Bug 1776687

Created attachment 1639726 [details]
Debug output

Observations:
When the debug option is used it does show LDAP connection is not happening also the check is done multiple times for ipa-dnskeysyncd.service.

  {
    "source": "ipahealthcheck.ipa.host",
    "check": "IPAHostKeytab",
    "result": "ERROR",
    "uuid": "48fdf3ad-7ad5-4d5a-9183-8b8258f5e3a4",
    "when": "20191206185609Z",
    "duration": "0.003379",
    "kw": {
      "msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638972): Generic error (see e-text)"
    }
  }

ipahealthcheck.ipa.host needs a dependency on dirsrv

For the repeated ipa-dnskeysyncd.service what ends up getting called to see if the service is up is: systemctl is-active ipa-dnskeysyncd.service

When dirsrv is down systemctl is returning activating which suggests the process is still in the startup phase.

ipa-dnskeysyncd needs a ticket to run but it can't get one because the KDC can't connect to 389-ds because it was shut down.

So this is sort of expected, perhaps a little less-than-optimal, but probably not a big deal. The end result is correct (or will be once the host check dependency is added).

Upstream PR https://github.com/freeipa/freeipa-healthcheck/pull/199

Fixed in master:
https://github.com/freeipa/freeipa-healthcheck/commit/c5a48fb2ba1d1b229d94178f9f7b2d374275fb49

Pre-verified manually using ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch on RHEL8.6 machine. FQDNs were replaced as they contain sensitive information.

1. dnf install ipa-server-dns ipa-healthcheck
2. ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 -U
3. systemctl status dirsrv
...
Active: active (running) since Wed 2021-12-15 05:38:25 EST; 4min 21s ago
...
4. time ipa-healthcheck
real	0m18.967s
user	0m8.296s
sys	0m1.257s
5. systemctl stop dirsrv
6. systemctl status dirsrv
...
   Active: inactive (dead) since Wed 2021-12-15 05:42:54 EST; 1s ago
...
7. time ipa-healthcheck
real	0m6.537s
user	0m5.058s
sys	0m0.837s

(Note, each time measurement was run 3 times to ensure consistency).
Run time increment not present, therefore marking as verified - tested.

Verified manually using nightly build on RHEL8.6 machine with ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch                                                                                                                                  

1. dnf install ipa-server-dns ipa-healthcheck
2. ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 -U
3. systemctl status dirsrv
...

Active: active (running) since Thu 2022-01-06 06:09:36 EST; 3h 24min ago
...
4.1 time ipa-healthcheck
real	0m13.647s
user	0m7.660s
sys	0m1.256s
4.2 time ipa-healthcheck
real	0m12.040s
user	0m7.470s
sys	0m1.144s
4.3 time ipa-healthcheck
real	0m11.721s
user	0m7.606s
sys	0m1.182s
5. systemctl stop dirsrv
6. systemctl status dirsrv
...

   Active: inactive (dead) since Thu 2022-01-06 09:37:50 EST; 20s ago
...
7.1 time ipa-healthcheck
real	0m5.632s
user	0m4.482s
sys	0m0.727s
7.2 time ipa-healthcheck
real	0m5.960s
user	0m4.512s
sys	0m0.723s
7.3 time ipa-healthcheck
real	0m5.906s
user	0m4.384s
sys	0m0.695s


Previously observed run time increment not present, therefore marking as Verified. This bug will not be automated as per its nature.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884