Alex Corcoles via FreeIPA-users wrote:
> Hi Rob,
>
> On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> I made an EPEL 7 build in COPR,
>> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>> The more feedback I get on it the better and more useful I can make it.
>
> Awesome work, thanks. I tried running it in my personal IPA instance. I
> get the following:
>
> WARNING "No DNA range defined. If no masters define a range then users
> and groups cannot be created."
>
> This is on my replica and was already reported by someone else. Fixed it
> by adding and removing a user on the web UI of the replica, as you
> described.
I'm open to suggestions on this. I don't mean for it to scare anyone but
the consequences can be head scratching. I have a blog entry on it that
gets quite a few views.
> CRITICAL "[Errno 2] No such file or directory: '/var/log/audit/'"
>
> This also has been reported; my replica is running as an LXC container
> under Proxmox. Hacked it by creating the directory.
I've got a PR upstream to not enforce /var/log/audit when healthcheck is
executed inside a container. I will hopefully have an updated build
later this week.
> WARNING "Unexpected SRV entry in DNS" "_ntp._udp.<my_domain>.:<replica hostname>."
>
> I think this is correct because I'm not running ntpd on the replica.
> I've removed the entry.
Ok, that very well could be true.
> WARNING "Got 1 ipa-ca A records, expected 2"
> WARNING "Expected SRV record missing" "_<service>._(tcp|udp).<my domain>.:<replica hostname>."
>
> Those are problematic for me, I guess because I'm running a probably
> unsupported configuration:
>
> * My first master is public on the Internet
> * My second master is not public on the Internet
> * Public DNS contains entries for the first master
> * The DNS server which servers in the second master's network use
>   contains entries for both masters
> * My first public master uses another DNS server* which does not have
>   specific IPA entries and thus uses the public Internet DNS's entries,
>   which do not contain the second master
>
> (* actually the DNS server for the first master is running on the same
> host, using dnsmasq)
>
> I "fixed" this by putting all the DNS entries in all my internal DNS
> servers, but then healthcheck won't be verifying the public Internet's
> DNS records. This is not ideal, but I think it's fine.
Ok yes, this is certainly not a scenario I imagined.
...
> I now have clean runs in all my masters, so I'll work to add it on my
> monitoring agent (https://github.com/alexpdp7/ragent). I'm running my
> agent every minute, and ipa-healthcheck seems to be quite expensive to
> run, so I'll probably run it in cron every hour or so and then have the
> agent gather the results.
You can probably get away with running it once a day. With the exception
of the replication checks these aren't all that dynamic. You would catch
things like permission and FS space issues earlier I suppose.
I'll make a mental note to see if I can categorize things that can be
frequently run vs those that can probably get by on a daily basis. I
don't want to explode the number of switches but it might make sense to
check services frequently and certs daily, for example.
This is great feedback, thanks!
rob
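One way to do the hourly-cron-plus-agent collection discussed above, as an added example that is not part of the thread, of ipa-healthcheck, or of ragent: a Python script that reads the JSON report ipa-healthcheck writes with --output-file and reduces it to per-severity counts, the worst severity, a failure list, and a Nagios-style exit code the agent can pick up. The crontab line, the report path, the exit-code convention and the check names in the constructed sample are assumptions; the result severities (SUCCESS, WARNING, ERROR, CRITICAL) and the top-level keys (source, check, result, kw) follow ipa-healthcheck's JSON output. An optional ignore set lets you mute a known-noise finding (for example the container /var/log/audit one until the upstream fix lands) without hiding everything else.

```python
"""Summarize an ipa-healthcheck JSON report for a monitoring agent.

Added example; not ipa-healthcheck or ragent code. Assumes the report was
written by a cron job such as (path is an assumption):

    0 * * * * root ipa-healthcheck --output-file /var/lib/ipa/healthcheck.json

Only the JSON layout (a list of objects with "source", "check", "result"
and "kw") follows ipa-healthcheck's output.
"""
import json
import sys

# Result strings used by ipa-healthcheck, ordered from best to worst.
SEVERITY = ["SUCCESS", "WARNING", "ERROR", "CRITICAL"]


def severity_rank(result):
    """Rank a result string; anything unexpected ranks as CRITICAL so a
    malformed or truncated report never looks healthy."""
    return SEVERITY.index(result) if result in SEVERITY else len(SEVERITY) - 1


def summarize(report, ignore=frozenset()):
    """Reduce a report to counts per severity, the worst severity seen and
    one human-readable line per non-SUCCESS result.

    `ignore` is a set of check names (the "check" key) to drop entirely,
    for findings already known to be noise in this deployment.
    """
    counts = {s: 0 for s in SEVERITY}
    failures = []
    worst = 0
    for item in report:
        if item.get("check") in ignore:
            continue
        rank = severity_rank(item.get("result", "CRITICAL"))
        counts[SEVERITY[rank]] += 1
        worst = max(worst, rank)
        if rank > 0:
            msg = item.get("kw", {}).get("msg", "(no message)")
            failures.append("%s %s.%s: %s" % (
                SEVERITY[rank], item.get("source"), item.get("check"), msg))
    return {"counts": counts, "worst": SEVERITY[worst], "failures": failures}


def exit_code(worst):
    """Map the worst severity to a Nagios-style exit code (assumed
    convention): 0 OK, 1 WARNING, 2 for ERROR, CRITICAL or anything else."""
    return {"SUCCESS": 0, "WARNING": 1}.get(worst, 2)


def load_report(path):
    with open(path) as f:
        return json.load(f)


# Constructed sample modelled on the findings discussed in the thread; the
# source/check names are illustrative, not copied from a real run.
SAMPLE = [
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "SUCCESS", "kw": {}},
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "WARNING",
     "kw": {"msg": "No DNA range defined. If no masters define a range then "
                   "users and groups cannot be created."}},
    {"source": "ipahealthcheck.system.filesystemspace", "check": "FileSystemSpaceCheck",
     "result": "CRITICAL",
     "kw": {"msg": "[Errno 2] No such file or directory: '/var/log/audit/'"}},
    {"source": "ipahealthcheck.ipa.dns", "check": "IPADNSSystemRecordsCheck",
     "result": "WARNING",
     "kw": {"msg": "Unexpected SRV entry in DNS",
            "key": "_ntp._udp.example.test.:replica.example.test."}},
]


if __name__ == "__main__":
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    # Check names listed after the report path are muted.
    summary = summarize(report, ignore=set(sys.argv[2:]))
    print("ipa-healthcheck: worst=%s counts=%s" % (summary["worst"], summary["counts"]))
    for line in summary["failures"]:
        print("  " + line)
    sys.exit(exit_code(summary["worst"]))
```

Run it as `healthcheck_summary.py /var/lib/ipa/healthcheck.json FileSystemSpaceCheck` from the agent to get a one-line status plus the exit code; with no arguments it runs against the embedded sample. Muting a check by name rather than by message text keeps the filter stable across wording changes in the tool.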