[Freeipa-devel] ipa health check (was: certmonger/oddjob for DNSSEC key maintenance)

Simo Sorce simo at redhat.com
Thu Sep 5 12:56:30 UTC 2013


On Thu, 2013-09-05 at 09:50 +0200, Petr Spacek wrote:
> Honestly, as a former sysadmin, I don't think that built-in SMTP client is
> a very good idea.
> 
> 1) Each notification mechanism adds big complexity to the implementation:
> - message queue
> - fail-over if 'upstream' SMTP server is down
> - authentication to 'upstream server'
> - flood/repeated message detection/limitation
> - ...
> - and configuration for all this.
> 
> Some of the points above can be solved by an existing MTA, but not all of
> them.
> 
> 2) Besides implementation, it adds administrative burden during normal
> system operation: You have to reconfigure all SMTP clients if something was
> changed in SMTP server configuration.
> For example:
> - the organization started to require authentication/SSL for all SMTP
> connections
> - mail server's address was changed
> - backup mail server was added
> etc.
> 
> Also, consider the situation where 'replica in trouble' is unable to send a
> message for some reason (WAN link to/from branch office is down, MTA/machine
> crashed etc.). This should be handled by some general monitoring system.
> 
> Another aspect is that admin could want to use another communication channel
> than e-mail or combination of more channels at once (send e-mail/Jabber
> message instantly + send SMS if severity >= CRITICAL).
> 
> Yet another problem is that definition of 'severity' depends on
> organization. You have to have a component which translates message from
> machine to context organization-defined 'severity'.
> 
> And then we have dependency problem: If authentication service is down, then
> you don't need explicit notification that all 20 IMAP servers don't work.
> 
> etc. etc.
> 
> 
> IMHO, for those reasons we should implement 'a tool for replica health check'
> with reasonably detailed output and defer problems mentioned above to generic
> monitoring systems. The monitoring problem is way more complex than it seems
> after first look.
> 
> If you take monitoring seriously, you already have a monitoring system. If
> you don't, then line 'ipa health-check | mail admin at example.com' in cron
> is perfectly enough.
> 
> Does it make sense?
> 

Perfectly!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



