Hi Rob,

On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
> The more feedback I get on it the better and more useful I can make it.

Awesome work, thanks. I tried it running in my personal IPA instance. I get
the following:

WARNING "No DNA range defined. If no masters define a range then users and
groups cannot be created."

This is on my replica and was already reported by someone else. Fixed it by
adding and removing a user on the web ui of the replica, as you described.

CRITICAL "[Errno 2] No such file or directory: '/var/log/audit/'"

This also has been reported; my replica is running as an LXC container
under Proxmox. Hacked it by creating the directory.

WARNING "Unexpected SRV entry in DNS" "_ntp._udp.<my_domain>.:<replica

I think this is correct because I'm not running ntpd on the replica. I've
removed the entry.

WARNING "Got 1 ipa-ca A records, expected 2"
WARNING "Expected SRV record missing" "_<service>._(tcp|udp).<my
domain>.:<replica hostname>."

Those are problematic for me, I guess because I'm running a probably
unsupported configuration:

* My first master is public on the Internet
* My second master is not public on the Internet
* Public DNS contains entries for the first master
* The DNS server which servers in the second master's network use contains
entries for both masters
* My first public master uses another DNS server* which does not have
specific IPA entries and thus uses the public Internet DNS's entries, which
do not contain the second master
(* actually the DNS server for the first master is running on the same
host, using dnsmasq)

I "fixed" this by putting all the DNS entries in all my internal DNS
servers, but then healthcheck won't be verifying the public Internet's DNS
records. This is not ideal, but I think it's fine.


I now have clean runs in all my masters, so I'll work to add it on my
monitoring agent ( https://github.com/alexpdp7/ragent ). I'm running my
agent every minute, and ipa-healthcheck seems to be quite expensive to run,
so I'll probably run it in cron every hour or so and then have the agent
gather the results.



  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 

Reply via email to