Alex Corcoles via FreeIPA-users wrote:
> Hi Rob,
>
> On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
>> I made an EPEL 7 build in COPR,
>> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>>
>> The more feedback I get on it the better and more useful I can make it.
>
> Awesome work, thanks. I tried it running in my personal IPA instance. I
> get the following:
>
> WARNING "No DNA range defined. If no masters define a range then users
> and groups cannot be created."
>
> This is on my replica and was already reported by someone else. Fixed it
> by adding and removing a user on the web UI of the replica, as you
> described.

I'm open to suggestions on this. I don't mean for it to scare anyone but
the consequences can be head scratching. I have a blog entry on it that
gets quite a few views.

> CRITICAL "[Errno 2] No such file or directory: '/var/log/audit/'"
>
> This also has been reported; my replica is running as an LXC container
> under Proxmox. Hacked it by creating the directory.

I've got a PR upstream to not enforce /var/log/audit when healthcheck is
executed inside a container. I will hopefully have an updated build later
this week.

> WARNING "Unexpected SRV entry in DNS" "_ntp._udp.<my_domain>.:<replica
> hostname>."
>
> I think this is correct because I'm not running ntpd on the replica.
> I've removed the entry.

Ok, that very well could be true.

> WARNING "Got 1 ipa-ca A records, expected 2"
> WARNING "Expected SRV record missing" "_<service>._(tcp|udp).<my
> domain>.:<replica hostname>."
>
> Those are problematic for me, I guess because I'm running a probably
> unsupported configuration:
>
> * My first master is public on the Internet
> * My second master is not public on the Internet
> * Public DNS contains entries for the first master
> * The DNS server which servers in the second master's network use
>   contains entries for both masters
> * My first public master uses another DNS server* which does not have
>   specific IPA entries and thus uses the public Internet DNS's entries,
>   which do not contain the second master
>
> (* actually the DNS server for the first master is running on the same
> host, using dnsmasq)
>
> I "fixed" this by putting all the DNS entries in all my internal DNS
> servers, but then healthcheck won't be verifying the public Internet's
> DNS records. This is not ideal, but I think it's fine.

Ok yes, this is certainly not a scenario I imagined.

> ...
>
> I now have clean runs in all my masters, so I'll work to add it on my
> monitoring agent ( https://github.com/alexpdp7/ragent ). I'm running my
> agent every minute, and ipa-healthcheck seems to be quite expensive to
> run, so I'll probably run it in cron every hour or so and then have the
> agent gather the results.

You can probably get away with running it once a day. With the exception
of the replication checks these aren't all that dynamic. You would catch
things like permission and FS space issues earlier I suppose.

I'll make a mental note to see if I can categorize things that can be
frequently run vs those that can probably get by on a daily basis. I
don't want to explode the number of switches but it might make sense to
check services frequently and certs daily, for example.

This is great feedback, thanks!

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
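The split discussed above, a cron job saving a healthcheck run and the monitoring agent gathering the results later, leaves one gap: an agent that only reads the last file will keep reporting a clean result even after cron stops running. Here is an added example of the gathering side, not code from the thread, from ipa-healthcheck or from ragent. It assumes the layout of ipa-healthcheck's JSON output (a list of results with `source`, `check`, `result` and `kw.msg`), the `--output-file` option, and a constructed sample run whose two findings mirror the ones quoted in the thread.

```python
import json
from collections import Counter

# Result levels as ipa-healthcheck reports them, ordered from best to worst.
SEVERITY = ["SUCCESS", "WARNING", "ERROR", "CRITICAL"]

# Constructed sample in the layout of ipa-healthcheck's JSON output (a list
# of results carrying source, check, result and kw); the two findings
# mirror the ones quoted in the thread.
SAMPLE_JSON = json.dumps([
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "WARNING",
     "kw": {"msg": "No DNA range defined. If no masters define a range "
                   "then users and groups cannot be created."}},
    {"source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck",
     "result": "CRITICAL",
     "kw": {"msg": "[Errno 2] No such file or directory: '/var/log/audit/'"}},
    {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck",
     "result": "SUCCESS", "kw": {"key": "crl_manager"}},
])


def summarize(raw, run_time, now, max_age=2 * 3600):
    """Reduce one saved healthcheck run to what a monitoring agent reports.

    raw      -- JSON text the cron job saved (ipa-healthcheck --output-file)
    run_time -- epoch seconds when that file was written (its mtime)
    now      -- current epoch seconds
    Returns (worst_level, counts_per_level, findings). A run older than
    max_age is escalated to CRITICAL so a stalled cron job cannot hide
    behind a stale clean result.
    """
    results = json.loads(raw)
    counts = Counter(r["result"] for r in results)
    # Only non-SUCCESS results carry a message worth forwarding.
    findings = [
        "%s %s.%s: %s" % (r["result"], r["source"], r["check"],
                          r["kw"].get("msg", ""))
        for r in results if r["result"] != "SUCCESS"
    ]
    # Unknown result strings (future levels) are treated as worst-case.
    rank = lambda lvl: SEVERITY.index(lvl) if lvl in SEVERITY else len(SEVERITY)
    worst = max((r["result"] for r in results), key=rank, default="SUCCESS")
    if now - run_time > max_age:
        worst = "CRITICAL"
        findings.append("CRITICAL healthcheck result is %ds old"
                        % (now - run_time))
    return worst, counts, findings
```

In the agent, pass the saved file's contents and `os.path.getmtime()` as `raw` and `run_time`; the returned level maps directly onto the check state and `findings` onto its detail text.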