[Freeipa-devel] ipa health check

Dmitri Pal dpal at redhat.com
Thu Sep 5 15:11:32 UTC 2013


On 09/05/2013 08:56 AM, Simo Sorce wrote:
> On Thu, 2013-09-05 at 09:50 +0200, Petr Spacek wrote:
>> Honestly, as a former sysadmin, I don't think that built-in SMTP client
>> is a very good idea.
>>
>> 1) Each notification mechanism adds big complexity to the implementation:
>> - message queue
>> - fail-over if 'upstream' SMTP server is down
>> - authentication to 'upstream server'
>> - flood/repeated message detection/limitation
>> - ...
>> - and configuration for all this.
>>
>> Some of the points above can be solved by an existing MTA, but not all
>> of them.
>>
>> 2) Besides implementation, it adds administrative burden during normal
>> system operation: You have to reconfigure all SMTP clients if something
>> was changed in SMTP server configuration.
>> For example:
>> - the organization started to require authentication/SSL for all SMTP connections
>> - mail server's address was changed
>> - backup mail server was added
>> etc.
>>
>> Also, consider the situation where 'replica in trouble' is unable to
>> send a message for some reason (WAN link to/from branch office is down,
>> MTA/machine crashed etc.) This should be handled by some general
>> monitoring system.
>>
>> Another aspect is that admin could want to use another communication
>> channel than e-mail or combination of more channels at once (send
>> e-mail/Jabber message instantly + send SMS if severity >= CRITICAL).
>>
>> Yet another problem is that definition of 'severity' depends on
>> organization. You have to have a component which translates message
>> from machine to context organization-defined 'severity'.
>>
>> And then we have dependency problem: If authentication service is
>> down, then you don't need explicit notification that all 20 IMAP
>> servers don't work.
>>
>> etc. etc.
>>
>>
>> IMHO, for those reasons we should implement 'a tool for replica health
>> check' with reasonably detailed output and defer problems mentioned
>> above to generic monitoring systems. The monitoring problem is way more
>> complex than it seems after first look.
>>
>> If you take monitoring seriously, you already have a monitoring
>> system. If you don't, then line
>> 'ipa health-check | mail admin at example.com' in cron is perfectly
>> enough.
>>
>> Does it make sense?
>>
> Perfectly!
>
> Simo.
>
I agree too. I was not suggesting to replace any kind of deep monitoring
rather a spot check for which the command above should be totally fine.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

