#8080 ipa-server-install --uninstall leaves files
Opened 4 months ago by cheimes. Modified 3 months ago

Issue

ipa-server-install leaves a lot of files around

Steps to Reproduce

  1. find /etc/ /run/ /var/ /root/ -mount | sort > /root/before
  2. ipa-server-install -p Secret123 -a Secret123 -r IPA.EXAMPLE -n ipa.example -U --auto-reverse --auto-forwarders --no-dnssec-validation --setup-dns --setup-kra
  3. ipa-dns-install --dnssec-master --no-dnssec-validation -U --auto-forwarders
  4. ipa-server-install --uninstall -U
  5. find /etc/ /run/ /var/ /root/ -mount | sort > /root/after
  6. diff files

Actual behavior

The uninstall does not clean up all files

Expected behavior

I expect uninstall to be clean and pristine.

Version/Release/Distribution

freeipa-server-4.8.1-1.fc30.x86_64
freeipa-client-4.8.1-1.fc30.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.1.6-1.fc30.x86_64
pki-ca-10.7.3-3.fc30.noarch
krb5-server-1.17-14.fc30.x86_64

file list

Single server with DNS, DNSSEC, and KRA, no AD integration.

+/etc/dirsrv/ssca/18a51399.0
+/etc/dirsrv/ssca/ca.crt
+/etc/httpd/alias
+/etc/httpd/conf.d/nss.conf
+/etc/ipa/dnssec/softhsm_pin_so
+/etc/krb5.conf.d/freeipa
+/etc/krb5.keytab
+/etc/named.keytab
+/etc/rndc.key
+/etc/sssd/sssd.conf.deleted
+/etc/sysconfig/krb5kdc.orig
-/etc/systemd/system/dirsrv.target.wants
+/etc/systemd/system/dirsrv@IPA-EXAMPLE.service.d
+/etc/systemd/system/dirsrv@IPA-EXAMPLE.service.d/ipa-env.conf
-/etc/systemd/system/multi-user.target.wants/sssd.service
+/root/ca-agent.p12
+/root/cacert.p12
+/root/.cache
+/root/.cache/ipa
+/root/.cache/ipa/schema
+/root/.cache/ipa/schema/1
+/root/.cache/ipa/schema/1/2fa5fa44
+/root/.cache/ipa/servers
+/root/.cache/ipa/servers/host-10-0-137-212.ipa.example
+/root/.dogtag
+/root/kracert.p12
-/run/certmonger.pid
+/run/httpd/ipa-custodia.sock
+/run/ipa/ccaches/host~host-10-0-137-212.ipa.example@IPA.EXAMPLE
+/run/opendnssec/engine.sock
+/run/slapd-IPA-EXAMPLE.socket
-/run/sssd.pid
+/var/lib/gssproxy/rcache/HTTP_0
+/var/lib/ipa/dnssec
+/var/lib/ipa/ipa-kasp.db.backup
+/var/lib/sss/db/timestamps_ipa.example.ldb
+/var/lib/sss/pipes/pac
+/var/lib/sss/pipes/pam
-/var/lib/sss/pipes/private/sbus-dp_implicit_files
+/var/lib/sss/pipes/private/pam
-/var/lib/sss/pipes/private/sbus-dp_implicit_files.8426
-/var/lib/sss/pipes/private/sbus-monitor
+/var/lib/sss/pipes/ssh
+/var/lib/sss/pipes/sudo
+/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example
+/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
+/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+/var/log/httpd/access_log
+/var/log/httpd/error_log
+/var/log/httpd/ssl_request_log
+/var/log/ipa
+/var/log/ipaclient-install.log
+/var/log/ipa-custodia.audit.log
+/var/log/ipa/ipactl.log
+/var/log/ipa/renew.log
+/var/log/ipa/restart.log
+/var/log/kadmind.log
+/var/log/krb5kdc.log
+/var/log/pki/pki-ca-destroy.20190927054213.log
+/var/log/pki/pki-ca-spawn.20190927052754.log
+/var/log/pki/pki-kra-destroy.20190927054038.log
+/var/log/pki/pki-kra-spawn.20190927053133.log
+/var/log/pki/pki-tomcat
+/var/log/pki/pki-tomcat/ca
+/var/log/pki/pki-tomcat/ca/archive
+/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20190927052754
+/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20190927052754
+/var/log/pki/pki-tomcat/ca/debug.2019-09-27.log
+/var/log/pki/pki-tomcat/ca/selftests.log
+/var/log/pki/pki-tomcat/ca/signedAudit
+/var/log/pki/pki-tomcat/ca/signedAudit/ca_audit
+/var/log/pki/pki-tomcat/ca/system
+/var/log/pki/pki-tomcat/catalina.2019-09-27.log
+/var/log/pki/pki-tomcat/ca/transactions
+/var/log/pki/pki-tomcat/host-manager.2019-09-27.log
+/var/log/pki/pki-tomcat/kra
+/var/log/pki/pki-tomcat/kra/archive
+/var/log/pki/pki-tomcat/kra/archive/spawn_deployment.cfg.20190927053133
+/var/log/pki/pki-tomcat/kra/archive/spawn_manifest.20190927053133
+/var/log/pki/pki-tomcat/kra/debug.2019-09-27.log
+/var/log/pki/pki-tomcat/kra/selftests.log
+/var/log/pki/pki-tomcat/kra/signedAudit
+/var/log/pki/pki-tomcat/kra/signedAudit/kra_cert-kra_audit
+/var/log/pki/pki-tomcat/kra/system
+/var/log/pki/pki-tomcat/kra/transactions
+/var/log/pki/pki-tomcat/localhost.2019-09-27.log
+/var/log/pki/pki-tomcat/localhost_access_log.2019-09-27.txt
+/var/log/pki/pki-tomcat/manager.2019-09-27.log
+/var/log/pki/pki-tomcat/pki
+/var/log/pki/pki-tomcat/pki/debug.2019-09-27.log
+/var/log/sssd/krb5_child.log
+/var/log/sssd/ldap_child.log
+/var/log/sssd/sssd_ifp.log
+/var/log/sssd/sssd_ipa.example.log
+/var/log/sssd/sssd_pac.log
+/var/log/sssd/sssd_pam.log
+/var/log/sssd/sssd_ssh.log
+/var/log/sssd/sssd_sudo.log
+/var/named/data/named.run
+/var/named/_default.tsigkeys
+/var/named/dynamic/managed-keys.bind
+/var/named/dynamic/managed-keys.bind.jnl
+/var/tmp/kadmin_0
+/var/tmp/ldap_389

Please consider not cleaning logs from the above list.

+/etc/httpd/alias
+/etc/httpd/conf.d/nss.conf

These are quite curious since IPA doesn't use mod_nss anymore.

AD trust leaves additional files behind, e.g. Samba keytab.

# ktutil 
ktutil:  rkt /etc/samba/samba.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/host-10-0-137-224.ipa.example@IPA.EXAMPLE
   2    2 host/host-10-0-137-224.ipa.example@IPA.EXAMPLE
   3    2 host/host-10-0-137-224.ipa.example@IPA.EXAMPLE

It may be a pain to get right but perhaps once this is resolved a test can be written to do a similar find before and after execution to verify that new things don't end up being left behind.
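
The before/after comparison from the reproduction steps, written as the kind of check the comment above proposes. This is an added example, not part of the ticket or of FreeIPA's test suite; the function names, the sensitive-name pattern and the sample snapshots are assumptions constructed for illustration.

```sh
#!/bin/sh
# Triage what an uninstall left behind, given the two `find ... | sort`
# snapshots from the reproduction steps (one path per line).

# Paths present in AFTER but not in BEFORE.
leftovers() {    # usage: leftovers BEFORE AFTER
    grep -Fxv -f "$1" "$2" || true
}

# Leftovers outside /var/log (a comment on the ticket asks to keep logs).
non_log_leftovers() {
    leftovers "$1" "$2" | grep -v '^/var/log/' || true
}

# Leftovers whose names suggest key or credential material. The pattern is
# an assumption derived from names in the ticket's file list; extend as needed.
sensitive_leftovers() {
    leftovers "$1" "$2" |
        grep -E '\.(keytab|p12|key)$|softhsm_pin|/ccaches/' || true
}

# Exit status for a test: 0 only if nothing sensitive remains.
uninstall_is_clean() {
    [ -z "$(sensitive_leftovers "$1" "$2")" ]
}

# Constructed sample snapshots; the leftover paths appear in the ticket's
# list, the "before" entries are made up.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before" <<'EOF'
/etc/hosts
/etc/sssd/sssd.conf
EOF
cat > "$sample_dir/after" <<'EOF'
/etc/hosts
/etc/krb5.keytab
/etc/rndc.key
/etc/sssd/sssd.conf
/root/cacert.p12
/var/lib/ipa/ipa-kasp.db.backup
/var/log/ipa/ipactl.log
EOF

echo "Sensitive leftovers:"
sensitive_leftovers "$sample_dir/before" "$sample_dir/after"
```

On a real host, pass `/root/before` and `/root/after` from the reproduction steps instead of the sample files.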
