Icinga2 is an outstanding open source tool for monitoring all of your data center servers. With this tool, you can empower your IT staff to manage issues before they snowball into something much larger. Out of the box, Icinga2 makes this task significantly easier, yet the simple method of configuring a node in the hosts.conf file is not as secure as you might like.
With a bit of work, Icinga2 can monitor a data center node’s internal health parameters (such as CPU load, disk space, memory, and the number of running processes) over a secured channel in a master/client setup.
I will configure an Icinga2 master/client setup. I’ll use Ubuntu Server for both instances and will assume you already have Icinga2 up and running on the master. (See: How to install the Icinga2 Monitoring tool on Ubuntu Server 16.04 and How to add remote hosts to the Icinga2 monitoring system.)
Let’s install.
Setting up the master
The first thing to do is configure the master. My master is at IP address 192.168.1.193. It is important to know the full hostname of both master and client. The hostname of my master is ubuntu16.04 (issue the command less /etc/hosts to find yours). The hostname of my test client is localhost.localdomain. As this is only for testing purposes, it’s okay to use localhost.localdomain. Do not, however, use this for your servers.
Even though you already have Icinga2 up and running, you still have to run the setup so it can act as a master to an agent. Fortunately, this is quite simple. Log into your Icinga2 server and issue the command:
sudo icinga2 node wizard
You will be asked a few easy questions (answers are in caps):
Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: N
Please specify the common name (CN) [icinga]: HOSTNAME OF SERVER
Please specify the API bind host/port (optional): LEAVE BLANK
Bind Host []: LEAVE BLANK
Bind Port []: LEAVE BLANK
When the above completes, restart the Icinga2 service with the command:
sudo systemctl restart icinga2
Now we have to generate a client ticket for your node. Issue the command:
icinga2 pki ticket --cn 'NODE_NAME'
Where NODE_NAME is the full hostname of your client (in my case, localhost.localdomain). It is important that you get this right, because the ticket is generated for that exact name; otherwise the Icinga2 client won’t be able to connect to the master. Copy the generated string.
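To show why the CN in the ticket must match the client's hostname exactly, here is an added example (not code from the article) that reproduces the ticket derivation in Python. It assumes, from the Icinga2 source rather than from this article, that `icinga2 pki ticket` computes PBKDF2-HMAC-SHA1 over the CN with the master's TicketSalt and 50000 iterations, and that constants.conf carries the salt on a line of the form const TicketSalt = "..."; the salt value below is constructed.

```python
import hashlib
import hmac

# Assumption taken from the Icinga2 source (lib/cli/pkiticketcommand.cpp), not
# from the article: ticket = hex(PBKDF2-HMAC-SHA1(CN, TicketSalt, 50000 iters)).
# Verify against `icinga2 pki ticket --cn <CN>` on your master before relying on it.
ITERATIONS = 50000
DKLEN = 20  # SHA-1 digest length; the tool prints 40 hex characters


def generate_ticket(cn: str, ticket_salt: str) -> str:
    """Reproduce `icinga2 pki ticket --cn CN` for the given TicketSalt."""
    if not cn or not ticket_salt:
        raise ValueError("CN and TicketSalt must both be non-empty")
    dk = hashlib.pbkdf2_hmac("sha1", cn.encode(), ticket_salt.encode(), ITERATIONS, DKLEN)
    return dk.hex()


def ticket_matches(ticket: str, cn: str, ticket_salt: str) -> bool:
    """The check the master effectively performs on the ticket the agent presents.
    Constant-time comparison so a wrong ticket cannot be probed byte by byte."""
    expected = generate_ticket(cn, ticket_salt)
    return hmac.compare_digest(expected, ticket.strip().lower())


def read_ticket_salt(constants_conf: str) -> str:
    """Extract TicketSalt from the text of /etc/icinga2/constants.conf.
    The master's node wizard writes it as: const TicketSalt = "..." """
    for line in constants_conf.splitlines():
        line = line.strip()
        if line.startswith("const TicketSalt"):
            return line.split("=", 1)[1].strip().strip('"')
    raise LookupError("TicketSalt not found; run the node wizard on the master first")


# Constructed sample of a constants.conf fragment; the salt is made up.
SAMPLE_CONSTANTS = (
    'const PluginDir = "/usr/lib/nagios/plugins"\n'
    'const TicketSalt = "example-salt-not-real"\n'
)

if __name__ == "__main__":
    salt = read_ticket_salt(SAMPLE_CONSTANTS)
    fqdn_ticket = generate_ticket("localhost.localdomain", salt)
    print("ticket for localhost.localdomain:", fqdn_ticket)
    # A ticket minted for the bare hostname is rejected for the FQDN the client
    # wizard uses as its CN: this is why NODE_NAME has to be the full hostname.
    bare_ticket = generate_ticket("localhost", salt)
    print("bare-hostname ticket accepted for FQDN?",
          ticket_matches(bare_ticket, "localhost.localdomain", salt))
```

Because anyone holding TicketSalt can mint a valid ticket for any CN, treat constants.conf on the master as a secret and keep it readable only by the icinga user.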
Setting up the client
Move over to the client you want to connect to the master. If Icinga2 isn’t installed on this server, do so with the command:
sudo apt-get install icinga2 -y
Once it’s installed, run the node wizard with the command:
sudo icinga2 node wizard
Answer the questions as shown in caps:
Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: Y
Please specify the common name (CN) [localhost.localdomain]: LEAVE BLANK
Master Common Name (CN from your master setup): HOSTNAME OF MASTER
Do you want to establish a connection to the parent node? From this node [Y/n]: y
Master endpoint host (Your master's IP address or FQDN): MASTER IP
Master endpoint port [5665]: LEAVE BLANK
Add more master endpoints? [y/N]: n
Please specify the master connection for CSR auto-signing (defaults to master endpoint host): LEAVE BLANK
Host [10.25.32.120]: LEAVE BLANK
Port [5665]: LEAVE BLANK
Where:
- HOSTNAME OF MASTER is the full hostname of the master server.
- MASTER IP is the IP address of the master.
- LEAVE BLANK means to simply hit Enter on your keyboard.
You will then be asked if the information is correct. Type y and hit Enter on your keyboard. Next you’ll be asked to paste the PKI key, which is the ticket string you generated on the master (Figure A). Do this and hit Enter on your keyboard.
Figure A
Finally, you’ll be asked another short round of questions:
Please specify the API bind host/port (optional): LEAVE THIS BLANK
Bind Host []: LEAVE THIS BLANK
Bind Port []: LEAVE THIS BLANK
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
Once you’ve answered the above, restart the Icinga2 daemon on the node with the command:
sudo systemctl restart icinga2
Create the configuration files
Back on the master, we need to create a new directory to house a couple of configuration files. Issue the command:
sudo mkdir /etc/icinga2/zones.d/NODE_NAME
Where NODE_NAME is the name of your node (for my example, localhost.localdomain).
Next create the two configuration files (again, NODE_NAME is the name of your node, localhost.localdomain in my example) with the commands:
sudo touch /etc/icinga2/zones.d/NODE_NAME/NODE_NAME.conf
sudo touch /etc/icinga2/zones.d/NODE_NAME/services.conf
In the NODE_NAME.conf file, paste the following:
// Zone for the client, with the master zone as its parent
object Zone "NODE_NAME" {
  endpoints = [ "NODE_NAME" ]
  parent = "SERVER_NODE"
}

// Endpoint the master connects to on port 5665
object Endpoint "NODE_NAME" {
  host = "NODE_IP"
}

// Host object; client_endpoint is used by the service apply rules below
object Host "NODE_NAME" {
  import "generic-host"
  address = "NODE_IP"
  vars.http_vhosts["http"] = {
    http_uri = "/"
  }
  vars.notification["mail"] = {
    groups = [ "icingaadmins" ]
  }
  vars.client_endpoint = name
}
Where NODE_NAME is the name of the node, SERVER_NODE is the name of the Icinga2 master, and NODE_IP is the IP address of the node. Save and close that file.
Next, in the services.conf file, paste the following:
// Run the load check on the client itself rather than from the master
apply Service "load" {
  import "generic-service"
  check_command = "load"
  command_endpoint = host.vars.client_endpoint
  assign where host.vars.client_endpoint
}

// Same for the running-process count
apply Service "procs" {
  import "generic-service"
  check_command = "procs"
  command_endpoint = host.vars.client_endpoint
  assign where host.vars.client_endpoint
}
Save and close that file.
Once you’ve taken care of that, restart Icinga2 with the command:
sudo systemctl restart icinga2
After a moment, the new agent will appear, and Icinga2 will start monitoring it with more than just a ping test, running the checks on the node over the certificate-secured connection the node wizard established rather than through a plain hosts.conf entry.
If you find the node isn’t showing up, refer back to How to add remote hosts to the Icinga2 monitoring system.