The output of ipactl looks very similar to systemctl status. Is it doing much more than that? I'm already monitoring systemd failed units so I wonder if it's running checking ipactl.
On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Tony,
I'm monitoring using the following userparameter (basically run "ipactl status" and grep out lines which are known good so only errors are returned):
UserParameter=ipa.status,sudo /usr/sbin/ipactl status 2>&1 | egrep -v "(INFO: The ipactl command was successful$|: RUNNING$)"
ipactl needs root access so I have a file in /etc/sudoers.d/zabbix with these lines to allow the zabbix user to sudo the ipactl status command only without a password:
## Allow zabbix to query ipa status
Defaults:zabbix !requiretty
zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status
The final challenge I had was selinux which I had to create a custom rule for (but most people seem to just disable selinux).
Then just create a trigger to alert if the returned value contains any characters. eg this matches on any char apart from whitespace:
{Custom Template IPA Server:ipa.status.regexp([^\s],1200)}=1
If anyone else has a better way to do this I'd be interested to hear it.
Regards,
Neal.
From: Tony Brian Albers via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 24 August 2018 10:50
To: freeipa-users@lists.fedorahosted.org
Cc: Tony Brian Albers
Subject: [Freeipa-users] zabbix for monitoring FreeIPA server?
Hi guys,
Anyone got this working?
And if so, how did you do it?
I know I can monitor the components separately, but if you know of anything that can do it easier I'd be happy to know about it.
/tony
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
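Added example, not part of the original thread: the known-good filter from the UserParameter above, run over sample text to show what the Zabbix item ends up holding when everything is healthy, when a service is stopped, and when sudo itself refuses to run. The function names and the three sample outputs are constructed for illustration, and the trigger check uses the POSIX class [^[:space:]] in place of the trigger's [^\s].

```shell
#!/bin/sh
# Known-good filter from the UserParameter: drop lines that are expected on a
# healthy server, so anything left over is a problem worth alerting on.
# "|| true" keeps the exit status 0 when nothing is left (grep exits 1 then).
ipa_status_errors() {
    grep -Ev '(INFO: The ipactl command was successful$|: RUNNING$)' || true
}

# Mirror of the trigger: succeed (fire) if any non-whitespace character remains.
ipa_trigger_fires() {
    printf '%s' "$1" | grep -q '[^[:space:]]'
}

# Constructed sample: every service running.
healthy='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: one service stopped.
degraded='Directory Service: RUNNING
krb5kdc Service: STOPPED
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: sudo refuses (for example the sudoers file is missing).
# The message goes to stderr, which 2>&1 folds into the item value, so a
# broken check raises an alert instead of looking healthy.
sudo_denied='sudo: a password is required'

for name in healthy degraded sudo_denied; do
    eval "sample=\$$name"
    left=$(printf '%s\n' "$sample" | ipa_status_errors)
    if ipa_trigger_fires "$left"; then
        printf '%s: ALERT -> %s\n' "$name" "$left"
    else
        printf '%s: ok (empty item value)\n' "$name"
    fi
done
```

Because the filter is a deny-list of known-good lines, any new informational line that ipactl prints in a later version will also raise the trigger until it is added to the pattern.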
It’s not really doing anything more, except doing the status on all of the units with one command. If units were to be added/removed, the command would stay the same. But I wouldn’t call this monitoring, it’s more like a health check, you get a binary (good/bad). Monitoring would expect metrics IMO, and even health checks you’d want to do on the WebUI, REST server, LDAP, KDC to see if they are responding in an expected way.
The service can be up (according to systems or ipactl) but still produce garbage.
John
Yes, we've had a few threads about monitoring.
I was hopeful about ipactl, but I already have a monitor for failed systemd units in all my systems (which is nice). I would add port/URL checks easily, but I'm not sure they will add a lot of value.
Alex Corcoles via FreeIPA-users wrote:
Yes, we've had a few threads about monitoring.
I was hopeful about ipactl, but I already have a monitor for failed systemd units in all my systems (which is nice). I would add port/URL checks easily, but I'm not sure they will add a lot of value.
FWIW, speaking of healthcheck, you might want to look at the freeipa-healthcheck package in Fedora 28+. It produces JSON output of checks a bunch of things including whether services are running.
It is still in pretty early development and the JSON output is likely to change but I'm not expecting anything earth shattering.
rob
On Tue, May 28, 2019 at 8:17 PM Rob Crittenden rcritten@redhat.com wrote:
FWIW, speaking of healthcheck, you might want to look at the freeipa-healthcheck package in Fedora 28+. It produces JSON output of checks a bunch of things including whether services are running.
It is still in pretty early development and the JSON output is likely to change but I'm not expecting anything earth shattering.
That is fantastic news! I'm sorry I missed this development, I will try to set it up and see what happens.
Software which provides health checks is better software! Thanks!