[Freeipa-devel] Check if server is fully installed and ready

Christian Heimes cheimes at redhat.com
Thu Apr 14 09:16:01 UTC 2016


Hi,

while I was working on my Ansible playbook I ran into an issue. It is
hard to detect if a FreeIPA server instance is fully installed and all
its services are ready to handle requests. It's even harder to check it
remotely. I have figured out some heuristics to detect that a server is
*not* fully installed (e.g. /etc/ipa/default.conf is missing or
http://ipa-ca.ipa.example/ipa/crl/MasterCRL.bin returns 404). The
presence of these resources is no guarantee that all FreeIPA services
are fully up and running.

Two days ago on IRC Jan came up with the same problem with containers.
He ran into a problem related to containers and DNS updates. Since I'm
no longer alone with the problem and my own workarounds are not
completely stable, I'd like to address the problem in FreeIPA directly.
Now you might wonder why it is so hard to check if FreeIPA is ready or
why nobody ran into the issue before.

Let's start with the second question. A typical admin first installs a
FreeIPA server on one machine. It takes a couple of seconds until he
notices that the installer has finished. The admin ssh-es into another
machine, sudo -s and then runs ipa-client-install with some arguments.
It takes a couple of seconds, maybe even a minute. With containers and
automation tools it's more like milliseconds.

Now for the first question. Under some conditions a FreeIPA service
might be started but not yet ready to serve requests or isn't fully
operational yet. For example ticket
https://fedorahosted.org/freeipa/ticket/5813 is an example of a problem
with ipa-kra-install, 389-DS restarts and bind-dyndb-ldap.


Proposal

1) A new boolean attribute ipaReady=TRUE/FALSE in
cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX tracks whether or not a
FreeIPA instance is ready to handle requests.

2) A new HTTP route http[s]://$FQDN/ipa/ready is added. The route does
not need authentication. When ipaReady=TRUE the route simply returns 200
OK with some text like READY. When the attribute is not present or
FALSE, it returns an error to the client (412, 408?).

3) All ipa install and upgrade commands set the attribute to FALSE
before any tasks.

4) A final step in all ipa install and upgrade commands checks that all
services have been started and are ready to handle requests. Eventually
the ipaReady attribute is set to true.

Christian
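
A sketch of proposal items 1 and 2, added here as an illustration; it is not code from the post or from FreeIPA. It shows the route failing closed (absent attribute, FALSE, or directory error all yield the same terse error) and a client-side poller for automation. The names make_ready_app, read_master_entry, wait_until_ready and call, the "NOT READY" body, string-valued attributes and the choice of 412 over 408 are assumptions.

```python
import time

NOT_READY_STATUS = "412 Precondition Failed"  # assumption: the post leaves 412 vs 408 open


def is_ready(entry):
    """entry: attributes of the master entry as {name: [values]} (assumed shape).
    A missing attribute or anything other than a single TRUE counts as not ready."""
    values = entry.get("ipaReady", [])
    return len(values) == 1 and values[0].upper() == "TRUE"


def make_ready_app(read_master_entry):
    """WSGI app for the proposed /ipa/ready route. read_master_entry is a
    hypothetical callable that returns the master entry's attributes."""
    def app(environ, start_response):
        try:
            ready = is_ready(read_master_entry())
        except Exception:
            ready = False  # directory unreachable: fail closed, expose no error detail
        status, body = ("200 OK", b"READY\n") if ready else (NOT_READY_STATUS, b"NOT READY\n")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body))),
                                ("Cache-Control", "no-store")])  # never serve a stale READY
        return [body]
    return app


def wait_until_ready(probe, timeout=60.0, interval=1.0, sleep=time.sleep, clock=time.monotonic):
    """Poll probe() -> (status_code, body) until it reports 200 + READY or timeout expires."""
    deadline = clock() + timeout
    while True:
        try:
            code, body = probe()
            if code == 200 and body.strip() == b"READY":
                return True
        except OSError:
            pass  # e.g. connection refused while the web server is still starting
        if clock() >= deadline:
            return False
        sleep(interval)


def call(app):
    """Invoke the WSGI app in-process (no network); returns (status_code, body)."""
    seen = {}
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/ipa/ready"},
                        lambda status, headers: seen.update(status=status)))
    return int(seen["status"].split()[0]), body
```

Because the route is unauthenticated, the response body carries only the fixed READY / NOT READY text and nothing about which service is lagging.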
