidestroy --force` command executed on a half-removed instance picked up the `pki-tomcat` instance by default, regardless of the instance name specified with the `-i __instance__` option. As a consequence, this removed the `pki-tomcat` instance instead of the intended instance, and the `--remove-logs` option did not remove the intended instance's logs. `pkidestroy` now applies the right instance name, removing only the intended instance's leftovers.
````

Minor corrections made to the doc text.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1644