[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7

Endi Sukma Dewata edewata at redhat.com
Fri Oct 3 18:13:05 UTC 2014

On 10/3/2014 2:30 AM, Alexander Bokovoy wrote:
>>> This issue is known -- when CA install fails, we rollback but since CA
>>> isn't installed, we miss rolling it back. There is a ticket for
>>> eventually fixing this issue.
>> Which ticket is this? The rollback was actually disabled to allow
>> troubleshooting the failed installation:
>> https://fedorahosted.org/freeipa/ticket/3990

> I think this ticket is unrelated -- its solution only affects
> ipa-client-install --on-master, not what ipa-server-install does when it
> rolls back configuration for dirsrv and other servers.

I think the idea can be expanded to the entire server installation.

> I can't find the exact ticket though.
>>> Following sequence should clean up all the bits:
>>> pkidestroy -s CA -i pki-tomcat
>>> rm -rf /var/log/pki/pki-tomcat
>>> rm -rf /etc/sysconfig/pki-tomcat
>>> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
>>> rm -rf /var/lib/pki/pki-tomcat
>>> rm -rf /etc/pki/pki-tomcat
>> It's not official, but we call this step pki-nuke.
>>> It also helps to reboot between multiple reinstalls on a single machine.
>> Rather than rolling back the installation automatically (and delete
>> all files needed to troubleshoot the problem), it would be better to
>> provide an option to the uninstall command to forcibly remove all
>> installed files regardless whether the installation was successful or
>> not, just like the pki-nuke above.

> We simply have no information about the fact what pkicreate did before
> it failed.

It shouldn't matter. The forced removal should clean up anything that 
might have been created during the installation. That way the next 
installation should be able to run without any possibility of conflicts 
with residual files.

I created this Dogtag ticket:

When that's implemented, the IPA uninstall script can do this:

   try:
       # forcibly remove Dogtag instance
       pkidestroy -i pki-tomcat
   except Exception:
       # ignore error

   try:
       # forcibly remove DS instance
       remove-ds.pl -f -i slapd-pki-tomcat
   except Exception:
       # ignore error

   ... and so on ...

If we use an automatic rollback, in addition to the lost debugging info, 
sometimes the rollback itself can be buggy so the machine is left in an 
inconsistent/unusable state. With a separate forced removal like above, 
we can debug the failed installation, and also debug the failed removal 
if necessary.

Endi S. Dewata
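
The file-removal part of the cleanup discussed in this thread, as an added example that is not part of the original message or of the IPA/Dogtag code: it archives whatever is left first, so the failed installation can still be debugged, then removes each path listed above, continuing past failures. The function names, the ROOT prefix argument (for trying it on a scratch tree) and the archive path are assumptions of this example; run it after pkidestroy.

```shell
#!/bin/sh
# Paths are the ones listed in the thread's cleanup sequence.
PKI_PATHS="/var/log/pki/pki-tomcat
/etc/sysconfig/pki-tomcat
/etc/sysconfig/pki/tomcat/pki-tomcat
/var/lib/pki/pki-tomcat
/etc/pki/pki-tomcat"

# Print every listed path that still exists under ROOT ($1, empty means /).
pki_residue() {
    root="${1%/}"
    for p in $PKI_PATHS; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Usage: pki_force_clean ROOT ARCHIVE   (ARCHIVE must be an absolute path)
# Saves the residue to ARCHIVE, then removes each path; one failed removal
# does not stop the others. Returns 0 only if nothing is left afterwards.
pki_force_clean() {
    root="${1%/}"; archive="$2"
    left=$(pki_residue "$root")
    [ -z "$left" ] && return 0          # nothing to do, no archive written
    # Archive with paths relative to ROOT; word splitting is intended here.
    ( cd "${root:-/}" && tar -czf "$archive" \
        $(printf '%s\n' "$left" | sed 's|^/||') ) \
        || { echo "archive failed, nothing removed" >&2; return 1; }
    for p in $left; do
        rm -rf -- "$root$p" || echo "could not remove $p" >&2
    done
    [ -z "$(pki_residue "$root")" ]
}
```

Calling `pki_residue ""` before a reinstall lists any of these paths that are still present on the real system.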
