Bug 1776687 - ipa-healthcheck command takes some extra time to complete when dirsrv instance is stopped.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa-healthcheck
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-26 07:26 UTC by Sudhir Menon
Modified: 2022-05-10 14:33 UTC (History)

Fixed In Version: ipa-healthcheck-0.7-7.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 14:08:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Debug output (33.11 KB, text/plain)
2019-11-26 09:20 UTC, Sudhir Menon


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7045 0 None None None 2021-10-06 22:22:34 UTC
Red Hat Product Errata RHEA-2022:1884 0 None None None 2022-05-10 14:09:05 UTC

Description Sudhir Menon 2019-11-26 07:26:31 UTC
Description of problem: ipa-healthcheck command takes some extra time to complete when dirsrv instance is stopped.

Version-Release number of selected component (if applicable):

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.2 Beta (Ootpa)

ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch


How reproducible:
Always

Steps to Reproduce:
1. Install IPA server and healthcheck
2. Run #ipa-healthcheck
3. Now stop the dirsrv instance for IPA and run #ipa-healthcheck
e.g. systemctl stop dirsrv

Actual results:

When dirsrv is running on the system and #ipa-healthcheck command is run
real	0m7.722s
user	0m3.437s
sys	0m0.283s

When dirsrv is not running on the system and #ipa-healthcheck command is run
real	1m0.191s
user	0m7.374s
sys	0m5.335s

Expected results: Although the tool does display the output on the console, it's taking considerably more time than when dirsrv was running on the system.

Additional info: Logging this as bug as per the observation seen on test system and also to see if this is expected or can be improved.

Comment 1 Sudhir Menon 2019-11-26 09:20:34 UTC
Created attachment 1639726
Debug output

Observations:
When the debug option is used, it does show that the LDAP connection is not happening; also, the check is done multiple times for ipa-dnskeysyncd.service.

Comment 2 Rob Crittenden 2019-12-06 18:57:30 UTC
  {
    "source": "ipahealthcheck.ipa.host",
    "check": "IPAHostKeytab",
    "result": "ERROR",
    "uuid": "48fdf3ad-7ad5-4d5a-9183-8b8258f5e3a4",
    "when": "20191206185609Z",
    "duration": "0.003379",
    "kw": {
      "msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638972): Generic error (see e-text)"
    }
  }

ipahealthcheck.ipa.host needs a dependency on dirsrv

For the repeated ipa-dnskeysyncd.service what ends up getting called to see if the service is up is: systemctl is-active ipa-dnskeysyncd.service

When dirsrv is down systemctl is returning activating which suggests the process is still in the startup phase.

ipa-dnskeysyncd needs a ticket to run but it can't get one because the KDC can't connect to 389-ds because it was shut down.

So this is sort of expected, perhaps a little less-than-optimal, but probably not a big deal. The end result is correct (or will be once the host check dependency is added).
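
The dependency idea from Comment 2, as an added example that is not part of the original bug report and is not freeipa-healthcheck code: a simplified runner in which each check names the units it requires, only an `is-active` state of `active` counts as up, and each unit is queried once per run. The `Check` class, `run_checks`, `demo`, the two `...Example` check names and the sample unit states are hypothetical or constructed; reporting ERROR for a missing dependency is an assumption of this sketch.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

def systemctl_state(unit: str) -> str:
    """State string printed by `systemctl is-active <unit>`."""
    proc = subprocess.run(["systemctl", "is-active", unit],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip() or "unknown"

@dataclass
class Check:                      # hypothetical, not the project's plugin class
    name: str
    requires: Tuple[str, ...]     # units that must be up before the check runs
    run: Callable[[], str]        # returns a result string such as "SUCCESS"

def run_checks(checks: List[Check],
               state_of: Callable[[str], str] = systemctl_state) -> List[Dict]:
    states: Dict[str, str] = {}   # each unit is queried once per run
    results = []
    for check in checks:
        down = []
        for unit in check.requires:
            if unit not in states:
                states[unit] = state_of(unit)
            # Only "active" counts as up; "activating" is still starting.
            if states[unit] != "active":
                down.append(f"{unit}={states[unit]}")
        if down:
            # Report the missing dependency instead of running the check.
            results.append({"check": check.name, "result": "ERROR",
                            "msg": "dependency not running: " + ", ".join(down)})
        else:
            results.append({"check": check.name, "result": check.run()})
    return results

def demo() -> Tuple[List[Dict], List[str]]:
    # Constructed states mirroring the report: dirsrv stopped, dnskeysyncd starting.
    sample = {"dirsrv": "inactive", "ipa-dnskeysyncd": "activating", "httpd": "active"}
    queried: List[str] = []
    def state_of(unit: str) -> str:
        queried.append(unit)
        return sample[unit]
    checks = [
        Check("IPAHostKeytab", ("dirsrv",), lambda: "SUCCESS"),
        Check("DNSKeySyncExample", ("dirsrv", "ipa-dnskeysyncd"), lambda: "SUCCESS"),
        Check("WebExample", ("httpd",), lambda: "SUCCESS"),
    ]
    return run_checks(checks, state_of), queried

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```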

Comment 5 Rob Crittenden 2021-05-05 19:40:27 UTC
Upstream PR https://github.com/freeipa/freeipa-healthcheck/pull/199

Comment 8 Michal Polovka 2021-12-15 10:51:52 UTC
Pre-verified manually using ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch on RHEL8.6 machine. FQDNs were replaced as they contain sensitive information.

1. dnf install ipa-server-dns ipa-healthcheck
2. ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 -U
3. systemctl status dirsrv
...
Active: active (running) since Wed 2021-12-15 05:38:25 EST; 4min 21s ago
...
4. time ipa-healthcheck
real	0m18.967s
user	0m8.296s
sys	0m1.257s
5. systemctl stop dirsrv
6. systemctl status dirsrv
...
   Active: inactive (dead) since Wed 2021-12-15 05:42:54 EST; 1s ago
...
7. time ipa-healthcheck
real	0m6.537s
user	0m5.058s
sys	0m0.837s

(Note, each time measurement was run 3 times to ensure consistency).
Run time increment not present, therefore marking as verified - tested.

Comment 12 Michal Polovka 2022-01-06 14:41:15 UTC
Verified manually using nightly build on RHEL8.6 machine with ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch

1. dnf install ipa-server-dns ipa-healthcheck
2. ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 -U
3. systemctl status dirsrv
...

Active: active (running) since Thu 2022-01-06 06:09:36 EST; 3h 24min ago
...
4.1 time ipa-healthcheck
real	0m13.647s
user	0m7.660s
sys	0m1.256s
4.2 time ipa-healthcheck
real	0m12.040s
user	0m7.470s
sys	0m1.144s
4.3 time ipa-healthcheck
real	0m11.721s
user	0m7.606s
sys	0m1.182s
5. systemctl stop dirsrv
6. systemctl status dirsrv
...

   Active: inactive (dead) since Thu 2022-01-06 09:37:50 EST; 20s ago
...
7.1 time ipa-healthcheck
real	0m5.632s
user	0m4.482s
sys	0m0.727s
7.2 time ipa-healthcheck
real	0m5.960s
user	0m4.512s
sys	0m0.723s
7.3 time ipa-healthcheck
real	0m5.906s
user	0m4.384s
sys	0m0.695s


Previously observed run time increment not present, therefore marking as Verified. This bug will not be automated as per its nature.

Comment 15 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884

