[Freeipa-users] Re: Documented monitoring best practices

2018-08-13 Thread Andrew Meyer via FreeIPA-users
I know this is an old thread, but there are no changes to FreeIPA that
cnmonitor might conflict with, are there?

On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users wrote:


   ___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/UIEJ5BBTMILSUB67A6GJWD2HR5PRESLL/


[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote:
> On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein wrote:
> 
> I'm using https://github.com/peterpakos/checkipaconsistency to monitor
> my replicas.
> 
> 
> Yeah, but I'm not exactly reassured by choosing one of the many plugins
> out there, or running them all. It would be great to push for an
> official check.

There are not that many plugins doing this that I know of.

I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.

For a more full-blown view there is http://cnmonitor.sourceforge.net/

389-ds instructions for this are at
http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-ldap-monitoring.html

The team has talked about a monitoring script but for now Peter's script
is filling the void.

> 
> I might be willing to help, but I'd need documentation about what (and
> how) to check, but that's basically 90% of the work. I would propose
> assimilating the best-looking plugin out there and expanding it every
> time someone reports some broken thing that needs proactive fixing.
> 
> Any way we can help this happen?
> 
> Right now we had some problems with certificates not/halfway renewing,
> so some tool to check LDAP against the different cert-stores might be
> helpful.
> 
> 
> $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
> 
> Actually, changing "3 years" to something shorter than the margin at which
> FreeIPA starts renewing certificates should warn you that something is amiss.

Server certs in IPA are good for 2 years.

We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.

rob
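Rob points at the output of `ipa-replica-manage list -v <hostname>` as the place to look for replication trouble. The following is an added example, not code from this thread or from the FreeIPA project: a small Python check that parses that verbose listing and flags agreements whose last update reported a non-zero error code, never ran, or finished longer ago than a threshold. The sample listing is constructed to follow the command's "peer: replica" plus indented "key: value" layout; the hostnames, timestamps and the 24-hour staleness threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout that `ipa-replica-manage list -v <host>`
# prints: one "peer: replica" line per agreement, followed by indented
# "key: value" lines.  Hostnames, times and messages are made up.
SAMPLE_REPLICA_LIST = """\
ipa2.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-02-01 12:00:00+00:00
ipa3.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (1) Replication error acquiring replica: Replica busy
  last update ended: 2018-01-25 08:30:00+00:00
ipa4.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: None
  last update ended: None
"""

# "Error (<code>) <message>"; code 0 is the success case in these strings.
STATUS_RE = re.compile(r"^Error \((\d+)\)\s*(.*)$")

# Point in time used for the sample run (the day of the thread).
NOW = datetime(2018, 2, 1, 18, 0, tzinfo=timezone.utc)


def parse_agreements(text):
    """Split the verbose listing into {peer: {field: value}}."""
    agreements = {}
    peer = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Column-0 line such as "ipa2.example.com: replica"
            peer = raw.split(":", 1)[0].strip()
            agreements[peer] = {}
        elif peer is not None and ":" in raw:
            # Split on the first colon only; timestamps contain more colons.
            key, value = raw.strip().split(":", 1)
            agreements[peer][key.strip()] = value.strip()
    return agreements


def check_replication(text, now, max_age=timedelta(hours=24)):
    """Return {peer: [reasons]} for agreements that look unhealthy.

    Flags a non-zero status code, a missing status, a missing or
    unparseable end time, and a last update older than `max_age`
    (the 24 h default is an assumed threshold; pick one that fits
    how often your directory actually changes).
    """
    problems = {}
    for peer, fields in parse_agreements(text).items():
        reasons = []
        status = fields.get("last update status", "None")
        m = STATUS_RE.match(status)
        if m is None:
            reasons.append("no update status recorded (%s)" % status)
        elif int(m.group(1)) != 0:
            reasons.append("last update failed with code %s: %s"
                           % (m.group(1), m.group(2)))
        try:
            ended = datetime.fromisoformat(fields.get("last update ended", ""))
        except ValueError:
            reasons.append("no update end time recorded")
        else:
            if ended.tzinfo is None:
                ended = ended.replace(tzinfo=timezone.utc)
            age = now - ended
            if age > max_age:
                reasons.append("last update ended %s ago" % age)
        if reasons:
            problems[peer] = reasons
    return problems


def run_sample():
    """Evaluate the constructed listing as of NOW."""
    return check_replication(SAMPLE_REPLICA_LIST, NOW)


if __name__ == "__main__":
    for peer, reasons in sorted(run_sample().items()):
        print(peer)
        for reason in reasons:
            print("  -", reason)
```

To use it for real, feed `check_replication()` the captured stdout of `ipa-replica-manage list -v $(hostname)` (run with a valid admin ticket) and `datetime.now(timezone.utc)`; a non-empty result is the alert. Run it on every master, because each host only reports the agreements it owns.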


[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Alex Corcoles via FreeIPA-users
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein wrote:

> I'm using https://github.com/peterpakos/checkipaconsistency to monitor
> my replicas.
>

Yeah, but I'm not exactly reassured by choosing one of the many plugins out
there, or running them all. It would be great to push for an official check.

I might be willing to help, but I'd need documentation about what (and
how) to check, but that's basically 90% of the work. I would propose
assimilating the best-looking plugin out there and expanding it every time
someone reports some broken thing that needs proactive fixing.

Any way we can help this happen?

Right now we had some problems with certificates not/halfway renewing,
> so some tool to check LDAP against the different cert-stores might be
> helpful.
>

$ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")

Actually, changing "3 years" to something shorter than the margin at which FreeIPA
starts renewing certificates should warn you that something is amiss.
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Jochen Hein via FreeIPA-users
Alex Corcoles via FreeIPA-users writes:

> Is there any official literature about how to monitor FreeIPA?

I'm using https://github.com/peterpakos/checkipaconsistency to monitor
my replicas.

> Is there any plan to provide an official way to monitor FreeIPA? My
> foremost concern would be to ensure that all clients are correctly enrolled
> and sudo/ssh work, so I am not locked out of my systems. Ensuring that
> replication works seems good and popular. Of course I can check that all
> services are running and ports respond.
>
> What are the most common ways for FreeIPA to break?

Right now we had some problems with certificates not/halfway renewing,
so some tool to check LDAP against the different cert-stores might be
helpful.

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Andrew Radygin via FreeIPA-users
Wow! It's a really important question.
I'm joining in with it. It's good to be able to know what's happening with
the IPA infra.
Especially ssh/sudo working (in general at least, without concerning
ourselves with HBAC + policy groups).

2018-01-31 22:04 GMT+03:00 Alex Corcoles via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:

> Hi all,
>
> Is there any official literature about how to monitor FreeIPA?
>
> The upstream guide mentions:
>
> 1) Testing clients using id
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test
>
> 2) Adding a user on a replica and verifying it appears on another server
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/replica-verify
>
> There's also some troubleshooting appendices which look interesting.
>
> I see also ipactl, "ipa ping", there seems to be:
>
> https://www.freeipa.org/page/V4/Tool_to_Check_Status_of_All_Replicas
> (but it seems dead)
>
> https://www.freeipa.org/page/V4/Monitor_Replication_Topology
>
> , and also some independent initiatives all over the web.
>
> Is there any plan to provide an official way to monitor FreeIPA? My
> foremost concern would be to ensure that all clients are correctly enrolled
> and sudo/ssh work, so I am not locked out of my systems. Ensuring that
> replication works seems good and popular. Of course I can check that all
> services are running and ports respond.
>
> What are the most common ways for FreeIPA to break?
>
> Thoughts?
>
> Álex
>
> --
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/
>
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>


-- 
Best regards, Andrew.