On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden <rcritten@redhat.com> wrote:
> I'm open to suggestions on this. I don't mean for it to scare anyone but
> the consequences can be head scratching. I have a blog entry on it that
> gets quite a few views.

Well, I think the ideal would be to prevent this from happening in FreeIPA. If that doesn't make sense, the next best thing would be to report what to do when the error is shown.
Ok yes, this is certainly not a scenario I imagined.

Yeah, I think running FreeIPA servers on the public Internet is really not a supported configuration, so I wouldn't worry too much about this (IMHO, supporting running FreeIPA on the public Internet would be nice, but this has already been discussed).
> You can probably get away with running it once a day. With the exception
> of the replication checks these aren't all that dynamic. You would catch
> things like permission and FS space issues earlier I suppose.
>
> I'll make a mental note to see if I can categorize things that can be
> frequently run vs those that can probably get by on a daily basis. I
> don't want to explode the number of switches but it might make sense to
> check services frequently and certs daily, for example.

Oh, I think running a check daily is probably the way to go. FS space is of course something that needs to be monitored closely, but I would expect most people who would use healthcheck are already monitoring that.

I would guess that if you do standard monitoring on your FreeIPA hosts (ping, agent-based ping, disk space/inodes, services running, clock properly synchronized, URL checks) + stuff like sssd caching + replication the chances of FreeIPA having a significant failure that goes undetected are pretty slim, so I wouldn't worry much about that use case.

It's just that it is convenient for me to roll this up in my monitoring which runs daily, but that's not a use-case you should consider. Daily monitoring should be fine for most.

Perhaps I would suggest adding a /health public (or IP-restricted) URL to FreeIPA, that would be far more useful, IMHO.

> This is great feedback, thanks!

I worked for a few years in an organization where monitoring was very important, so I kinda love tools which are easily monitorizable :)

Cheers,

Álex
--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
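As an added illustration of rolling healthcheck output into an existing daily monitoring run (my own example, not code from this thread or from the FreeIPA project): a small wrapper that turns ipa-healthcheck JSON output into a monitoring exit code, with a switch to keep only the checks the thread calls out as worth running more often (services, replication, disk space). The sample output is constructed, and the `source`/`check`/`result`/`kw` field names are an assumption about the tool's JSON schema.

```python
import json

# Constructed sample of ipa-healthcheck JSON output (not captured from any
# host). The source/check/result/kw keys are assumed from the tool's schema.
SAMPLE_OUTPUT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "WARNING", "kw": {"msg": "certificate expires in 25 days"}},
    {"source": "ipahealthcheck.meta.services", "check": "dirsrv",
     "result": "ERROR", "kw": {"status": False, "msg": "dirsrv: not running"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationConflictCheck",
     "result": "SUCCESS", "kw": {}},
    {"source": "ipahealthcheck.system.filesystemspace", "check": "FileSystemSpaceCheck",
     "result": "CRITICAL", "kw": {"msg": "/var/log: free space under threshold"}},
])

# Sources worth polling frequently; everything else (certs, permissions, ...)
# can wait for the daily run. Assumed module names, adjust to your install.
FREQUENT_SOURCES = ("ipahealthcheck.meta.services",
                    "ipahealthcheck.ds.replication",
                    "ipahealthcheck.system.filesystemspace")

# Nagios-style exit codes: 0 OK, 1 WARNING, 2 CRITICAL
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 2}


def summarize(raw_json, frequent_only=False):
    """Return (exit_code, messages) suitable for a monitoring agent."""
    results = json.loads(raw_json)
    if frequent_only:
        results = [r for r in results if r["source"] in FREQUENT_SOURCES]
    code, messages = 0, []
    for r in results:
        sev = SEVERITY.get(r["result"], 2)  # unknown result: treat as failure
        code = max(code, sev)
        if sev:
            msg = r.get("kw", {}).get("msg", "")
            messages.append(f"{r['result']} {r['source']}.{r['check']}: {msg}")
    return code, messages


if __name__ == "__main__":
    import sys
    # Pipe `ipa-healthcheck --output-type json` into this script; the sample
    # is used when run interactively without input.
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    code, messages = summarize(raw)
    print("\n".join(messages) or "OK")
    sys.exit(code)
```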