[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-10 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote:
> Hi Rob,
> 
> On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users
>  > wrote:
> 
> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
> 
> The more feedback I get on it the better and more useful I can make it.
> 
> 
> Awesome work, thanks. I tried it running in my personal IPA instance. I
> get the following:
> 
> WARNING "No DNA range defined. If no masters define a range then users
> and groups cannot be created."
> 
> This is on my replica and was already reported by someone else. Fixed it
> by adding and removing a user on the web ui of the replica, as you
> described.

I'm open to suggestions on this. I don't mean for it to scare anyone but
the consequences can be head scratching. I have a blog entry on it that
gets quite a few views.

> CRITICAL "[Errno 2] No such file or directory: '/var/log/audit/'"
> 
> This also has been reported; my replica is running as an LXC container
> under Proxmox. Hacked it by creating the directory.

I've got a PR upstream to not enforce /var/log/audit when healthcheck is
executed inside a container. I will hopefully have an updated build
later this week.

> WARNING "Unexpected SRV entry in DNS" "_ntp._udp..: hostname>."
> 
> I think this is correct because I'm not running ntpd on the replica.
> I've removed the entry.

Ok, that very well could be true.

> WARNING "Got 1 ipa-ca A records, expected 2"
> WARNING "Expected SRV record missing" "_._(tcp|udp). domain>.:."
> 
> Those are problematic for me, I guess because I'm running a probably
> unsupported configuration:
> 
> * My first master is public on the Internet
> * My second master is not public on the Internet
> * Public DNS contains entries for the first master
> * The DNS server which servers in the second master's network use
> contains entries for both masters
> * My first public master uses another DNS server* which does not have
> specific IPA entries and thus uses the public Internet DNS's entries,
> which do not contain the second master
> (* actually the DNS server for the first master is running on the same
> host, using dnsmasq)
> 
> I "fixed" this by putting all the DNS entries in all my internal DNS
> servers, but then healthcheck won't be verifying the public Internet's
> DNS records. This is not ideal, but I think it's fine.

Ok yes, this is certainly not a scenario I imagined.

> ...
> 
> I now have clean runs in all my masters, so I'll work to add it on my
> monitoring agent ( https://github.com/alexpdp7/ragent ). I'm running my
> agent every minute, and ipa-healthcheck seems to be quite expensive to
> run, so I'll probably run it in cron every hour or so and then have the
> agent gather the results.

You can probably get away with running it once a day. With the exception
of the replication checks these aren't all that dynamic. You would catch
things like permission and FS space issues earlier I suppose.

I'll make a mental note to see if I can categorize things that can be
frequently run vs those that can probably get by on a daily basis. I
don't want to explode the number of switches but it might make sense to
check services frequently and certs daily, for example.

This is great feedback, thanks!

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
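The cron-plus-agent setup discussed above, as an added example that is not from the thread or from ipa-healthcheck itself: the cron job is assumed to run `ipa-healthcheck --output-type json --output-file /var/lib/ipa-healthcheck/last.json` hourly, and the agent calls `summarize_file()` on that file. The path, the helper names, and the check names in the sample output are assumptions; stale output is reported as CRITICAL so a cron job that silently stops cannot look healthy.

```python
"""Summarise a scheduled ipa-healthcheck run for a monitoring agent."""
import json
import os
import time

# Result levels used by ipa-healthcheck, ordered by severity.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample of healthcheck's JSON output (a list, one entry per check);
# messages are the two warnings quoted in the thread, check names are assumed.
SAMPLE_JSON = json.dumps([
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
     "result": "WARNING",
     "kw": {"msg": "No DNA range defined. If no masters define a range then "
                   "users and groups cannot be created."}},
    {"source": "ipahealthcheck.ipa.files", "check": "AuditDirCheck",
     "result": "CRITICAL",
     "kw": {"msg": "[Errno 2] No such file or directory: '/var/log/audit/'"}},
    {"source": "ipahealthcheck.meta.services", "check": "httpd",
     "result": "SUCCESS", "kw": {}},
])


def summarize(raw, written_at, now, max_age=2 * 3600):
    """Return (worst_level, messages) for one JSON run.

    max_age defaults to twice the hourly cron interval; older output means
    the job is not running and is treated as CRITICAL rather than healthy.
    """
    if now - written_at > max_age:
        return "CRITICAL", ["ipa-healthcheck results are stale"]
    worst, msgs = "SUCCESS", []
    for entry in json.loads(raw):
        level = entry.get("result", "CRITICAL")  # unknown level: assume worst
        if SEVERITY.get(level, 3) > SEVERITY[worst]:
            worst = level
        if level != "SUCCESS":
            msgs.append("%s %s.%s: %s" % (level, entry["source"], entry["check"],
                                          entry.get("kw", {}).get("msg", "")))
    return worst, msgs


def summarize_file(path, now=None):
    """Read the file the cron job wrote; its mtime is taken as the run time."""
    now = time.time() if now is None else now
    with open(path) as f:
        return summarize(f.read(), os.path.getmtime(path), now)
```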


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2019-11-10 Thread Wulf C. Krueger via FreeIPA-users

On 2019-11-02 13:47, Wulf C. Krueger wrote:
> my FreeIPA installation was working well on Fedora 30. After upgrading
> to F31, though, it fails to start:

For posterity's sake as well as that of anyone facing the same issue:

For some reason, the IP of the host FreeIPA runs on changed, which,
admittedly, can upset the most mild-mannered server, especially if the
local DNS doesn't get updated either.

I didn't notice it because the FreeIPA host is behind a reverse proxy.

Best regards, Wulf