Your company here — click to reach over 10,000 unique daily visitors

ipa-healthcheck - Man Page

Check on the health of an IPA installation


ipa-healthcheck [OPTION]...


An IPA installation is a complex system and identifying real or potential issues can be difficult and require a lot of analysis. This tool aims to reduce the burden of that and attempts to identify issues in advance so they can be corrected, ideally before the issue is critical.

This tool must be run as root in order to access all components of a system.


These areas of the system to check can be logically grouped together. This grouping is called a source. A source consists of one or more checks.

A check is as atomic as possible to limit the scope and complexity and provide a yes/no answer on whether that particular configuration is correct.

Each check will return a result, either a result of WARNING, ERROR or CRITICAL or SUCCESS. Returning SUCCESS tells you that the check was done and was deemed correct. This should help track when the last time something was examined.

Upon failure the output will include the source and check that detected the failure along with a message and name/value pairs indicating the problem. It may very well be that the check can't make a final determination and generally defaults to WARNING if it can't be sure so that it can be examined.

Implementation Details

There is no need for users to authenticate and get a ticket in advance for ipa-healthcheck to work. Existing tickets will not be used as ipa-healthcheck will leverage the host keytab and use a temporary credential cache.




Display a list of the available sources and the checks associated with those sources.

Optional Arguments


The configuration file to use. If an empty string is passed in then no configuration file is loaded. The default is /etc/ipahealthcheck/ipahealthcheck.conf.


Execute checks within the named source, or all sources in the given namespace.


Execute this particular check within a source. The exact source must also be specified via --source.


Set the output type. Supported variants are human, json, and prometheus. The default is json.


Exclude SUCCESS results on output. If stdin is a tty then this will default to True. In all other cases it defaults to False.


Report all results.


Only report errors in the requested severity of SUCCESS, WARNING, ERROR or CRITICAL. This can be provided multiple times to search on multiple levels.


Generate verbose output.


Generate additional debugging output.

JSON Output

The results are displayed as a list of result messages for each check executed in JSON format. This could be input for a monitoring system.


Write the output to this filename rather than stdout.


Read the results of a previous run and re-display them.


Pretty-print the JSON with this indention level. This can make the output more human-readable.

Human-Readable Output

The results are displayed in a more human-readable format.


Take as input a JSON results output and convert it to a more human-readable form.

Prometheus Output

The results are displayed in the Prometheus text metric exposition format.


Uses the JSON-formatted results output as metrics source.


Prefix to use for metric names.


Execute healthcheck with the default JSON output:

# ipa-healthcheck

Execute healthcheck with a prettier JSON output:

# ipa-healthcheck --indent 2

Execute healthcheck and only display errors:

# ipa-healthcheck --failures-only

Display in human-readable output a previous report:

# ipa-healthcheck --output-type human --input-file \



Exit Status

0 if all checks were successful

1 if any one check failed or the command failed to execute properly

Internet Resources

Main website:  https://www.freeipa.org/

Git repository for ipa-healthcheck:  https://www.github.com/freeipa/freeipa-healthcheck/

Other Resources

The ipa-healthcheck distribution includes a documentation file named README.md which contains detailed explanations on executed checks.

Referenced By


Jan 16 2020 FreeIPA Manual Pages