Hello,
I would like to inquire about the healthcheck API of IPA.
First of all, I set up 5 freeipa core servers and these core servers are located behind the load balancer. (to distribute clients' traffic) (* The freeipa version is v4.11)
And I am trying to configure the healthcheck method on my load balancer to avoid sending clients' traffic to an unhealthy server. I know that there is a command named 'ipa-healthcheck' provided by FreeIPA. But our load balancer only supports the HTTP, HTTPS, and HTTP2 protocols for healthcheck. So I couldn't use the ipa-healthcheck command for our load balancer.
So, I tried to create an additional API '/healthcheck' in the httpd server. Each call to the HTTP path /healthcheck will trigger a local execution of the ipa-healthcheck command to return the status of all services:
    ipa-healthcheck --source 'ipahealthcheck.meta.services' --all
And today we just tested using the ipa-healthcheck command with rpcservers. But, unfortunately, the CPU usage of the ipa-healthcheck command is pretty high (~80% CPU). So, we cannot use this method for our healthcheck.
So, could you let me know if there is an API provided by FreeIPA for healthcheck? Or please share with me if there is a best way to configure healthcheck with the HTTP protocol.
Gahee Jung
On Tue, 22 Oct 2024, gahee jung via FreeIPA-users wrote:
> Hello,
> I would like to inquire about the healthcheck API of IPA.
> First of all, I set up 5 freeipa core servers and these core servers are located behind the load balancer. (to distribute clients' traffic) (* The freeipa version is v4.11)
FreeIPA team does not support putting load balancers in front of FreeIPA servers. See, for example, http://ssimo.org/blog/id_019.html.
> And I am trying to configure the healthcheck method on my load balancer to avoid sending clients' traffic to an unhealthy server. I know that there is a command named 'ipa-healthcheck' provided by FreeIPA. But our load balancer only supports the HTTP, HTTPS, and HTTP2 protocols for healthcheck. So I couldn't use the ipa-healthcheck command for our load balancer.
> So, I tried to create an additional API '/healthcheck' in the httpd server. Each call to the HTTP path /healthcheck will trigger a local execution of the ipa-healthcheck command to return the status of all services:
>     ipa-healthcheck --source 'ipahealthcheck.meta.services' --all
> And today we just tested using the ipa-healthcheck command with rpcservers. But, unfortunately, the CPU usage of the ipa-healthcheck command is pretty high (~80% CPU). So, we cannot use this method for our healthcheck.
ipa-healthcheck is a tool to validate server's configuration. It is not a tool to quickly check whether a system is running and answers your calls.
It really depends on what you are trying to achieve here. IPA servers are all-or-nothing services. E.g. if KDC does not work, all other services should not be accessed on this host as well. If LDAP server does not work, all other services should be considered inaccessible as well.
What kind of traffic are you load-balancing?
> So, could you let me know if there is an API provided by FreeIPA for healthcheck? Or please share with me if there is a best way to configure healthcheck with the HTTP protocol.
If your load-balancer only supports HTTP protocols, chances are that it is unable to utilize Kerberos over HTTPS either, so it cannot access any of IPA API end-points. It also means it cannot really validate IPA server HTTP end-points are working beyond a simple 'yes, it responded, with whatever status code'.
If you want a minimal non-authenticated response, maybe do
    curl -X POST \
         -H 'Accept-Language: en' --data '{"method":"i18n_messages", "params":[[],{}]}' \
         --referer https://ipa-server.hostname/ipa/ \
         https://ipa-server.hostname/ipa/i18n_messages
It would return JSON of translations used by the FreeIPA Web UI for the chosen language ('en' in this case). It exercises IPA RPC infrastructure but otherwise doesn't look at any system state.
If you'd do authentication using username/password, then that's going to give you exercise of Kerberos + LDAP + IPA RPC infrastructure: https://freeipa.readthedocs.io/en/latest/api/jsonrpc_usage.html#password-aut...
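As an added example (not part of the thread and not FreeIPA code): a small endpoint for an HTTP-only load balancer that runs cheap TCP probes at most once per TTL instead of launching ipa-healthcheck on every request, and applies the all-or-nothing rule from the reply above. The ports (88, 389, 443), the /healthcheck path, the bind address and all names are assumptions; a TCP connect shows only that a listener answers, not that the service behind it works.

```python
import json, socket, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed standard ports: Kerberos KDC 88, LDAP 389, HTTPS 443.
PORTS = {"kdc": 88, "ldap": 389, "https": 443}

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate(results):
    """All-or-nothing: one failed component marks the whole server unhealthy."""
    failed = sorted(name for name, ok in results.items() if not ok)
    return (200 if not failed else 503), {"healthy": not failed, "failed": failed}

class CachedHealth:
    """Runs the probes at most once per ttl seconds, however often the LB polls."""
    def __init__(self, probe, ttl=10.0, clock=time.monotonic):
        self.probe, self.ttl, self.clock = probe, ttl, clock
        self.lock = threading.Lock()  # concurrent polls share one probe run
        self.expires, self.cached = 0.0, None

    def status(self):
        with self.lock:
            if self.cached is None or self.clock() >= self.expires:
                self.cached = evaluate(self.probe())
                self.expires = self.clock() + self.ttl
            return self.cached

def make_handler(health):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/healthcheck":
                return self.send_error(404)
            code, body = health.status()
            self.send_response(code)  # 200 healthy, 503 if any probe failed
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(json.dumps(body).encode())
    return Handler

if __name__ == "__main__":
    # Placeholder bind address and port; expose only to the load balancer.
    health = CachedHealth(lambda: {n: tcp_probe("127.0.0.1", p) for n, p in PORTS.items()})
    ThreadingHTTPServer(("127.0.0.1", 8080), make_handler(health)).serve_forever()
```

Because results are cached, the cost of a poll no longer depends on how often, or by whom, /healthcheck is requested.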