author | Martin Basti <mbasti@redhat.com> | 2014-10-16 16:36:58 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | 21aef21fb5542e890851f2b9189daa13d168e3e7 (patch) | |
tree | 249191b2c4ee3025552aed16932114d235017bf9 /install/tools/ipa-replica-manage | |
parent | e798bad646f648748872a841f282462d28af795f (diff) | |
DNSSEC: uninstallation
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/tools/ipa-replica-manage')
-rwxr-xr-x | install/tools/ipa-replica-manage | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e44131ebe..4f92c0c92 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -29,6 +29,7 @@ import socket
 from ipapython import ipautil
 from ipaserver.install import replication, dsinstance, installutils
 from ipaserver.install import bindinstance, cainstance, certs
+from ipaserver.install import opendnssecinstance, dnskeysyncinstance
 from ipaserver.plugins import ldap2
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
@@ -687,11 +688,21 @@ def del_master(realm, hostname, options):
 print "Deleting this server is not allowed as it would leave your installation without a CA."
 sys.exit(1)
+ other_dns = True
 if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
+ other_dns = False
 print "Deleting this server will leave your installation without a DNS."
 if not options.force and not ipautil.user_input("Continue to delete?", False):
 sys.exit("Deletion aborted")
+ # test if replica is not DNSSEC master
+ # allow to delete it if is last DNS server
+ if 'DNS' in this_services and other_dns and not options.force:
+ dnssec_masters = opendnssecinstance.get_dnssec_key_masters(delrepl.conn)
+ if hostname in dnssec_masters:
+ print "Replica is active DNSSEC key master. Uninstall could break your DNS system."
+ sys.exit("Deletion aborted")
+
 # Pick CA renewal master
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
 if ca.is_renewal_master(hostname):
@@ -746,6 +757,9 @@ def del_master(realm, hostname, options):
 bind.remove_master_dns_records(hostname, realm, realm.lower())
 bind.remove_ipa_ca_dns_records(hostname, realm.lower())
 bind.remove_server_ns_records(hostname)
+
+ keysyncd = dnskeysyncinstance.DNSKeySyncInstance()
+ keysyncd.remove_replica_public_keys(hostname)
 except Exception, e:
 print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
 print "You may need to manually remove them from the tree" |
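Review bot: In the DNSSEC key-master check of the second hunk, `not options.force` sits in the outer condition, so a forced deletion of the active key master prints no warning at all, whereas the preceding last-DNS-server check still prints its warning under `--force`. Gate only the abort, not the warning: `if 'DNS' in this_services and other_dns:` … `print "Replica is active DNSSEC key master. Uninstall could break your DNS system."` followed by `if not options.force: sys.exit("Deletion aborted")`, so the operator is told what they are forcing. The call `opendnssecinstance.get_dnssec_key_masters(delrepl.conn)` is not wrapped, so a directory lookup failure there would presumably end the command with a traceback instead of a message; if that helper can raise, a narrow except that reports the failure and aborts would match the error style of the surrounding code. The two comment lines would also read better as `# Refuse to delete the active DNSSEC key master unless it is the last DNS server`. del_master starts and ends outside the hunk.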
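Review bot: In the third hunk, a failure in `keysyncd.remove_replica_public_keys(hostname)` is reported only as `Failed to cleanup %s DNS entries`, because the two new lines share the `try` with the three `bind.remove_*` calls; a public key of a removed replica left published in the tree needs different manual follow-up than stale DNS records, so the message should name which step failed. Since the key removal comes last in the block, it is also skipped entirely whenever one of the earlier `bind.remove_*` calls raises. Moving the two keysyncd lines into their own `try`/`except` with a message such as `"Failed to remove DNSSEC public keys of %s: %s"` addresses both. The enclosing `try` opens outside the hunk.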