On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> I'm open to suggestions on this. I don't mean for it to scare anyone but
> the consequences can be head scratching. I have a blog entry on it that
> gets quite a few views.
Well, I think the ideal would be to prevent this from happening in FreeIPA.
If that doesn't make sense, the next best thing would be to report what to
do when the error is shown.
> Ok yes, this is certainly not a scenario I imagined.
Yeah, I think running FreeIPA servers on the public Internet is really not
a supported configuration, so I wouldn't worry too much about this (IMHO,
supporting running FreeIPA on the public Internet would be nice, but this
has already been discussed).
> You can probably get away with running it once a day. With the exception
> of the replication checks these aren't all that dynamic. You would catch
> things like permission and FS space issues earlier I suppose.
> I'll make a mental note to see if I can categorize things that can be
> frequently run vs those that can probably get by on a daily basis. I
> don't want to explode the number of switches but it might make sense to
> check services frequently and certs daily, for example.
Oh, I think running a check daily is probably the way to go. FS space is of
course something that needs to be monitored closely, but I would expect
most people who would use healthcheck are already monitoring that.
I would guess that if you do standard monitoring on your FreeIPA hosts
(ping, agent-based ping, disk space/inodes, services running, clock
properly synchronized, URL checks) + stuff like sssd caching + replication
the chances of FreeIPA having a significant failure that goes undetected
are pretty slim, so I wouldn't worry much about that use case.
It's just that it is convenient for me to roll this up in my monitoring
which runs daily, but that's not a use-case you should consider. Daily
monitoring should be fine for most.
Perhaps I would suggest adding a /health public (or IP-restricted) URL to
FreeIPA, that would be far more useful, IMHO.
> This is great feedback, thanks!
I worked for a few years in an organization where monitoring was very
important, so I kinda love tools which are easily monitorizable :)
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/