authorMartin Basti <mbasti@redhat.com>2014-10-16 16:36:58 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commit21aef21fb5542e890851f2b9189daa13d168e3e7 (patch)
tree249191b2c4ee3025552aed16932114d235017bf9
parente798bad646f648748872a841f282462d28af795f (diff)
downloadfreeipa-21aef21fb5542e890851f2b9189daa13d168e3e7.tar.gz
freeipa-21aef21fb5542e890851f2b9189daa13d168e3e7.tar.xz
freeipa-21aef21fb5542e890851f2b9189daa13d168e3e7.zip
DNSSEC: uninstallation
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
-rwxr-xr-xinstall/tools/ipa-replica-manage14
-rwxr-xr-xinstall/tools/ipa-server-install23
2 files changed, 37 insertions, 0 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e44131ebe..4f92c0c92 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -29,6 +29,7 @@ import socket
from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
from ipaserver.install import bindinstance, cainstance, certs
+from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipaserver.plugins import ldap2
from ipapython import version, ipaldap
from ipalib import api, errors, util
@@ -687,11 +688,21 @@ def del_master(realm, hostname, options):
print "Deleting this server is not allowed as it would leave your installation without a CA."
sys.exit(1)
+ other_dns = True
if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
+ other_dns = False
print "Deleting this server will leave your installation without a DNS."
if not options.force and not ipautil.user_input("Continue to delete?", False):
sys.exit("Deletion aborted")
+ # test if replica is not DNSSEC master
+ # allow to delete it if is last DNS server
+ if 'DNS' in this_services and other_dns and not options.force:
+ dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
+ if hostname in dnssec_masters:
+ print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
+ sys.exit("Deletion aborted")
+
# Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(hostname):
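Review bot: With `--force` the key-master check at `if 'DNS' in this_services and other_dns and not options.force:` is skipped entirely, so a forced deletion of the active DNSSEC key master proceeds without the warning ever being printed. Consider always running the lookup and printing the message and gating only the abort: change the condition to `if 'DNS' in this_services and other_dns:` and replace the unconditional `sys.exit("Deletion aborted")` with `if not options.force: sys.exit("Deletion aborted")`. The two-line comment above the check could also state the intent more precisely, e.g. `# Refuse to delete the active DNSSEC key master unless it is the last DNS server or --force is given`. del_master continues outside the hunk.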
@@ -746,6 +757,9 @@ def del_master(realm, hostname, options):
bind.remove_master_dns_records(hostname, realm, realm.lower())
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
bind.remove_server_ns_records(hostname)
+
+ keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
+ keysyncd.remove_replica_public_keys(hostname)
except Exception, e:
print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
print "You may need to manually remove them from the tree"
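Review bot: `keysyncd.remove_replica_public_keys(hostname)` shares the surrounding `except Exception, e:` with the DNS record cleanup, so a failure to remove the replica's DNSSEC public keys is reported as `Failed to cleanup %s DNS entries`, which hides the fact that key material for a deleted replica may remain in the directory. Give it its own `try`/`except Exception, e:` with a message such as `print "Failed to remove DNSSEC public keys of %s: %s" % (hostname, e)` so the operator knows to remove them manually. `DNSKeySyncInstance()` is constructed here without the `fstore` argument that ipa-server-install passes in the same commit; if the constructor requires it, the resulting error would be swallowed by this except and misreported as a DNS cleanup failure (cannot confirm the constructor signature from the hunk). The enclosing try block begins outside the hunk.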
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 005aec617..3ffd3b981 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -585,7 +585,16 @@ def uninstall():
if ca_instance.is_configured():
ca_instance.uninstall()
+ ods = opendnssecinstance.OpenDNSSECInstance(fstore)
+ if ods.is_configured():
+ ods.uninstall()
+
+ ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
+ if ods_exporter.is_configured():
+ ods_exporter.uninstall()
+
bindinstance.BindInstance(fstore).uninstall()
+ dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall()
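Review bot: `dnskeysyncinstance.DNSKeySyncInstance(fstore).uninstall()` runs unconditionally while the two new ODS instances just above it are guarded by `is_configured()`; unless `DNSKeySyncInstance.uninstall` is known to be safe on a host where the key-sync daemon was never set up, it should get the same guard, `keysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)` followed by `if keysyncd.is_configured(): keysyncd.uninstall()` (I cannot verify its idempotence from this hunk). A one-line comment explaining the teardown order — OpenDNSSEC and the exporter before bind, the key-sync daemon after it — would also help future readers, since the ordering is not explained. uninstall() continues outside the hunk.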
@@ -743,6 +752,20 @@ def main():
"agreements.\n\n")
print textwrap.fill(msg, width=80, replace_whitespace=False)
else:
+
+ # test if server is DNSSEC key master
+ masters = opendnssecinstance.get_dnssec_key_masters(conn)
+ if api.env.host in masters:
+ print "This server is active DNSSEC key master. Uninstall could break your DNS system."
+ if not (options.unattended or user_input("Are you sure you "
+ "want to continue "
+ "with the uninstall "
+ "procedure?",
+ False)):
+ print ""
+ print "Aborting uninstall operation."
+ sys.exit(1)
+
rm = replication.ReplicationManager(
realm=api.env.realm,
hostname=api.env.host,
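Review bot: In unattended mode (`options.unattended`) the check at `if api.env.host in masters:` only prints the warning and then proceeds to uninstall the active DNSSEC key master, whereas ipa-replica-manage in the same commit refuses the equivalent deletion unless `--force` is given, so the two tools apply different policies to the same risk. At minimum the message should tell the operator what to do before retrying, e.g. extend it with `"Move the DNSSEC key master role to another server before uninstalling."`, worded to match whatever procedure actually exists (I cannot tell from this hunk). If `get_dnssec_key_masters(conn)` raises, for example when the directory server is not reachable, the uninstall aborts before the replication cleanup below; consider whether that lookup should be best-effort here. main() continues outside the hunk.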