Thank you!
On Wed, Aug 16, 2017 at 10:30 AM, Ludwig Krispenz via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
Hello All,
I was wondering if anyone has written a health check script for FreeIPA?
don't think something IPA specific exists, but someone can correct me
How do you all check replication (and IPA server health)?
There are two approaches:
1] check the individual agreements, especially the update status
2] check the RUV (replication update vector) as you did with your search
below.
Both approaches need to be handled with care because of the dynamics of
replication
1] you always only get the status of a single agreement, the update status
can change and many "failure" states are transient. A documentation of the
update states of an agreement can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status
2] the RUV, as found by the search for
"(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"
tracks the highest csn a server has seen for a specific replica id, the
maxcsn which is the last csn in the output like:
nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 529d000000610000 58deae97000500610000
If replication is in sync the RUVs on all servers will be identical, but
in a highly active environment you will probably never be in this state,
there will be changes on some servers not yet replicated to all others. But
what you should see is that the maxcsns of each replicaid, if not equal,
are changing and moving forward.
There is also a script delivered with 389-ds to monitor replication, but I
myself usually look at the raw ruvs. You can have a look at the script:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status
I did some digging and know that I can run this command to check
replication:
ldapsearch -D "cn=directory manager" -W -b "o=ipaca" \
  "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" \
  nscpentrywsi
But the output didn't show an error:
ns01:
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711528b000000600000 599444dd000000600000
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711529d000000610000 58deae97000500610000
ns02:
nscpentrywsi: nsDS5ReplicaId: 97
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711529d000000610000 58deae97000500610000
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711528b000000600000 595a8aff000100600000
But running this showed a difference:
[root@ns02 ~]# ipa user-find example
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@ns01 ~]# ipa user-find example
--------------
1 user matched
--------------
User login: example
... extra lines removed ...
----------------------------
Number of entries returned 1
----------------------------
(running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net"
and then "ipa-csreplica-manage -v re-initialize --from ns01.dev.example.net"
did fix the error, but I wasn't certain "why" it worked)
Which log files on my two hosts should I be looking at to find out if
there's an error in IPA?
Normally I'd run a script and then, depending on the exit code, I'd use
"zabbix_sender" to push a status code to my monitoring system. Does anyone
else do something like that?
Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account
and searched for a bunch of terms, but I could have missed something.
Thanks for any help on this, I'm very puzzled both on the health
monitoring and the replication issue.
-Anthony
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Red Hat GmbH,
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric
Shander
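
The RUV comparison discussed in this thread, as an added example that is not part of the original messages or of FreeIPA/389-ds: it unfolds the ldapsearch output, takes the maxcsn per replica id on each server, and turns the difference into an exit code for a monitoring wrapper. The 300-second threshold and all function names are assumptions; the sample is the output quoted above, written with LDIF line folding.

```python
import re

# Output quoted in the thread, keyed by the server queried, written with
# ldapsearch's LDIF folding (a continuation line starts with one space).
SAMPLE = {
    "ns01": """\
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
 528b000000600000 599444dd000000600000
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
 529d000000610000 58deae97000500610000
""",
    "ns02": """\
nscpentrywsi: nsDS5ReplicaId: 97
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
 529d000000610000 58deae97000500610000
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
 528b000000600000 595a8aff000100600000
""",
}
RUV_RE = re.compile(r"nsds50ruv: \{replica (\d+) [^}]*\}((?: [0-9a-f]{20})*)")

def parse_ruv(ldif):
    """Return {replica_id: maxcsn} from ldapsearch output of the RUV entry."""
    unfolded = re.sub(r"\r?\n ", "", ldif)    # undo LDIF line folding
    ruv = {}
    for rid, csns in RUV_RE.findall(unfolded):
        if csns:                              # a replica with no changes lists no CSNs
            ruv[int(rid)] = csns.split()[-1]  # last CSN on the line is the maxcsn
    return ruv

def csn_time(csn): return int(csn[:8], 16)    # first 8 hex digits: epoch seconds

def replication_lag(ruvs):
    """Return {(server, replica_id): seconds behind the newest maxcsn seen}."""
    lag = {}
    for rid in {rid for ruv in ruvs.values() for rid in ruv}:
        newest = max(csn_time(r[rid]) for r in ruvs.values() if rid in r)
        for server, ruv in ruvs.items():
            # None: this server has no RUV element for the replica id at all
            lag[(server, rid)] = newest - csn_time(ruv[rid]) if rid in ruv else None
    return lag

def exit_code(lag, max_lag=300):
    """0 if every server is within max_lag seconds of the newest CSN, else 1."""
    return int(any(v is None or v > max_lag for v in lag.values()))

if __name__ == "__main__":
    lag = replication_lag({s: parse_ruv(t) for s, t in SAMPLE.items()})
    print(sorted(lag.items()))
    raise SystemExit(exit_code(lag))
```

A threshold is used instead of strict equality because, as noted in the reply above, RUVs on a busy deployment differ transiently; sampling twice and checking that each maxcsn moves forward is the complementary check.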