Megaphone Commons

{{last_updated_at}} by {{last_updated_by}}

# Distributed Icinga2

### Overview

With a single instance of Icinga2, we can check the status of remote services that are publicly accessible.  For instance, we can check if SSH responds on a remote host.  However, we can NOT check information that is not publicly accessible - for instance, whether the remote server has low disk space.

To handle this, we use a distributed Icinga2 infrastructure.  Our original Icinga instance becomes a **master** instance.  We also install a minimal version of Icinga on remote servers, known as **satellite** instances.  Icinga2 has a wizard that establishes encrypted communication links between servers.  We use a [top-down configuration](https://docs.icinga.com/icinga2/latest/doc/module/icinga2/chapter/distributed-monitoring#distributed-monitoring-top-down), which means that all checks are initiated from the master instance - but some service checks are configured to run on a different endpoint.

In our instance, that means that some checks run entirely on the master - e.g. an SSH check - but a "low disk space" check is scheduled on the master instance, which contacts the satellite, instructs it to run the plugin, and return the result.

### Installing Icinga2 as a Satellite

Source: https://www.olindata.com/blog/2015/03/monitoring-remote-systems-icinga-2

#### Ansible

Run the Ansible playbook. E.g.:

```bash

ansible-playbook --tags icinga2 main-playbook.yml

```

The manual commands are here:

{{collapse(Show manual instructions,Hide manual instructions)

Run these commands on the satellite (assumes the satellite OS is Ubuntu)

```bash

apt install software-properties-common

add-apt-repository ppa:formorer/icinga

apt update

apt install icinga2

systemctl enable icinga2.service

systemctl start icinga2.service

```

Alternate instructions for Debian Jessie:

```bash

# Note: Ensure you have jessie-backports enabled: https://backports.debian.org/Instructions/

apt install software-properties-common

apt-get -t jessie-backports install icinga2

# Debian installs some some host definitions that interfere with being a satellite; delete them

rm /etc/icinga2/conf.d/hosts.conf

systemctl enable icinga2.service

systemctl start icinga2.service

```

#### Temporary: Add the updated check_apt

Until monitoring-plugins 2.3 comes out, copy the `check_apt` file from an existing server to the new satellite so that "only notify on security updates" is available as an option.  See #478.

#### Node Wizard

Then run the node wizard:

```bash

# Get the salt from the master node in /etc/icinga2/constants.conf

icinga2 pki ticket --cn 'orange.megaphonetech.com' --salt <salt goes here>

icinga2 node wizard

```

Here's an example of the node wizard setup for a red.megaphonetech.com:

```

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: 

Starting the Node setup routine...

Please specify the common name (CN) [www.nwu.org]: 

Please specify the master endpoint(s) this node should connect to:

Master Common Name (CN from your master setup): orange.megaphonetech.com

Do you want to establish a connection to the master from this node? [Y/n]: 

Please fill out the master connection information:

Master endpoint host (Your master's IP address or FQDN): orange.megaphonetech.com

Master endpoint port [5665]: 

Add more master endpoints? [y/N]: 

Please specify the master connection for CSR auto-signing (defaults to master endpoint host):

Host [orange.megaphonetech.com]: 

Port [5665]: 

information/base: Writing private key to '/etc/icinga2/pki/nembhard.glocal.coop.key'.

information/base: Writing X509 certificate to '/etc/icinga2/pki/nembhard.glocal.coop.crt'.

information/cli: Fetching public certificate from master (orange.megaphonetech.com, 5665):

Certificate information:

 Subject:     CN = orange.megaphonetech.com

 Issuer:      CN = Icinga CA

 Valid From:  Jun  9 03:57:34 2017 GMT

 Valid Until: Jun  5 03:57:34 2032 GMT

 Fingerprint: C8 46 A0 A9 2A 47 AE 0D 51 BD 88 82 E8 CC BA 65 28 FD D7 EB 

Is this information correct? [y/N]: Y

information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.

 (Hint: # icinga2 pki ticket --cn 'rh6.jmaconsulting.biz'): #Run this command on the master to generate a ticket number

information/cli: Requesting certificate with ticket '00a2aff74b3b3145630504276912a9addd714810'.

information/cli: Created backup file '/etc/icinga2/pki/rh6.jmaconsulting.biz.crt.orig'.

information/cli: Writing signed certificate to file '/etc/icinga2/pki/rh6.jmaconsulting.biz.crt'.

information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.

Please specify the API bind host/port (optional):

Bind Host []: 

Bind Port []: 

Accept config from master? [y/N]: Y

Accept commands from master? [y/N]: Y

information/cli: Disabling the Notification feature.

Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.

information/cli: Enabling the Apilistener feature.

Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.

information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.

information/cli: Generating local zones.conf.

information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.

information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.

information/cli: Updating constants.conf.

information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.

information/cli: Updating constants file '/etc/icinga2/constants.conf'.

information/cli: Updating constants file '/etc/icinga2/constants.conf'.

Done.

```

Now run `service icinga2 checkconfig && service icinga2 restart` to finish the installation on the satellite.

### Create Zones and Endpoints

You must also set up the `Zone` and `Endpoint` objects, stored in `/etc/icinga2/zones.conf`. In our model, each zone contains one and only one endpoint.

#### Zones and Endpoints on the Satellite

The node wizard mostly handles this for you on the satellite, it will generate a file with these constants.  Note that NodeName and ZoneName are defined in /etc/icinga2/constants.conf, and should both be the name of the host.

```

object Endpoint "orange.megaphonetech.com" {

        host = "orange.megaphonetech.com"

        port = "5665"

}

object Zone "master" {

        endpoints = [ "orange.megaphonetech.com" ]

}

object Endpoint NodeName {

}

object Zone ZoneName {

        endpoints = [ NodeName ]

        parent = "master"

}

```

Add the following Zone object on your satellite.  Files in this zone are synced to all Icinga2 instances, so you can distribute many configuration files this way:

```

/* sync global commands */

object Zone "global-templates" {

        global = true

}

```

#### Zones and Endpoints on the Master

Edit `/etc/icinga2/zones.conf`.  Add the Zone and Endpoint of the new satellite.  For instance, if the satellite has a ZoneName and NodeName of database.lavabrooklyn.org defined in its constants /etc/icinga2/constants.conf then you should add these objects on the master:

```

object Endpoint "database.lavabrooklyn.org" {

}

object Zone "database.lavabrooklyn.org" {

        endpoints = [ "database.lavabrooklyn.org" ]

        parent = "master"

}

```

#### Harden the TLS connection

Add this line to the bottom of the "api" object in `/etc/icinga2/features-available/api.conf`:

```tls_protocolmin = "TLSv1.2"```

#### How to change a satellite's hostname

Re-run `icinga2 node wizard` on the satellite.  This will fix the satellite's "constants.conf" and "zones.conf".

Edit `/etc/icinga2/zones.conf` Zone and Endpoint on the master to change the name.

}}

#### Testing the Zones/Endpoints

After reloading Icinga2 on both satellite and master (happens automatically with Ansible), you should be able to see the new checks reflected in Icingaweb2 immediately, though they might be listed as "Pending".  Click "Check now" to ensure they're working as expected.