On Tue, 22 Oct 2024, gahee jung via FreeIPA-users wrote:
Hello,
I would like to inquire about the healthcheck API of IPA.
First of all, I set up 5 freeipa core servers and these core servers
are located behind the load balancer. (to distribute clients' traffic)
(* The freeipa version is v4.11)
FreeIPA team does not support putting load balancers in front of FreeIPA
servers. See, for example, http://ssimo.org/blog/id_019.html.
And I am trying to configure the healthcheck method on my load balancer
to avoid sending clients' traffic to an unhealthy server. I know that
there is a command named 'ipa-healthcheck' provided by FreeIPA. But our
load balancer only supports the HTTP, HTTPS, and HTTP2 protocols for
healthcheck. So I couldn't use the ipa-healthcheck command for our load
balancer.
So, I tried to create an additional API '/healthcheck' in the httpd server,
and each call to the HTTP path /healthcheck will trigger a local execution
of the ipa-healthcheck command to return the status of all services:
: ipa-healthcheck --source 'ipahealthcheck.meta.services' --all
And today we just tested using the ipa-healthcheck command with rpcservers.
But, unfortunately, the CPU usage of the ipa-healthcheck command is
pretty high (~80% CPU). So we cannot use this method for our
healthcheck.
ipa-healthcheck is a tool to validate a server's configuration. It is not
a tool to quickly check whether a system is running and answers your
calls.
It really depends on what you are trying to achieve here. IPA servers
are all-or-nothing services. E.g. if KDC does not work, all other
services should not be accessed on this host as well. If LDAP server
does not work, all other services should be considered inaccessible as
well.
What kind of traffic are you load-balancing?
So, could you let me know whether there is an API provided by FreeIPA for
healthcheck? Or please share with me if there is a best way to configure
healthcheck with the HTTP protocol.
If your load-balancer only supports HTTP protocols, chances are that it
is unable to utilize Kerberos over HTTPS either, so it cannot access any
of IPA API end-points. It also means it cannot really validate IPA
server HTTP end-points are working beyond a simple 'yes, it responded,
with whatever status code'.
If you want a minimal non-authenticated response, maybe do
curl -X POST \
-H 'Accept-Language: en' \
--data '{"method":"i18n_messages", "params":[[],{}]}' \
--referer https://ipa-server.hostname/ipa/ \
https://ipa-server.hostname/ipa/i18n_messages
It would return JSON of translations used by the FreeIPA Web UI for the
chosen language ('en' in this case). It exercises IPA RPC infrastructure
but otherwise doesn't look at any system state.
If you'd do authentication using username/password, then that's going to
give you exercise of Kerberos + LDAP + IPA RPC infrastructure:
https://freeipa.readthedocs.io/en/latest/api/jsonrpc_usage.html#password-authentication
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
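The unauthenticated i18n_messages probe suggested above, as an added example that is not part of this thread or of the FreeIPA project: a small script a load-balancer health endpoint could run. It assumes the placeholder host name ipa-server.hostname from the reply, and that the RPC result carries a 'texts' dict as the Web UI expects; it treats an RPC error object, an HTML error page or any transport failure as unhealthy, and keeps TLS verification on.

```python
import json
import ssl
import urllib.request

IPA_HOST = "ipa-server.hostname"  # placeholder from the thread; replace with a real server


def build_i18n_request(host: str) -> urllib.request.Request:
    """Build the unauthenticated JSON-RPC call to i18n_messages from the thread."""
    body = json.dumps({"method": "i18n_messages", "params": [[], {}]}).encode()
    return urllib.request.Request(
        f"https://{host}/ipa/i18n_messages",
        data=body,
        method="POST",
        headers={
            "Accept-Language": "en",
            "Content-Type": "application/json",
            "Referer": f"https://{host}/ipa/",  # IPA rejects RPC calls without a Referer
        },
    )


def rpc_response_healthy(raw: bytes) -> bool:
    """True only for a JSON-RPC reply with no error and the expected payload
    shape (assumed: result contains a 'texts' dict). Anything else, e.g. an
    HTML 5xx page or an RPC error object, counts as unhealthy."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(doc, dict) or doc.get("error") is not None:
        return False
    result = doc.get("result")
    return isinstance(result, dict) and isinstance(result.get("texts"), dict)


def probe(host: str = IPA_HOST, timeout: float = 3.0) -> bool:
    """Exercise the IPA RPC path once; any failure maps to 'unhealthy'."""
    ctx = ssl.create_default_context()  # verify the server certificate; never disable this
    try:
        with urllib.request.urlopen(build_i18n_request(host), timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and rpc_response_healthy(resp.read())
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    import sys
    sys.exit(0 if probe() else 1)  # exit status is what the load balancer's HTTP wrapper reports
```

As the reply notes, this only shows that the RPC layer answers; it says nothing about the KDC or LDAP on that host.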
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]