On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden <rcrit...@redhat.com> wrote:

> I'm open to suggestions on this. I don't mean for it to scare anyone but
> the consequences can be head scratching. I have a blog entry on it that
> gets quite a few views.
>

Well, I think the ideal would be to prevent this from happening in FreeIPA.
If that doesn't make sense, the next best thing would be to report what to
do when the error is shown.


> Ok yes, this is certainly not a scenario I imagined.
>

Yeah, I think running FreeIPA servers on the public Internet is really not
a supported configuration, so I wouldn't worry too much about this (IMHO,
supporting running FreeIPA on the public Internet would be nice, but this
has already been discussed).


> You can probably get away with running it once a day. With the exception
> of the replication checks these aren't all that dynamic. You would catch
> things like permission and FS space issues earlier I suppose.
>
> I'll make a mental note to see if I can categorize things that can be
> frequently run vs those that can probably get by on a daily basis. I
> don't want to explode the number of switches but it might make sense to
> check services frequently and certs daily, for example.
>

Oh, I think running a check daily is probably the way to go. FS space is of
course something that needs to be monitored closely, but I would expect
most people who would use healthcheck are already monitoring that.

I would guess that if you do standard monitoring on your FreeIPA hosts
(ping, agent-based ping, disk space/inodes, services running, clock
properly synchronized, URL checks) + stuff like sssd caching + replication,
the chances of FreeIPA having a significant failure that goes undetected
are pretty slim, so I wouldn't worry much about that use case.

It's just that it is convenient for me to roll this up in my monitoring
which runs daily, but that's not a use-case you should consider. Daily
monitoring should be fine for most.

Perhaps I would suggest adding a /health public (or IP-restricted) URL to
FreeIPA, that would be far more useful, IMHO.


> This is great feedback, thanks!
>

I worked for a few years in an organization where monitoring was very
important, so I kinda love tools which are easily monitorizable :)

Cheers,

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org