[Freeipa-users] Re: ipa-healthcheck timeout too short for ClonesConnectivyAndDataCheck

Sam Morris via FreeIPA-users wrote:

All three of my IPA servers have this health check failing:

[root@ipa3 ~]# ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck --output-type=human
Internal server error 'Link'
ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck

[root@ipa5 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck   --output-type=human
Internal server error 'Link'
Unable to reach KRA at https://ipa5.ipa.robots.org.uk:443: Request timed out
ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck

[root@ipa6 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck  --output-type=human
Unable to reach KRA at https://ipa6.ipa.robots.org.uk:443: Request timed out
ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
[root@ipa6 ~]# java.io.FileNotFoundException: /tmp/tmpc4h9ypzo/password.txt (No such file or directory)
        at java.base/java.io.FileInputStream.open0(Native Method)
        at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
        at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
        at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111)
        at java.base/java.io.FileReader.<init>(FileReader.java:60)
        at com.netscape.cmstools.cli.MainCLI.loadPassword(MainCLI.java:241)
        at com.netscape.cmstools.cli.MainCLI.parseOptions(MainCLI.java:416)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:647)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)

The problem is the timeout mechanism implemented in ipahealthcheck.core.core:run_plugin; it turns out that 10 seconds is not sufficient in my case.

Plugin <pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck object at 0x7fe02c4992b0> elapsed time: 0:00:16.857277 sec

I've bumped the timeout to 30 seconds in /etc/ipahealthcheck/ipahealthcheck.conf and all is well.

I wonder if others are running into this problem as well? If so it may be worth making this change by default in ipa-healtcheck. Or maybe my IPA servers are slower than everyone else's... :)

The problem is that the timeout is applied for all checks so if something is going really wrong the overall execution time of healthcheck could be huge. Some folks run this pretty frequently with automation tools (I've seen, but don't recommend, every 5 minutes).

I agree it's pretty conservative at 10 seconds.

rob