17 KiB
Icinga 2 API
Introduction
The Icinga 2 API allows you to manage configuration objects and resources in a simple, programmatic way using HTTP requests.
The endpoints are logically separated allowing you to easily make calls to
- retrieve information (status, config)
- run actions (reschedule checks, etc.)
- create/update/delete configuration objects
- manage configuration modules
- subscribe to event streams
This chapter will start with a general overview followed by detailed information about specific endpoints.
<a id="icinga2-api-requests> Requests
Any tool capable of making HTTP requests can communicate with the API, for example curl.
Requests are only allowed to use the HTTPS protocol so that traffic remains encrypted.
By default the Icinga 2 API listens on port 5665
sharing this
port with the cluster communication protocol. This can be changed
by setting the bind_port
attribute in the ApiListener
configuration object in the /etc/icinga2/features-available/api.conf
file.
Supported request methods:
Method | Usage |
---|---|
GET | Retrieve information about configuration objects. Any request using the GET method is read-only and does not affect any objects. |
POST | Update attributes of a specified configuration object. |
PUT | Create a new object. The PUT request must include all attributes required to create a new object. |
DELETE | Remove an object created by the API. The DELETE method is idempotent and does not require any check if the object actually exists. |
<a id="icinga2-api-http-statuses> HTTP Statuses
The API will return standard HTTP statuses including error codes.
When an error occurs, the response body will contain additional information about the problem and its source.
A status in the range of 200 generally means that the request was succesful and no error was encountered.
Return codes within the 400 range indicate that there was a problem with the request. Either you did not authenticate correctly, you are missing the authorization for your requested action, the requested object does not exist or the request was malformed.
A status in the range of 500 generally means that there was a server-side problem and Icinga 2 is unable to process your request currently.
Ask your Icinga 2 system administrator to check the icinga2.log
file for further
troubleshooting.
<a id="icinga2-api-responses> Responses
Succesful requests will send back a response body containing a results
list. Depending on the number of affected objects in your request, the
results may contain one or more entries.
The output will be sent back as JSON object:
{
"results": [
{
"code": 200.0,
"status": "Object was created."
}
]
}
<a id="icinga2-api-authentication> Authentication
There are two different ways for authenticating against the Icinga 2 API:
- username and password using HTTP basic auth
- X.509 certificate with client CN
In order to configure a new API user you'll need to add a new ApiUser
configuration object. In this example root
will be the basic auth username
and the password
attribute contains the basic auth password.
vim /etc/icinga2/conf.d/api-users.conf
object ApiUser "root" {
password = icinga"
}
Alternatively you can use X.509 client certificates by specifying the client_cn
the API should trust.
vim /etc/icinga2/conf.d/api-users.conf
object ApiUser "api-clientcn" {
password = "CertificateCommonName"
}
An ApiUser
object can have both methods configured. Sensitive information
such as the password will not be exposed through the API itself.
New installations of Icinga 2 will automatically generate a new ApiUser
named root
with a generated password in the /etc/icinga2/conf.d/api-users.conf
file.
You can manually invoke the cli command icinga2 api setup
which will generate
a new local CA, self-signed certificate and a new API user configuration.
Once the API user is configured make sure to restart Icinga 2:
# service icinga2 restart
Now pass the basic auth information to curl and send a GET request to the API:
$ curl -u root:icinga -k -s 'https://nbmif.int.netways.de:5665/v1' -X GET
In case you will get Unauthorized
make sure to check the API user credentials.
<a id="icinga2-api-permissions> Permissions
TODO https://dev.icinga.org/issues/9088
<a id="icinga2-api-parameters> Parameters
Depending on the request method there are two ways of passing parameters to the request:
- JSON body (
POST
,PUT
) - Query string (
GET
,DELETE
)
Reserved characters by the HTTP protocol must be passed url-encoded as query string, e.g. a
whitespace becomes %20
.
Example for query string:
/v1/hosts?filter=match(%22nbmif*%22,host.name)&attrs=host.name&attrs=host.state
Example for JSON body:
{ "attrs": { "address": "8.8.4.4", "vars.os" : "Windows" } }
TODO
<a id="icinga2-api-filters> Filters
Use the same syntax as for apply rule expressions for filtering specific objects.
Example for all services in NOT-OK state:
https://localhost:5665/v1/services?filter=service.state!=0
Example for matching all hosts by name (Note: "
are url-encoded as %22
):
https://localhost:5665/v1/hosts?filter=match(%22nbmif*%22,host.name)
TODO
<a id="icinga2-api-output-format>Output Format
The request and reponse body contain a JSON encoded string.
<a id="icinga2-api-version>Version
Each url contains the version string as prefix (currently "/v1").
<a id="icinga2-api-url-overview>Url Overview
The Icinga 2 API provides multiple url endpoints
Url Endpoints | Description |
---|---|
/v1/actions | Endpoint for running specific API actions. |
/v1/config | Endpoint for managing configuration modules. |
/v1/events | Endpoint for subscribing to API events. |
/v1/types | Endpoint for listing Icinga 2 configuration object types and their attributes. |
Additionally there are endpoints for each config object type:
TODO Update
Url Endpoints | Description |
---|---|
/v1/hosts | Endpoint for retreiving and updating Host objects. |
/v1/services | Endpoint for retreiving and updating Service objects. |
/v1/notifications | Endpoint for retreiving and updating Notification objects. |
/v1/dependencies | Endpoint for retreiving and updating Dependency objects. |
/v1/users | Endpoint for retreiving and updating User objects. |
/v1/checkcommands | Endpoint for retreiving and updating CheckCommand objects. |
/v1/eventcommands | Endpoint for retreiving and updating EventCommand objects. |
/v1/notificationcommands | Endpoint for retreiving and updating NotificationCommand objects. |
/v1/hostgroups | Endpoint for retreiving and updating HostGroup objects. |
/v1/servicegroups | Endpoint for retreiving and updating ServiceGroup objects. |
/v1/usergroups | Endpoint for retreiving and updating UserGroup objects. |
/v1/zones | Endpoint for retreiving and updating Zone objects. |
/v1/endpoints | Endpoint for retreiving and updating Endpoint objects. |
/v1/timeperiods | Endpoint for retreiving and updating TimePeriod objects. |
<a id="icinga2-api-actions> Actions
There are several actions available for Icinga 2 provided by the actions
url endpoint.
In case you have been using the external commands in the past, the API actions provide a yet more powerful interface with filters and even more functionality.
Actions require specific target types (e.g. type=Host
) and a filter
TODO
Action name | Parameters | Target types | Notes |
---|---|---|---|
process-check-result | exit_status; plugin_output; check_source; performance_data[]; check_command[]; execution_end; execution_start; schedule_end; schedule_start | Service; Host | - |
reschedule-check | {next_check}; {(force_check)} | Service; Host | - |
acknowledge-problem | author; comment; {timestamp}; {(sticky)}; {(notify)} | Service; Host | - |
remove-acknowledgement | - | Service; Host | - |
add-comment | author; comment | Service; Host | - |
remove-comment | - | Service;Host | - |
remove-comment-by-id | comment_id | - | - |
delay-notifications | timestamp | Service;Host | - |
add-downtime | start_time; end_time; duration; author; comment; {trigger_id}; {(fixed)} | Service; Host; ServiceGroup; HostGroup | Downtime for all services on host x? |
remove-downtime | - | Service; Host | - |
remove-downtime-by-id | downtime_id | - | - |
send-custom-notification | options[]; author; comment | Service; Host | - |
enable-passive-checks | - | Service; Host; ServiceGroup; HostGroup | "System" as target? disable-passive-checks | - | Service; Host; ServiceGroup; HostGroup | diable all passive checks for services of hosts y in hostgroup x? enable-active-checks | - | Host; HostGroup | - disable-active-checks | - | Host; HostGroup | - enable-notifications | - | Service; Host; ServiceGroup; HostGroup | Enable all notifications for services of host x? disable-notifications | - | Service; Host; ServiceGroup; HostGroup | - enable-flap-detection | - | Service; Host; ServiceGroup; HostGroup | - disable-flap-detection | - | Service; Host; ServiceGroup; HostGroup | - enable-event-handler | - | Service; Host | - disable-event-handler | - | Service; Host | -
enable-global-notifications | - | - | - disable-global-notifications | - | - | - enable-global-flap-detection | - | - | - disable-global-flap-detection | - | - | - enable-global-event-handlers | - | - | - disable-global-event-handlers | - | - | - enable-global-performance-data | - | - | - disable-global-performance-data | - | - | - start-global-executing-svc-checks | - | - | - stop-global-executing-svc-checks | - | - | - start-global-executing-host-checks | - | - | - stop-global-executing-host-checks | - | - | - shutdown-process | - | - | - restart-process | - | - | -
Examples:
Reschedule a service check for all services in NOT-OK state:
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/actions/reschedule-check?filter=service.state!=0&type=Service' -X POST | python -m json.tool
{
"results": [
{
"code": 200.0,
"status": "Successfully rescheduled check for nbmif.int.netways.de!http."
},
{
"code": 200.0,
"status": "Successfully rescheduled check for nbmif.int.netways.de!disk."
},
{
"code": 200.0,
"status": "Successfully rescheduled check for nbmif.int.netways.de!disk /."
}
]
}
<a id="icinga2-api-config-management> Configuration Management
/v1/config
TODO Depends on https://dev.icinga.org/issues/9953
<a id="icinga2-api-events> Events
TODO
<a id="icinga2-api-hosts> Hosts
All object attributes are prefixed with their respective object type.
Example:
host.address
Output listing and url parameters use the same syntax.
<a id="icinga2-api-hosts-list> List All Hosts
Send a GET
request to /v1/hosts
to list all host objects and
their attributes.
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts' -X GET
<a id="icinga2-api-hosts-create> Create New Host Object
New objects must be created by sending a PUT request. The following parameters need to be passed inside the JSON body:
Parameters | Description |
---|---|
name | Optional. If not specified inside the url, this is required. |
templates | Optional. Import existing configuration templates, e.g. generic-host . |
attrs | Required. Set specific Host object attributes. |
If attributes are of the Dictionary type, you can also use the indexer format:
"attrs": { "vars.os": "Linux" }
Example:
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com' \
-X PUT \
-d '{ "templates": [ "generic-host" ], "attrs": { "address": "8.8.8.8", "vars.os" : "Linux" } }' \
| python -m json.tool
{
"results": [
{
"code": 200.0,
"status": "Object was created."
}
]
}
Note: Host objects require the check_command
attribute. In the example above the generic-host
template already provides such.
If the configuration validation fails, the new object will not be created and the response body
contains a detailed error message. The following example omits the required check_command
attribute.
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com' \
-X PUT \
-d '{ "attrs": { "address": "8.8.8.8", "vars.os" : "Linux" } }' \
| python -m json.tool
{
"results": [
{
"code": 500.0,
"errors": [
"Error: Validation failed for object 'google.com' of type 'Host'; Attribute 'check_command': Attribute must not be empty."
],
"status": "Object could not be created."
}
]
}
<a id="icinga2-api-hosts-show> Show Host
Send a GET
request including the host name inside the url:
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com' -X GET
You can select specific attributes by adding them as url parameters using ?attrs=...
. Multiple
attributes must be added one by one, e.g. ?attrs=host.address&attrs=host.name
.
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com?attrs=host.name&attrs=host.address' -X GET | python -m json.tool
{
"results": [
{
"attrs": {
"host.address": "8.8.8.8",
"host.name": "google.com"
}
}
]
}
<a id="icinga2-api-hosts-modify> Modify Host
Existing objects must be modifed by sending a POST
request. The following
parameters need to be passed inside the JSON body:
Parameters | Description |
---|---|
name | Optional. If not specified inside the url, this is required. |
templates | Optional. Import existing configuration templates, e.g. generic-host . |
attrs | Required. Set specific Host object attributes. |
If attributes are of the Dictionary type, you can also use the indexer format:
"attrs": { "vars.os": "Linux" }
Example for existing object google.com
:
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com' \
-X POST \
-d '{ "attrs": { "address": "8.8.4.4", "vars.os" : "Windows" } }' \
| python -m json.tool
{
"results": [
{
"code": 200.0,
"name": "google.com",
"status": "Attributes updated.",
"type": "Host"
}
]
}
<a id="icinga2-api-hosts-delete> Delete Host
You can delete objects created using the API by sending a DELETE
request. Specify the object name inside the url.
Parameters | Description |
---|---|
cascade | Optional. Delete objects depending on the deleted objects (e.g. services on a host). |
Example:
$ curl -u root:icinga -k -s 'https://localhost:5665/v1/hosts/google.com?cascade=1' -X DELETE | python -m json.tool
{
"results": [
{
"code": 200.0,
"name": "google.com",
"status": "Object was deleted.",
"type": "Host"
}
]
}
TODO Add more config objects