Hi Rob,

On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:

> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
> The more feedback I get on it the better and more useful I can make it.

Awesome work, thanks. I tried it running in my personal IPA instance. I get
the following:
WARNING "No DNA range defined. If no masters define a range then users and
groups cannot be created."
This is on my replica and was already reported by someone else. Fixed it by
adding and removing a user on the web ui of the replica, as you described.
CRITICAL "[Errno 2] No such file or directory: '/var/log/audit/'"
This also has been reported; my replica is running as an LXC container
under Proxmox. Hacked it by creating the directory.
WARNING "Unexpected SRV entry in DNS"
"_ntp._udp.<my_domain>.:<replica hostname>."
I think this is correct because I'm not running ntpd on the replica. I've
removed the entry.
WARNING "Got 1 ipa-ca A records, expected 2"
WARNING "Expected SRV record missing"
"_<service>._(tcp|udp).<my domain>.:<replica hostname>."
Those are problematic for me, I guess because I'm running a probably
unsupported configuration:
* My first master is public on the Internet
* My second master is not public on the Internet
* Public DNS contains entries for the first master
* The DNS server which servers in the second master's network use contains
entries for both masters
* My first public master uses another DNS server* which does not have
specific IPA entries and thus uses the public Internet DNS's entries, which
do not contain the second master
(* actually the DNS server for the first master is running on the same
host, using dnsmasq)
I "fixed" this by putting all the DNS entries in all my internal DNS
servers, but then healthcheck won't be verifying the public Internet's DNS
records. This is not ideal, but I think it's fine.
...
I now have clean runs in all my masters, so I'll work to add it on my
monitoring agent (https://github.com/alexpdp7/ragent). I'm running my
agent every minute, and ipa-healthcheck seems to be quite expensive to run,
so I'll probably run it in cron every hour or so and then have the agent
gather the results.
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/
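
An added example, not part of the original message and not code from ipa-healthcheck or ragent: one way a monitoring agent could gather the results of an hourly cron run, as planned in the message above. It assumes the cron job saves the JSON report to a file and that each entry carries `source`, `check`, `result` and `kw.msg` fields; the `summarize` function, the two-hour staleness limit and the sample report are constructed for illustration.

```python
import json
import time

# Assumed result names, ordered by severity.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample report, not real output from any host.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "WARNING", "kw": {"msg": "No DNA range defined."}},
    {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
     "result": "WARNING", "kw": {"msg": "Got 1 ipa-ca A records, expected 2"}},
    {"source": "ipahealthcheck.meta.services", "check": "httpd",
     "result": "SUCCESS", "kw": {"status": True}},
])


def summarize(report_text, report_mtime, now=None, max_age=2 * 3600):
    """Return (worst_status, lines) for the agent to report.

    A stale or unreadable report is CRITICAL: if the cron job stops running,
    an old clean report must not keep the monitor green.
    """
    now = time.time() if now is None else now
    if now - report_mtime > max_age:
        return "CRITICAL", ["report is stale (%d s old)" % (now - report_mtime)]
    try:
        results = json.loads(report_text)
        if not isinstance(results, list):
            raise ValueError("top-level JSON value is not a list")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return "CRITICAL", ["report is unreadable: %s" % exc]
    worst, lines = "SUCCESS", []
    for entry in results:
        if not isinstance(entry, dict):
            entry = {"result": "CRITICAL", "kw": {"msg": "malformed entry"}}
        level = entry.get("result")
        if level not in SEVERITY:
            level = "CRITICAL"  # unknown result value: fail closed
        if level == "SUCCESS":
            continue
        kw = entry.get("kw")
        msg = kw.get("msg", "") if isinstance(kw, dict) else ""
        lines.append("%s %s.%s: %s"
                     % (level, entry.get("source"), entry.get("check"), msg))
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
    return worst, lines


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT, time.time()))
```

The agent passes the report file's contents and modification time, so the every-minute poll stays cheap while the expensive check runs only from cron.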