#11737 Figure out what to do about check_ipa_replication: nagios check
Closed: Fixed a year ago by zlopez. Opened a year ago by kevin.

roles/nagios_client/files/scripts/check_ipa_replication checks the replication between ipa servers.
It uses 'pynag' (a python based nagios package).

However, this package is retired in Fedora/EPEL now and not available in rhel9.

So, we should rework this script/check to use something else so we can monitor replication between ipa servers.


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, ops

a year ago

Could we leverage zabbix in this case?

@kevin @zlopez could you assign this to me? I can take a look.

Metadata Update from @zlopez:
- Issue assigned to seddik

a year ago

@seddik I assigned it to you, have fun :-)

@kevin or @zlopez could you please run these ipa commands on the ipa servers?

/sbin/ipa-replica-manage -p ${ipa_passwd} list -v $(hostname) | grep replica | awk -F: '{print $1}'

and

/sbin/ipa-replica-manage -p ${ipa_passwd} list -v $(hostname) | grep "last update status" | awk -F\( '{print $2}' | awk -F\) '{print $1}'

Thanks

So, on ipa03:

# ipa-replica-manage list -v ipa03.iad2.fedoraproject.org | grep replica | awk -F: '{print $1}'
Directory Manager password: 
ipa01.iad2.fedoraproject.org
ipa02.iad2.fedoraproject.org
# ipa-replica-manage list -v ipa03.iad2.fedoraproject.org | grep "last update status" | awk -F\( '{print $2}' | awk -F\) '{print $1}'
Directory Manager password: 
0
0
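
The parsing done by the two pipelines above, combined into one check that returns Nagios exit codes, as an added example that is not the script from the paste or the PR. It assumes the output layout implied by those greps and treats any non-zero status code as critical; the function name and sample text are constructed. It reads the command output on stdin and does not handle the password itself.

```shell
#!/bin/sh
# Added example, not the script from the paste or the PR.
# Reads `ipa-replica-manage list -v <host>` output on stdin and returns a
# Nagios plugin status: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# Assumed line format (inferred from the greps used in this ticket):
#   <peer>: replica
#     last update status: <text> (<code>) <text>
check_ipa_replication_output() {
    awk '
        /^[^ \t].*: replica[ \t]*$/ {          # peer header line
            peer = $1; sub(/:$/, "", peer)
            peers++; seen[peer] = 0
            next
        }
        /last update status:/ {
            seen[peer] = 1
            code = $0
            if (code !~ /\(-?[0-9]+\)/) {      # no "(<number>)" on the line
                bad = bad " " peer "(unparsed)"
                next
            }
            sub(/^[^(]*\(/, "", code)          # drop text up to first "("
            sub(/\).*$/, "", code)             # drop text from next ")"
            if (code != "0") bad = bad " " peer "(" code ")"
        }
        END {
            if (peers == 0) { print "UNKNOWN: no replicas in output"; exit 3 }
            for (p in seen) if (!seen[p]) bad = bad " " p "(no status)"
            if (bad != "") { print "CRITICAL: replication problem:" bad; exit 2 }
            print "OK: " peers " replication agreements report status 0"
            exit 0
        }
    '
}

# Constructed sample output (status text is illustrative, not from the ticket).
SAMPLE_OK='ipa01.iad2.fedoraproject.org: replica
  last update status: Error (0) Replica acquired successfully
ipa02.iad2.fedoraproject.org: replica
  last update status: Error (0) Replica acquired successfully'

printf '%s\n' "$SAMPLE_OK" | check_ipa_replication_output
```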

@kevin could you test this simple script to check replica status?
https://paste.centos.org/view/43423762

The password is set as an argument ;)

Thanks

Very nice. I will try and look tomorrow if no one else has. ;)

Can you also attach it here? (pastes expire in 1 day)

ok... the script does work and returns 0 in staging (which is replicating ok).

A few comments:

  • Is there any way we can avoid needing the directory manager password? If we do it this way that password will be on noc01... or I suppose we could read it from a file on ipa servers, but that's still not great. The directory manager password basically lets you do anything to the backend. ;( If there's any way to avoid it that would sure be good.

  • Consider using $() instead of ``

  • a --help or error explaining what it is expecting if not passed any arguments would be nice.

ok... the script does work and returns 0 in staging (which is replicating ok).

A few comments:

  • Is there any way we can avoid needing the directory manager password? If we do it this way that password will be on noc01... or I suppose we could read it from a file on ipa servers, but that's still not great. The directory manager password basically lets you do anything to the backend. ;( If there's any way to avoid it that would sure be good.

It's a really quick version to check replication status. I know we can do something better, and avoiding the password is more secure.
I will set up the check another way.

  • Consider using $() instead of ``
    totally agree

  • a --help or error explaining what it is expecting if not passed any arguments would be nice.

@kevin could you test this version of the check_ipa_replication script?
I pushed a PR here: https://pagure.io/fedora-infra/ansible/pull-request/1800#

check_ipa_replication is re-deployed
Let's close this issue

Metadata Update from @zlopez:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
