I see what you're saying now. I'll update it once I hear back from
Dmitri whether this feature is going to be upstream or not. I don't see
the point of not doing it upstream but he's the boss.
I did a rather mixed job of flushing out my head on some of these
details. I'll fix them when I can.
rob
Petr Vobornik via FreeIPA-devel wrote:
On Wed, Nov 21, 2018 at 5:14 PM Rob Crittenden
<rcritten(a)redhat.com> wrote:
>
> Petr Vobornik via FreeIPA-devel wrote:
>> Hi,
>>
>> could the design also contains the proposed set of commands(including
>> an installation of the feature) in a specific example including also
>> anticipated output of CLI. I.e to see a workflow which the
>> user(admistrator) of this enhancement would need to do. And how the
>> information he/she would get would look like. It will help us to
>> determine how usable it will be without actually implementing it. So
>> that we can save some time on a possible redesign.
>
> I added sample usage in the
>
https://www.freeipa.org/page/V4/Healthcheck#CLI section and an
> installation section in
>
https://www.freeipa.org/page/V4/Healthcheck#Installation
Thanks this helps. But I was not clear about the thing to solve. The
design page is consumed by people with different roles also a design
page has several sections. Nobody except developers reads "design
part" as you need knowledge of IPA internals to understand that
section. Non-developers will read "Overview", "Use cases", "How
to
use". In some cases also "Feature management". So people should be
able to understand how to use the feature only from these sections.
Also, the sections should not mention implementation details. The "how
to use" section has instructions in the design template:
"""
This a starting point for design discussions.
Easy to follow instructions on how to use the new feature according to
the use cases described above. FreeIPA user needs to be able to follow
the steps and demonstrate the new features.
The chapter may be divided in sub-sections per Use Case.
"""
The Healtch Check desing page doesn't contain this information in the
section, there are only very generic sentences with bit of
implementation details.
The use cases section lists only on general use case + bunch of
checks. I tried to expand this use case to some bit more specific, to
give I idea what si meant by the "easy to follow instructions":
Use case: new server/replica installation, just checking status:
---------------------------------------------------------------
# install server
$ dnf install freeipa-server
$ ipa-server-install
# Check if there are issues after installation
ipa healthcheck-find
# I expect that it will return nothing.
# Q: How will the admin know that health check was run and what checks
it did? The output of a no health check was done and all is all right
is the same.
It leads to question:
Q: how will I know that automatic health check is running is not broken?
Use case: some error happened, couple months/years after install,
taking corrective actions:
--------------------------------------------------------------------------------------------
# ipa healthcheck-find
UUID: 25003678-bae7-4d1a-a071-b6d42e3840c1
Source: certcheck
Check: bad_permissions
Severity: Error
Message: The file /etc/httpd/alias/key3.db has incorrect permissions.
Expected 0640, got 0755
Solution: See URL
Reported: Wed Nov 14 18:35:11 2018 UTC
Ignored: FALSE
# taking corrective action, let's assume that `ipactl restart` was there as well
ipa healthcheck-find
# What will be the result? Will it be empty or there will be new line:
"Resolved: TRUE"?
If it will be present with a resolved line. How the records will be
sorted. Will "not resolved" be on top and "resolved" on the bottom?
General questions:
------------------
Why the command is called "healthcheck-find" when the use case is
"show me the errors" not "show me the available checks"? Should it
be
more " ipa problem-find"
How people will know what can be passed to --source and --check
options? Is it produced in help?
How people will know what the various checks check?
ipa-healhcheck command
----------------------
"""
$ ipa-healthcheck
Check certificate renewal
Check file permissions
...
The ipa-healthcheck command failed.
"""
Does "The ipa-healthcheck command failed" mean that there were issues
when executing the checks (I assume this one) or that an issue was
found?
--source, how will I know what are the available checks?
"Check certificate renewal", ... does it mean that the tool just
listed the checks or the tool ran them? If it was run, shouldn't it be
more like a: "Checking: certificate renewal: ... OK"
>
>> The example could be some check which will be implemented later. E.g.
>> expired RA certificate.
>
> I'm not sure I follow.
Just an example check. You've pick expired certs and wrong permissions.
>
> rob
>
>>
>> Thank you
>> On Wed, Oct 24, 2018 at 10:49 PM Rob Crittenden via FreeIPA-devel
>> <freeipa-devel(a)lists.fedorahosted.org> wrote:
>>>
>>> I started a design of an IPA healthcheck framework at
>>>
https://www.freeipa.org/page/V4/Healthcheck
>>>
>>> Have at it.
>>>
>>> Note that this concentrates more on how it will work big picture and
>>> less on individual checks that may be performed. I'm happy to add any
>>> ideas you come up with for specific tests.
>>>
>>> rob
>>> _______________________________________________
>>> FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedoraho...
>>
>>
>>
>