[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
rcritten
freeipa-github-notification at redhat.com
Tue May 9 17:49:06 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA
rcritten commented:
"""
As far as I can tell it is always recoverable using this. I wasn't able to force a failure of replication; that could be a potential show-stopper. The PR doesn't touch the replication agreements at all except to allow them to already be there, so if things were in some sort of halfway state I couldn't say for sure what would happen.
The code is there for examination to determine what steps are done, but in short:
- call the existing CA uninstaller which mostly just calls pki-destroy (it also does some state cleanup, removes the CRLs and untracks the CA certs via certmonger)
- A side effect of the uninstaller is to shut down certmonger. I start that back up.
- The service is removed from cn=masters
- The cached services list is removed so ipactl won't fail starting a non-existent tomcat instance
To be idempotent would require changes in dogtag; it is that which blows up on a re-install attempt.
I would not be in favor of automatically uninstalling dogtag on another ipa-ca-install call.
ipa-ca-install would/should never be run on the original master. It already prints a big fat warning. I'd be ok making it fatter and requiring (no joke) multiple "Are you sure" prompts.
There is no CA install for CAless so not a case I'm interested in.
If you want to rename options I'm ok with that as well, maybe --try-again or something of that nature (in which case I WOULD be in favor of doing the uninstall automatically).
"""
See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-300247543