From 90bb3cd1793275da50d509570d07d279989e2c45 Mon Sep 17 00:00:00 2001

From: Pino Toscano <ptoscano@redhat.com>

Date: Thu, 7 May 2020 13:53:21 +0200

Subject: [PATCH] sysprep: add IPA offline unenrollment (RHBZ#1789592)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

This new operation unenrolls the guest from a IPA server offline, by

removing the configuration files and certificates.

Thanks to Christian Heimes and François Cami for the hints.

(cherry picked from commit 0a53e2c7fc4fe2aa69052134230db0804849b470)

---

 sysprep/Makefile.am                     |  1 +

 sysprep/sysprep_operation_ipa_client.ml | 66 +++++++++++++++++++++++++

 2 files changed, 67 insertions(+)

 create mode 100644 sysprep/sysprep_operation_ipa_client.ml

diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am

index e6269c3f7..79266314b 100644

--- a/sysprep/Makefile.am

+++ b/sysprep/Makefile.am

@@ -43,6 +43,7 @@ operations = \

 	flag_reconfiguration \

 	firewall_rules \

 	fs_uuids \

+	ipa_client \

 	kerberos_data \

 	lvm_uuids \

 	logfiles \

diff --git a/sysprep/sysprep_operation_ipa_client.ml b/sysprep/sysprep_operation_ipa_client.ml

new file mode 100644

index 000000000..6e64a754a

--- /dev/null

+++ b/sysprep/sysprep_operation_ipa_client.ml

@@ -0,0 +1,66 @@

+(* virt-sysprep

+ * Copyright (C) 2020 Red Hat Inc.

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; either version 2 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License along

+ * with this program; if not, write to the Free Software Foundation, Inc.,

+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ *)

+

+open Sysprep_operation

+open Common_gettext.Gettext

+

+module G = Guestfs

+

+let ipa_client_perform (g : Guestfs.guestfs) root side_effects =

+  let typ = g#inspect_get_type root in

+  if typ = "linux" then (

+    (* Simple paths with no side effects. *)

+    let paths = [ "/etc/ipa/ca.crt";

+                  "/etc/ipa/default.conf";

+                  "/var/lib/ipa-client/sysrestore/*";

+                  "/var/lib/ipa-client/pki/*" ] in

+    let paths = List.concat (List.map Array.to_list (List.map g#glob_expand paths)) in

+    List.iter (

+      fun filename ->

+        try g#rm filename with G.Error _ -> ()

+    ) paths;

+

+    (* Certificates in the system CA store. *)

+    let certs = [ "/etc/pki/ca-trust/source/anchors/ipa-ca.crt";

+                  "/usr/local/share/ca-certificates/ipa-ca.crt";

+                  "/etc/pki/ca-trust/source/ipa.p11-kit" ] in

+    List.iter (

+      fun filename ->

+        try

+          g#rm filename;

+          side_effects#update_system_ca_store ()

+        with

+          G.Error _ -> ()

+    ) certs

+  )

+

+let op = {

+  defaults with

+    name = "ipa-client";

+    enabled_by_default = true;

+    heading = s_"Remove the IPA files";

+    pod_description = Some (s_"\

+Remove all the files related to an IPA (Identity, Policy, Audit) system.

+This effectively unenrolls the guest from an IPA server without interacting

+with it.

+

+This operation does not run C<ipa-client>.");

+    perform_on_filesystems = Some ipa_client_perform;

+}

+

+let () = register_operation op

-- 

2.18.4