#4008 [RFE] Create a tool to simplify troubleshooting
Opened 6 years ago by dpal. Modified a year ago

Create a tool that would help with diagnosis and collecting information about server/client deployment.


The tool should have at least the following features:

  • Pluggable interface so that checks can be easily provided by developers/community/support (though only limited to the Python language for a start)
  • Clear division between root/non-root checks (skip the checks where current permissions are not enough)
  • Server and client checks
  • Optionally, admin/privileged person should be able to run it remotely (e.g. via OpenLMI) from FreeIPA Web UI.

Initial ideas
- Validate that keytabs are ok (known only, /etc/krb5.keytab, /etc/httpd/conf/ipa.keytab and /etc/dirsrv/ds.keytab)
- Get a host TGT
- Verify that the certificates are ok (start with HTTP and DS, maybe machine cert) - see #6302
- Connectivity, perhaps using the conncheck tool.
- Replication status

External Tools
Existing related tools (like https://github.com/peterpakos/checkipaconsistency or ds-replcheck) should also be evaluated.

Log collection

Optionally, the tool could make log collection easier for further debugging, for example on the freeipa-users list.

Initial ideas
- Version of the packages
- Is CA installed?
- Is it chained, self signed etc.
- How many replicas?
- Do replicas run DNS, CAs?
- What is the topology?
- Is NIS/Compat enabled?
- Is migration mode on?
- What is the status of the internal certificates? How soon do they expire? Is certmonger configured to renew them?
- Are trusts enabled?
- How many trusts are there?
- Is sync enabled?
- Collect install logs

We should investigate whether Ansible and related FreeIPA Ansible work would not be the best way for discovering the information.

Starting to shape next release

Bumping up a priority for 3.5. I think it will help us to better troubleshoot issues.

Related (and closed as duplicate) ticket with more information: #3631.

I was thinking more about this topic and I thought it may be nice to design this with a nice pluggable API to add the particular checks as code snippets instead of hardcoding it all in one long single script. Part of the check (it may be one check per file, or several grouped checks like all Kerberos related) should be remediation advice. Something like what OpenScap does.
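A sketch of the design discussed in this ticket (registered checks, root/non-root split with skipping, remediation advice per check), applied to the keytab validation idea. This is an added example, not FreeIPA code; the `check` decorator, `run_checks`, `Result` and both check names are hypothetical.

```python
import os
import stat
from collections import namedtuple

# status is "ok", "fail" or "skipped"; remediation is filled in only on failure.
Result = namedtuple("Result", "name status detail remediation")
# Keytab paths named in the ticket; run_checks() accepts any list of paths.
KEYTABS = ["/etc/krb5.keytab", "/etc/httpd/conf/ipa.keytab", "/etc/dirsrv/ds.keytab"]
REGISTRY = []  # hypothetical plugin table: (name, needs_root, remediation, func)

def check(name, needs_root=False, remediation=""):
    def register(func):  # each plugin file decorates its checks with @check(...)
        REGISTRY.append((name, needs_root, remediation, func))
        return func
    return register

@check("keytab-permissions", remediation="chmod 600 the keytab and confirm its owner.")
def keytab_permissions(paths):
    # stat() needs no read access to the file, so this check runs unprivileged.
    loose = [p for p in paths if os.path.exists(p)
             and stat.S_IMODE(os.stat(p).st_mode) & 0o077]
    return not loose, ("group/other access: " + ", ".join(loose)) if loose else ""

@check("keytab-header", needs_root=True,
       remediation="Retrieve a fresh keytab with ipa-getkeytab.")
def keytab_header(paths):
    # MIT keytab files begin with 0x05 and a format version byte (0x01 or 0x02).
    bad = []
    for p in paths:
        if os.path.exists(p):
            with open(p, "rb") as fh:
                if fh.read(2) not in (b"\x05\x01", b"\x05\x02"):
                    bad.append(p)
    return not bad, ("bad header: " + ", ".join(bad)) if bad else ""

def run_checks(paths=KEYTABS, euid=None):
    euid = os.geteuid() if euid is None else euid
    results = []
    for name, needs_root, remediation, func in REGISTRY:
        if needs_root and euid != 0:  # skip instead of failing on permissions
            results.append(Result(name, "skipped", "requires root", ""))
            continue
        try:
            ok, detail = func(paths)
        except OSError as exc:  # one broken check must not abort the run
            ok, detail = False, str(exc)
        results.append(Result(name, "ok" if ok else "fail", detail,
                              "" if ok else remediation))
    return results
```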

Too late to be included in 4.2 - moving to later release.

Metadata Update from @dpal:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

Metadata Update from @mbasti:
- Issue assigned to fbarreto (was: mbasti)
- Issue close_status updated to: None

2 years ago

It should check SELinux booleans as well.

Metadata Update from @ftweedal:
- Assignee reset

a year ago
