Thank you!

On Wed, Aug 16, 2017 at 10:30 AM, Ludwig Krispenz via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
> On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
>
> Hello All,
>
> I was wondering if anyone has written a health check script for FreeIPA?
>
> I don't think something IPA-specific exists, but someone can correct me
>
>
> How do you all check replication (and IPA server health)?
>
> There are two approaches:
> 1] check the individual agreements, especially the update status
> 2] check the RUV (replication update vector) as you did with your search
> below.
> Both approaches need to be handled with care because of the dynamics of
> replication
>
> 1] you always only get the status of a single agreement, the update status
> can change and many "failure" states are transient. A documentation of the
> update states of an agreement can be found here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status
>
> 2] the RUV, as found by the search for
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> tracks the highest csn a server has seen for a specific replica id, the
> maxcsn which is the last csn in the output like:
> nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389}  529d000000610000
> 58deae97000500610000
>
> If replication is in sync the RUVs on all servers will be identical, but
> in a highly active environment you will probably never be in this state,
> there will be changes on some servers not yet replicated to all others. But
> what you should see is that the maxcsns of each replicaid, if not equal,
> are changing and moving forward.
>
> There is also a script delivered with 389-ds to monitor replication, but I
> myself usually look at the raw ruvs. You can have a look at the script:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status
>
>
> I did some digging and know that I can run this command to check
> replication:
>
> ldapsearch -D "cn=directory manager" -W -b "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
> nscpentrywsi
>
> But the output didn't show an error:
>
> ns01:
>
> nscpentrywsi: nsDS5ReplicaId: 96
> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
>  528b000000600000 599444dd000000600000
> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
>  529d000000610000 58deae97000500610000
>
> ns02:
>
> nscpentrywsi: nsDS5ReplicaId: 97
> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
>  529d000000610000 58deae97000500610000
> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
>  528b000000600000 595a8aff000100600000
>
> But running this showed a difference:
>
> [root@ns02 ~]# ipa user-find example
> ---------------
> 0 users matched
> ---------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
>
> [root@ns01 ~]# ipa user-find example
> --------------
> 1 user matched
> --------------
>   User login: example
> ... extra lines removed ...
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> (running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net"
> and then "ipa-csreplica-manage -v re-initialize --from
> ns01.dev.example.net" did fix the error, but I wasn't certain "why" it
> worked)
>
> Which log files on my two hosts should I be looking at to find out if
> there's an error in IPA?
>
> Normally I'd run a script and then, depending on the exit code, I'd use
> "zabbix_sender" to push a status code to my monitoring system.  Does anyone
> else do something like that?
>
> Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account
> and searched for a bunch of terms, but I could have missed something.
>
> Thanks for any help on this, I'm very puzzled both on the health
> monitoring and the replication issue.
>
> -Anthony
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, 
> Eric Shander
>

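Added example, not part of the original thread and not FreeIPA or 389-ds code: the RUV comparison described in the quoted reply, run over the nsds50ruv output quoted above and over two polls, so that a server is flagged only when it is behind and its maxcsn has stopped moving. It assumes a CSN is 20 hex digits that begin with an 8-digit Unix timestamp; the function names are illustrative.

```python
import re

# Constructed sample: the nsds50ruv lines quoted in the thread, keyed by server.
# ldapsearch folds long LDIF lines; a continuation line starts with one space.
SAMPLE = {
    "ns01": "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711\n"
            " 528b000000600000 599444dd000000600000\n"
            "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711\n"
            " 529d000000610000 58deae97000500610000\n",
    "ns02": "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711\n"
            " 529d000000610000 58deae97000500610000\n"
            "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711\n"
            " 528b000000600000 595a8aff000100600000\n",
}

RUV_RE = re.compile(
    r"nsds50ruv:\s*\{replica (\d+) [^}]*\}\s*([0-9a-f]{20})\s+([0-9a-f]{20})", re.I)

def parse_ruv(ldif):
    """Return {replica_id: maxcsn} from one server's search output."""
    unfolded = re.sub(r"\r?\n ", "", ldif)   # undo LDIF line folding first
    return {int(m[1]): m[3].lower() for m in RUV_RE.finditer(unfolded)}

def csn_seconds(csn):
    """Assumed CSN layout: the first 8 hex digits are Unix time in seconds."""
    return int(csn[:8], 16)

def stalled(prev, curr):
    """Compare two polls ({server: ldif}). Report (server, replica_id, lag_seconds)
    for each server that is behind the newest maxcsn AND has not advanced since
    the previous poll. Lag that is still shrinking is normal and not reported."""
    before = {s: parse_ruv(t) for s, t in prev.items()}
    now = {s: parse_ruv(t) for s, t in curr.items()}
    problems = []
    for rid in sorted({r for ruv in now.values() for r in ruv}):
        # Equal-length lowercase hex strings sort in numeric order.
        newest = max(ruv[rid] for ruv in now.values() if rid in ruv)
        for server, ruv in sorted(now.items()):
            mine = ruv.get(rid)
            if mine == newest:
                continue
            if mine is None or mine == before.get(server, {}).get(rid):
                lag = csn_seconds(newest) - csn_seconds(mine) if mine else None
                problems.append((server, rid, lag))
    return problems

def exit_code(prev, curr):
    """0 = every replica id is in sync or catching up, 1 = something is stalled."""
    return 1 if stalled(prev, curr) else 0
```

The return value of `exit_code` is the kind of status a wrapper could hand to `zabbix_sender`; the polling interval between the two samples is a deployment choice.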