DNSSEC: uninstallation

Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Martin Basti 2014-10-16 16:36:58 +02:00 committed by Martin Kosek
parent 877fedf6e4
commit 45353245dd
2 changed files with 38 additions and 0 deletions


@ -29,6 +29,7 @@ import socket
from ipapython import ipautil from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils from ipaserver.install import replication, dsinstance, installutils
from ipaserver.install import bindinstance, cainstance, certs from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipaserver.plugins import ldap2 from ipaserver.plugins import ldap2
from ipapython import version, ipaldap from ipapython import version, ipaldap
from ipalib import api, errors, util from ipalib import api, errors, util
@ -687,11 +688,21 @@ def del_master(realm, hostname, options):
print "Deleting this server is not allowed as it would leave your installation without a CA." print "Deleting this server is not allowed as it would leave your installation without a CA."
sys.exit(1) sys.exit(1)
other_dns = True
if 'DNS' in this_services and not any(['DNS' in o for o in other_services]): if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
other_dns = False
print "Deleting this server will leave your installation without a DNS." print "Deleting this server will leave your installation without a DNS."
if not options.force and not ipautil.user_input("Continue to delete?", False): if not options.force and not ipautil.user_input("Continue to delete?", False):
sys.exit("Deletion aborted") sys.exit("Deletion aborted")
# test if replica is not DNSSEC master
# allow to delete it if is last DNS server
if 'DNS' in this_services and other_dns and not options.force:
dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
if hostname in dnssec_masters:
print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
sys.exit("Deletion aborted")
# Pick CA renewal master # Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(hostname): if ca.is_renewal_master(hostname):
@ -746,6 +757,9 @@ def del_master(realm, hostname, options):
bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_master_dns_records(hostname, realm, realm.lower())
bind.remove_ipa_ca_dns_records(hostname, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower())
bind.remove_server_ns_records(hostname) bind.remove_server_ns_records(hostname)
keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
keysyncd.remove_replica_public_keys(hostname)
except Exception, e: except Exception, e:
print "Failed to cleanup %s DNS entries: %s" % (hostname, e) print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
print "You may need to manually remove them from the tree" print "You may need to manually remove them from the tree"
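Review bot: The DNSSEC key-master check added at L39 is bypassed entirely by `--force`, so a forced `del_master` of the active key master prints nothing at all, whereas the server-uninstall path in this same commit still prints its warning under `--unattended` before continuing. Drop `and not options.force` from the condition and move the flag onto the exit — keep `print "Replica is active DNSSEC key master. Uninstall could break your DNS system."` and follow it with `if not options.force:` / `sys.exit("Deletion aborted")` — so the operator is told what they are removing even when the abort is overridden. The message would also help more if it said what to do, i.e. move the key-master role to another DNS server before deleting this one (the procedure is not visible here, so I am not naming an option). Separately, the new `remove_replica_public_keys(hostname)` call shares the generic `Failed to cleanup %s DNS entries` handler; if, as the helper name suggests, this removes the per-replica public key that DNSSEC key material is wrapped to, a failure there leaves key material addressed to a host that is being decommissioned and deserves its own message telling the admin to remove that entry manually. `del_master` starts and ends outside this section.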


@ -576,7 +576,17 @@ def uninstall():
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
if ca_instance.is_configured(): if ca_instance.is_configured():
ca_instance.uninstall() ca_instance.uninstall()
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
if ods.is_configured():
ods.uninstall()
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
if ods_exporter.is_configured():
ods_exporter.uninstall()
bindinstance.BindInstance(fstore).uninstall() bindinstance.BindInstance(fstore).uninstall()
dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall()
@ -734,6 +744,20 @@ def main():
"agreements.\n\n") "agreements.\n\n")
print textwrap.fill(msg, width=80, replace_whitespace=False) print textwrap.fill(msg, width=80, replace_whitespace=False)
else: else:
# test if server is DNSSEC key master
masters = opendnssecinstance.get_dnssec_key_masters(conn)
if api.env.host in masters:
print "This server is active DNSSEC key master. Uninstall could break your DNS system."
if not (options.unattended or user_input("Are you sure you "
"want to continue "
"with the uninstall "
"procedure?",
False)):
print ""
print "Aborting uninstall operation."
sys.exit(1)
rm = replication.ReplicationManager( rm = replication.ReplicationManager(
realm=api.env.realm, realm=api.env.realm,
hostname=api.env.host, hostname=api.env.host,
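Review bot: In the new key-master check in `main()` (L78–L89), `--unattended` reduces the abort to a single stdout line and the uninstall continues, which for the active DNSSEC key master presumably means the zone keys stop being maintained anywhere once this host is gone; that consequence is serious enough that the warning should also go to the uninstall log (the logging facility this script uses is not visible in the hunk) and name the remedy, e.g. `print "Move the DNSSEC key master role to another DNS server before uninstalling this one."`. In `uninstall()` (L63–L68) the OpenDNSSEC and exporter instances are torn down, but nothing visible says whether `ods.uninstall()` also destroys the local private-key store; since leftover DNSSEC private keys on a decommissioned host are the main post-uninstall risk, add a comment above L63 stating what `OpenDNSSECInstance.uninstall()` removes, or `# TODO(review): confirm the DNSSEC private key store is wiped here` if that is not yet established. Both `uninstall()` and `main()` start and end outside this section.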