Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a way to exclude sources, checks and/or keys from results #228

Merged
merged 4 commits into from Feb 4, 2022
Merged

Add a way to exclude sources, checks and/or keys from results #228

merged 4 commits into from Feb 4, 2022

Conversation

rcritten
Copy link
Collaborator

We allow to exclude on three different levels:

  • source
  • check
  • key

Excluding a source could be used to disable a misbehaving set of
checks, particularly one not provided by upstream. A check would
be similar.

Not all results have a key but most do. If we run into corner
cases we can address them as they come up.

The example I had in mind is an untracked certificate that is
otherwise legitimate. This could be marked as excluded by key
so ipa-healthcheck will no longer return failures.

Filtering happens twice. Any sources or checks excluded will simply
not be executed. keys are excluded after execution.

This adds new section, [exclusions], which will contain three types
of exclusions and can be repeated:

source
config
key

#176

Signed-off-by: Rob Crittenden rcritten@redhat.com

@rcritten
Copy link
Collaborator Author

An example config file may look like:

[default]

[excludes]
#source=ipahealthcheck.ipa.certs
#check=IPACertTracking
#check=IPADNSSystemRecordsCheck
key=20210910141452

So you can have source=ipahealthcheck.ipa to block out all but the pki healthchecks.

antoniotorresm
antoniotorresm reviewed Jan 17, 2022
View reviewed changes
man/man5/ipahealthcheck.conf.5 Outdated
@@ -31,11 +31,33 @@ Values should not be quoted, the quotes will not be stripped.
Options must appear in the section named [default]. There are no other sections defined or used currently.

Options may be defined that are not used. Be careful of misspellings, they will not be rejected.
.SH "EXCLUDES"
There may be reasons that a user will want to suppress some results. One example is a customer certificate that is generating a warning because it is unknown to IPA. Excluding a result byu key does not prevent it from running, it is filtered from the reported results. Excluding by source or key will prevent it from running at all. Services will not be excluded because other checks may rely on them (ipahealthcheck.meta.services).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: "byu"

antoniotorresm
antoniotorresm reviewed Jan 17, 2022
View reviewed changes
src/ipahealthcheck/core/config.py Outdated
from ipahealthcheck.core.constants import DEFAULT_CONFIG

logger = logging.getLogger()


class DuplicateOrderedDict(OrderedDict):
def __setitem__(self, key, value):
"""Duplicate keys will be concatonated strings separated by new-line"""
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: "concatonated"

@antoniotorresm
Copy link
Collaborator

antoniotorresm commented Jan 17, 2022
edited

Is it possible to use excludes_key, excludes_source and excludes_check options outside the [excludes] section? The man update gives that impression, but testing on my side fails:

[default]
excludes_key=DSVIRTLE0001

Traceback (most recent call last):
  File "/root/freeipa-healthcheck/venv/bin/ipa-healthcheck", line 33, in <module>
    sys.exit(load_entry_point('ipahealthcheck', 'console_scripts', 'ipa-healthcheck')())
  File "/root/freeipa-healthcheck/src/ipahealthcheck/core/main.py", line 52, in main
    sys.exit(ipachecks.run_healthcheck())
  File "/root/freeipa-healthcheck/src/ipahealthcheck/core/core.py", line 420, in run_healthcheck
    results = exclude_keys(config, results)
  File "/root/freeipa-healthcheck/src/ipahealthcheck/core/core.py", line 256, in exclude_keys
    result.kw.get("key") in config.excludes_key
TypeError: 'in <string>' requires string as left operand, not NoneType

@antoniotorresm
Copy link
Collaborator

Do you think it would be useful to have these options on the CLI as well?

@rcritten
Copy link
Collaborator Author

Is it possible to use excludes_key, excludes_source and excludes_check options outside the [excludes] section?

The excludes_ options should not have been in the man page. That was from a previous incarnation of the change. I dropped it.

But you're right, it was semi-processed anyway. The intention was to only process those in the new section so that format so I made excludes_* be skipped when processing [default] just to be certain.

Do you think it would be useful to have these options on the CLI as well?

Probably but I couldn't think of a use-case. One might do it for a one-off but then you'd need to remember to skip it with each run. I think in the config file one could log the reason for the skip.

@antoniotorresm
Copy link
Collaborator

Maybe you could add an example usage to the ipahealtcheck.conf man page. Other than that this LGTM.

@rcritten
Copy link
Collaborator Author

rcritten commented Feb 1, 2022

Man page updated.

@rcritten
Add a way to exclude sources, checks and/or keys from results
940ceb0 
We allow to exclude on three different levels:

 * source
 * check
 * key

Excluding a source could be used to disable a misbehaving set of
checks, particularly one not provided by upstream. A check would
be similar.

Not all results have a key but most do. If we run into corner
cases we can address them as they come up.

The example I had in mind is an untracked certificate that is
otherwise legitimate. This could be marked as excluded by key
so ipa-healthcheck will no longer return failures.

Filtering happens twice. Any sources or checks excluded will simply
not be executed. keys are excluded after execution.

This adds new section, [exclusions], which will contain three types
of exclusions and can be repeated:

source
config
key

freeipa#176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten
Add keys to some Results that were missing
8fc9d01 
Being able to suppress a specific key rather than a whole
source or check is better.

I'm not ready yet to assert that there is a key in each
Result since that would be a rather impactful change but
for the purposes of this change I added an assert and ran
it through the unit tests.

freeipa#176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten
Test suppressing results
12a74ed 
Create a new source and register two plugins to it.

Use an Output plugin to collect the results in a global
variable so the results can be evaluated after the run is
complete.

Use a temporary configuration file to set the test
configuration.

Test suppressing:

- nothing
- the source
- one check
- one key

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

freeipa#176
@rcritten
Update timeout test to use new API in run_plugins
56029bf 
A config option was added which needs to be passed in during
the test call.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten rcritten merged commit 896824f into freeipa:master Feb 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antoniotorresm antoniotorresm antoniotorresm left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rcritten @antoniotorresm