Kees Bakker via FreeIPA-users wrote:
> Thanks Rob
> 
> Here are my findings, mainly as an FYI.
> 
> On the CA master it reports the following (which I have to investigate)
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Unknown certmonger id 20190412141828",
>       "key": "20190412141828"
>     },
>     "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
>     "duration": "0.980984",
>     "when": "20191106095349Z",
>     "check": "IPACertTracking",
>     "result": "WARNING"
>   }
> ]

To see what the request is, run:

# getcert list -i 20190412141828

It may be perfectly fine, it is acceptable to track other certs on the
master, it is just unexpected so healthcheck is warning about it.

> One replica reports no problems. Another replica reports the following.
> This replica is installed and running in a LXC container (Ubuntu host).
> Healthcheck reports:
> [
>   {
>     "source": "ipahealthcheck.system.filesystemspace",
>     "kw": {
>       "exception": "[Errno 2] No such file or directory: '/var/log/audit/'"
>     },
>     "uuid": "087b9370-7d5a-4814-8a0b-956bdeed5ae7",
>     "duration": "0.000464",
>     "when": "20191106094813Z",
>     "check": "FileSystemSpaceCheck",
>     "result": "CRITICAL"
>   }
> ]
> Strangely enough the package audit wasn't installed, only audit-libs and 
> audit-libs-python.
> It seems to function alright though.

It isn't dependent upon installed packages, it just checks a bunch of
filesystems. I'd have sworn we've seen a similar issue when someone ran
healthcheck in a docker container and I thought we considered the
context when checking. I'll take a look.

This is one of those false-positives I was worried about :/

thanks

rob


> -- Kees
> 
> On 05-11-19 16:34, Rob Crittenden via FreeIPA-users wrote:
>> Over the summer we announced the freeipa-healthcheck project which is
>> designed to look at an IdM cluster and look for common problems so you
>> can have some level of assurance that the system is running as it should.
>>
>> It was built against the IPA 4.8.x branch and originally released only
>> for Fedora 29+. It is also included in the newly released RHEL 8.1.0.
>>
>> My curious nature led me to see if it would also work in the IPA
>> 4.6.x branch. It was a bit of a challenge backing down to Python 2 but I
>> was able to get something working. I tested primarily on Fedora 27 but
>> it should also work in RHEL/CentOS 7 (I smoke tested 7.8).
>>
>> I made an EPEL 7 build in COPR,
>> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>>
>> Enable the repo and do: yum install freeipa-healthcheck
>>
>> Then run: ipa-healthcheck --failures-only
>>
>> Ideally there will be no output but an empty list []. Otherwise the
>> output is JSON and hopefully has enough information to point you in the
>> right direction. Feel free to ask if you need help.
>>
>> False positives are always a possibility and many of the checks run
>> independently so it's possible to get multiple issues from a single root
>> problem. It's hard to predict all possible installations so some
>> fine-tuning may be required.
>>
>> I'd recommend running it every now and then at least, like prior to
>> updating IPA packages, creating a new master, etc, if not daily. It
>> will, for example, warn of impending cert expiration.
>>
>> The more feedback I get on it the better and more useful I can make it.
>>
>> This is my own personal backport and is not officially supported by
>> anyone but me. It's preferred to report issues on this mailing list.
>> I'll see them and others may be able to chime in as well.
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: 
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
>> https://lists.fedorahosted.org/archives/list/[email protected]
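The triage described in this thread, as an added example that is not part of the original messages or of the freeipa-healthcheck project: it reads ipa-healthcheck JSON output, orders the findings worst first, and attaches the follow-up the thread suggests for each of the two cases discussed. The function name triage, the hint wording, and the sample (constructed by trimming the two findings quoted above into one list) are assumptions.

```python
import json

# Constructed sample: the two findings quoted in the thread, trimmed and
# merged into one list as if collected from several hosts.
SAMPLE = '''[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
   "result": "WARNING",
   "kw": {"msg": "Unknown certmonger id 20190412141828",
          "key": "20190412141828"}},
  {"source": "ipahealthcheck.system.filesystemspace",
   "check": "FileSystemSpaceCheck", "result": "CRITICAL",
   "kw": {"exception":
          "[Errno 2] No such file or directory: '/var/log/audit/'"}}
]'''

# Result levels reported by ipa-healthcheck, lowest to highest.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def triage(report_json):
    """Return (result, check, hint) tuples, worst severity first."""
    findings = []
    for item in json.loads(report_json):
        result = item.get("result", "")
        # An unrecognised result is ranked as CRITICAL so it is never hidden.
        if SEVERITY.get(result, 3) == 0:
            continue
        kw = item.get("kw", {})
        check = item.get("check", "")
        if check == "IPACertTracking" and "key" in kw:
            # Unknown tracking request: look at it before deciding it is a problem.
            hint = "inspect request: getcert list -i %s" % kw["key"]
        elif "No such file or directory" in kw.get("exception", ""):
            # The check could not run at all, e.g. a path absent in a container.
            hint = "path missing on this host (container?): verify before escalating"
        else:
            hint = kw.get("msg") or kw.get("exception") or "no detail"
        findings.append((result, check, hint))
    findings.sort(key=lambda f: SEVERITY.get(f[0], 3), reverse=True)
    return findings


if __name__ == "__main__":
    for result, check, hint in triage(SAMPLE):
        print("%-8s %-22s %s" % (result, check, hint))
```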