Sam Morris via FreeIPA-users wrote:
All three of my IPA servers have this health check failing:
[root@ipa3 ~]# ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck --output-type=human Internal server error 'Link' ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck [root@ipa5 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck --output-type=human Internal server error 'Link' Unable to reach KRA at https://ipa5.ipa.robots.org.uk:443: Request timed out ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck [root@ipa6 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck --output-type=human Unable to reach KRA at https://ipa6.ipa.robots.org.uk:443: Request timed out ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck [root@ipa6 ~]# java.io.FileNotFoundException: /tmp/tmpc4h9ypzo/password.txt (No such file or directory) at java.base/java.io.FileInputStream.open0(Native Method) at java.base/java.io.FileInputStream.open(FileInputStream.java:216) at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157) at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111) at java.base/java.io.FileReader.<init>(FileReader.java:60) at com.netscape.cmstools.cli.MainCLI.loadPassword(MainCLI.java:241) at com.netscape.cmstools.cli.MainCLI.parseOptions(MainCLI.java:416) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:647) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
The problem is the timeout mechanism implemented in ipahealthcheck.core.core:run_plugin; it turns out that 10 seconds is not sufficient in my case.
Plugin <pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck object at 0x7fe02c4992b0> elapsed time: 0:00:16.857277 sec
I've bumped the timeout to 30 seconds in /etc/ipahealthcheck/ipahealthcheck.conf and all is well.
I wonder if others are running into this problem as well? If so it may be worth making this change by default in ipa-healtcheck. Or maybe my IPA servers are slower than everyone else's... :)
The problem is that the timeout is applied for all checks so if something is going really wrong the overall execution time of healthcheck could be huge. Some folks run this pretty frequently with automation tools (I've seen, but don't recommend, every 5 minutes).
I agree it's pretty conservative at 10 seconds.
rob