tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-29 08:34:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Docs: Rename client to agent, step 1

Browse Source
This commit is contained in:
Michael Friedrich 2019-07-19 14:44:14 +02:00
parent e9f61ef234
commit 125fafeb08
7 changed files with 196 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
doc/03-monitoring-basics.md
View File

@ -678,7 +678,7 @@ attribute and reference an existing host attribute.
``` ```
object Service "ping4" { object Service "ping4" {
check_command = "ping4" check_command = "ping4"
host_name = "icinga2-client1.localdomain" host_name = "icinga2-agent1.localdomain"
} }
``` ```
@ -1599,7 +1599,7 @@ already provides an example for this question.
Specify the user and groups as nested custom variable on the host object: Specify the user and groups as nested custom variable on the host object:
``` ```
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
[...] [...]
vars.notification["mail"] = { vars.notification["mail"] = {
@ -2035,7 +2035,7 @@ If you prefer this being configured at the host instead of the service, modify t
object instead. The runtime macro resolving order is described [here](03-monitoring-basics.md#macro-evaluation-order). object instead. The runtime macro resolving order is described [here](03-monitoring-basics.md#macro-evaluation-order).
``` ```
object Host "icinga2-client1.localdomain { object Host "icinga2-agent1.localdomain {
... ...
vars.ssh_port = 2022 vars.ssh_port = 2022
} }
@ -2763,7 +2763,7 @@ The script only is executed if the service state is `CRITICAL`. Warning and Unkn
are ignored as they indicate not an immediate failure. are ignored as they indicate not an immediate failure.
``` ```
[root@icinga2-client1.localdomain /]# vim /usr/lib64/nagios/plugins/restart_service [root@icinga2-agent1.localdomain /]# vim /usr/lib64/nagios/plugins/restart_service
#!/bin/bash #!/bin/bash
@ -2794,7 +2794,7 @@ else
fi fi
fi fi
[root@icinga2-client1.localdomain /]# chmod +x /usr/lib64/nagios/plugins/restart_service [root@icinga2-agent1.localdomain /]# chmod +x /usr/lib64/nagios/plugins/restart_service
``` ```
Add a service on the master node which is executed via command endpoint on the client. Add a service on the master node which is executed via command endpoint on the client.
@ -2802,15 +2802,15 @@ Set the `event_command` attribute to `restart_service`, the name of the previous
EventCommand object. EventCommand object.
``` ```
[root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.d/master/icinga2-client1.localdomain.conf [root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.d/master/icinga2-agent1.localdomain.conf
object Service "Process httpd" { object Service "Process httpd" {
check_command = "procs" check_command = "procs"
event_command = "restart_service" event_command = "restart_service"
max_check_attempts = 4 max_check_attempts = 4
host_name = "icinga2-client1.localdomain" host_name = "icinga2-agent1.localdomain"
command_endpoint = "icinga2-client1.localdomain" command_endpoint = "icinga2-agent1.localdomain"
vars.procs_command = "httpd" vars.procs_command = "httpd"
vars.procs_warning = "1:10" vars.procs_warning = "1:10"
@ -2818,17 +2818,17 @@ object Service "Process httpd" {
} }
``` ```
In order to test this configuration just stop the `httpd` on the remote host `icinga2-client1.localdomain`. In order to test this configuration just stop the `httpd` on the remote host `icinga2-agent1.localdomain`.
``` ```
[root@icinga2-client1.localdomain /]# systemctl stop httpd [root@icinga2-agent1.localdomain /]# systemctl stop httpd
``` ```
You can enable the [debug log](15-troubleshooting.md#troubleshooting-enable-debug-output) and search for the You can enable the [debug log](15-troubleshooting.md#troubleshooting-enable-debug-output) and search for the
executed command line. executed command line.
``` ```
[root@icinga2-client1.localdomain /]# tail -f /var/log/icinga2/debug.log | grep restart_service [root@icinga2-agent1.localdomain /]# tail -f /var/log/icinga2/debug.log | grep restart_service
``` ```
#### Use Event Commands to Restart Service Daemon via Command Endpoint on Windows <a id="event-command-restart-service-daemon-command-endpoint-windows"></a> #### Use Event Commands to Restart Service Daemon via Command Endpoint on Windows <a id="event-command-restart-service-daemon-command-endpoint-windows"></a>
@ -2904,21 +2904,21 @@ Set the `event_command` attribute to `restart_service-windows`, the name of the
EventCommand object. EventCommand object.
``` ```
[root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.d/master/icinga2-client2.localdomain.conf [root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.d/master/icinga2-agent2.localdomain.conf
object Service "Service httpd" { object Service "Service httpd" {
check_command = "service-windows" check_command = "service-windows"
event_command = "restart_service-windows" event_command = "restart_service-windows"
max_check_attempts = 4 max_check_attempts = 4
host_name = "icinga2-client2.localdomain" host_name = "icinga2-agent2.localdomain"
command_endpoint = "icinga2-client2.localdomain" command_endpoint = "icinga2-agent2.localdomain"
vars.service_win_service = "httpd" vars.service_win_service = "httpd"
} }
``` ```
In order to test this configuration just stop the `httpd` on the remote host `icinga2-client1.localdomain`. In order to test this configuration just stop the `httpd` on the remote host `icinga2-agent1.localdomain`.
``` ```
C:> net stop httpd C:> net stop httpd
@ -3024,15 +3024,15 @@ object Host "remote-http-host" {
} }
``` ```
In order to test this configuration just stop the `httpd` on the remote host `icinga2-client1.localdomain`. In order to test this configuration just stop the `httpd` on the remote host `icinga2-agent1.localdomain`.
``` ```
[root@icinga2-client1.localdomain /]# systemctl stop httpd [root@icinga2-agent1.localdomain /]# systemctl stop httpd
``` ```
You can enable the [debug log](15-troubleshooting.md#troubleshooting-enable-debug-output) and search for the You can enable the [debug log](15-troubleshooting.md#troubleshooting-enable-debug-output) and search for the
executed command line. executed command line.
``` ```
[root@icinga2-client1.localdomain /]# tail -f /var/log/icinga2/debug.log | grep by_ssh [root@icinga2-agent1.localdomain /]# tail -f /var/log/icinga2/debug.log | grep by_ssh
``` ```

292
doc/06-distributed-monitoring.md
View File

@ -363,10 +363,10 @@ Required information:
--------------------|-------------------- --------------------|--------------------
Common name (CN) | **Required.** The common name for the satellite/client. By convention this should be the FQDN. Common name (CN) | **Required.** The common name for the satellite/client. By convention this should be the FQDN.
The following example shows how to generate a ticket on the master node `icinga2-master1.localdomain` for the client `icinga2-client1.localdomain`: The following example shows how to generate a ticket on the master node `icinga2-master1.localdomain` for the client `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-master1.localdomain /]# icinga2 pki ticket --cn icinga2-client1.localdomain [root@icinga2-master1.localdomain /]# icinga2 pki ticket --cn icinga2-agent1.localdomain
``` ```
Querying the [Icinga 2 API](12-icinga2-api.md#icinga2-api) on the master requires an [ApiUser](12-icinga2-api.md#icinga2-api-authentication) Querying the [Icinga 2 API](12-icinga2-api.md#icinga2-api) on the master requires an [ApiUser](12-icinga2-api.md#icinga2-api-authentication)
@ -385,7 +385,7 @@ object ApiUser "client-pki-ticket" {
Retrieve the ticket on the master node `icinga2-master1.localdomain` with `curl`, for example: Retrieve the ticket on the master node `icinga2-master1.localdomain` with `curl`, for example:
[root@icinga2-master1.localdomain /]# curl -k -s -u client-pki-ticket:bea11beb7b810ea9ce6ea -H 'Accept: application/json' \ [root@icinga2-master1.localdomain /]# curl -k -s -u client-pki-ticket:bea11beb7b810ea9ce6ea -H 'Accept: application/json' \
-X POST 'https://localhost:5665/v1/actions/generate-ticket' -d '{ "cn": "icinga2-client1.localdomain" }' -X POST 'https://localhost:5665/v1/actions/generate-ticket' -d '{ "cn": "icinga2-agent1.localdomain" }'
``` ```
Store that ticket number for the satellite/client setup below. Store that ticket number for the satellite/client setup below.
@ -423,7 +423,7 @@ You can list pending certificate signing requests with the `ca list` CLI command
[root@icinga2-master1.localdomain /]# icinga2 ca list [root@icinga2-master1.localdomain /]# icinga2 ca list
Fingerprint | Timestamp | Signed | Subject Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|-------- -----------------------------------------------------------------|---------------------|--------|--------
71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-agent2.localdomain
``` ```
In order to show all requests, use the `--all` parameter. In order to show all requests, use the `--all` parameter.
@ -432,8 +432,8 @@ In order to show all requests, use the `--all` parameter.
[root@icinga2-master1.localdomain /]# icinga2 ca list --all [root@icinga2-master1.localdomain /]# icinga2 ca list --all
Fingerprint | Timestamp | Signed | Subject Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|-------- -----------------------------------------------------------------|---------------------|--------|--------
403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-client1.localdomain 403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-agent1.localdomain
71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-agent2.localdomain
``` ```
**Tip**: Add `--json` to the CLI command to retrieve the details in JSON format. **Tip**: Add `--json` to the CLI command to retrieve the details in JSON format.
@ -443,7 +443,7 @@ and pass its fingerprint as argument.
``` ```
[root@icinga2-master1.localdomain /]# icinga2 ca sign 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 [root@icinga2-master1.localdomain /]# icinga2 ca sign 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850
information/cli: Signed certificate for 'CN = icinga2-client2.localdomain'. information/cli: Signed certificate for 'CN = icinga2-agent2.localdomain'.
``` ```
> **Note** > **Note**
@ -479,19 +479,19 @@ so already.
The next step is to run the `node wizard` CLI command. The next step is to run the `node wizard` CLI command.
In this example we're generating a ticket on the master node `icinga2-master1.localdomain` for the client `icinga2-client1.localdomain`: In this example we're generating a ticket on the master node `icinga2-master1.localdomain` for the client `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-master1.localdomain /]# icinga2 pki ticket --cn icinga2-client1.localdomain [root@icinga2-master1.localdomain /]# icinga2 pki ticket --cn icinga2-agent1.localdomain
4f75d2ecd253575fe9180938ebff7cbca262f96e 4f75d2ecd253575fe9180938ebff7cbca262f96e
``` ```
Note: You don't need this step if you have chosen to use [On-Demand CSR Signing](06-distributed-monitoring.md#distributed-monitoring-setup-on-demand-csr-signing). Note: You don't need this step if you have chosen to use [On-Demand CSR Signing](06-distributed-monitoring.md#distributed-monitoring-setup-on-demand-csr-signing).
Start the wizard on the client `icinga2-client1.localdomain`: Start the wizard on the client `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-client1.localdomain /]# icinga2 node wizard [root@icinga2-agent1.localdomain /]# icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard! Welcome to the Icinga 2 Setup Wizard!
@ -510,7 +510,7 @@ this should be the FQDN.
``` ```
Starting the Client/Satellite setup routine... Starting the Client/Satellite setup routine...
Please specify the common name (CN) [icinga2-client1.localdomain]: icinga2-client1.localdomain Please specify the common name (CN) [icinga2-agent1.localdomain]: icinga2-agent1.localdomain
``` ```
Specify the direct parent for this node. This could be your primary master `icinga2-master1.localdomain` Specify the direct parent for this node. This could be your primary master `icinga2-master1.localdomain`
@ -573,7 +573,7 @@ Proceed with adding the optional client ticket for [CSR auto-signing](06-distrib
``` ```
Please specify the request ticket generated on your Icinga 2 master (optional). Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'icinga2-client1.localdomain'): (Hint: # icinga2 pki ticket --cn 'icinga2-agent1.localdomain'):
4f75d2ecd253575fe9180938ebff7cbca262f96e 4f75d2ecd253575fe9180938ebff7cbca262f96e
``` ```
@ -609,7 +609,7 @@ in the generated zone configuration file.
Set the local zone name to something else, if you are installing a satellite or secondary master instance. Set the local zone name to something else, if you are installing a satellite or secondary master instance.
``` ```
Local zone name [icinga2-client1.localdomain]: Local zone name [icinga2-agent1.localdomain]:
``` ```
Set the parent zone name to something else than `master` if this client connects to a satellite instance instead of the master. Set the parent zone name to something else than `master` if this client connects to a satellite instance instead of the master.
@ -657,7 +657,7 @@ Now restart your Icinga 2 daemon to finish the installation!
Restart Icinga 2 as requested. Restart Icinga 2 as requested.
``` ```
[root@icinga2-client1.localdomain /]# systemctl restart icinga2 [root@icinga2-agent1.localdomain /]# systemctl restart icinga2
``` ```
Here is an overview of all parameters in detail: Here is an overview of all parameters in detail:
@ -952,20 +952,20 @@ commands, you need to configure the `Zone` and `Endpoint` hierarchy
on all nodes. on all nodes.
* `icinga2-master1.localdomain` is the configuration master in this scenario. * `icinga2-master1.localdomain` is the configuration master in this scenario.
* `icinga2-client1.localdomain` acts as client which receives command execution messages via command endpoint from the master. In addition, it receives the global check command configuration from the master. * `icinga2-agent1.localdomain` acts as client which receives command execution messages via command endpoint from the master. In addition, it receives the global check command configuration from the master.
Include the endpoint and zone configuration on **both** nodes in the file `/etc/icinga2/zones.conf`. Include the endpoint and zone configuration on **both** nodes in the file `/etc/icinga2/zones.conf`.
The endpoint configuration could look like this, for example: The endpoint configuration could look like this, for example:
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
host = "192.168.56.101" host = "192.168.56.101"
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" host = "192.168.56.111"
} }
``` ```
@ -975,17 +975,17 @@ Next, you need to define two zones. There is no naming convention, best practice
**Note**: Each client requires its own zone and endpoint configuration. Best practice **Note**: Each client requires its own zone and endpoint configuration. Best practice
is to use the client's FQDN for all object names. is to use the client's FQDN for all object names.
The `master` zone is a parent of the `icinga2-client1.localdomain` zone: The `master` zone is a parent of the `icinga2-agent1.localdomain` zone:
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain" ] //array with endpoint names endpoints = [ "icinga2-master1.localdomain" ] //array with endpoint names
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" //establish zone hierarchy parent = "master" //establish zone hierarchy
} }
@ -997,7 +997,7 @@ above. Therefore disable the inclusion of the `conf.d` directory
in `/etc/icinga2/icinga2.conf`. in `/etc/icinga2/icinga2.conf`.
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/icinga2.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/icinga2.conf
// Commented out, not required on a client as command endpoint // Commented out, not required on a client as command endpoint
//include_recursive "conf.d" //include_recursive "conf.d"
@ -1014,8 +1014,8 @@ on both nodes.
Example on CentOS 7: Example on CentOS 7:
``` ```
[root@icinga2-client1.localdomain /]# icinga2 daemon -C [root@icinga2-agent1.localdomain /]# icinga2 daemon -C
[root@icinga2-client1.localdomain /]# systemctl restart icinga2 [root@icinga2-agent1.localdomain /]# systemctl restart icinga2
[root@icinga2-master1.localdomain /]# icinga2 daemon -C [root@icinga2-master1.localdomain /]# icinga2 daemon -C
[root@icinga2-master1.localdomain /]# systemctl restart icinga2 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@ -1042,7 +1042,7 @@ You can also add multiple hosts which execute checks against remote services/cli
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" //check is executed on the master check_command = "hostalive" //check is executed on the master
address = "192.168.56.111" address = "192.168.56.111"
@ -1092,8 +1092,8 @@ The following steps will happen:
* Icinga 2 validates the configuration on `icinga2-master1.localdomain` and restarts. * Icinga 2 validates the configuration on `icinga2-master1.localdomain` and restarts.
* The `icinga2-master1.localdomain` node schedules and executes the checks. * The `icinga2-master1.localdomain` node schedules and executes the checks.
* The `icinga2-client1.localdomain` node receives the execute command event with additional command parameters. * The `icinga2-agent1.localdomain` node receives the execute command event with additional command parameters.
* The `icinga2-client1.localdomain` node maps the command parameters to the local check command, executes the check locally, and sends back the check result message. * The `icinga2-agent1.localdomain` node maps the command parameters to the local check command, executes the check locally, and sends back the check result message.
As you can see, no interaction from your side is required on the client itself, and it's not necessary to reload the Icinga 2 service on the client. As you can see, no interaction from your side is required on the client itself, and it's not necessary to reload the Icinga 2 service on the client.
@ -1130,20 +1130,20 @@ commands, you need to configure the `Zone` and `Endpoint` hierarchy
on all nodes. on all nodes.
* `icinga2-master1.localdomain` is the configuration master in this scenario. * `icinga2-master1.localdomain` is the configuration master in this scenario.
* `icinga2-client2.localdomain` acts as client which receives configuration from the master. Checks are scheduled locally. * `icinga2-agent2.localdomain` acts as client which receives configuration from the master. Checks are scheduled locally.
Include the endpoint and zone configuration on **both** nodes in the file `/etc/icinga2/zones.conf`. Include the endpoint and zone configuration on **both** nodes in the file `/etc/icinga2/zones.conf`.
The endpoint configuration could look like this: The endpoint configuration could look like this:
``` ```
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
host = "192.168.56.101" host = "192.168.56.101"
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
host = "192.168.56.112" host = "192.168.56.112"
} }
``` ```
@ -1153,28 +1153,28 @@ Next, you need to define two zones. There is no naming convention, best practice
**Note**: Each client requires its own zone and endpoint configuration. Best practice **Note**: Each client requires its own zone and endpoint configuration. Best practice
is to use the client's FQDN for all object names. is to use the client's FQDN for all object names.
The `master` zone is a parent of the `icinga2-client2.localdomain` zone: The `master` zone is a parent of the `icinga2-agent2.localdomain` zone:
``` ```
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/zones.conf
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain" ] //array with endpoint names endpoints = [ "icinga2-master1.localdomain" ] //array with endpoint names
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "master" //establish zone hierarchy parent = "master" //establish zone hierarchy
} }
``` ```
Edit the `api` feature on the client `icinga2-client2.localdomain` in Edit the `api` feature on the client `icinga2-agent2.localdomain` in
the `/etc/icinga2/features-enabled/api.conf` file and set the `/etc/icinga2/features-enabled/api.conf` file and set
`accept_config` to `true`. `accept_config` to `true`.
``` ```
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/features-enabled/api.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/features-enabled/api.conf
object ApiListener "api" { object ApiListener "api" {
//... //...
@ -1188,8 +1188,8 @@ on both nodes.
Example on CentOS 7: Example on CentOS 7:
``` ```
[root@icinga2-client2.localdomain /]# icinga2 daemon -C [root@icinga2-agent2.localdomain /]# icinga2 daemon -C
[root@icinga2-client2.localdomain /]# systemctl restart icinga2 [root@icinga2-agent2.localdomain /]# systemctl restart icinga2
[root@icinga2-master1.localdomain /]# icinga2 daemon -C [root@icinga2-master1.localdomain /]# icinga2 daemon -C
[root@icinga2-master1.localdomain /]# systemctl restart icinga2 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@ -1206,7 +1206,7 @@ Navigate to `/etc/icinga2/zones.d` on your master node
name as your satellite/client zone name: name as your satellite/client zone name:
``` ```
[root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/icinga2-client2.localdomain [root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/icinga2-agent2.localdomain
``` ```
Add the host and service objects you want to monitor. There is Add the host and service objects you want to monitor. There is
@ -1217,10 +1217,10 @@ By convention a master/satellite/client host object should use the same name as
You can also add multiple hosts which execute checks against remote services/clients. You can also add multiple hosts which execute checks against remote services/clients.
``` ```
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/icinga2-client2.localdomain [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/icinga2-agent2.localdomain
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/icinga2-client2.localdomain]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/icinga2-agent2.localdomain]# vim hosts.conf
object Host "icinga2-client2.localdomain" { object Host "icinga2-agent2.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.112" address = "192.168.56.112"
zone = "master" //optional trick: sync the required host object to the client, but enforce the "master" zone to execute the check zone = "master" //optional trick: sync the required host object to the client, but enforce the "master" zone to execute the check
@ -1231,10 +1231,10 @@ Given that you are monitoring a Linux client we'll just add a local [disk](10-ic
check. check.
``` ```
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/icinga2-client2.localdomain]# vim services.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/icinga2-agent2.localdomain]# vim services.conf
object Service "disk" { object Service "disk" {
host_name = "icinga2-client2.localdomain" host_name = "icinga2-agent2.localdomain"
check_command = "disk" check_command = "disk"
} }
@ -1257,8 +1257,8 @@ The following steps will happen:
* Icinga 2 validates the configuration on `icinga2-master1.localdomain`. * Icinga 2 validates the configuration on `icinga2-master1.localdomain`.
* Icinga 2 copies the configuration into its zone config store in `/var/lib/icinga2/api/zones`. * Icinga 2 copies the configuration into its zone config store in `/var/lib/icinga2/api/zones`.
* The `icinga2-master1.localdomain` node sends a config update event to all endpoints in the same or direct child zones. * The `icinga2-master1.localdomain` node sends a config update event to all endpoints in the same or direct child zones.
* The `icinga2-client2.localdomain` node accepts config and populates the local zone config store with the received config files. * The `icinga2-agent2.localdomain` node accepts config and populates the local zone config store with the received config files.
* The `icinga2-client2.localdomain` node validates the configuration and automatically restarts. * The `icinga2-agent2.localdomain` node validates the configuration and automatically restarts.
Again, there is no interaction required on the client Again, there is no interaction required on the client
itself. itself.
@ -1307,12 +1307,12 @@ to execute checks on the remote clients.
![Icinga 2 Distributed Master with Clients](images/distributed-monitoring/icinga2_distributed_scenarios_master_clients.png) ![Icinga 2 Distributed Master with Clients](images/distributed-monitoring/icinga2_distributed_scenarios_master_clients.png)
* `icinga2-master1.localdomain` is the primary master node. * `icinga2-master1.localdomain` is the primary master node.
* `icinga2-client1.localdomain` and `icinga2-client2.localdomain` are two child nodes as clients. * `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` are two child nodes as clients.
Setup requirements: Setup requirements:
* Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master). * Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master).
* Set up `icinga2-client1.localdomain` and `icinga2-client2.localdomain` as [client](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client). * Set up `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` as [client](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client).
Edit the `zones.conf` configuration file on the master: Edit the `zones.conf` configuration file on the master:
@ -1322,11 +1322,11 @@ Edit the `zones.conf` configuration file on the master:
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" //the master actively tries to connect to the client host = "192.168.56.111" //the master actively tries to connect to the client
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
host = "192.168.56.112" //the master actively tries to connect to the client host = "192.168.56.112" //the master actively tries to connect to the client
} }
@ -1334,14 +1334,14 @@ object Zone "master" {
endpoints = [ "icinga2-master1.localdomain" ] endpoints = [ "icinga2-master1.localdomain" ]
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" parent = "master"
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "master" parent = "master"
} }
@ -1361,21 +1361,21 @@ endpoint's attribute on the master node already, we don't want the clients to co
master. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).** master. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).**
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
} }
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain" ] endpoints = [ "icinga2-master1.localdomain" ]
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" parent = "master"
} }
@ -1385,21 +1385,21 @@ object Zone "global-templates" {
global = true global = true
} }
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
} }
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain" ] endpoints = [ "icinga2-master1.localdomain" ]
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "master" parent = "master"
} }
@ -1426,13 +1426,13 @@ Add the two client nodes as host objects:
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
} }
object Host "icinga2-client2.localdomain" { object Host "icinga2-agent2.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.112" address = "192.168.56.112"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -1495,13 +1495,13 @@ Overview:
* `icinga2-master1.localdomain` is the config master master node. * `icinga2-master1.localdomain` is the config master master node.
* `icinga2-master2.localdomain` is the secondary master master node without config in `zones.d`. * `icinga2-master2.localdomain` is the secondary master master node without config in `zones.d`.
* `icinga2-client1.localdomain` and `icinga2-client2.localdomain` are two child nodes as clients. * `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` are two child nodes as clients.
Setup requirements: Setup requirements:
* Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master). * Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master).
* Set up `icinga2-master2.localdomain` as [client](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (we will modify the generated configuration). * Set up `icinga2-master2.localdomain` as [client](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (we will modify the generated configuration).
* Set up `icinga2-client1.localdomain` and `icinga2-client2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (when asked for adding multiple masters, set to `y` and add the secondary master `icinga2-master2.localdomain`). * Set up `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (when asked for adding multiple masters, set to `y` and add the secondary master `icinga2-master2.localdomain`).
In case you don't want to use the CLI commands, you can also manually create and sync the In case you don't want to use the CLI commands, you can also manually create and sync the
required SSL certificates. We will modify and discuss all the details of the automatically generated configuration here. required SSL certificates. We will modify and discuss all the details of the automatically generated configuration here.
@ -1538,11 +1538,11 @@ object Endpoint "icinga2-master2.localdomain" {
host = "192.168.56.102" host = "192.168.56.102"
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" //the master actively tries to connect to the client host = "192.168.56.111" //the master actively tries to connect to the client
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
host = "192.168.56.112" //the master actively tries to connect to the client host = "192.168.56.112" //the master actively tries to connect to the client
} }
@ -1550,14 +1550,14 @@ object Zone "master" {
endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ] endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ]
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" parent = "master"
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "master" parent = "master"
} }
@ -1577,7 +1577,7 @@ endpoint's attribute on the master node already, we don't want the clients to co
master nodes. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).** master nodes. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).**
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
@ -1587,15 +1587,15 @@ object Endpoint "icinga2-master2.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
} }
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ] endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ]
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" parent = "master"
} }
@ -1605,7 +1605,7 @@ object Zone "global-templates" {
global = true global = true
} }
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-master1.localdomain" { object Endpoint "icinga2-master1.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
@ -1615,15 +1615,15 @@ object Endpoint "icinga2-master2.localdomain" {
//do not actively connect to the master by leaving out the 'host' attribute //do not actively connect to the master by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
} }
object Zone "master" { object Zone "master" {
endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ] endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ]
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "master" parent = "master"
} }
@ -1652,13 +1652,13 @@ Add the two client nodes as host objects:
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
} }
object Host "icinga2-client2.localdomain" { object Host "icinga2-agent2.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.112" address = "192.168.56.112"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -1724,19 +1724,19 @@ Overview:
* `icinga2-master1.localdomain` is the configuration master master node. * `icinga2-master1.localdomain` is the configuration master master node.
* `icinga2-master2.localdomain` is the secondary master master node without configuration in `zones.d`. * `icinga2-master2.localdomain` is the secondary master master node without configuration in `zones.d`.
* `icinga2-satellite1.localdomain` and `icinga2-satellite2.localdomain` are satellite nodes in a `master` child zone. They forward CSR signing requests to the master zone. * `icinga2-satellite1.localdomain` and `icinga2-satellite2.localdomain` are satellite nodes in a `master` child zone. They forward CSR signing requests to the master zone.
* `icinga2-client1.localdomain` and `icinga2-client2.localdomain` are two child nodes as clients. * `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` are two child nodes as clients.
Setup requirements: Setup requirements:
* Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master). * Set up `icinga2-master1.localdomain` as [master](06-distributed-monitoring.md#distributed-monitoring-setup-master).
* Set up `icinga2-master2.localdomain`, `icinga2-satellite1.localdomain` and `icinga2-satellite2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (we will modify the generated configuration). * Set up `icinga2-master2.localdomain`, `icinga2-satellite1.localdomain` and `icinga2-satellite2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client) (we will modify the generated configuration).
* Set up `icinga2-client1.localdomain` and `icinga2-client2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client). * Set up `icinga2-agent1.localdomain` and `icinga2-agent2.localdomain` as [clients](06-distributed-monitoring.md#distributed-monitoring-setup-satellite-client).
When being asked for the parent endpoint providing CSR auto-signing capabilities, When being asked for the parent endpoint providing CSR auto-signing capabilities,
please add one of the satellite nodes. **Note**: This requires Icinga 2 v2.8+ please add one of the satellite nodes. **Note**: This requires Icinga 2 v2.8+
and the `CA Proxy` on all master, satellite and client nodes. and the `CA Proxy` on all master, satellite and client nodes.
Example for `icinga2-client1.localdomain`: Example for `icinga2-agent1.localdomain`:
``` ```
Please specify the parent endpoint(s) (master or satellite) where this node should connect to: Please specify the parent endpoint(s) (master or satellite) where this node should connect to:
@ -1774,7 +1774,7 @@ Proceed with adding the optional client ticket for [CSR auto-signing](06-distrib
``` ```
Please specify the request ticket generated on your Icinga 2 master (optional). Please specify the request ticket generated on your Icinga 2 master (optional).
(Hint: # icinga2 pki ticket --cn 'icinga2-client1.localdomain'): (Hint: # icinga2 pki ticket --cn 'icinga2-agent1.localdomain'):
4f75d2ecd253575fe9180938ebff7cbca262f96e 4f75d2ecd253575fe9180938ebff7cbca262f96e
``` ```
@ -1808,7 +1808,7 @@ Next you can optionally specify the local and parent zone names. This will be re
in the generated zone configuration file. in the generated zone configuration file.
``` ```
Local zone name [icinga2-client1.localdomain]: icinga2-client1.localdomain Local zone name [icinga2-agent1.localdomain]: icinga2-agent1.localdomain
``` ```
Set the parent zone name to `satellite` for this client. Set the parent zone name to `satellite` for this client.
@ -1942,26 +1942,26 @@ satellites where the connection information is needed as well.
[root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/{master,satellite,global-templates} [root@icinga2-master1.localdomain /]# mkdir -p /etc/icinga2/zones.d/{master,satellite,global-templates}
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/satellite [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/satellite
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-client1.localdomain.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-agent1.localdomain.conf
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" //the satellite actively tries to connect to the client host = "192.168.56.111" //the satellite actively tries to connect to the client
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "satellite" parent = "satellite"
} }
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-client2.localdomain.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-agent2.localdomain.conf
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
host = "192.168.56.112" //the satellite actively tries to connect to the client host = "192.168.56.112" //the satellite actively tries to connect to the client
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "satellite" parent = "satellite"
} }
@ -1975,10 +1975,10 @@ endpoint objects, the client node will actively try to connect to the satellite
endpoint's attribute on the satellite node already, we don't want the client node to connect to the endpoint's attribute on the satellite node already, we don't want the client node to connect to the
satellite nodes. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).** satellite nodes. **Choose one [connection direction](06-distributed-monitoring.md#distributed-monitoring-advanced-hints-connection-direction).**
Example for `icinga2-client1.localdomain`: Example for `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-satellite1.localdomain" { object Endpoint "icinga2-satellite1.localdomain" {
//do not actively connect to the satellite by leaving out the 'host' attribute //do not actively connect to the satellite by leaving out the 'host' attribute
@ -1988,7 +1988,7 @@ object Endpoint "icinga2-satellite2.localdomain" {
//do not actively connect to the satellite by leaving out the 'host' attribute //do not actively connect to the satellite by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
//that's us //that's us
} }
@ -1996,8 +1996,8 @@ object Zone "satellite" {
endpoints = [ "icinga2-satellite1.localdomain", "icinga2-satellite2.localdomain" ] endpoints = [ "icinga2-satellite1.localdomain", "icinga2-satellite2.localdomain" ]
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "satellite" parent = "satellite"
} }
@ -2012,10 +2012,10 @@ object Zone "director-global" {
} }
``` ```
Example for `icinga2-client2.localdomain`: Example for `icinga2-agent2.localdomain`:
``` ```
[root@icinga2-client2.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent2.localdomain /]# vim /etc/icinga2/zones.conf
object Endpoint "icinga2-satellite1.localdomain" { object Endpoint "icinga2-satellite1.localdomain" {
//do not actively connect to the satellite by leaving out the 'host' attribute //do not actively connect to the satellite by leaving out the 'host' attribute
@ -2025,7 +2025,7 @@ object Endpoint "icinga2-satellite2.localdomain" {
//do not actively connect to the satellite by leaving out the 'host' attribute //do not actively connect to the satellite by leaving out the 'host' attribute
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
//that's us //that's us
} }
@ -2033,8 +2033,8 @@ object Zone "satellite" {
endpoints = [ "icinga2-satellite1.localdomain", "icinga2-satellite2.localdomain" ] endpoints = [ "icinga2-satellite1.localdomain", "icinga2-satellite2.localdomain" ]
} }
object Zone "icinga2-client2.localdomain" { object Zone "icinga2-agent2.localdomain" {
endpoints = [ "icinga2-client2.localdomain" ] endpoints = [ "icinga2-agent2.localdomain" ]
parent = "satellite" parent = "satellite"
} }
@ -2060,26 +2060,26 @@ zone and endpoint configuration for the clients.
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/satellite [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/satellite
``` ```
Add the host object configuration for the `icinga2-client1.localdomain` client. You should Add the host object configuration for the `icinga2-agent1.localdomain` client. You should
have created the configuration file in the previous steps and it should contain the endpoint have created the configuration file in the previous steps and it should contain the endpoint
and zone object configuration already. and zone object configuration already.
``` ```
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-client1.localdomain.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-agent1.localdomain.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
} }
``` ```
Add the host object configuration for the `icinga2-client2.localdomain` client configuration file: Add the host object configuration for the `icinga2-agent2.localdomain` client configuration file:
``` ```
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-client2.localdomain.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/satellite]# vim icinga2-agent2.localdomain.conf
object Host "icinga2-client2.localdomain" { object Host "icinga2-agent2.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.112" address = "192.168.56.112"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -2371,7 +2371,7 @@ First, add the client node as host object:
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client2.localdomain" { object Host "icinga2-agent2.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.112" address = "192.168.56.112"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -2434,14 +2434,14 @@ is the described in the ITL chapter for the [nscp_api](10-icinga-template-librar
Based on the [master with clients](06-distributed-monitoring.md#distributed-monitoring-master-clients) Based on the [master with clients](06-distributed-monitoring.md#distributed-monitoring-master-clients)
scenario we'll now add a local nscp check which queries the NSClient++ API to check the free disk space. scenario we'll now add a local nscp check which queries the NSClient++ API to check the free disk space.
Define a host object called `icinga2-client2.localdomain` on the master. Add the `nscp_api_password` Define a host object called `icinga2-agent2.localdomain` on the master. Add the `nscp_api_password`
custom variable and specify the drives to check. custom variable and specify the drives to check.
``` ```
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -2504,7 +2504,7 @@ If you want to monitor specific Windows services, you could use the following ex
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -2561,7 +2561,7 @@ First, add the client node as host object:
[root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master [root@icinga2-master1.localdomain /]# cd /etc/icinga2/zones.d/master
[root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf [root@icinga2-master1.localdomain /etc/icinga2/zones.d/master]# vim hosts.conf
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
check_command = "hostalive" check_command = "hostalive"
address = "192.168.56.111" address = "192.168.56.111"
vars.client_endpoint = name //follows the convention that host name == endpoint name vars.client_endpoint = name //follows the convention that host name == endpoint name
@ -2715,24 +2715,24 @@ Nodes will attempt to connect to another node when its local [Endpoint](09-objec
configuration specifies a valid `host` attribute (FQDN or IP address). configuration specifies a valid `host` attribute (FQDN or IP address).
Example for the master node `icinga2-master1.localdomain` actively connecting Example for the master node `icinga2-master1.localdomain` actively connecting
to the client node `icinga2-client1.localdomain`: to the client node `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-master1.localdomain /]# vim /etc/icinga2/zones.conf
//... //...
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" //the master actively tries to connect to the client host = "192.168.56.111" //the master actively tries to connect to the client
log_duration = 0 log_duration = 0
} }
``` ```
Example for the client node `icinga2-client1.localdomain` not actively Example for the client node `icinga2-agent1.localdomain` not actively
connecting to the master node `icinga2-master1.localdomain`: connecting to the master node `icinga2-master1.localdomain`:
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
//... //...
@ -2771,21 +2771,21 @@ Configuration on the master node `icinga2-master1.localdomain`:
//... //...
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" //the master actively tries to connect to the client host = "192.168.56.111" //the master actively tries to connect to the client
log_duration = 0 log_duration = 0
} }
object Endpoint "icinga2-client2.localdomain" { object Endpoint "icinga2-agent2.localdomain" {
host = "192.168.56.112" //the master actively tries to connect to the client host = "192.168.56.112" //the master actively tries to connect to the client
log_duration = 0 log_duration = 0
} }
``` ```
Configuration on the client `icinga2-client1.localdomain`: Configuration on the client `icinga2-agent1.localdomain`:
``` ```
[root@icinga2-client1.localdomain /]# vim /etc/icinga2/zones.conf [root@icinga2-agent1.localdomain /]# vim /etc/icinga2/zones.conf
//... //...
@ -2974,8 +2974,8 @@ Make sure that the `/var/lib/icinga2/certs` directory exists and is owned by the
user (or the user Icinga 2 is running as). user (or the user Icinga 2 is running as).
``` ```
[root@icinga2-client1.localdomain /]# mkdir -p /var/lib/icinga2/certs [root@icinga2-agent1.localdomain /]# mkdir -p /var/lib/icinga2/certs
[root@icinga2-client1.localdomain /]# chown -R icinga:icinga /var/lib/icinga2/certs [root@icinga2-agent1.localdomain /]# chown -R icinga:icinga /var/lib/icinga2/certs
``` ```
First you'll need to generate a new local self-signed certificate. First you'll need to generate a new local self-signed certificate.
@ -2989,9 +2989,9 @@ Pass the following details to the `pki new-cert` CLI command:
Example: Example:
``` ```
[root@icinga2-client1.localdomain /]# icinga2 pki new-cert --cn icinga2-client1.localdomain \ [root@icinga2-agent1.localdomain /]# icinga2 pki new-cert --cn icinga2-agent1.localdomain \
--key /var/lib/icinga2/certs/icinga2-client1.localdomain.key \ --key /var/lib/icinga2/certs/icinga2-agent1.localdomain.key \
--cert /var/lib/icinga2/certs/icinga2-client1.localdomain.crt --cert /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt
``` ```
Request the master certificate from the master host (`icinga2-master1.localdomain`) Request the master certificate from the master host (`icinga2-master1.localdomain`)
@ -3008,13 +3008,13 @@ Pass the following details to the `pki save-cert` CLI command:
Example: Example:
``` ```
[root@icinga2-client1.localdomain /]# icinga2 pki save-cert --key /var/lib/icinga2/certs/icinga2-client1.localdomain.key \ [root@icinga2-agent1.localdomain /]# icinga2 pki save-cert --key /var/lib/icinga2/certs/icinga2-agent1.localdomain.key \
--cert /var/lib/icinga2/certs/icinga2-client1.localdomain.crt \ --cert /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \ --trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--host icinga2-master1.localdomain --host icinga2-master1.localdomain
``` ```
Continue with the additional node setup step. Specify a local endpoint and zone name (`icinga2-client1.localdomain`) Continue with the additional node setup step. Specify a local endpoint and zone name (`icinga2-agent1.localdomain`)
and set the master host (`icinga2-master1.localdomain`) as parent zone configuration. Specify the path to and set the master host (`icinga2-master1.localdomain`) as parent zone configuration. Specify the path to
the previously stored trusted master certificate. the previously stored trusted master certificate.
@ -3041,10 +3041,10 @@ Pass the following details to the `node setup` CLI command:
Example: Example:
``` ```
[root@icinga2-client1.localdomain /]# icinga2 node setup --ticket ead2d570e18c78abf285d6b85524970a0f69c22d \ [root@icinga2-agent1.localdomain /]# icinga2 node setup --ticket ead2d570e18c78abf285d6b85524970a0f69c22d \
--cn icinga2-client1.localdomain \ --cn icinga2-agent1.localdomain \
--endpoint icinga2-master1.localdomain \ --endpoint icinga2-master1.localdomain \
--zone icinga2-client1.localdomain \ --zone icinga2-agent1.localdomain \
--parent_zone master \ --parent_zone master \
--parent_host icinga2-master1.localdomain \ --parent_host icinga2-master1.localdomain \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \ --trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
@ -3089,14 +3089,14 @@ If this client node is configured as [remote command endpoint execution](06-dist
you can safely disable the `checker` feature. The `node setup` CLI command already disabled the `notification` feature. you can safely disable the `checker` feature. The `node setup` CLI command already disabled the `notification` feature.
``` ```
[root@icinga2-client1.localdomain /]# icinga2 feature disable checker [root@icinga2-agent1.localdomain /]# icinga2 feature disable checker
``` ```
Disable "conf.d" inclusion if this is a [top down](06-distributed-monitoring.md#distributed-monitoring-top-down) Disable "conf.d" inclusion if this is a [top down](06-distributed-monitoring.md#distributed-monitoring-top-down)
configured client. configured client.
``` ```
[root@icinga2-client1.localdomain /]# sed -i 's/include_recursive "conf.d"/\/\/include_recursive "conf.d"/g' /etc/icinga2/icinga2.conf [root@icinga2-agent1.localdomain /]# sed -i 's/include_recursive "conf.d"/\/\/include_recursive "conf.d"/g' /etc/icinga2/icinga2.conf
``` ```
**Note**: This is the default since v2.9. **Note**: This is the default since v2.9.
@ -3104,7 +3104,7 @@ configured client.
**Optional**: Add an ApiUser object configuration for remote troubleshooting. **Optional**: Add an ApiUser object configuration for remote troubleshooting.
``` ```
[root@icinga2-client1.localdomain /]# cat <<EOF >/etc/icinga2/conf.d/api-users.conf [root@icinga2-agent1.localdomain /]# cat <<EOF >/etc/icinga2/conf.d/api-users.conf
object ApiUser "root" { object ApiUser "root" {
password = "clientsupersecretpassword" password = "clientsupersecretpassword"
permissions = ["*"] permissions = ["*"]
@ -3116,25 +3116,25 @@ In case you've previously disabled the "conf.d" directory only
add the file file `conf.d/api-users.conf`: add the file file `conf.d/api-users.conf`:
``` ```
[root@icinga2-client1.localdomain /]# echo 'include "conf.d/api-users.conf"' >> /etc/icinga2/icinga2.conf [root@icinga2-agent1.localdomain /]# echo 'include "conf.d/api-users.conf"' >> /etc/icinga2/icinga2.conf
``` ```
Finally restart Icinga 2. Finally restart Icinga 2.
``` ```
[root@icinga2-client1.localdomain /]# systemctl restart icinga2 [root@icinga2-agent1.localdomain /]# systemctl restart icinga2
``` ```
Your automation tool must then configure master node in the meantime. Your automation tool must then configure master node in the meantime.
``` ```
# cat <<EOF >>/etc/icinga2/zones.conf # cat <<EOF >>/etc/icinga2/zones.conf
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
//client connects itself //client connects itself
} }
object Zone "icinga2-client1.localdomain" { object Zone "icinga2-agent1.localdomain" {
endpoints = [ "icinga2-client1.localdomain" ] endpoints = [ "icinga2-agent1.localdomain" ]
parent = "master" parent = "master"
} }
@ -3163,11 +3163,11 @@ When Icinga establishes a TLS connection to another cluster instance it automati
to signal which endpoint it is attempting to connect to. On its own this can already be used to position multiple to signal which endpoint it is attempting to connect to. On its own this can already be used to position multiple
Icinga instances behind a load balancer. Icinga instances behind a load balancer.
SNI example: `icinga2-client1.localdomain` SNI example: `icinga2-agent1.localdomain`
However, if the environment is configured to `production`, Icinga appends the environment name to the SNI hostname like this: However, if the environment is configured to `production`, Icinga appends the environment name to the SNI hostname like this:
SNI example with environment: `icinga2-client1.localdomain:production` SNI example with environment: `icinga2-agent1.localdomain:production`
Middleware like loadbalancers or TLS proxies can read the SNI header and route the connection to the appropriate target. Middleware like loadbalancers or TLS proxies can read the SNI header and route the connection to the appropriate target.
I.e., it uses a single externally-visible TCP port (usually 5665) and forwards connections to one or more Icinga I.e., it uses a single externally-visible TCP port (usually 5665) and forwards connections to one or more Icinga

6
doc/09-object-types.md
View File

@ -302,7 +302,7 @@ Icinga 2 instances. More details can be found in the [distributed monitoring cha
Example: Example:
``` ```
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.56.111" host = "192.168.56.111"
port = 5665 port = 5665
log_duration = 1d log_duration = 1d
@ -312,7 +312,7 @@ object Endpoint "icinga2-client1.localdomain" {
Example (disable replay log): Example (disable replay log):
``` ```
object Endpoint "icinga2-client1.localdomain" { object Endpoint "icinga2-agent1.localdomain" {
host = "192.168.5.111" host = "192.168.5.111"
port = 5665 port = 5665
log_duration = 0 log_duration = 0
@ -364,7 +364,7 @@ A host.
Example: Example:
``` ```
object Host "icinga2-client1.localdomain" { object Host "icinga2-agent1.localdomain" {
display_name = "Linux Client 1" display_name = "Linux Client 1"
address = "192.168.56.111" address = "192.168.56.111"
address6 = "2a00:1450:4001:815::2003" address6 = "2a00:1450:4001:815::2003"

8
doc/11-cli-commands.md
View File

@ -342,12 +342,12 @@ Icinga 2 (version: v2.11.0)
Once connected you can inspect variables and execute other expressions by entering them at the prompt: Once connected you can inspect variables and execute other expressions by entering them at the prompt:
``` ```
<1> => var h = get_host("icinga2-client1.localdomain") <1> => var h = get_host("icinga2-agent1.localdomain")
null null
<2> => h.last_check_result <2> => h.last_check_result
{ {
active = true active = true
check_source = "icinga2-client1.localdomain" check_source = "icinga2-agent1.localdomain"
command = [ "/usr/local/sbin/check_ping", "-H", "127.0.0.1", "-c", "5000,100%", "-w", "3000,80%" ] command = [ "/usr/local/sbin/check_ping", "-H", "127.0.0.1", "-c", "5000,100%", "-w", "3000,80%" ]
execution_end = 1446653527.174983 execution_end = 1446653527.174983
execution_start = 1446653523.152673 execution_start = 1446653523.152673
@ -382,10 +382,10 @@ The `--syntax-only` option can be used in combination with `--eval` or `--file`
to check a script for syntax errors. In this mode the script is parsed to identify to check a script for syntax errors. In this mode the script is parsed to identify
syntax errors but not evaluated. syntax errors but not evaluated.
Here's an example that retrieves the command that was used by Icinga to check the `icinga2-client1.localdomain` host: Here's an example that retrieves the command that was used by Icinga to check the `icinga2-agent1.localdomain` host:
``` ```
$ ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://root@localhost:5665/' --eval 'get_host("icinga2-client1.localdomain").last_check_result.command' | python -m json.tool $ ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://root@localhost:5665/' --eval 'get_host("icinga2-agent1.localdomain").last_check_result.command' | python -m json.tool
[ [
"/usr/local/sbin/check_ping", "/usr/local/sbin/check_ping",
"-H", "-H",

4
doc/12-icinga2-api.md
View File

@ -1503,12 +1503,12 @@ Example:
``` ```
$ curl -k -s -u root:icinga -H 'Accept: application/json' \ $ curl -k -s -u root:icinga -H 'Accept: application/json' \
-X POST 'https://localhost:5665/v1/actions/generate-ticket' \ -X POST 'https://localhost:5665/v1/actions/generate-ticket' \
-d '{ "cn": "icinga2-client1.localdomain", "pretty": true }' -d '{ "cn": "icinga2-agent1.localdomain", "pretty": true }'
{ {
"results": [ "results": [
{ {
"code": 200.0, "code": 200.0,
"status": "Generated PKI ticket '4f75d2ecd253575fe9180938ebff7cbca262f96e' for common name 'icinga2-client1.localdomain'.", "status": "Generated PKI ticket '4f75d2ecd253575fe9180938ebff7cbca262f96e' for common name 'icinga2-agent1.localdomain'.",
"ticket": "4f75d2ecd253575fe9180938ebff7cbca262f96e" "ticket": "4f75d2ecd253575fe9180938ebff7cbca262f96e"
} }
] ]

38
doc/15-troubleshooting.md
View File

@ -393,10 +393,10 @@ $ curl -k -s -u root:icinga -H 'Accept: application/json' -H 'X-HTTP-Method-Over
"results": [ "results": [
{ {
"attrs": { "attrs": {
"__name": "icinga2-client1.localdomain!disk", "__name": "icinga2-agent1.localdomain!disk",
"last_check_result": { "last_check_result": {
"active": true, "active": true,
"check_source": "icinga2-client1.localdomain", "check_source": "icinga2-agent1.localdomain",
... ...
@ -404,7 +404,7 @@ $ curl -k -s -u root:icinga -H 'Accept: application/json' -H 'X-HTTP-Method-Over
}, },
"joins": {}, "joins": {},
"meta": {}, "meta": {},
"name": "icinga2-client1.localdomain!disk", "name": "icinga2-agent1.localdomain!disk",
"type": "Service" "type": "Service"
} }
] ]
@ -415,9 +415,9 @@ Example for using the `icinga2 console` CLI command evaluation functionality:
``` ```
$ ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://root@localhost:5665/' \ $ ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://root@localhost:5665/' \
--eval 'get_service("icinga2-client1.localdomain", "disk").last_check_result.check_source' | python -m json.tool --eval 'get_service("icinga2-agent1.localdomain", "disk").last_check_result.check_source' | python -m json.tool
"icinga2-client1.localdomain" "icinga2-agent1.localdomain"
``` ```
@ -475,7 +475,7 @@ in mind when using a different package.
This could happen with [clients as command endpoint execution](06-distributed-monitoring.md#distributed-monitoring-top-down-command-endpoint). This could happen with [clients as command endpoint execution](06-distributed-monitoring.md#distributed-monitoring-top-down-command-endpoint).
If you have for example a client host `icinga2-client1.localdomain` If you have for example a client host `icinga2-agent1.localdomain`
and a service `disk` check defined on the master, the warning and and a service `disk` check defined on the master, the warning and
critical thresholds are sometimes to applied and unwanted notification critical thresholds are sometimes to applied and unwanted notification
alerts are raised. alerts are raised.
@ -909,7 +909,7 @@ Certificate:
Client public certificate: Client public certificate:
``` ```
# openssl x509 -in icinga2-client1.localdomain.crt -text # openssl x509 -in icinga2-agent1.localdomain.crt -text
Certificate: Certificate:
Data: Data:
@ -921,7 +921,7 @@ Certificate:
Validity Validity
Not Before: Aug 20 16:20:05 2016 GMT Not Before: Aug 20 16:20:05 2016 GMT
Not After : Aug 17 16:20:05 2031 GMT Not After : Aug 17 16:20:05 2031 GMT
Subject: CN=icinga2-client1.localdomain Subject: CN=icinga2-agent1.localdomain
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit) Public-Key: (4096 bit)
@ -932,7 +932,7 @@ Certificate:
X509v3 Basic Constraints: critical X509v3 Basic Constraints: critical
CA:FALSE CA:FALSE
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
DNS:icinga2-client1.localdomain DNS:icinga2-agent1.localdomain
Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption
... ...
``` ```
@ -944,14 +944,14 @@ both instances are signed by the **same CA**.
# openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/icinga2-master1.localdomain.crt # openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/icinga2-master1.localdomain.crt
icinga2-master1.localdomain.crt: OK icinga2-master1.localdomain.crt: OK
# openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/icinga2-client1.localdomain.crt # openssl verify -verbose -CAfile /var/lib/icinga2/certs/ca.crt /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt
icinga2-client1.localdomain.crt: OK icinga2-agent1.localdomain.crt: OK
``` ```
Fetch the `ca.crt` file from the client node and compare it to your master's `ca.crt` file: Fetch the `ca.crt` file from the client node and compare it to your master's `ca.crt` file:
``` ```
# scp icinga2-client1:/var/lib/icinga2/certs/ca.crt test-client-ca.crt # scp icinga2-agent1:/var/lib/icinga2/certs/ca.crt test-client-ca.crt
# diff -ur /var/lib/icinga2/certs/ca.crt test-client-ca.crt # diff -ur /var/lib/icinga2/certs/ca.crt test-client-ca.crt
``` ```
@ -1122,7 +1122,7 @@ works (default port is `5665`).
# netstat -tulpen | grep icinga # netstat -tulpen | grep icinga
# nmap icinga2-client1.localdomain # nmap icinga2-agent1.localdomain
``` ```
### Cluster Troubleshooting SSL Errors <a id="troubleshooting-cluster-ssl-errors"></a> ### Cluster Troubleshooting SSL Errors <a id="troubleshooting-cluster-ssl-errors"></a>
@ -1136,10 +1136,10 @@ the following
* Verify the `Subject` containing your endpoint's common name (CN) * Verify the `Subject` containing your endpoint's common name (CN)
* Check the validity of the certificate itself * Check the validity of the certificate itself
Try to manually connect from `icinga2-client1.localdomain` to the master node `icinga2-master1.localdomain`: Try to manually connect from `icinga2-agent1.localdomain` to the master node `icinga2-master1.localdomain`:
``` ```
# openssl s_client -CAfile /var/lib/icinga2/certs/ca.crt -cert /var/lib/icinga2/certs/icinga2-client1.localdomain.crt -key /var/lib/icinga2/certs/icinga2-client1.localdomain.key -connect icinga2-master1.localdomain:5665 # openssl s_client -CAfile /var/lib/icinga2/certs/ca.crt -cert /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt -key /var/lib/icinga2/certs/icinga2-agent1.localdomain.key -connect icinga2-master1.localdomain:5665
CONNECTED(00000003) CONNECTED(00000003)
--- ---
@ -1156,7 +1156,7 @@ Unauthenticated nodes are able to connect. This is required for client setups.
Master: Master:
``` ```
[2015-07-13 18:29:25 +0200] information/ApiListener: New client connection for identity 'icinga2-client1.localdomain' (unauthenticated) [2015-07-13 18:29:25 +0200] information/ApiListener: New client connection for identity 'icinga2-agent1.localdomain' (unauthenticated)
``` ```
Client as command execution bridge: Client as command execution bridge:
@ -1247,14 +1247,14 @@ If the client cannot authenticate, it's a more general [problem](15-troubleshoot
The client's endpoint is not configured on nor trusted by the master node: The client's endpoint is not configured on nor trusted by the master node:
``` ```
Discarding 'check result' message from 'icinga2-client1.localdomain': Invalid endpoint origin (client not allowed). Discarding 'check result' message from 'icinga2-agent1.localdomain': Invalid endpoint origin (client not allowed).
``` ```
The check result message sent by the client does not belong to the zone the checkable object is The check result message sent by the client does not belong to the zone the checkable object is
in on the master: in on the master:
``` ```
Discarding 'check result' message from 'icinga2-client1.localdomain': Unauthorized access. Discarding 'check result' message from 'icinga2-agent1.localdomain': Unauthorized access.
``` ```
@ -1297,7 +1297,7 @@ the `NodeName` constant with the FQDN. Ensure this is the same value
as the local endpoint object name. as the local endpoint object name.
``` ```
const NodeName = "windows-client1.domain.com" const NodeName = "windows-agent1.domain.com"
``` ```

8
doc/16-upgrading-icinga-2.md
View File

@ -534,8 +534,8 @@ The default certificate path was changed from `/etc/icinga2/pki` to
Old Path | New Path Old Path | New Path
---------------------------------------------------|--------------------------------------------------- ---------------------------------------------------|---------------------------------------------------
`/etc/icinga2/pki/icinga2-client1.localdomain.crt` | `/var/lib/icinga2/certs/icinga2-client1.localdomain.crt` `/etc/icinga2/pki/icinga2-agent1.localdomain.crt` | `/var/lib/icinga2/certs/icinga2-agent1.localdomain.crt`
`/etc/icinga2/pki/icinga2-client1.localdomain.key` | `/var/lib/icinga2/certs/icinga2-client1.localdomain.key` `/etc/icinga2/pki/icinga2-agent1.localdomain.key` | `/var/lib/icinga2/certs/icinga2-agent1.localdomain.key`
`/etc/icinga2/pki/ca.crt` | `/var/lib/icinga2/certs/ca.crt` `/etc/icinga2/pki/ca.crt` | `/var/lib/icinga2/certs/ca.crt`
This applies to Windows clients in the same way: `%ProgramData%\etc\icinga2\pki` This applies to Windows clients in the same way: `%ProgramData%\etc\icinga2\pki`
@ -543,8 +543,8 @@ was moved to `%ProgramData%\var\lib\icinga2\certs`.
Old Path | New Path Old Path | New Path
----------------------------------------------------------------|---------------------------------------------------------------- ----------------------------------------------------------------|----------------------------------------------------------------
`%ProgramData%\etc\icinga2\pki\icinga2-client1.localdomain.crt` | `%ProgramData%\var\lib\icinga2\certs\icinga2-client1.localdomain.crt` `%ProgramData%\etc\icinga2\pki\icinga2-agent1.localdomain.crt` | `%ProgramData%\var\lib\icinga2\certs\icinga2-agent1.localdomain.crt`
`%ProgramData%\etc\icinga2\pki\icinga2-client1.localdomain.key` | `%ProgramData%\var\lib\icinga2\certs\icinga2-client1.localdomain.key` `%ProgramData%\etc\icinga2\pki\icinga2-agent1.localdomain.key` | `%ProgramData%\var\lib\icinga2\certs\icinga2-agent1.localdomain.key`
`%ProgramData%\etc\icinga2\pki\ca.crt` | `%ProgramData%\var\lib\icinga2\certs\ca.crt` `%ProgramData%\etc\icinga2\pki\ca.crt` | `%ProgramData%\var\lib\icinga2\certs\ca.crt`