DNSSEC: uninstallation

Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Martin Basti 2014-10-16 16:36:58 +02:00 committed by Martin Kosek
parent e798bad646
commit 21aef21fb5
2 changed files with 37 additions and 0 deletions


@ -29,6 +29,7 @@ import socket
from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipaserver.plugins import ldap2
from ipapython import version, ipaldap
from ipalib import api, errors, util
@ -687,11 +688,21 @@ def del_master(realm, hostname, options):
print "Deleting this server is not allowed as it would leave your installation without a CA."
sys.exit(1)
other_dns = True
if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
other_dns = False
print "Deleting this server will leave your installation without a DNS."
if not options.force and not ipautil.user_input("Continue to delete?", False):
sys.exit("Deletion aborted")
# test if replica is not DNSSEC master
# allow to delete it if is last DNS server
if 'DNS' in this_services and other_dns and not options.force:
dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
if hostname in dnssec_masters:
print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
sys.exit("Deletion aborted")
# Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(hostname):
@ -746,6 +757,9 @@ def del_master(realm, hostname, options):
bind.remove_master_dns_records(hostname, realm, realm.lower())
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
bind.remove_server_ns_records(hostname)
keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
keysyncd.remove_replica_public_keys(hostname)
except Exception, e:
print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
print "You may need to manually remove them from the tree"
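Review bot: In the last hunk, `keysyncd.remove_replica_public_keys(hostname)` comes after the three `bind.remove_*` calls and ahead of the same `except Exception, e:`, so an error in any earlier DNS cleanup step skips the key removal and the deleted replica's public keys are left behind. The message printed in that case mentions only "DNS entries", which gives the administrator no hint that DNSSEC key material for a removed host may still be present. I would give the key removal its own try/except with a message such as `print "Failed to remove DNSSEC public keys of %s: %s" % (hostname, e)`. Separately, in the second hunk `not options.force` skips the key-master test without any output; printing the warning even when forced would leave a trace of that decision. The enclosing `try` and the rest of del_master lie outside the hunks and indentation is not preserved on this page, so the exact nesting should be confirmed.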


@ -585,7 +585,16 @@ def uninstall():
if ca_instance.is_configured():
ca_instance.uninstall()
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
if ods.is_configured():
ods.uninstall()
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
if ods_exporter.is_configured():
ods_exporter.uninstall()
bindinstance.BindInstance(fstore).uninstall()
dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall()
@ -743,6 +752,20 @@ def main():
"agreements.\n\n")
print textwrap.fill(msg, width=80, replace_whitespace=False)
else:
# test if server is DNSSEC key master
masters = opendnssecinstance.get_dnssec_key_masters(conn)
if api.env.host in masters:
print "This server is active DNSSEC key master. Uninstall could break your DNS system."
if not (options.unattended or user_input("Are you sure you "
"want to continue "
"with the uninstall "
"procedure?",
False)):
print ""
print "Aborting uninstall operation."
sys.exit(1)
rm = replication.ReplicationManager(
realm=api.env.realm,
hostname=api.env.host,
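Review bot: In the main() hunk, `options.unattended` short-circuits the confirmation, so an unattended uninstall of the active DNSSEC key master goes ahead after only printing the warning, whereas del_master in the other file aborts in the same situation unless `options.force` is set. If that difference is intended, say so next to the check, for example `# NOTE: unattended mode proceeds even when this host is the DNSSEC key master`; otherwise make the unattended path abort in the same way. The check also appears to sit in the `else:` branch that runs only when the directory connection succeeded, so on a failed connection the key-master test is skipped while the warning text visible above speaks only of replication agreements. main() begins and continues outside the hunk.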