From 45353245dd65ad5228f9c6ef133aa0e3cbe3ba5e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Oct 21 2014 10:18:55 +0000 Subject: DNSSEC: uninstallation Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta Reviewed-By: David Kupka --- diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e44131e..4f92c0c 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -29,6 +29,7 @@ import socket from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils from ipaserver.install import bindinstance, cainstance, certs +from ipaserver.install import opendnssecinstance, dnskeysyncinstance from ipaserver.plugins import ldap2 from ipapython import version, ipaldap from ipalib import api, errors, util @@ -687,11 +688,21 @@ def del_master(realm, hostname, options): print "Deleting this server is not allowed as it would leave your installation without a CA." sys.exit(1) + other_dns = True if 'DNS' in this_services and not any(['DNS' in o for o in other_services]): + other_dns = False print "Deleting this server will leave your installation without a DNS." if not options.force and not ipautil.user_input("Continue to delete?", False): sys.exit("Deletion aborted") + # test if replica is not DNSSEC master + # allow to delete it if is last DNS server + if 'DNS' in this_services and other_dns and not options.force: + dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn) + if hostname in dnssec_masters: + print "Replica is active DNSSEC key master. Uninstall could break your DNS system." + sys.exit("Deletion aborted") + # Pick CA renewal master ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) if ca.is_renewal_master(hostname): 
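Review bot: The DNSSEC key-master guard added to del_master (the `if 'DNS' in this_services and other_dns and not options.force:` block) is skipped entirely under --force, so a forced deletion of the active key master proceeds without even printing the warning that it could break DNS. Keep the lookup unconditional and let --force only downgrade the abort: change the condition to `if 'DNS' in this_services and other_dns:` and replace the exit with `if not options.force: sys.exit("Deletion aborted")` after the print. `opendnssecinstance.get_dnssec_key_masters(delrepl.conn)` is presumably an LDAP query; if it can raise, that error escapes del_master here instead of being reported as a DNS problem, which is worth confirming. The rest of del_master lies outside this hunk.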
@@ -746,6 +757,9 @@ def del_master(realm, hostname, options): bind.remove_master_dns_records(hostname, realm, realm.lower()) bind.remove_ipa_ca_dns_records(hostname, realm.lower()) bind.remove_server_ns_records(hostname) + + keysyncd = dnskeysyncinstance.DNSKeySyncInstance() + keysyncd.remove_replica_public_keys(hostname) except Exception, e: print "Failed to cleanup %s DNS entries: %s" % (hostname, e) print "You may need to manually remove them from the tree" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 405104b..0394314 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -576,7 +576,17 @@ def uninstall(): api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) if ca_instance.is_configured(): ca_instance.uninstall() + + ods = opendnssecinstance.OpenDNSSECInstance(fstore) + if ods.is_configured(): + ods.uninstall() + + ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) + if ods_exporter.is_configured(): + ods_exporter.uninstall() + bindinstance.BindInstance(fstore).uninstall() + dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() @@ -734,6 +744,20 @@ def main(): "agreements.\n\n") print textwrap.fill(msg, width=80, replace_whitespace=False) else: + + # test if server is DNSSEC key master + masters = opendnssecinstance.get_dnssec_key_masters(conn) + if api.env.host in masters: + print "This server is active DNSSEC key master. Uninstall could break your DNS system." + if not (options.unattended or user_input("Are you sure you " + "want to continue " + "with the uninstall " + "procedure?", + False)): + print "" + print "Aborting uninstall operation." + sys.exit(1) + rm = replication.ReplicationManager( realm=api.env.realm, hostname=api.env.host,
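Review bot: `dnskeysyncinstance.DNSKeySyncInstance()` is constructed here without the `fstore` that ipa-server-install passes to the same class in this commit; if the constructor requires it (its signature is not visible), the call raises inside the surrounding try and the failure surfaces only as "Failed to cleanup %s DNS entries", which also hides a failed `remove_replica_public_keys` behind a DNS-records message. Consider giving the key removal its own except clause with a message naming it, e.g. `print "Failed to remove DNSSEC public keys of %s: %s" % (hostname, e)`, so an operator knows the deleted replica's keys may still be present in LDAP. The enclosing try block and del_master continue outside this hunk.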
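Review bot: `dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()` runs unconditionally while the two new OpenDNSSEC instances just above it are guarded by `is_configured()`; if `DNSKeySyncInstance.uninstall` is not safe on a host where the service was never set up, this would fail or touch state on every DNS-less uninstall. Either guard it the same way, `keysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)` / `if keysyncd.is_configured(): keysyncd.uninstall()`, or add a comment stating that its uninstall is idempotent like the bind/http/krb calls it sits among. The new order also stops ods and ods-exporter before named but dnskeysyncd after it; a one-line comment on whether that order is required would help the next reader. The rest of uninstall() lies outside this hunk.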
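Review bot: The key-master check in main() duplicates the one added to ipa-replica-manage's del_master in this commit (same `get_dnssec_key_masters` lookup, same membership test, near-identical message), so the two will drift; a small helper in opendnssecinstance, e.g. `is_dnssec_key_master(conn, hostname)`, used from both places would keep them aligned. `get_dnssec_key_masters(conn)` is also called outside any error handling and before the confirmation prompt; if the LDAP lookup can fail on a partially broken server, which is a common reason to run uninstall, that failure aborts the uninstall before it starts, so it is worth confirming and, if so, guarding with an except that skips the prompt with a printed warning. Where `conn` is defined is not visible, since main() begins outside this hunk.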