URL: https://github.com/freeipa/freeipa/pull/1414 Author: tiran Title: #1414: [Backport][ipa-4-6] Custodia uninstall: Don't fail when LDAP is down Action: opened
PR body: """ This PR was opened automatically because PR #1410 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1414/head:pr1414 git checkout pr1414
From f54357604342d73d7c2db0201106d3617832014f Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Mon, 18 Dec 2017 13:52:10 +0100 Subject: [PATCH] Custodia uninstall: Don't fail when LDAP is down The Custodia instance is removed when LDAP is already shut down. Don't fail and only remove the key files from disk. The server_del command takes care of all Custodia keys in LDAP. https://pagure.io/freeipa/issue/7318 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/cainstance.py | 11 ++++++++++- ipaserver/install/custodiainstance.py | 12 +++++++++++- ipaserver/secrets/kem.py | 20 +++++++++++++++----- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3176742e00..68cc77b9ff 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1304,7 +1304,16 @@ def __remove_lightweight_ca_key_retrieval_custodia(self): keyfile = os.path.join(paths.PKI_TOMCAT, self.service_prefix + '.keys') keystore = IPAKEMKeys({'server_keys': keyfile}) - keystore.remove_keys(self.service_prefix) + # Call remove_server_keys_file explicitly to ensure that the key + # file is always removed. + keystore.remove_server_keys_file() + try: + keystore.remove_keys(self.service_prefix) + except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN): + logger.debug( + "Cannot remove custodia keys now, server_del takes care of " + "them later." + ) def add_lightweight_ca_tracking_requests(self): try: diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 46998164ad..748f84763a 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -16,6 +16,7 @@ from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode +import ldap import shutil import os import stat 
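Review bot: The explicit `keystore.remove_server_keys_file()` added before `keystore.remove_keys(self.service_prefix)` in `__remove_lightweight_ca_key_retrieval_custodia` duplicates work done by the kem.py change in this same patch, where `remove_keys` now starts with `self.remove_server_keys_file()` and that helper tolerates a missing file; the custodiainstance.py `uninstall` hunk has the same duplication. The extra call is harmless, but the comment `# Call remove_server_keys_file explicitly to ensure that the key file is always removed.` reads as if `remove_keys` might skip it; either drop the call or reword the comment to say why the redundancy is wanted, e.g. `# Unlink the on-disk key file first; remove_keys() does this too, but keep it explicit so the file is gone even if the LDAP step below is skipped or fails.` Catching only `ldap.CONNECT_ERROR` and `ldap.SERVER_DOWN` is a sensible narrow choice, but logging the deferred LDAP cleanup at `logger.debug` is easy to miss during an uninstall, so `logger.info` may be more appropriate since the record in LDAP is left behind until `server_del` runs. No import of `ldap` is added to cainstance.py while the custodiainstance.py hunk needs one, so I assume `ldap` is already imported in this module; worth confirming since the except clause would otherwise raise `NameError` exactly when LDAP is down.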
@@ -70,7 +71,16 @@ def uninstall(self): 'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri }) - keystore.remove_server_keys() + # Call remove_server_keys_file explicitly to ensure that the key + # file is always removed. + keystore.remove_server_keys_file() + try: + keystore.remove_server_keys() + except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN): + logger.debug( + "Cannot remove custodia keys now, server_del takes care of " + "them later." + ) installutils.remove_file(self.config_file) sysupgrade.set_upgrade_state('custodia', 'installed', False) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index 266d975d54..5521c4772b 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -235,6 +235,20 @@ def generate_keys(self, servicename): ldapconn.set_key(KEY_USAGE_SIG, principal, pubkeys[0]) ldapconn.set_key(KEY_USAGE_ENC, principal, pubkeys[1]) + def remove_server_keys_file(self): + """Remove keys from disk + + The method does not fail when the file is missing. + """ + try: + os.unlink(self.config['server_keys']) + except OSError as e: + if e.errno != errno.ENOENT: + raise + return False + else: + return True + def remove_server_keys(self): """Remove keys from LDAP and disk """ @@ -243,15 +257,11 @@ def remove_server_keys(self): def remove_keys(self, servicename): """Remove keys from LDAP and disk """ + self.remove_server_keys_file() principal = '%s/%s@%s' % (servicename, self.host, self.realm) ldapconn = KEMLdap(self.ldap_uri) ldapconn.del_key(KEY_USAGE_SIG, principal) ldapconn.del_key(KEY_USAGE_ENC, principal) - try: - os.unlink(self.config['server_keys']) - except OSError as e: - if e.errno != errno.ENOENT: - raise @property def server_keys(self):
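Review bot: `remove_server_keys_file` returns `True`/`False` but the docstring documents only the no-fail-on-missing behavior, and neither caller in this patch (`remove_keys` here, `uninstall` and `__remove_lightweight_ca_key_retrieval_custodia` in the install modules) uses the result, so the return contract should be stated or the values dropped. If kept, add to the docstring `:returns: True if the file was unlinked, False if it did not exist.` so a future caller does not have to read the `errno.ENOENT` branch to learn what `False` means. Any other `OSError` (for example a permission error on the key file) still propagates, which is the right default for a file that presumably holds the private half of the keys, and a one-line note saying so would make the `raise` intentional rather than accidental.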
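Review bot: Moving `self.remove_server_keys_file()` to the top of `remove_keys` changes the failure ordering, so the docstring `"""Remove keys from LDAP and disk"""` should say the disk copy goes first: `The on-disk key file is unlinked before the LDAP entries are deleted, so a failure in KEMLdap or del_key never leaves the file behind.` That ordering is the security-relevant property the patch relies on, because the entries written by `generate_keys` in the hunk above are `pubkeys`, so an aborted LDAP step leaves only public material in the directory while the file is already gone. `remove_server_keys`, whose body sits between the two kem.py hunks, presumably delegates to this method; if so its docstring inherits the same caveat and could reference it.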