On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
Hello All,
I was wondering if anyone has written a health check script for FreeIPA?
I don't think something IPA specific exists, but someone can correct me
How do you all check replication (and IPA server health)?
There are two approaches:
1] check the individual agreements, especially the update status
2] check the RUV (replication update vector) as you did with your search below.
Both approaches need to be handled with care because of the dynamics of replication
1] you always only get the status of a single agreement, the update status can change and many "failure" states are transient. A documentation of the update states of an agreement can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status
2] the RUV, as found by the search for "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" tracks the highest csn a server has seen for a specific replica id, the maxcsn which is the last csn in the output like:
nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389 } 529d000000610000 58deae97000500610000
If replication is in sync the RUVs on all servers will be identical, but in a highly active environment you will probably never be in this state; there will be changes on some servers not yet replicated to all others. But what you should see is that the maxcsns of each replicaid, if not equal, are changing and moving forward.
There is also a script delivered with 389-ds to monitor replication, but I myself usually look at the raw ruvs. You can have a look at the script:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status
I did some digging and know that I can run this command to check replication:
ldapsearch -D "cn=directory manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi
But the output didn't show an error:
ns01:
nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389 } 5711528b000000600000 599444dd000000600000
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389 } 5711529d000000610000 58deae97000500610000
ns02:
nscpentrywsi: nsDS5ReplicaId: 97
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389 } 5711529d000000610000 58deae97000500610000
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389 } 5711528b000000600000 595a8aff000100600000
But running this showed a difference:
[root@ns02 ~]# ipa user-find example
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@ns01 ~]# ipa user-find example
--------------
1 user matched
--------------
User login: example
... extra lines removed ...
----------------------------
Number of entries returned 1
----------------------------
(running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net" and then "ipa-csreplica-manage -v re-initialize --from ns01.dev.example.net" did fix the error, but I wasn't certain "why" it worked)
Which log files on my two hosts should I be looking at to find out if there's an error in IPA?
Normally I'd run a script and then, depending on the exit code, I'd use "zabbix_sender" to push a status code to my monitoring system. Does anyone else do something like that?
Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account and searched for a bunch of terms, but I could have missed something.
Thanks for any help on this, I'm very puzzled both on the health monitoring and the replication issue.
-Anthony
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
-- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
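
The RUV comparison described in the reply, applied to the two outputs quoted in this thread, as an added example (not code from either poster, nor from 389-ds or FreeIPA). It relies on the CSN layout of 8 hex digits of timestamp, 4 of sequence number, 4 of replica id and 4 of sub-sequence number; the function names and the `max_lag` threshold are assumptions made for illustration.

```python
import re

# One RUV element: {replica <id> <url>} <mincsn> <maxcsn>. The two CSNs are
# absent for a replica that has not originated any change yet.
RUV_RE = re.compile(r"nsds50ruv:\s*\{replica\s+(\d+)\s+\S+?\s*\}"
                    r"(?:\s+[0-9a-f]{20}\s+([0-9a-f]{20}))?")

def parse_csn(csn):
    """Split a 20-hex-digit CSN into (timestamp, seqnum, replica id, subseqnum)."""
    return tuple(int(csn[a:b], 16) for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))

def parse_ruv(ldif):
    """Return {replica id: maxcsn, or None if absent} from ldapsearch output."""
    ldif = ldif.replace("\n ", "")  # undo LDIF line folding
    return {int(rid): (maxcsn or None) for rid, maxcsn in RUV_RE.findall(ldif)}

def check(ruvs, max_lag=300):
    """Return (exit_code, {replica id: maxcsn lag in seconds across servers}).

    max_lag is an assumed threshold; tune it to how busy the topology is.
    """
    code, lags = 0, {}
    for rid in sorted(set().union(*ruvs.values())):
        csns = [ruv.get(rid) for ruv in ruvs.values()]
        if not any(csns):
            lags[rid] = 0        # no server has seen a change from this replica
        elif not all(csns):
            lags[rid] = None     # some server has never received its changes
        else:
            stamps = [parse_csn(c)[0] for c in csns]
            lags[rid] = max(stamps) - min(stamps)
        if lags[rid] is None or lags[rid] > max_lag:
            code = 2
    return code, lags

# RUV values from the two outputs quoted in this thread, one attribute per line;
# the last ns02 value is folded the way ldapsearch wraps long lines.
NS01 = ("nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389 } 5711528b000000600000 599444dd000000600000\n"
        "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389 } 5711529d000000610000 58deae97000500610000\n")
NS02 = ("nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389 } 5711529d000000610000 58deae97000500610000\n"
        "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389 } 5711528b00\n"
        " 0000600000 595a8aff000100600000\n")

if __name__ == "__main__":
    code, lags = check({"ns01": parse_ruv(NS01), "ns02": parse_ruv(NS02)})
    for rid, lag in lags.items():
        print(f"replica {rid}: lag {lag}s")
    raise SystemExit(code)
```

The exit code can be pushed to monitoring with "zabbix_sender" as described in the original question. A single snapshot only shows the gap between servers; to see whether the maxcsns are moving forward, run it again later and compare the results.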