URL: https://github.com/freeipa/freeipa/pull/1410
Author: tiran
 Title: #1410: Custodia uninstall: Don't fail when LDAP is down
Action: opened

PR body:
"""
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.

https://pagure.io/freeipa/issue/7318

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1410/head:pr1410
git checkout pr1410
From 1d1587851062591bc6d25b89f3de134b12bd7900 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 18 Dec 2017 13:52:10 +0100
Subject: [PATCH] Custodia uninstall: Don't fail when LDAP is down

The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.

https://pagure.io/freeipa/issue/7318

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/cainstance.py       |  9 ++++++++-
 ipaserver/install/custodiainstance.py | 10 +++++++++-
 ipaserver/secrets/kem.py              | 15 ++++++++++-----
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3176742e00..14c6ed6ebe 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1304,7 +1304,14 @@ def __remove_lightweight_ca_key_retrieval_custodia(self):
         keyfile = os.path.join(paths.PKI_TOMCAT,
                                self.service_prefix + '.keys')
         keystore = IPAKEMKeys({'server_keys': keyfile})
-        keystore.remove_keys(self.service_prefix)
+        keystore.remove_server_keys_file()
+        try:
+            keystore.remove_keys(self.service_prefix)
+        except ldap.CONNECT_ERROR:
+            logger.debug(
+                "Cannot remove custodia keys now, server_del takes care of "
+                "them later."
+            )
 
     def add_lightweight_ca_tracking_requests(self):
         try:
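Review bot: The new `except ldap.CONNECT_ERROR` clause depends on `ldap` being imported in cainstance.py, yet this patch adds `import ldap` only to custodiainstance.py; if cainstance.py does not already import it (not visible here), the clause raises NameError exactly when remove_keys fails, so the uninstall still aborts on a stopped directory server. Worth confirming that import, and also that a stopped server surfaces as `ldap.CONNECT_ERROR` rather than `ldap.SERVER_DOWN` on the connection path KEMLdap uses; catching both, `except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):`, would match the commit's stated intent. The same narrow clause is in the custodiainstance.py uninstall hunk. Since the swallowed error leaves the service's public keys in LDAP until server_del runs, logging at info rather than debug would make that pending state visible in the uninstall log. The enclosing method starts outside the hunk.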
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 46998164ad..25f122bbd7 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -16,6 +16,7 @@
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
+import ldap
 import shutil
 import os
 import stat
@@ -70,7 +71,14 @@ def uninstall(self):
             'server_keys': self.server_keys,
             'ldap_uri': self.ldap_uri
         })
-        keystore.remove_server_keys()
+        keystore.remove_server_keys_file()
+        try:
+            keystore.remove_server_keys()
+        except ldap.CONNECT_ERROR:
+            logger.debug(
+                "Cannot remove custodia keys now, server_del takes care of "
+                "them later."
+            )
         installutils.remove_file(self.config_file)
         sysupgrade.set_upgrade_state('custodia', 'installed', False)
 
diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 266d975d54..22d6afcef3 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -235,6 +235,15 @@ def generate_keys(self, servicename):
         ldapconn.set_key(KEY_USAGE_SIG, principal, pubkeys[0])
         ldapconn.set_key(KEY_USAGE_ENC, principal, pubkeys[1])
 
+    def remove_server_keys_file(self):
+        """Remove keys from disk
+        """
+        try:
+            os.unlink(self.config['server_keys'])
+        except OSError as e:
+            if e.errno != errno.ENOENT:
+                raise
+
     def remove_server_keys(self):
         """Remove keys from LDAP and disk
         """
@@ -243,15 +252,11 @@ def remove_server_keys(self):
     def remove_keys(self, servicename):
         """Remove keys from LDAP and disk
         """
+        self.remove_server_keys_file()
         principal = '%s/%s@%s' % (servicename, self.host, self.realm)
         ldapconn = KEMLdap(self.ldap_uri)
         ldapconn.del_key(KEY_USAGE_SIG, principal)
         ldapconn.del_key(KEY_USAGE_ENC, principal)
-        try:
-            os.unlink(self.config['server_keys'])
-        except OSError as e:
-            if e.errno != errno.ENOENT:
-                raise
 
     @property
     def server_keys(self):
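Review bot: `remove_keys` now unlinks the key file before constructing `KEMLdap`, so the explicit `keystore.remove_server_keys_file()` calls this patch adds in cainstance.py and custodiainstance.py perform the same unlink twice — harmless because ENOENT is ignored, but redundant, and it obscures which layer owns the file removal. Either drop the callers' extra call or keep the unlink only at the callers; one place is enough. The body of `remove_server_keys` lies between the two kem.py hunks and is not visible, so whether it routes through `remove_keys` is inferred. The docstring could also state the new order, e.g. `"""Remove the service key file from disk, then its public keys from LDAP."""`.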