"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/06-distributed-monitoring.md" between
icinga2-2.11.5.tar.gz and icinga2-2.12.0.tar.gz

About: Icinga 2 is an enterprise grade monitoring system which keeps watch over networks and any conceivable network resource.

06-distributed-monitoring.md  (icinga2-2.11.5):06-distributed-monitoring.md  (icinga2-2.12.0)
skipping to change at line 691 skipping to change at line 691
Now restart your Icinga 2 daemon to finish the installation! Now restart your Icinga 2 daemon to finish the installation!
``` ```
> **Note** > **Note**
> >
> If you have chosen not to connect to the parent node, you cannot start > If you have chosen not to connect to the parent node, you cannot start
> Icinga 2 yet. The wizard asked you to manually copy the master's public > Icinga 2 yet. The wizard asked you to manually copy the master's public
> CA certificate file into `/var/lib/icinga2/certs/ca.crt`. > CA certificate file into `/var/lib/icinga2/certs/ca.crt`.
> >
> You need to manually sign the CSR on the master node. > You need to [manually sign the CSR on the master node](06-distributed-monitori ng.md#distributed-monitoring-setup-on-demand-csr-signing-master).
Restart Icinga 2 as requested. Restart Icinga 2 as requested.
``` ```
[root@icinga2-agent1.localdomain /]# systemctl restart icinga2 [root@icinga2-agent1.localdomain /]# systemctl restart icinga2
``` ```
Here is an overview of all parameters in detail: Here is an overview of all parameters in detail:
Parameter | Description Parameter | Description
skipping to change at line 790 skipping to change at line 790
The graphical installer offers to run the [Icinga Agent setup wizard](06-distrib uted-monitoring.md#distributed-monitoring-setup-agent-windows-configuration-wiza rd) The graphical installer offers to run the [Icinga Agent setup wizard](06-distrib uted-monitoring.md#distributed-monitoring-setup-agent-windows-configuration-wiza rd)
after the installation. Select the check box to proceed. after the installation. Select the check box to proceed.
> **Tip** > **Tip**
> >
> You can also run the Icinga agent setup wizard from the Start menu later. > You can also run the Icinga agent setup wizard from the Start menu later.
#### Agent Setup on Windows: Configuration Wizard <a id="distributed-monitoring- setup-agent-windows-configuration-wizard"></a> #### Agent Setup on Windows: Configuration Wizard <a id="distributed-monitoring- setup-agent-windows-configuration-wizard"></a>
On a fresh installation the setup wizard guides you through the initial configur ation. On a fresh installation the setup wizard guides you through the initial configur ation.
It also provides a mechanism to send a certificate request to the [CSR signing m aster](distributed-monitoring-setup-sign-certificates-master). It also provides a mechanism to send a certificate request to the [CSR signing m aster](06-distributed-monitoring.md#distributed-monitoring-setup-sign-certificat es-master).
The following configuration details are required: The following configuration details are required:
Parameter | Description Parameter | Description
--------------------|-------------------- --------------------|--------------------
Instance name | **Required.** By convention this should be the host's FQ DN. Defaults to the FQDN. Instance name | **Required.** By convention this should be the host's FQ DN. Defaults to the FQDN.
Setup ticket | **Optional.** Paste the previously generated [ticket num ber](06-distributed-monitoring.md#distributed-monitoring-setup-csr-auto-signing) . If left blank, the certificate request must be [signed on the master node](06- distributed-monitoring.md#distributed-monitoring-setup-on-demand-csr-signing). Setup ticket | **Optional.** Paste the previously generated [ticket num ber](06-distributed-monitoring.md#distributed-monitoring-setup-csr-auto-signing) . If left blank, the certificate request must be [signed on the master node](06- distributed-monitoring.md#distributed-monitoring-setup-on-demand-csr-signing).
Fill in the required information and click `Add` to add a new master connection. Fill in the required information and click `Add` to add a new master connection.
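Review bot: In the Setup ticket row, "signed on the master node" links to `#distributed-monitoring-setup-on-demand-csr-signing`, while the links this patch adds elsewhere for the same step use `#distributed-monitoring-setup-on-demand-csr-signing-master`. Since this hunk already repairs the CSR signing master link on the line above the table, check that both anchors exist and point this row at the same target as the rest of the document.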
skipping to change at line 3317 skipping to change at line 3317
``` ```
[root@icinga2-master1.localdomain /]# icinga2 node setup --master --disable-conf d [root@icinga2-master1.localdomain /]# icinga2 node setup --master --disable-conf d
``` ```
<!-- Keep this for compatibility --> <!-- Keep this for compatibility -->
<a id="distributed-monitoring-automation-cli-node-setup-satellite-client"></a> <a id="distributed-monitoring-automation-cli-node-setup-satellite-client"></a>
#### Node Setup with Agents/Satellites <a id="distributed-monitoring-automation- cli-node-setup-agent-satellite"></a> #### Node Setup with Agents/Satellites <a id="distributed-monitoring-automation- cli-node-setup-agent-satellite"></a>
##### Preparations
Make sure that the `/var/lib/icinga2/certs` directory exists and is owned by the `icinga` Make sure that the `/var/lib/icinga2/certs` directory exists and is owned by the `icinga`
user (or the user Icinga 2 is running as). user (or the user Icinga 2 is running as).
``` ```
[root@icinga2-agent1.localdomain /]# mkdir -p /var/lib/icinga2/certs [root@icinga2-agent1.localdomain /]# mkdir -p /var/lib/icinga2/certs
[root@icinga2-agent1.localdomain /]# chown -R icinga:icinga /var/lib/icinga2/cer ts [root@icinga2-agent1.localdomain /]# chown -R icinga:icinga /var/lib/icinga2/cer ts
``` ```
First you'll need to generate a new local self-signed certificate. First you'll need to generate a new local self-signed certificate.
Pass the following details to the `pki new-cert` CLI command: Pass the following details to the `pki new-cert` CLI command:
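Review bot: The new `##### Preparations` heading also ends up covering "First you'll need to generate a new local self-signed certificate" and the `pki new-cert` parameters, which is a step of its own rather than preparation. The following steps get their own headings (`Verify Parent Connection`, `Node Setup`), so add a matching heading before the `pki new-cert` paragraph to keep the procedure's structure consistent.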
skipping to change at line 3341 skipping to change at line 3343
Client certificate files | **Required.** These generated files will be put i nto the specified location (--key and --file). By convention this should be usin g `/var/lib/icinga2/certs` as directory. Client certificate files | **Required.** These generated files will be put i nto the specified location (--key and --file). By convention this should be usin g `/var/lib/icinga2/certs` as directory.
Example: Example:
``` ```
[root@icinga2-agent1.localdomain /]# icinga2 pki new-cert --cn icinga2-agent1.lo caldomain \ [root@icinga2-agent1.localdomain /]# icinga2 pki new-cert --cn icinga2-agent1.lo caldomain \
--key /var/lib/icinga2/certs/icinga2-agent1.localdomain.key \ --key /var/lib/icinga2/certs/icinga2-agent1.localdomain.key \
--cert /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt --cert /var/lib/icinga2/certs/icinga2-agent1.localdomain.crt
``` ```
Request the master certificate from the master host (`icinga2-master1.localdomai ##### Verify Parent Connection
n`)
and store it as `trusted-master.crt`. Review it and continue. In order to verify the parent connection and avoid man-in-the-middle attacks,
fetch the parent instance's certificate and verify that it matches the connectio
n.
The `trusted-parent.crt` file is a temporary file passed to `node setup` in the
next step and does not need to be stored for later usage.
Pass the following details to the `pki save-cert` CLI command: Pass the following details to the `pki save-cert` CLI command:
Parameter | Description Parameter | Description
--------------------|-------------------- --------------------|--------------------
Client certificate files | **Required.** Pass the previously generated files u sing the `--key` and `--cert` parameters.
Trusted parent certificate | **Required.** Store the parent's certificate file . Manually verify that you're trusting it. Trusted parent certificate | **Required.** Store the parent's certificate file . Manually verify that you're trusting it.
Parent host | **Required.** FQDN or IP address of the parent host. Parent host | **Required.** FQDN or IP address of the parent host.
Example: Request the master certificate from the master host (`icinga2-master1.localdomai
n`)
and store it as `trusted-parent.crt`. Review it and continue.
``` ```
[root@icinga2-agent1.localdomain /]# icinga2 pki save-cert --key /var/lib/icinga 2/certs/icinga2-agent1.localdomain.key \ [root@icinga2-agent1.localdomain /]# icinga2 pki save-cert \
--trustedcert /var/lib/icinga2/certs/trusted-parent.crt \ --trustedcert /var/lib/icinga2/certs/trusted-parent.crt \
--host icinga2-master1.localdomain --host icinga2-master1.localdomain
information/cli: Retrieving TLS certificate for 'icinga2-master1.localdomain:566
5'.
Subject: CN = icinga2-master1.localdomain
Issuer: CN = icinga2-master1.localdomain
Valid From: Feb 4 08:59:05 2020 GMT
Valid Until: Jan 31 08:59:05 2035 GMT
Fingerprint: B4 90 DE 46 81 DD 2E BF EE 9D D5 47 61 43 EF C6 6D 86 A6 CC
***
*** You have to ensure that this certificate actually matches the parent
*** instance's certificate in order to avoid man-in-the-middle attacks.
***
information/pki: Writing certificate to file '/var/lib/icinga2/certs/trusted-par
ent.crt'.
``` ```
Continue with the additional node setup step. Specify a local endpoint and zone ##### Node Setup
name (`icinga2-agent1.localdomain`)
Continue with the additional `node setup` step. Specify a local endpoint and zon
e name (`icinga2-agent1.localdomain`)
and set the master host (`icinga2-master1.localdomain`) as parent zone configura tion. Specify the path to and set the master host (`icinga2-master1.localdomain`) as parent zone configura tion. Specify the path to
the previously stored trusted master certificate. the previously stored trusted parent certificate (`trusted-parent.crt`).
Pass the following details to the `node setup` CLI command: Pass the following details to the `node setup` CLI command:
Parameter | Description Parameter | Description
--------------------|-------------------- --------------------|--------------------
Common name (CN) | **Optional.** Specified with the `--cn` parameter. By co nvention this should be the host's FQDN. Common name (CN) | **Optional.** Specified with the `--cn` parameter. By co nvention this should be the host's FQDN.
Request ticket | **Required.** Add the previously generated [ticket numbe r](06-distributed-monitoring.md#distributed-monitoring-setup-csr-auto-signing). Request ticket | **Required.** Add the previously generated [ticket numbe r](06-distributed-monitoring.md#distributed-monitoring-setup-csr-auto-signing).
Trusted master certificate | **Required.** Add the previously fetched trusted master certificate (this step means that you've verified its origin). Trusted parent certificate | **Required.** Trusted parent certificate file as connection verification (received via 'pki save-cert').
Parent host | **Optional.** FQDN or IP address of the parent host. Thi s is where the command connects for CSR signing. If not specified, you need to m anually copy the parent's public CA certificate file into `/var/lib/icinga2/cert s/ca.crt` in order to start Icinga 2. Parent host | **Optional.** FQDN or IP address of the parent host. Thi s is where the command connects for CSR signing. If not specified, you need to m anually copy the parent's public CA certificate file into `/var/lib/icinga2/cert s/ca.crt` in order to start Icinga 2.
Parent endpoint | **Required.** Specify the parent's endpoint name. Parent endpoint | **Required.** Specify the parent's endpoint name.
Local zone name | **Required.** Specify the agent/satellite zone name. Local zone name | **Required.** Specify the agent/satellite zone name.
Parent zone name | **Optional.** Specify the parent's zone name. Parent zone name | **Optional.** Specify the parent's zone name.
Accept config | **Optional.** Whether this node accepts configuration sy nc from the master node (required for [config sync mode](06-distributed-monitori ng.md#distributed-monitoring-top-down-config-sync)). Accept config | **Optional.** Whether this node accepts configuration sy nc from the master node (required for [config sync mode](06-distributed-monitori ng.md#distributed-monitoring-top-down-config-sync)).
Accept commands | **Optional.** Whether this node accepts command executio n messages from the master node (required for [command endpoint mode](06-distrib uted-monitoring.md#distributed-monitoring-top-down-command-endpoint)). Accept commands | **Optional.** Whether this node accepts command executio n messages from the master node (required for [command endpoint mode](06-distrib uted-monitoring.md#distributed-monitoring-top-down-command-endpoint)).
Global zones | **Optional.** Allows to specify more global zones in add ition to `global-templates` and `director-global`. Global zones | **Optional.** Allows to specify more global zones in add ition to `global-templates` and `director-global`.
Disable conf.d | **Optional.** Specified with the `disable-confd` paramet er. If provided, this disables the `include_recursive "conf.d"` directive in `ic inga2.conf`. Available since v2.9+. Not set by default for compatibility reasons with Puppet, Ansible, Chef, etc. Disable conf.d | **Optional.** Specified with the `disable-confd` paramet er. If provided, this disables the `include_recursive "conf.d"` directive in `ic inga2.conf`. Available since v2.9+. Not set by default for compatibility reasons with Puppet, Ansible, Chef, etc.
> **Note** > **Note**
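Review bot: The new "Verify Parent Connection" text tells the reader to verify that the fetched certificate matches the parent, and the sample output prints a `Fingerprint:` line, but nothing says what to compare it against. Add a sentence on obtaining the fingerprint on the parent itself over a separate trusted channel and comparing it before running `node setup`; without that the step amounts to trust on first use. The `node setup` table row also drops the old wording "this step means that you've verified its origin", which was the only reminder at that point that passing the file asserts verification. Two smaller points: the text calls `trusted-parent.crt` a temporary file, yet the example writes it into `/var/lib/icinga2/certs/`, and the sentence before the example still says "master certificate from the master host" where the rest of the section now says parent.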
skipping to change at line 3426 skipping to change at line 3448
``` ```
--global_zones linux-templates --global_zones linux-templates
``` ```
The `--parent-host` parameter is optional since v2.9 and allows you to perform a connection-less setup. The `--parent-host` parameter is optional since v2.9 and allows you to perform a connection-less setup.
You cannot restart Icinga 2 yet, the CLI command asked to to manually copy the p arent's public CA You cannot restart Icinga 2 yet, the CLI command asked to to manually copy the p arent's public CA
certificate file in `/var/lib/icinga2/certs/ca.crt`. Once Icinga 2 is started, i t sends certificate file in `/var/lib/icinga2/certs/ca.crt`. Once Icinga 2 is started, i t sends
a ticket signing request to the parent node. If you have provided a ticket, the master node a ticket signing request to the parent node. If you have provided a ticket, the master node
signs the request and sends it back to the agent/satellite which performs a cert ificate update in-memory. signs the request and sends it back to the agent/satellite which performs a cert ificate update in-memory.
In case you did not provide a ticket, you need to manually sign the CSR on the m aster node In case you did not provide a ticket, you need to [manually sign the CSR on the master node](06-distributed-monitoring.md#distributed-monitoring-setup-on-demand -csr-signing-master)
which holds the CA's key pair. which holds the CA's key pair.
**You can find additional best practices below.** **You can find additional best practices below.**
If this agent node is configured as [remote command endpoint execution](06-distr ibuted-monitoring.md#distributed-monitoring-top-down-command-endpoint) If this agent node is configured as [remote command endpoint execution](06-distr ibuted-monitoring.md#distributed-monitoring-top-down-command-endpoint)
you can safely disable the `checker` feature. The `node setup` CLI command alrea dy disabled the `notification` feature. you can safely disable the `checker` feature. The `node setup` CLI command alrea dy disabled the `notification` feature.
``` ```
[root@icinga2-agent1.localdomain /]# icinga2 feature disable checker [root@icinga2-agent1.localdomain /]# icinga2 feature disable checker
``` ```
Disable "conf.d" inclusion if this is a [top down](06-distributed-monitoring.md#
distributed-monitoring-top-down)
configured agent.
```
[root@icinga2-agent1.localdomain /]# sed -i 's/include_recursive "conf.d"/\/\/in
clude_recursive "conf.d"/g' /etc/icinga2/icinga2.conf
```
**Note**: This is the default since v2.9.
**Optional**: Add an ApiUser object configuration for remote troubleshooting. **Optional**: Add an ApiUser object configuration for remote troubleshooting.
``` ```
[root@icinga2-agent1.localdomain /]# cat <<EOF >/etc/icinga2/conf.d/api-users.co nf [root@icinga2-agent1.localdomain /]# cat <<EOF >/etc/icinga2/conf.d/api-users.co nf
object ApiUser "root" { object ApiUser "root" {
password = "agentsupersecretpassword" password = "agentsupersecretpassword"
permissions = ["*"] permissions = ["*"]
} }
EOF EOF
``` ```
In case you've previously disabled the "conf.d" directory only
add the file file `conf.d/api-users.conf`:
```
[root@icinga2-agent1.localdomain /]# echo 'include "conf.d/api-users.conf"' >> /
etc/icinga2/icinga2.conf
```
Finally restart Icinga 2. Finally restart Icinga 2.
``` ```
[root@icinga2-agent1.localdomain /]# systemctl restart icinga2 [root@icinga2-agent1.localdomain /]# systemctl restart icinga2
``` ```
Your automation tool must then configure master node in the meantime. Your automation tool must then configure master node in the meantime.
``` ```
# cat <<EOF >>/etc/icinga2/zones.conf # cat <<EOF >>/etc/icinga2/zones.conf
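Review bot: Removing the paragraph "In case you've previously disabled the "conf.d" directory" together with its `include "conf.d/api-users.conf"` line leaves the optional ApiUser example writing to `/etc/icinga2/conf.d/api-users.conf` with no instruction for setups where conf.d inclusion is off, which the removed note describes as the default since v2.9. Either keep the include step or move the example file outside `conf.d`, so the ApiUser object is actually loaded. While this block is being touched, the example grants `permissions = ["*"]` with a literal password; a narrower permission list and an obvious placeholder password would be safer to copy. The unchanged context above also contains the typo "asked to to".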
 End of changes. 14 change blocks. 
32 lines changed or deleted 39 lines changed or added
