Hi all,
Is there any official literature about how to monitor FreeIPA?
The upstream guide mentions:
1) Testing clients using id
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
2) Adding a user on a replica and verifying it appears on another server
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
There's also some troubleshooting appendices which look interesting.
I also see ipactl and "ipa ping", and there seem to be:
https://www.freeipa.org/page/V4/Tool_to_Check_Status_of_All_Replicas (but it seems dead)
https://www.freeipa.org/page/V4/Monitor_Replication_Topology
and also some independent initiatives all over the web.
Is there any plan to provide an official way to monitor FreeIPA? My foremost concern would be to ensure that all clients are correctly enrolled and sudo/ssh work, so I am not locked out of my systems. Ensuring that replication works seems good and popular. Of course I can check that all services are running and ports respond.
What are the most common ways for FreeIPA to break?
Thoughts?
Álex
Wow! It's a really important question. I'm joining in on it. It's good to be able to know what is happening with the IPA infra. Especially ssh/sudo working (in general at least, without concerning ourselves with HBAC+Policy groups).
2018-01-31 22:04 GMT+03:00 Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
Hi all,
Is there any official literature about how to monitor FreeIPA?
The upstream guide mentions:
- Testing clients using id
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test
- Adding a user on a replica and verifying it appears on another server
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/replica-verify
There's also some troubleshooting appendices which look interesting.
I also see ipactl and "ipa ping", and there seem to be:
https://www.freeipa.org/page/V4/Tool_to_Check_Status_of_All_Replicas (but it seems dead)
https://www.freeipa.org/page/V4/Monitor_Replication_Topology
and also some independent initiatives all over the web.
Is there any plan to provide an official way to monitor FreeIPA? My foremost concern would be to ensure that all clients are correctly enrolled and sudo/ssh work, so I am not locked out of my systems. Ensuring that replication works seems good and popular. Of course I can check that all services are running and ports respond.
What are the most common ways for FreeIPA to break?
Thoughts?
Álex
-- mail: alex at corcoles dot net http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Alex Corcoles via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Is there any official literature about how to monitor FreeIPA?
I'm using https://github.com/peterpakos/checkipaconsistency to monitor my replicas.
Is there any plan to provide an official way to monitor FreeIPA? My foremost concern would be to ensure that all clients are correctly enrolled and sudo/ssh work, so I am not locked out of my systems. Ensuring that replication works seems good and popular. Of course I can check that all services are running and ports respond.
What are the most common ways for FreeIPA to break?
Right now we had some problems with certificates not/halfway renewing, so some tool to check LDAP against the different cert-stores might be helpful.
Jochen
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein jochen@jochen.org wrote:
I'm using https://github.com/peterpakos/checkipaconsistency to monitor my replicas.
Yeah, but I'm not exactly reassured by choosing one of the many plugins out there, or running them all. It would be great to push for an official check.
I might be willing to help, but I'd need documentation about what (and how) to check, and that's basically 90% of the work. I would propose assimilating the best-looking plugin out there and expanding it every time someone reports some broken thing that needs proactive fixing.
Any way we can help this happen?
Right now we had some problems with certificates not/halfway renewing,
so some tool to check LDAP against the different cert-stores might be helpful.
$ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
Actually changing "3 years" to something inferior to the margin FreeIPA starts renewing certificates should warn you that something is amiss.
Alex Corcoles via FreeIPA-users wrote:
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <jochen@jochen.org> wrote:
I'm using https://github.com/peterpakos/checkipaconsistency to monitor my replicas.
Yeah, but I'm not exactly reassured by choosing one of the many plugins out there, or running them all. It would be great to push for an official check.
There are not that many plugins doing this that I know of.
I'm pretty sure there is a nagios script that looks at the agreement in LDAP, or the output of ipa-replica-manage list -v `hostname` to look for replication issues.
For a more full-blown view there is http://cnmonitor.sourceforge.net/
389-ds instructions for this are at http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-...
The team has talked about a monitoring script but for now Peter's script is filling the void.
I might be willing to help, but I'd need documentation about what (and how) to check, and that's basically 90% of the work. I would propose assimilating the best-looking plugin out there and expanding it every time someone reports some broken thing that needs proactive fixing.
Any way we can help this happen?
Right now we had some problems with certificates not/halfway renewing, so some tool to check LDAP against the different cert-stores might be helpful.
$ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
Actually changing "3 years" to something inferior to the margin FreeIPA starts renewing certificates should warn you that something is amiss.
Server certs in IPA are good for 2 years.
We have in mind a tool to troubleshoot cert issues but haven't yet started work on it.
rob
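Building on Alex's `ipa cert-find --validnotafter-to` idea and Rob's note that server certs are good for two years, here is an added example (not code from this thread or from the FreeIPA project) of a Nagios-style check that parses `ipa cert-find` output and reports unrevoked certificates still unrenewed inside a window shorter than certmonger's renewal margin, which is exactly the "something is amiss" case. SAMPLE_OUTPUT and NOW are constructed; `renew_margin_days` is a parameter you set from your own certmonger tracking configuration, and in production you pass the real `ipa cert-find` output and `datetime.now(timezone.utc)`.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time

# Constructed sample in the shape of the human-readable `ipa cert-find` listing.
SAMPLE_OUTPUT = """\
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Not After: Fri Jan 31 10:00:00 2020 UTC
  Serial number: 7
  Revoked: False
  Subject: CN=old-client.example.test,O=EXAMPLE.TEST
  Not After: Sat Feb 10 10:00:00 2018 UTC
  Serial number: 3
  Revoked: False
  Subject: CN=retired.example.test,O=EXAMPLE.TEST
  Not After: Mon Feb 05 10:00:00 2018 UTC
  Serial number: 2
  Revoked: True
"""

def parse_cert_find(text):
    """One dict per 'Subject:' block of the human-readable `ipa cert-find` listing."""
    certs, cur = [], {}                            # fields before the first Subject are discarded
    for raw in text.splitlines():
        key, _, value = (s.strip() for s in raw.partition(":"))
        if key == "Subject":                       # every entry starts a new record here
            cur = {"subject": value, "revoked": False}
            certs.append(cur)
        elif key == "Not After":
            cur["not_after"] = datetime.strptime(
                value, "%a %b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        elif key == "Serial number":               # exact match skips "Serial number (hex)"
            cur["serial"] = int(value)
        elif key == "Revoked":
            cur["revoked"] = value == "True"
    return certs

def check_certificates(text, now, warn_days, renew_margin_days):
    """Nagios-style (exit_code, message); warn_days must be inside certmonger's renewal margin."""
    if warn_days >= renew_margin_days:
        raise ValueError("warn window must be shorter than the renewal margin")
    cutoff = now + timedelta(days=warn_days)
    # Revoked certs are expected to lapse; anything else this close to expiry was not renewed.
    stuck = [c for c in parse_cert_find(text)
             if not c["revoked"] and "not_after" in c and c["not_after"] <= cutoff]
    if not stuck:
        return 0, "OK: no unrevoked certificate expires within %d days" % warn_days
    detail = ", ".join("%s (serial %d, %d days left)" % (c["subject"], c["serial"],
                       (c["not_after"] - now).days) for c in stuck)
    return 2, "CRITICAL: renewal looks stuck for " + detail
```

The exit code follows the Nagios convention (0 OK, 2 CRITICAL), so the function can be wrapped directly by a plugin that runs `ipa cert-find` and exits with the returned code.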
I know this is an old thread, but there are no changes to FreeIPA that cnmonitor might conflict with, are there?
On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: