Kees Bakker via FreeIPA-users wrote:
Thanks Rob
Here are my findings, mainly as an FYI.
On the CA master it reports the following (which I have to investigate)
[
{
"source": "ipahealthcheck.ipa.certs",
"kw": {
"msg": "Unknown certmonger id 20190412141828",
"key": "20190412141828"
},
"uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
"duration": "0.980984",
"when": "20191106095349Z",
"check": "IPACertTracking",
"result": "WARNING"
}
]
To see what the request is, run:
# getcert list -i 20190412141828
It may be perfectly fine, it is acceptable to track other certs on the
master, it is just unexpected so healthcheck is warning about it.
One replica reports no problems. Another replica reports the
following.
This replica is installed and running in a LXC container (Ubuntu host).
Healthcheck reports:
[
{
"source": "ipahealthcheck.system.filesystemspace",
"kw": {
"exception": "[Errno 2] No such file or directory: '/var/log/audit/'"
},
"uuid": "087b9370-7d5a-4814-8a0b-956bdeed5ae7",
"duration": "0.000464",
"when": "20191106094813Z",
"check": "FileSystemSpaceCheck",
"result": "CRITICAL"
}
]
Strangely enough the package audit wasn't installed, only audit-libs and
audit-libs-python.
It seems to function alright though.
It isn't dependent upon installed packages, it just checks a bunch of
filesystems. I'd have sworn we've seen a similar issue when someone ran
healthcheck in a docker container and I thought we considered the
context when checking. I'll take a look.
This is one of those false-positives I was worried about :/
thanks
rob
-- Kees
On 05-11-19 16:34, Rob Crittenden via FreeIPA-users wrote:
> Over the summer we announced the freeipa-healthcheck project which is
> designed to look at an IdM cluster and look for common problems so you
> can have some level of assurance that the system is running as it should.
>
> It was built against the IPA 4.8.x branch and originally released only
> for Fedora 29+. It is also included in the newly released RHEL 8.1.0.
>
> My curious nature led me to see if it would also work in the IPA
> 4.6.x branch. It was a bit of a challenge backing down to Python 2 but I
> was able to get something working. I tested primarily on Fedora 27 but
> it should also work in RHEL/CentOS 7 (I smoke tested 7.8).
>
> I made an EPEL 7 build in COPR,
>
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>
> Enable the repo and do: yum install freeipa-healthcheck
>
> Then run: ipa-healthcheck --failures-only
>
> Ideally there will be no output but an empty list []. Otherwise the
> output is JSON and hopefully has enough information to point you in the
> right direction. Feel free to ask if you need help.
>
> False positives are always a possibility and many of the checks run
> independently so it's possible to get multiple issues from a single root
> problem. It's hard to predict all possible installations so some
> fine-tuning may be required.
>
> I'd recommend running it every now and then at least, like prior to
> updating IPA packages, creating a new master, etc, if not daily. It
> will, for example, warn of impending cert expiration.
>
> The more feedback I get on it the better and more useful I can make it.
>
> This is my own personal backport and is not officially supported by
> anyone but me. It's preferred to report issues on this mailing list.
> I'll see them and others may be able to chime in as well.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
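
Added example, not part of the thread or of the freeipa-healthcheck project: a short Python triage of `ipa-healthcheck --failures-only` JSON that sorts results by severity and attaches a follow-up for the two result shapes discussed above. The sample input is constructed from the two results quoted in the thread; the function names and the hint wording are assumptions of this example.

```python
import json
import re

# Constructed input: the two results quoted in this thread, merged into one list.
SAMPLE = """[
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "WARNING", "when": "20191106095349Z",
  "kw": {"msg": "Unknown certmonger id 20190412141828", "key": "20190412141828"}},
 {"source": "ipahealthcheck.system.filesystemspace", "check": "FileSystemSpaceCheck",
  "result": "CRITICAL", "when": "20191106094813Z",
  "kw": {"exception": "[Errno 2] No such file or directory: '/var/log/audit/'"}}
]"""

# Severity order used for sorting; unknown levels sort first so they get looked at.
ORDER = {"CRITICAL": 3, "ERROR": 2, "WARNING": 1, "SUCCESS": 0}


def next_step(item):
    """Suggest a follow-up for the two result shapes discussed in the thread."""
    kw = item.get("kw", {})
    key = str(kw.get("key", ""))
    if item.get("check") == "IPACertTracking" and re.fullmatch(r"\d+", key):
        # Only digits are interpolated, so the hint is safe to paste into a shell.
        return "getcert list -i " + key
    m = re.search(r"\[Errno 2\].*'([^']+)'", kw.get("exception", ""))
    if m:
        # A missing path can be a layout difference (e.g. a container), not a fault.
        return "path %s missing: check host/container layout before escalating" % m.group(1)
    return "no hint; read kw"


def triage(raw):
    """Return (result, source.check, next_step) tuples, most severe first."""
    items = json.loads(raw)
    items.sort(key=lambda i: ORDER.get(i.get("result"), 99), reverse=True)
    return [(i.get("result"), "%s.%s" % (i.get("source"), i.get("check")), next_step(i))
            for i in items]


if __name__ == "__main__":
    for result, name, hint in triage(SAMPLE):
        print("%-8s %s\n         -> %s" % (result, name, hint))
```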