tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update the agent setup scripts. 

Refs #6107
This commit is contained in:
Gunnar Beutner 2014-05-12 14:46:02 +02:00
parent 5c54dc7846
commit 9864af3d12
2 changed files with 86 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
pki/icinga2-setup-agent.cmake
View File

@ -2,8 +2,12 @@
ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
ICINGA2CONFIG=@CMAKE_INSTALL_FULL_SYSCONFDIR@/icinga2 ICINGA2CONFIG=@CMAKE_INSTALL_FULL_SYSCONFDIR@/icinga2
name=`hostname --fqdn`
echo "Agent name: $name"
if [ -n "$1" ]; then if [ -n "$1" ]; then
if [ ! -e $ICINGA2CONFIG/pki/agent/agent.key ]; then if [ ! -e $ICINGA2CONFIG/pki/$name.key ]; then
echo "You haven't generated a private key for this Icinga 2 instance" echo "You haven't generated a private key for this Icinga 2 instance"
echo "yet. Please run this script without any parameters to generate a key." echo "yet. Please run this script without any parameters to generate a key."
exit 1 exit 1
@ -53,38 +57,19 @@ if [ -n "$1" ]; then
done done
fi fi
listener_port=""
while true; do while true; do
echo -n "Do you want this agent instance to listen on a TCP port? [y] " echo -n "Which TCP port should the agent listen on? [5665] "
if ! read listener; then if ! read listener_port; then
exit 1 exit 1
fi fi
if [ "$listener" = "y" -o "$listener" = "n" -o -z "$listener" ]; then break
break
fi
echo "Please enter 'y' or 'n'."
done done
if [ -z "$listener" ]; then if [ -z "$listener_port" ]; then
listener=y listener_port=5665
fi
listener_port=""
if [ "$listener" = "y" ]; then
while true; do
echo -n "Which TCP port should the agent listen on? [5665] "
if ! read listener_port; then
exit 1
fi
break
done
if [ -z "$listener_port" ]; then
listener_port=5665
fi
fi fi
upstream_connect=n upstream_connect=n
@ -108,77 +93,88 @@ if [ -n "$1" ]; then
fi fi
if [ "$upstream_connect" = "y" ]; then if [ "$upstream_connect" = "y" ]; then
while true; do echo -n "Master instance IP address/hostname [$upstream_name]: "
echo -n "Master instance IP address/hostname: " if ! read upstream_host; then
if ! read upstream_host; then exit 1
exit 1 fi
fi
if [ -n "$upstream_host" ]; then if [ -z "$upstream_host" ]; then
break upstream_host=$upstream_name
fi fi
echo "Please enter the master instance's hostname." echo -n "Master instance port [5665]: "
done if ! read upstream_port; then
exit 1
fi
while true; do if [ -z "$upstream_port" ]; then
echo -n "Master instace port: " upstream_port=5665
if ! read upstream_port; then fi
exit 1
fi
if [ -n "$upstream_port" ]; then
break
fi
echo "Please enter the master instance's port."
done
fi fi
fi fi
echo "Installing the certificate bundle..." echo "Installing the certificate bundle..."
base64 -d < $1 | tar -C $ICINGA2CONFIG/pki/agent/ -zx || exit 1 base64 -d < $1 | tar -C $ICINGA2CONFIG/pki/ -zx || exit 1
chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki/agent/* || exit 1 chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki/* || exit 1
echo "Setting up agent configuration..." echo "Setting up api.configuration..."
cat >$ICINGA2CONFIG/features-available/agent.conf <<AGENT cat >$ICINGA2CONFIG/features-available/api.conf <<AGENT
/** /**
* The agent listener accepts checks from agents. * The API listener is used for distributed monitoring setups.
*/ */
library "agent" object ApiListener "api" {
cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
ca_path = SysconfDir + "/icinga2/pki/ca.crt"
bind_port = "$listener_port"
}
object Endpoint NodeName {
host = NodeName
object AgentListener "agent" {
cert_path = SysconfDir + "/icinga2/pki/agent/agent.crt"
key_path = SysconfDir + "/icinga2/pki/agent/agent.key"
ca_path = SysconfDir + "/icinga2/pki/agent/ca.crt"
AGENT AGENT
if [ "$master" = "n" ]; then if [ "$master" = "n" ]; then
cat >>$ICINGA2CONFIG/features-available/agent.conf <<AGENT cat >>$ICINGA2CONFIG/features-available/api.conf <<AGENT
upstream_name = "$upstream_name" upstream_name = "$upstream_name"
AGENT AGENT
fi fi
if [ "$listener" = "y" ]; then cat >>$ICINGA2CONFIG/features-available/api.conf <<AGENT
cat >>$ICINGA2CONFIG/features-available/agent.conf <<AGENT }
bind_port = "$listener_port"
object Zone ZoneName {
AGENT AGENT
fi
if [ "$upstream_connect" = "y" ]; then if [ "$upstream_connect" = "y" ]; then
cat >>$ICINGA2CONFIG/features-available/agent.conf <<AGENT cat >>$ICINGA2CONFIG/features-available/api.conf <<AGENT
upstream_host = "$upstream_host" parent = "$upstream_name"
upstream_port = "$upstream_port"
AGENT AGENT
fi fi
cat >>$ICINGA2CONFIG/features-available/agent.conf <<AGENT cat >>$ICINGA2CONFIG/features-available/api.conf <<AGENT
endpoints = [ NodeName ]
} }
AGENT AGENT
echo "Enabling agent feature..." if [ "$upstream_connect" = "y" ]; then
@CMAKE_INSTALL_FULL_SBINDIR@/icinga2-enable-feature agent cat >>$ICINGA2CONFIG/features-available/api.conf <<AGENT
object Endpoint "$upstream_name" {
host = "$upstream_host"
port = "$upstream_port"
}
object Zone "$upstream_name" {
endpoints = [ "$upstream_name" ]
}
AGENT
fi
echo "Enabling API feature..."
@CMAKE_INSTALL_FULL_SBINDIR@/icinga2-enable-feature api
if [ ! -e "@CMAKE_INSTALL_FULL_SYSCONFDIR@/monitoring" ]; then if [ ! -e "@CMAKE_INSTALL_FULL_SYSCONFDIR@/monitoring" ]; then
ln -s $ICINGA2CONFIG/conf.d/hosts/localhost @CMAKE_INSTALL_FULL_SYSCONFDIR@/monitoring ln -s $ICINGA2CONFIG/conf.d/hosts/localhost @CMAKE_INSTALL_FULL_SYSCONFDIR@/monitoring
@ -196,28 +192,22 @@ AGENT
exit 0 exit 0
fi fi
name=$(hostname --fqdn) mkdir -p $ICINGA2CONFIG/pki
echo "Host name: $name"
mkdir -p $ICINGA2CONFIG/pki/agent
chmod 700 $ICINGA2CONFIG/pki chmod 700 $ICINGA2CONFIG/pki
chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki || exit 1 chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki || exit 1
chmod 700 $ICINGA2CONFIG/pki/agent
chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki/agent || exit 1
if [ -e $ICINGA2CONFIG/pki/agent/agent.key ]; then if [ -e $ICINGA2CONFIG/pki/$name.crt ]; then
echo "You already have agent certificates in $ICINGA2CONFIG/pki/agent/" echo "You already have agent certificates in $ICINGA2CONFIG/pki/"
exit 1 exit 1
fi fi
REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA2CONFIG/pki/agent" openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA2CONFIG/pki/agent/agent.key -outform PEM -out $ICINGA2CONFIG/pki/agent/agent.csr -nodes && \ REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA2CONFIG/pki/" openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA2CONFIG/pki/$name.key -outform PEM -out $ICINGA2CONFIG/pki/$name.csr -nodes && \
chmod 600 $ICINGA2CONFIG/pki/agent/agent.key chmod 600 $ICINGA2CONFIG/pki/$name.key
echo "Please sign the following CSR using the Agent CA:" echo "Please sign the following CSR using the Agent CA:"
echo "" echo ""
cat $ICINGA2CONFIG/pki/agent/agent.csr cat $ICINGA2CONFIG/pki/$name.csr
echo "" echo ""

19
pki/icinga2-sign-key.cmake
View File

@ -28,12 +28,21 @@ fi
openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$pubkfile.crt -CAserial $ICINGA_CA/serial openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$pubkfile.crt -CAserial $ICINGA_CA/serial
cn=`openssl x509 -in $pubkfile.crt -subject | grep -Eo '/CN=[^ ]+' | cut -f2- -d=`
case "$cn" in
*/*)
echo "commonName contains invalid character (/)."
exit 1
;;
esac
mv $pubkfile.crt $cn.crt
pubkfile=$cn
# Make an agent bundle file # Make an agent bundle file
mkdir -p $ICINGA_CA/agent tar cz -C $ICINGA_CA $pubkfile.crt ca.crt | base64 > $ICINGA_CA/$pubkfile.bundle
cp $ICINGA_CA/$pubkfile.crt $ICINGA_CA/agent/agent.crt
cp $ICINGA_CA/ca.crt $ICINGA_CA/agent/ca.crt
tar cz -C $ICINGA_CA/agent/ ca.crt agent.crt | base64 > $ICINGA_CA/$pubkfile.bundle
rm -rf $ICINGA_CA/agent
echo "Done. $pubkfile.crt and $pubkfile.bundle files were written." echo "Done. $pubkfile.crt and $pubkfile.bundle files were written."
exit 0 exit 0