icinga2/doc/6-advanced-topics.md

# Advanced Topics

## Downtimes

TODO (move to basics?)

## Comments

TODO (move to basics?)

## Acknowledgements

TODO (move to basics?)

## Cluster

An Icinga 2 cluster consists of two or more nodes and can resist on multiple architectures. The base concept of Icinga 2 is the possibility to add additional features using components. In case of a cluster setup you have to add the cluster feature to all involved nodes. Before you start configuring the diffent nodes its necessary to setup the underlaying communication layer based on SSL.

### Certificate authority and Certificates

If you have no other way, we would suggest to use easy-rsa for certificate creation. You can get easy-rsa using your distribution package manager or the following git clone

	$ git clone https://github.com/OpenVPN/easy-rsa.git

Before you create your CA please add your minium local variables to /easy-rsa/vars

* KEY_COUNTRY
* KEY_PROVINCE
* KEY_CITY
* KEY_ORG
* KEY_EMAIL
* KEY_OU

After that you have to export the defined var and clean-up all previously created files

	source ./vars
	./clean-all

Then you can start CA creation using

	./build-ca

After that you can find your ca.crt and ca.key file in the keys directory and can create a server certificate for every node in the cluster using

	./build-key-server <node-name> 

Please don't use a passphrase during the certificate creation process.

Icinga 2 needs all certification information in one file which could be easily achieved using

	cat <node-name>.crt <node-name>.key > <node-name>.pem

Please create a key-file for every node in the Icinga 2 Cluster and save the CA-Key for additional nodes at a later date

### Enable the cluster configuration

Until the cluster-component is moved into an independent feature you have to enable the required libraries in the icinga2.conf

	library "cluster"

### Configure the ClusterListener Object

The ClusterListener needs to be configured on every node in the cluster with the following settings:

  Configuration Setting    |Value
  -------------------------|------------------------------------
  ca_path                  | path to ca.crt file
  cert_path                | path to server certificate
  bind_port                | port for incoming and outgoing conns
  peers                    | array of all reachable nodes
  ------------------------- ------------------------------------

A sample config part can look like this:

	/**
 	* Load cluster-library and configure Cluster-Listener using CA-files
 	*/
	library "cluster"
	object ClusterListener "cluster" {
    		ca_path = "/etc/icinga2/ca/ca.crt",
    		cert_path = "/etc/icinga2/ca/icinga-node-1.pem",
    		bind_port = 8888,
    		peers = [ "icinga-node-1", "icinga-node-2" ]
	}

Peers configures the direction used to connect multipe nodes together. If have a three node cluster consisting of 

* node-1
* node-2
* node-3

and node-3 is only reachable from node-2, you have to consider this in your peer configuration

### Configure Cluster Endpoints

In addition to the configured port and hostname every endpoint can have specific abilities to send configfiles to other nodes and limit the hosts allowed to send config-files.

  Configuration Setting    |Value
  -------------------------|------------------------------------
  host                     | hostname
  port                     | port
  accept_config            | defines all nodes allowed to send configs
  config_files             | defines all files to be send to other nodes
  ------------------------- ------------------------------------

A sample config part can look like this:

	/**
 	* Configure endpoints for cluster configuration
 	*/
	
	object Endpoint "icinga-node-1" {
    	host = "icinga-node-1.localdomain",
    	port = 8888
	}


## Dependencies

TODO

## Check Result Freshness

In Icinga 2 active check freshness is enabled by default. It is determined by the
`check_interval` attribute and no incoming check results in that period of time.

    threshold = last check execution time + check interval

Passive check freshness is calculated from the `check_interval` attribute if set.

    threshold = last check result time + check interval

If the freshness checks are invalid, a new check is executed defined by the
`check_command` attribute.

## Check Flapping

TODO

## Volatile Services

TODO

## Modified Attributes

TODO

## List of External Commands

TODO

## Plugin API

TODO

### Nagios Plugins
Implement mods-available/mods-enabled. Refs #4573 2013-09-27 10:44:24 +02:00			`# Advanced Topics`

Update documentation. refs #4797 2013-10-10 19:05:49 +02:00			`## Downtimes`

			`TODO (move to basics?)`

			`## Comments`

			`TODO (move to basics?)`

			`## Acknowledgements`

			`TODO (move to basics?)`

Implement mods-available/mods-enabled. Refs #4573 2013-09-27 10:44:24 +02:00			`## Cluster`

Add cluster documentation to advanced topic. 2013-10-16 09:18:18 +02:00			`An Icinga 2 cluster consists of two or more nodes and can resist on multiple architectures. The base concept of Icinga 2 is the possibility to add additional features using components. In case of a cluster setup you have to add the cluster feature to all involved nodes. Before you start configuring the diffent nodes its necessary to setup the underlaying communication layer based on SSL.`

			`### Certificate authority and Certificates`

			`If you have no other way, we would suggest to use easy-rsa for certificate creation. You can get easy-rsa using your distribution package manager or the following git clone`

			`$ git clone https://github.com/OpenVPN/easy-rsa.git`

			`Before you create your CA please add your minium local variables to /easy-rsa/vars`

			`* KEY_COUNTRY`
			`* KEY_PROVINCE`
			`* KEY_CITY`
			`* KEY_ORG`
			`* KEY_EMAIL`
			`* KEY_OU`

			`After that you have to export the defined var and clean-up all previously created files`

			`source ./vars`
			`./clean-all`

			`Then you can start CA creation using`

			`./build-ca`

			`After that you can find your ca.crt and ca.key file in the keys directory and can create a server certificate for every node in the cluster using`

			`./build-key-server <node-name>`

			`Please don't use a passphrase during the certificate creation process.`

			`Icinga 2 needs all certification information in one file which could be easily achieved using`

			`cat <node-name>.crt <node-name>.key > <node-name>.pem`

			`Please create a key-file for every node in the Icinga 2 Cluster and save the CA-Key for additional nodes at a later date`

			`### Enable the cluster configuration`

			`Until the cluster-component is moved into an independent feature you have to enable the required libraries in the icinga2.conf`

			`library "cluster"`

			`### Configure the ClusterListener Object`

			`The ClusterListener needs to be configured on every node in the cluster with the following settings:`

			`Configuration Setting \|Value`
			`-------------------------\|------------------------------------`
			`ca_path \| path to ca.crt file`
			`cert_path \| path to server certificate`
			`bind_port \| port for incoming and outgoing conns`
			`peers \| array of all reachable nodes`
			`------------------------- ------------------------------------`

			`A sample config part can look like this:`

			`/**`
			`* Load cluster-library and configure Cluster-Listener using CA-files`
			`*/`
			`library "cluster"`
			`object ClusterListener "cluster" {`
			`ca_path = "/etc/icinga2/ca/ca.crt",`
			`cert_path = "/etc/icinga2/ca/icinga-node-1.pem",`
			`bind_port = 8888,`
			`peers = [ "icinga-node-1", "icinga-node-2" ]`
			`}`

			`Peers configures the direction used to connect multipe nodes together. If have a three node cluster consisting of`

			`* node-1`
			`* node-2`
			`* node-3`

			`and node-3 is only reachable from node-2, you have to consider this in your peer configuration`

			`### Configure Cluster Endpoints`

			`In addition to the configured port and hostname every endpoint can have specific abilities to send configfiles to other nodes and limit the hosts allowed to send config-files.`

			`Configuration Setting \|Value`
			`-------------------------\|------------------------------------`
			`host \| hostname`
			`port \| port`
			`accept_config \| defines all nodes allowed to send configs`
			`config_files \| defines all files to be send to other nodes`
			`------------------------- ------------------------------------`

			`A sample config part can look like this:`

			`/**`
			`* Configure endpoints for cluster configuration`
			`*/`

			`object Endpoint "icinga-node-1" {`
			`host = "icinga-node-1.localdomain",`
			`port = 8888`
			`}`


Update documentation. refs #4797 2013-10-10 19:05:49 +02:00
			`## Dependencies`

			`TODO`

Documentation: Add freshness check changes. fixes #4759 2013-10-11 13:25:56 +02:00			`## Check Result Freshness`
Update documentation. refs #4797 2013-10-10 19:05:49 +02:00
Documentation: Add freshness check changes. fixes #4759 2013-10-11 13:25:56 +02:00			`In Icinga 2 active check freshness is enabled by default. It is determined by the`
			`check_interval` attribute and no incoming check results in that period of time.

			`threshold = last check execution time + check interval`

			Passive check freshness is calculated from the `check_interval` attribute if set.

			`threshold = last check result time + check interval`

			`If the freshness checks are invalid, a new check is executed defined by the`
			`check_command` attribute.
Update documentation. refs #4797 2013-10-10 19:05:49 +02:00
			`## Check Flapping`

			`TODO`

			`## Volatile Services`

			`TODO`

			`## Modified Attributes`

			`TODO`

			`## List of External Commands`

			`TODO`

			`## Plugin API`

			`TODO`

			`### Nagios Plugins`