def uninstall(self):
    """Unconfigure the service and remove the secrets it left on disk.

    Discards the saved service states, stops and disables the service,
    restores the saved sysconfig file, then removes the SoftHSM PIN file,
    the SoftHSM2 configuration, the DNSSEC token directory and the service
    keytab.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    # Just eat states: the return values are ignored because the service
    # is stopped and disabled below regardless.
    for state_name in ("running", "enabled", "configured"):
        self.restore_state(state_name)

    # stop and disable service (IPA service, we do not need it anymore)
    self.stop()
    self.disable()

    try:
        self.fstore.restore_file(paths.SYSCONFIG_NAMED)
    except ValueError as err:
        logger.debug('%s', err)

    # The SoftHSM user PIN and configuration are removed so that a new
    # installation generates a new token database. The *SO PIN* is left in
    # place on purpose: the user may need it to get at token data.
    installutils.remove_file(paths.DNSSEC_SOFTHSM_PIN)
    installutils.remove_file(paths.DNSSEC_SOFTHSM2_CONF)

    try:
        shutil.rmtree(paths.DNSSEC_TOKENS_DIR)
    except OSError as exc:
        # A directory that is already gone is not an error. Any other
        # failure is only logged and uninstall carries on, so token data
        # may still be on disk afterwards; check the directory when this
        # message shows up in the log.
        if exc.errno != errno.ENOENT:
            logger.exception("Failed to remove %s", paths.DNSSEC_TOKENS_DIR)

    installutils.remove_keytab(self.keytab)
def uninstall(self):
    """Unconfigure the DNS service and put the regular named unit back.

    Restores the saved named.conf and resolv.conf, re-applies the saved
    enabled/running state of this service, unmasks the regular named
    service and restores its state, then removes the service keytab and
    the credential cache of the service user.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    was_running = self.restore_state("running")
    was_enabled = self.restore_state("enabled")
    regular_was_running = self.restore_state("named-regular-running")
    regular_was_enabled = self.restore_state("named-regular-enabled")

    self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())

    for saved_file in (NAMED_CONF, RESOLV_CONF):
        try:
            self.fstore.restore_file(saved_file)
        except ValueError as err:
            root_logger.debug(err)

    # disabled by default, by ldap_enable()
    if was_enabled:
        self.enable()

    if was_running:
        self.restart()

    self.named_regular.unmask()
    if regular_was_enabled:
        self.named_regular.enable()

    if regular_was_running:
        self.named_regular.start()

    # Credentials go last: the keytab file and the ccache belonging to the
    # service user are both removed so no usable Kerberos material is left.
    installutils.remove_keytab(self.keytab)
    installutils.remove_ccache(run_as=self.service_user)
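def uninstall(self):
    """Unconfigure the service and remove the SoftHSM PIN and the keytab.

    Discards the saved service states, stops and disables the service,
    restores the saved sysconfig file, removes the SoftHSM PIN file and
    finally removes the service keytab. Removal of the PIN file stays
    best-effort, but a failure other than "file not found" is now logged
    instead of being dropped silently.
    """
    import errno

    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    # Just eat states
    self.restore_state("running")
    self.restore_state("enabled")
    self.restore_state("configured")

    # stop and disable service (IPA service, we do not need it anymore)
    self.stop()
    self.disable()

    for f in [paths.SYSCONFIG_NAMED]:
        try:
            self.fstore.restore_file(f)
        except ValueError as error:
            self.logger.debug(error)

    # remove softhsm pin, to make sure new installation will generate
    # new token database
    # do not delete *so pin*, user can need it to get token data
    try:
        os.remove(paths.DNSSEC_SOFTHSM_PIN)
    except Exception as e:
        # Still never fatal for uninstall. A missing file needs no report;
        # anything else means the PIN may still be readable on disk, and
        # the operator needs to see that in the log.
        if getattr(e, "errno", None) != errno.ENOENT:
            self.logger.error(
                "Failed to remove %s: %s", paths.DNSSEC_SOFTHSM_PIN, e)

    installutils.remove_keytab(self.keytab)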
def uninstall(self):
    """Unconfigure the exporter and restore the default signer daemon.

    Does nothing when the service is not configured. Otherwise discards
    the saved states, disables and stops the service, unmasks the
    ods_signerd service and restores its saved enabled/running state, then
    removes the service keytab and the exporter credential cache.
    """
    if not self.is_configured():
        return

    self.print_msg("Unconfiguring %s" % self.service_name)

    # just eat states
    self.restore_state("running")
    self.restore_state("enabled")

    # stop and disable service (IPA service, we do not need it anymore)
    self.disable()
    self.stop()

    # restore state of dnssec default signer daemon
    # NOTE(review): the state keys are spelled "singerd_*"; presumably the
    # setup code stores them under the same spelling, so do not correct
    # one side without the other.
    restore_enabled = self.restore_state("singerd_enabled")
    restore_running = self.restore_state("singerd_running")
    signer = services.knownservices.ods_signerd

    signer.unmask()
    # service was stopped and disabled by setup
    if restore_enabled:
        signer.enable()

    if restore_running:
        signer.start()

    # Remove the Kerberos material last: the keytab and the exporter's
    # credential cache.
    installutils.remove_keytab(self.keytab)
    installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)
def uninstall(self):
    """Unconfigure the service and delete its DNSSEC secrets and keytab.

    Discards the saved service states, stops and disables the service,
    restores the saved sysconfig file, removes the SoftHSM PIN file, the
    SoftHSM2 configuration and the DNSSEC token directory, and finally
    removes the service keytab.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    # Just eat states
    for saved_state in ("running", "enabled", "configured"):
        self.restore_state(saved_state)

    # stop and disable service (IPA service, we do not need it anymore)
    self.stop()
    self.disable()

    try:
        self.fstore.restore_file(paths.SYSCONFIG_NAMED)
    except ValueError as restore_error:
        logger.debug('%s', restore_error)

    # remove softhsm pin, to make sure new installation will generate
    # new token database
    # do not delete *so pin*, user can need it to get token data
    for secret_path in (paths.DNSSEC_SOFTHSM_PIN, paths.DNSSEC_SOFTHSM2_CONF):
        installutils.remove_file(secret_path)

    try:
        shutil.rmtree(paths.DNSSEC_TOKENS_DIR)
    except OSError as rm_error:
        # ENOENT means there was nothing to delete. Other errors are
        # logged with a traceback but do not stop uninstall, so the token
        # directory can survive it and should be checked by hand.
        if rm_error.errno != errno.ENOENT:
            logger.exception(
                "Failed to remove %s", paths.DNSSEC_TOKENS_DIR
            )

    installutils.remove_keytab(self.keytab)
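def uninstall(self):
    """Unconfigure the service and remove the SoftHSM PIN and the keytab.

    Discards the saved service states, stops and disables the service,
    restores the saved sysconfig file, removes the SoftHSM PIN file and
    removes the keytab at paths.IPA_DNSKEYSYNCD_KEYTAB. Removing the PIN
    file remains best-effort, but a failure other than "file not found" is
    logged rather than swallowed.
    """
    import errno

    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    # Just eat states
    self.restore_state("running")
    self.restore_state("enabled")
    self.restore_state("configured")

    # stop and disable service (IPA service, we do not need it anymore)
    self.stop()
    self.disable()

    for f in [paths.SYSCONFIG_NAMED]:
        try:
            self.fstore.restore_file(f)
        except ValueError as error:
            self.logger.debug(error)

    # remove softhsm pin, to make sure new installation will generate
    # new token database
    # do not delete *so pin*, user can need it to get token data
    try:
        os.remove(paths.DNSSEC_SOFTHSM_PIN)
    except Exception as e:
        # Uninstall must not abort here, but a PIN file that could not be
        # deleted is a leftover secret: report everything except the
        # harmless "already gone" case.
        if getattr(e, "errno", None) != errno.ENOENT:
            self.logger.error(
                "Failed to remove %s: %s", paths.DNSSEC_SOFTHSM_PIN, e)

    installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)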
def uninstall(self):
    """Unconfigure the DNS service and put the regular named unit back.

    Restores the saved named.conf and resolv.conf, re-applies the saved
    enabled/running state of this service, unmasks the regular named
    service and restores its state, then removes paths.NAMED_KEYTAB and
    the credential cache of the 'named' user.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    prev_running = self.restore_state("running")
    prev_enabled = self.restore_state("enabled")
    prev_regular_running = self.restore_state("named-regular-running")
    prev_regular_enabled = self.restore_state("named-regular-enabled")

    self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())

    for conf_path in (NAMED_CONF, RESOLV_CONF):
        try:
            self.fstore.restore_file(conf_path)
        except ValueError as restore_error:
            root_logger.debug(restore_error)

    # disabled by default, by ldap_enable()
    if prev_enabled:
        self.enable()

    if prev_running:
        self.restart()

    self.named_regular.unmask()
    if prev_regular_enabled:
        self.named_regular.enable()

    if prev_regular_running:
        self.named_regular.start()

    # The keytab path and the account name are fixed here rather than read
    # from the instance; they must match what the installer used, or the
    # credentials stay behind.
    installutils.remove_keytab(paths.NAMED_KEYTAB)
    installutils.remove_ccache(run_as='named')
def __create_http_keytab(self):
    """Create the HTTP service keytab and hand the file to the httpd user.

    Outside of promotion, any existing keytab is removed, the principal
    is added, a new keytab is written to paths.IPA_KEYTAB and the service
    entry is moved. In every case the keytab file is then chown'ed to the
    uid and gid of HTTPD_USER.
    """
    if not self.promote:
        # Start from a clean file so stale keys are not kept next to the
        # newly created ones.
        installutils.remove_keytab(paths.IPA_KEYTAB)
        installutils.kadmin_addprinc(self.principal)
        installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
        self.move_service(self.principal)

    # Only ownership is changed here. The file mode is whatever the keytab
    # was created with.
    # NOTE(review): confirm the mode denies group/other access, since the
    # keytab holds the service's long-term keys.
    httpd_account = pwd.getpwnam(HTTPD_USER)
    os.chown(paths.IPA_KEYTAB, httpd_account.pw_uid, httpd_account.pw_gid)
def uninstall(self):
    """Unconfigure the directory server and remove the IPA instance.

    Restores the saved limits and sysconfig files and the saved "enabled"
    state. When a server id was saved, stops certificate tracking, removes
    the DS instance, the DS keytab, the DS user's credential cache and the
    instance scripts directory. Leftover upgrade state is discarded and
    any remaining dirsrv instances are restarted.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring directory server")

    was_enabled = self.restore_state("enabled")

    # Just eat this state if it exists
    self.restore_state("running")

    try:
        self.fstore.restore_file(paths.LIMITS_CONF)
        self.fstore.restore_file(paths.SYSCONFIG_DIRSRV)
    except ValueError as err:
        logger.debug("%s", err)

    # disabled during IPA installation
    if was_enabled:
        self.enable()

    serverid = self.restore_state("serverid")
    if serverid is not None:
        self.stop_tracking_certificates(serverid)
        logger.debug("Removing DS instance %s", serverid)
        try:
            remove_ds_instance(serverid)
        except ipautil.CalledProcessError:
            logger.error("Failed to remove DS instance. You may "
                         "need to remove instance data manually")

        # Credential cleanup sits outside the try block, so the keytab and
        # the ccache are removed even when instance removal failed.
        installutils.remove_keytab(paths.DS_KEYTAB)
        installutils.remove_ccache(run_as=DS_USER)

        # Remove scripts dir
        scripts_dir = paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % (
            serverid)
        installutils.rmtree(scripts_dir)

    # Just eat this state
    self.restore_state("user_exists")

    # Make sure some upgrade-related state is removed. This could cause
    # re-installation problems.
    for upgrade_state in ('nsslapd-port', 'nsslapd-security',
                          'nsslapd-ldapiautobind'):
        self.restore_state(upgrade_state)

    # If any dirsrv instances remain after we've removed ours then
    # (re)start them.
    for remaining in get_ds_instances():
        try:
            services.knownservices.dirsrv.restart(remaining, wait=False)
        except Exception as exc:
            logger.error(
                'Unable to restart DS instance %s: %s', remaining, exc)
def __setup_principal(self):
    """Create the ipa-dnskeysyncd principal, its keytab and LDAP rights.

    Removes any existing keytab, adds the principal, writes a new keytab,
    moves the service entry, restricts the keytab file to root and the
    group self.ods_gid, adds the principal to the "DNS Servers" privilege
    and sets its LDAP limits to -1. LDAP failures other than "value
    already exists" are logged as critical and re-raised.
    """
    # NOTE: assert statements are skipped under "python -O"; in that case
    # a missing gid would only surface at the os.chown() call below.
    assert self.ods_gid is not None
    installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
    principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
    installutils.kadmin_addprinc(principal)

    # Store the keytab on disk
    installutils.create_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB, principal)
    moved_dn = self.move_service(principal)
    if moved_dn is not None:
        principal_dn = moved_dn
    else:
        # the service has already been moved, perhaps we're doing a DNS
        # reinstall
        principal_dn = DN(
            ('krbprincipalname', principal),
            ('cn', 'services'), ('cn', 'accounts'), self.suffix)

    # Lock the keytab down: owner root (uid 0), group self.ods_gid, mode
    # 0440, i.e. read-only for owner and group and no access for others.
    # This happens after create_keytab(), so until these two calls run the
    # file has whatever ownership and mode it was created with.
    os.chown(paths.IPA_DNSKEYSYNCD_KEYTAB, 0, self.ods_gid)
    os.chmod(paths.IPA_DNSKEYSYNCD_KEYTAB, 0o440)

    dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                   ('cn', 'pbac'), self.suffix)
    member_mod = [(ldap.MOD_ADD, 'member', principal_dn)]

    try:
        self.admin_conn.modify_s(dns_group, member_mod)
    except ldap.TYPE_OR_VALUE_EXISTS:
        # Already a member; nothing to do.
        pass
    except Exception as e:
        self.logger.critical("Could not modify principal's %s entry: %s"
                             % (principal_dn, str(e)))
        raise

    # bind-dyndb-ldap persistent search feature requires both size and time
    # limit-free connection
    # Security note: with all four limits at -1, whoever holds this
    # principal's keytab can run searches that none of these limits bound,
    # which is one more reason the keytab permissions above matter.
    limits_mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                  (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                  (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                  (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
    try:
        self.admin_conn.modify_s(principal_dn, limits_mod)
    except Exception as e:
        self.logger.critical(
            "Could not set principal's %s LDAP limits: %s"
            % (principal_dn, str(e)))
        raise
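def uninstall(self):
    """Unconfigure the directory server and remove the IPA instance.

    Restores the saved limits and sysconfig files and the saved "enabled"
    state. When a server id was saved, stops certificate tracking, removes
    the DS instance, the DS keytab and the DS user's credential cache.
    Leftover upgrade state is discarded and any remaining dirsrv instances
    are restarted.

    The keytab and the credential cache are removed even when removing
    the instance fails, so a failed uninstall does not leave the directory
    server's Kerberos keys on disk.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring directory server")

    enabled = self.restore_state("enabled")

    # Just eat this state if it exists
    self.restore_state("running")

    try:
        self.fstore.restore_file(paths.LIMITS_CONF)
        self.fstore.restore_file(paths.SYSCONFIG_DIRSRV)
    except ValueError as error:
        logger.debug("%s", error)

    # disabled during IPA installation
    if enabled:
        self.enable()

    serverid = self.restore_state("serverid")
    if serverid is not None:
        self.stop_tracking_certificates(serverid)
        logger.debug("Removing DS instance %s", serverid)
        try:
            remove_ds_instance(serverid)
        except ipautil.CalledProcessError:
            logger.error("Failed to remove DS instance. You may "
                         "need to remove instance data manually")

        # Moved out of the try block: previously a CalledProcessError from
        # remove_ds_instance() skipped both calls and the keytab and the
        # ccache were left behind.
        installutils.remove_keytab(paths.DS_KEYTAB)
        installutils.remove_ccache(run_as=DS_USER)

    # Just eat this state
    self.restore_state("user_exists")

    # Make sure some upgrade-related state is removed. This could cause
    # re-installation problems.
    self.restore_state('nsslapd-port')
    self.restore_state('nsslapd-security')
    self.restore_state('nsslapd-ldapiautobind')

    # If any dirsrv instances remain after we've removed ours then
    # (re)start them.
    for ds_instance in get_ds_instances():
        try:
            services.knownservices.dirsrv.restart(ds_instance, wait=False)
        except Exception as e:
            logger.error(
                'Unable to restart DS instance %s: %s', ds_instance, e)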
def __setup_principal(self):
    """Set up the ipa-dnskeysyncd service principal and its keytab.

    Replaces the keytab on disk with a newly created one for the
    principal, resolves the principal's DN, limits the keytab file to
    root and the group self.ods_gid, makes the principal a member of the
    "DNS Servers" privilege and replaces its LDAP limits with -1. LDAP
    errors other than an already existing membership are logged as
    critical and re-raised.
    """
    # NOTE: this check disappears under "python -O"; os.chown() below
    # would then be the first place a missing gid is noticed.
    assert self.ods_gid is not None
    keytab_path = paths.IPA_DNSKEYSYNCD_KEYTAB
    installutils.remove_keytab(keytab_path)
    service_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
    installutils.kadmin_addprinc(service_principal)

    # Store the keytab on disk
    installutils.create_keytab(keytab_path, service_principal)
    service_dn = self.move_service(service_principal)
    if service_dn is None:
        # the service has already been moved, perhaps we're doing a DNS
        # reinstall
        service_dn = DN(
            ('krbprincipalname', service_principal),
            ('cn', 'services'), ('cn', 'accounts'), self.suffix)

    # Restrict the keytab: uid 0 owns it, group self.ods_gid may read it
    # (mode 0440) and nobody else has access. The restriction is applied
    # only after the keytab was written.
    os.chown(keytab_path, 0, self.ods_gid)
    os.chmod(keytab_path, 0o440)

    privilege_dn = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                      ('cn', 'pbac'), self.suffix)

    try:
        self.admin_conn.modify_s(
            privilege_dn, [(ldap.MOD_ADD, 'member', service_dn)])
    except ldap.TYPE_OR_VALUE_EXISTS:
        # Membership is already there, e.g. after a reinstall.
        pass
    except Exception as e:
        self.logger.critical("Could not modify principal's %s entry: %s"
                             % (service_dn, str(e)))
        raise

    # bind-dyndb-ldap persistent search feature requires both size and time
    # limit-free connection
    # Security note: -1 on all four attributes removes these limits for
    # this principal, so its keytab is worth protecting accordingly.
    unlimited = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                 (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                 (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                 (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
    try:
        self.admin_conn.modify_s(service_dn, unlimited)
    except Exception as e:
        self.logger.critical("Could not set principal's %s LDAP limits: %s"
                             % (service_dn, str(e)))
        raise
def uninstall(self):
    """Unconfigure the DNS service and put the regular named unit back.

    Restores the saved named.conf, unconfigures the DNS resolver, removes
    the bind LDAP working directory, re-applies the saved enabled/running
    state of this service (disabling or stopping it when the state was not
    set), unmasks the regular named service and restores its state, then
    removes the service keytab and the service user's credential cache.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring %s" % self.service_name)

    was_running = self.restore_state("running")
    was_enabled = self.restore_state("enabled")
    regular_was_running = self.restore_state("named-regular-running")
    regular_was_enabled = self.restore_state("named-regular-enabled")

    self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())

    try:
        self.fstore.restore_file(paths.NAMED_CONF)
    except ValueError as err:
        logger.debug('%s', err)

    try:
        tasks.unconfigure_dns_resolver(fstore=self.fstore)
    except Exception:
        # Logged with a traceback but not fatal: the remaining cleanup,
        # including the credential removal at the end, still runs.
        logger.exception("Failed to unconfigure DNS resolver")

    installutils.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)

    # disabled by default, by ldap_configure()
    if not was_enabled:
        self.disable()
    else:
        self.enable()

    if not was_running:
        self.stop()
    else:
        self.restart()

    self.named_regular.unmask()
    if regular_was_enabled:
        self.named_regular.enable()

    if regular_was_running:
        self.named_regular.start()

    installutils.remove_keytab(self.keytab)
    installutils.remove_ccache(run_as=self.service_user)
def uninstall(self):
    """Unconfigure the web server and remove the files IPA created for it.

    Restores oddjobd, stops certificate tracking, puts the saved
    certmonger external helper back on the 'IPA' CA, restores the saved
    httpd configuration files, removes the service keytab and the listed
    configuration, key and credential files, restores the SELinux
    booleans and finally re-applies the saved running/enabled state.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring web server")

    was_running = self.restore_state("running")
    was_enabled = self.restore_state("enabled")

    # Restore oddjobd to its original state
    oddjobd = services.service('oddjobd', api)

    # Both steps are best-effort: any error from oddjobd is dropped
    # without a log entry.
    if not self.sstore.restore_state('oddjobd', 'running'):
        try:
            oddjobd.stop()
        except Exception:
            pass

    if not self.sstore.restore_state('oddjobd', 'enabled'):
        try:
            oddjobd.disable()
        except Exception:
            pass

    self.stop_tracking_certificates()

    saved_helper = self.restore_state('certmonger_ipa_helper')
    if saved_helper:
        certmonger = 'org.fedorahosted.certmonger'
        system_bus = dbus.SystemBus()
        cm_obj = system_bus.get_object(certmonger,
                                       '/org/fedorahosted/certmonger')
        cm_iface = dbus.Interface(cm_obj, certmonger)
        ca_path = cm_iface.find_ca_by_nickname('IPA')
        if ca_path:
            ca_obj = system_bus.get_object(certmonger, ca_path)
            ca_props = dbus.Interface(ca_obj,
                                      'org.freedesktop.DBus.Properties')
            ca_props.Set('org.fedorahosted.certmonger.ca',
                         'external-helper', saved_helper)

    for conf_file in (paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
                      paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF):
        try:
            self.fstore.restore_file(conf_file)
        except ValueError as err:
            logger.debug("%s", err)

    # Remove the configuration files we create
    installutils.remove_keytab(self.keytab)
    # Besides plain configuration, this list names the credential cache,
    # the certificate and key files, the password files and the GSSAPI
    # session key, so it is also the secret-cleanup step for httpd.
    to_remove = [
        paths.HTTP_CCACHE,
        paths.HTTPD_CERT_FILE,
        paths.HTTPD_KEY_FILE,
        paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host),
        paths.HTTPD_IPA_REWRITE_CONF,
        paths.HTTPD_IPA_CONF,
        paths.HTTPD_IPA_PKI_PROXY_CONF,
        paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
        paths.HTTPD_IPA_KDCPROXY_CONF,
        paths.GSSPROXY_CONF,
        paths.GSSAPI_SESSION_KEY,
        paths.HTTPD_PASSWORD_CONF,
        paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
    ]
    # NSS DB backups
    to_remove.extend(
        glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave'))
    )
    if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
        to_remove.append(paths.HTTPD_IPA_WSGI_MODULES_CONF)

    for doomed in to_remove:
        installutils.remove_file(doomed)

    try:
        os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)
    except OSError as exc:
        # A missing or non-empty drop-in directory is expected and stays
        # quiet; anything else is reported.
        if exc.errno not in {errno.ENOENT, errno.ENOTEMPTY}:
            logger.error(
                "Failed to remove directory %s",
                paths.SYSTEMD_SYSTEM_HTTPD_D_DIR
            )

    # Restore SELinux boolean states
    saved_booleans = {name: self.restore_state(name)
                      for name in constants.SELINUX_BOOLEAN_HTTPD}
    try:
        tasks.set_selinux_booleans(saved_booleans)
    except ipapython.errors.SetseboolError as exc:
        self.print_msg('WARNING: ' + str(exc))

    if was_running:
        self.restart()

    # disabled by default, by ldap_enable()
    if was_enabled:
        self.enable()
def uninstall(self):
    """Unconfigure the web server and remove the files IPA created for it.

    Restores oddjobd, stops certificate tracking, puts the saved
    certmonger external helper back on the 'IPA' CA, restores the saved
    httpd configuration files, removes the keytab at paths.IPA_KEYTAB and
    the httpd credential cache, deletes the IPA httpd configuration
    files, restores the SELinux booleans and finally re-applies the saved
    running/enabled state.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring web server")

    was_running = self.restore_state("running")
    was_enabled = self.restore_state("enabled")

    # Restore oddjobd to its original state
    oddjobd = services.service('oddjobd')

    # Errors from oddjobd are deliberately ignored and leave no log entry.
    if not self.sstore.restore_state('oddjobd', 'running'):
        try:
            oddjobd.stop()
        except Exception:
            pass

    if not self.sstore.restore_state('oddjobd', 'enabled'):
        try:
            oddjobd.disable()
        except Exception:
            pass

    self.stop_tracking_certificates()

    saved_helper = self.restore_state('certmonger_ipa_helper')
    if saved_helper:
        certmonger = 'org.fedorahosted.certmonger'
        system_bus = dbus.SystemBus()
        cm_obj = system_bus.get_object(certmonger,
                                       '/org/fedorahosted/certmonger')
        cm_iface = dbus.Interface(cm_obj, certmonger)
        ca_path = cm_iface.find_ca_by_nickname('IPA')
        if ca_path:
            ca_obj = system_bus.get_object(certmonger, ca_path)
            ca_props = dbus.Interface(ca_obj,
                                      'org.freedesktop.DBus.Properties')
            ca_props.Set('org.fedorahosted.certmonger.ca',
                         'external-helper', saved_helper)

    for conf_file in (paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
                      paths.HTTPD_NSS_CONF):
        try:
            self.fstore.restore_file(conf_file)
        except ValueError as err:
            root_logger.debug(err)

    # Kerberos material of the web server: the keytab file and the ccache
    # used by HTTPD_USER.
    installutils.remove_keytab(paths.IPA_KEYTAB)
    installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
                               run_as=HTTPD_USER)

    # Remove the configuration files we create
    for created_conf in (paths.HTTPD_IPA_REWRITE_CONF,
                         paths.HTTPD_IPA_CONF,
                         paths.HTTPD_IPA_PKI_PROXY_CONF,
                         paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
                         paths.HTTPD_IPA_KDCPROXY_CONF):
        installutils.remove_file(created_conf)

    # Restore SELinux boolean states
    saved_booleans = {name: self.restore_state(name)
                      for name in SELINUX_BOOLEAN_SETTINGS}
    try:
        tasks.set_selinux_booleans(saved_booleans)
    except ipapython.errors.SetseboolError as exc:
        self.print_msg('WARNING: ' + str(exc))

    if was_running:
        self.restart()

    # disabled by default, by ldap_enable()
    if was_enabled:
        self.enable()
def uninstall(self):
    """Unconfigure the web server and remove the files IPA created for it.

    Restores oddjobd, stops certificate tracking, puts the saved
    certmonger external helper back on the 'IPA' CA, restores the saved
    httpd configuration files, removes the service keytab and the httpd
    credential cache, deletes the IPA httpd configuration files and the
    httpd service configuration, restores the SELinux booleans and
    finally re-applies the saved running/enabled state.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring web server")

    prev_running = self.restore_state("running")
    prev_enabled = self.restore_state("enabled")

    # Restore oddjobd to its original state
    oddjobd = services.service('oddjobd')

    # Best-effort: exceptions raised by oddjobd are swallowed silently.
    if not self.sstore.restore_state('oddjobd', 'running'):
        try:
            oddjobd.stop()
        except Exception:
            pass

    if not self.sstore.restore_state('oddjobd', 'enabled'):
        try:
            oddjobd.disable()
        except Exception:
            pass

    self.stop_tracking_certificates()

    previous_helper = self.restore_state('certmonger_ipa_helper')
    if previous_helper:
        cm_name = 'org.fedorahosted.certmonger'
        sysbus = dbus.SystemBus()
        root_obj = sysbus.get_object(cm_name,
                                     '/org/fedorahosted/certmonger')
        root_iface = dbus.Interface(root_obj, cm_name)
        ipa_ca_path = root_iface.find_ca_by_nickname('IPA')
        if ipa_ca_path:
            ipa_ca_obj = sysbus.get_object(cm_name, ipa_ca_path)
            ipa_ca_props = dbus.Interface(
                ipa_ca_obj, 'org.freedesktop.DBus.Properties')
            ipa_ca_props.Set('org.fedorahosted.certmonger.ca',
                             'external-helper', previous_helper)

    for saved_conf in (paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
                       paths.HTTPD_NSS_CONF):
        try:
            self.fstore.restore_file(saved_conf)
        except ValueError as restore_error:
            root_logger.debug(restore_error)

    # Remove the web server's Kerberos material: its keytab and the ccache
    # owned by the service user.
    installutils.remove_keytab(self.keytab)
    installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
                               run_as=self.service_user)

    # Remove the configuration files we create
    for ipa_conf in (paths.HTTPD_IPA_REWRITE_CONF,
                     paths.HTTPD_IPA_CONF,
                     paths.HTTPD_IPA_PKI_PROXY_CONF,
                     paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
                     paths.HTTPD_IPA_KDCPROXY_CONF):
        installutils.remove_file(ipa_conf)
    tasks.remove_httpd_service_ipa_conf()

    # Restore SELinux boolean states
    selinux_states = {
        name: self.restore_state(name)
        for name in SELINUX_BOOLEAN_SETTINGS
    }
    try:
        tasks.set_selinux_booleans(selinux_states)
    except ipapython.errors.SetseboolError as sebool_error:
        self.print_msg('WARNING: ' + str(sebool_error))

    if prev_running:
        self.restart()

    # disabled by default, by ldap_enable()
    if prev_enabled:
        self.enable()
def uninstall(self):
    """Unconfigure the web server and remove the files IPA created for it.

    Restores oddjobd, stops certificate tracking, puts the saved
    certmonger external helper back on the 'IPA' CA, restores the saved
    httpd configuration files, removes the service keytab together with
    the listed configuration, key and credential files, restores the
    SELinux booleans and finally re-applies the saved running/enabled
    state.
    """
    if self.is_configured():
        self.print_msg("Unconfiguring web server")

    prev_running = self.restore_state("running")
    prev_enabled = self.restore_state("enabled")

    # Restore oddjobd to its original state
    oddjobd = services.service('oddjobd', api)

    # Best-effort: exceptions raised by oddjobd are swallowed silently.
    if not self.sstore.restore_state('oddjobd', 'running'):
        try:
            oddjobd.stop()
        except Exception:
            pass

    if not self.sstore.restore_state('oddjobd', 'enabled'):
        try:
            oddjobd.disable()
        except Exception:
            pass

    self.stop_tracking_certificates()

    previous_helper = self.restore_state('certmonger_ipa_helper')
    if previous_helper:
        cm_name = 'org.fedorahosted.certmonger'
        sysbus = dbus.SystemBus()
        root_obj = sysbus.get_object(cm_name,
                                     '/org/fedorahosted/certmonger')
        root_iface = dbus.Interface(root_obj, cm_name)
        ipa_ca_path = root_iface.find_ca_by_nickname('IPA')
        if ipa_ca_path:
            ipa_ca_obj = sysbus.get_object(cm_name, ipa_ca_path)
            ipa_ca_props = dbus.Interface(
                ipa_ca_obj, 'org.freedesktop.DBus.Properties')
            ipa_ca_props.Set('org.fedorahosted.certmonger.ca',
                             'external-helper', previous_helper)

    for saved_conf in (paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
                       paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF):
        try:
            self.fstore.restore_file(saved_conf)
        except ValueError as restore_error:
            logger.debug("%s", restore_error)

    # Remove the configuration files we create
    installutils.remove_keytab(self.keytab)
    # The list mixes plain configuration with secrets (ccache, certificate
    # and key files, password files, GSSAPI session key); removing an
    # entry from it means that file survives an uninstall.
    doomed_files = [
        paths.HTTP_CCACHE,
        paths.HTTPD_CERT_FILE,
        paths.HTTPD_KEY_FILE,
        paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host),
        paths.HTTPD_IPA_REWRITE_CONF,
        paths.HTTPD_IPA_CONF,
        paths.HTTPD_IPA_PKI_PROXY_CONF,
        paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
        paths.HTTPD_IPA_KDCPROXY_CONF,
        paths.GSSPROXY_CONF,
        paths.GSSAPI_SESSION_KEY,
        paths.HTTPD_PASSWORD_CONF,
        paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
    ]
    # NSS DB backups
    doomed_files.extend(
        glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave')))
    if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
        doomed_files.append(paths.HTTPD_IPA_WSGI_MODULES_CONF)

    for path_to_remove in doomed_files:
        installutils.remove_file(path_to_remove)

    try:
        os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)
    except OSError as rmdir_error:
        # ENOENT and ENOTEMPTY are expected outcomes and are not reported.
        if rmdir_error.errno not in {errno.ENOENT, errno.ENOTEMPTY}:
            logger.error("Failed to remove directory %s",
                         paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)

    # Restore SELinux boolean states
    selinux_states = {
        name: self.restore_state(name)
        for name in constants.SELINUX_BOOLEAN_HTTPD
    }
    try:
        tasks.set_selinux_booleans(selinux_states)
    except ipapython.errors.SetseboolError as sebool_error:
        self.print_msg('WARNING: ' + str(sebool_error))

    if prev_running:
        self.restart()

    # disabled by default, by ldap_enable()
    if prev_enabled:
        self.enable()