Director config not correctly applied in HA setup

Icinga 2
, ,
1

Hi there, I still seem to have a problem with a proper HA setup for Icinga2. I noticed that while deploying Notifications and Downtimes via the director (Setup is director managed, no local files used). It seems both masters seem to ignore each for zones as they think to have the autoritative version. Though only master01 should have autoritative version, right?

The setup is deployed via the official ansible-collection-icinga in combination with Linuxfabrik-Monitoring-Plugins.

For the monitoring-plugins part I am using their initial basket and noticed that assign where match("A*", host.vars.criticality) does not seem to be working correctly because the Infra-Team testuser is not applied to the hosts accordingly for Notifications on Host/Services. Also no notifications (also Custom / + forced is not working). As soon as I switch back to C/B/A only and change from a wildcard to hardcoded criticalities it starts working (though, still no visible user for hosts/services). But I have a feeling this is relied to the underlying sync problem.

I now noticed that a scheduled downtime is not applied to a host and only to 12 of 24 services of a host. Or another scenario where I have i.e. 10 hosts, the downtime is applied only to 3/10 hosts.

As soon as I stop the second master, everything seems to be read / applied currently a few minutes later. Full host and services coverage, the Notification user visible even with the wildcard applied.

Please let me know if I forgot a config needed here which is needed to drill down.

Thanks in advance for your help and time!

Passwords etc. are randomized or if I forgot, it does not matter since its a test cluster.

Setup Details per opening
  • Version used (icinga2 --version)
    • r2.14.5-1
  • Operating System and version
    • Ubuntu 22.04.5 LTS
  • Enabled features (icinga2 feature list)
    • BOTH MASTERS
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb influxdb2 journald livestatus opentsdb perfdata syslog
Enabled features: api checker icingadb mainlog notification
  • Icinga Web 2 version and modules (System - About)
    • 2.12.4
  • Config validation (icinga2 daemon -C
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 7 NotificationCommands.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 Notification.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 Host.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 12 Downtimes.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 5 Zones.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 4 Endpoints.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 2 Users.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 799 CheckCommands.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 5 TimePeriods.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 25 ScheduledDowntimes.
[2025-05-25 12:34:40 +0200] information/ConfigItem: Instantiated 24 Services.
[2025-05-25 12:34:40 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2025-05-25 12:34:40 +0200] information/cli: Finished validating the configuration file(s).
  • If you run multiple Icinga 2 instances, the zones.conf file (or icinga2 object list --type Endpoint and icinga2 object list --type Zone) from all affected nodes
    • see below
Ansible Playbook

Play

- hosts: icinga_masters
  become: yes
  tasks:
    - ansible.builtin.include_role:
        name: mrlesmithjr.mariadb-galera-cluster
        apply:
          tags: mariadb
      tags: always
    - ansible.builtin.include_role:
        name: icinga.icinga.repos
    - ansible.builtin.include_role:
        name: icinga.icinga.icinga2
    - ansible.builtin.include_role:
        name: icinga.icinga.icingadb
    - ansible.builtin.include_role:
        name: icinga.icinga.icingadb_redis
    - ansible.builtin.include_role:
        name: icinga.icinga.icingaweb2

Group Vars

# Variables for mrlesmithjr.mariadb-galera-cluster
mariadb_version: "*"
mariadb_upgrade: true
galera_enable_mariadb_repo: false
mariadb_bind_address: 0.0.0.0
galera_cluster_bind_interface: "{{ ansible_default_ipv4['interface'] }}"
galera_cluster_name: icinga-cluster
galera_cluster_nodes_group: icinga_masters
mariadb_databases:
  - name: icingadb
  - name: icingaweb
  - name: vspheredb
  - name: "{{ icingaweb2_resources['director_db']['dbname'] }}"
mariadb_mysql_users:
  - name: icingaweb
    hosts:
      - "%"
      - "127.0.0.1"
      - "::1"
      - "localhost"
    password: "{{ icingaweb2_db['password'] }}"
    priv: "icingaweb.*:ALL"
  - name: icingadb
    hosts:
      - "%"
      - "127.0.0.1"
      - "::1"
      - "localhost"
    password: "{{ icingadb_database_password }}"
    priv: "icingadb.*:ALL"
  - name: vspheredb
    hosts:
      - "%"
      - "127.0.0.1"
      - "::1"
      - "localhost"
    password: 12379KJDAHueu231
    priv: "vspheredb.*:ALL"
  - name: "{{ icingaweb2_resources['director_db']['username'] }}"
    hosts:
      - "%"
      - "127.0.0.1"
      - "::1"
      - "localhost"
    password: "{{ icingaweb2_resources['director_db']['password'] }}"
    priv: "{{ icingaweb2_resources['director_db']['dbname'] }}.*:ALL"
mariadb_mysql_root_password: 12731UWA71233z7hd

# Variables for collection icinga role icinga2
icinga2_constants:
  TicketSalt: "{{ icinga2_global_ticketsalt }}"
  NodeName: "{{ inventory_hostname }}"
  ZoneName: "main"

icinga2__api_root_password: 12837HJJAWDhd
icinga2__api_root_user: ApiRootUser

icinga2_confd: local.d
icinga2_purge_features: yes
icinga2_config_directories:
  - zones.d/main/commands
  - zones.d/main/hosts
  - zones.d/main/services
  - "{{ icinga2_confd }}"
icinga2_objects:
  - name: "{{ icinga2__api_root_user }}"
    type: ApiUser
    file: "{{ icinga2_confd }}/api-users.conf"
    password: "{{ icinga2__api_root_password }}"
    permissions:
      - "*"

# Variables for collection icinga role icingadb
icingadb_database_type: mysql
icingadb_database_host: localhost
icingadb_database_user: icingadb
icingadb_database_password: 981273HdkawjuZ
icingadb_database_import_schema: true

# Variables for collection icinga role icingaweb2
icingaweb2_db:
  type: mysql
  name: icingaweb
  host: localhost
  user: icingaweb
  password: 71623Hawdaw
icingaweb2_db_import_schema: true
icingaweb2_admin_username: devadmin
icingaweb2_admin_password: 986354hdzWe
icingaweb2_authentication:
  icingaweb2:
    backend: db
    resource: icingaweb2_db
icingaweb2_groups:
  icingaweb2:
    backend: db
    resource: icingaweb2_db
icingaweb2_modules:
  director:
    enabled: true
    source: package
    import_schema: true
    run_kickstart: true
    kickstart:
      config:
        endpoint: "{{ inventory_hostname }}"
        host: 127.0.0.1
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
    config:
      db:
        resource: director_db
  icingadb:
    enabled: true
    source: package
    commandtransports:
      instance01:
        transport: api
        host: 127.0.0.1
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
    config:
      icingadb:
        resource: icingadb
      redis:
        tls: '0'
    redis:
      redis1:
        host: 127.0.0.1
  businessprocess:
    enabled: true
    source: package
icingaweb2_resources:
  director_db:
    type: db
    db: mysql
    host: localhost
    dbname: directordb
    username: director
    password: 123456abcd
    charset: utf8
  icingadb:
    type: db
    db: mysql
    host: localhost
    dbname: icingadb
    username: icingadb
    password: "{{ icingadb_database_password }}"
    charset: utf8mb4

Host vars icingamaster01

# Variables for collection icinga role icinga2
icinga2_features:
  - name: icingadb
    host: 127.0.0.1
  - name: notification
  - name: checker
  - name: mainlog
  - name: api
    ca_host: none
    cert_name: "{{ inventory_hostname }}"
    force_newcert: no
    accept_config: true
    accept_commands: true
    endpoints:
      - name: NodeName
      - name: "{{ groups['icinga_masters'][1] }}"
        host: "{{ hostvars[groups['icinga_masters'][1]]['ansible_host'] }}"
      - name: "{{ groups['icinga_satellites'][0] }}"
        host: "{{ hostvars[groups['icinga_satellites'][0]]['ansible_host'] }}"
    zones:
      - name: ZoneName
        endpoints:
          - NodeName
          - "{{ groups['icinga_masters'][1] }}"
      - name: satellite
        parent: ZoneName
        endpoints:
          - "{{ groups['icinga_satellites'][0] }}"
      - name: global-templates
        global: true
      - name: director-global
        global: true

Host vars icingamaster01

# Variables for collection icinga role icinga2
icinga2_features:
  - name: icingadb
    host: 127.0.0.1
  - name: notification
  - name: checker
  - name: mainlog
  - name: api
    ca_host: "{{ groups['icinga_masters'][0] }}"
    cert_name: "{{ inventory_hostname }}"
    force_newcert: no
    accept_config: true
    accept_commands: true
    endpoints:
      - name: NodeName
      - name: "{{ groups['icinga_masters'][0] }}"
      - name: "{{ groups['icinga_satellites'][0] }}"
        host: "{{ hostvars[groups['icinga_satellites'][0]]['ansible_host'] }}"
    zones:
      - name: ZoneName
        endpoints:
          - "{{ groups['icinga_masters'][0] }}"
          - NodeName
      - name: satellite
        parent: ZoneName
        endpoints:
          - "{{ groups['icinga_satellites'][0] }}"
      - name: global-templates
        global: true
      - name: director-global
        global: true
Master01

/etc/icinga2/constants.conf

const PluginDir = "/usr/lib/nagios/plugins"
const ManubulonPluginDir = "/usr/lib/nagios/plugins"
const PluginContribDir = "/usr/lib/nagios/plugins"
const NodeName = "icingamaster01"
const ZoneName = "main"
const TicketSalt = "12345"

/etc/icinga2/zones.conf

object Endpoint NodeName {
}

object Endpoint "icingamaster02" {
  host = "192.168.2.81"
}

object Endpoint "icingasatellite" {
  host = "192.168.2.82"
}

object Zone ZoneName {
  endpoints = [ NodeName, "icingamaster02", ]
}

object Zone "director-global" {
  global = true
}

object Zone "global-templates" {
  global = true
}

object Zone "satellite" {
  parent = ZoneName
  endpoints = [ "icingasatellite", ]
}

/etc/icinga2/features-enabled/api.conf

object ApiListener "api" {
  accept_config = true
  accept_commands = true
  ticket_salt = TicketSalt
}

/var/lib/icinga2/icingadb.env

"db1afb3c781b8ab36b02a04d03f15d9636a9c6fc"

/etc/icinga2/local.d/api-users.conf

object ApiUser "ApiRootUser" {
  password = "987654"
  permissions = [ "*", ]
}
Master02

/etc/icinga2/constants.conf

const PluginDir = "/usr/lib/nagios/plugins"
const ManubulonPluginDir = "/usr/lib/nagios/plugins"
const PluginContribDir = "/usr/lib/nagios/plugins"
const NodeName = "icingamaster02"
const ZoneName = "main"
const TicketSalt = "12345"

/etc/icinga2/zones.conf

object Endpoint NodeName {
}

object Endpoint "icingamaster01" {
}

object Endpoint "icingasatellite" {
  host = "192.168.2.82"
}

object Zone ZoneName {
  endpoints = [ "icingamaster01", NodeName, ]
}

object Zone "director-global" {
  global = true
}

object Zone "global-templates" {
  global = true
}

object Zone "satellite" {
  parent = ZoneName
  endpoints = [ "icingasatellite", ]
}

/etc/icinga2/features-enabled/api.conf

object ApiListener "api" {
  accept_config = true
  accept_commands = true
  ticket_salt = TicketSalt
}

/var/lib/icinga2/icingadb.env

"db1afb3c781b8ab36b02a04d03f15d9636a9c6fc"

/etc/icinga2/local.d/api-users.conf

object ApiUser "ApiRootUser" {
  password = "987654"
  permissions = [ "*", ]
}
2

I hit the character limit. Here is the rest.

Deployment log from Downtimes

icingamaster01

master01

[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request GET /v1/config/packages (from [::ffff:192.168.2.80]:60084), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request DELETE /v1/config/stages/director/073070e1-f285-41e4-820d-26f3dc12d08e (from [::ffff:192.168.2.80]:60084), user: ApiRootUser, agent: , status: OK) took total 1ms.
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request GET /v1/config/packages (from [::ffff:192.168.2.80]:60084), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/001-director-basics.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/commands.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/service_templates.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/servicesets.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/timeperiods.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/director-global/user_templates.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/host_templates.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/notification_apply.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/notification_templates.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/scheduled_downtime_apply.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/services.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/main/users.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/satellite/agent_endpoints.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/satellite/agent_zones.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/satellite/host_templates.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/satellite/hosts.conf
[2025-05-25 12:05:03 +0200] information/ConfigPackageUtility: Updating configuration file: /var/lib/icinga2/api/packages/director/f541c51c-bce5-4ba8-930c-3276caa98d62/zones.d/satellite/servicesets.conf
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request POST /v1/config/stages/director (from [::ffff:192.168.2.80]:60084), user: ApiRootUser, agent: , status: OK) took total 17ms.
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: HTTP client disconnected (from [::ffff:192.168.2.80]:60084)
[2025-05-25 12:05:03 +0200] information/ApiListener: New client connection from [::ffff:192.168.2.80]:60088 (no client certificate)
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request GET /v1/ (from [::ffff:192.168.2.80]:60088), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: Request GET /v1/config/packages (from [::ffff:192.168.2.80]:60088), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:03 +0200] information/HttpServerConnection: HTTP client disconnected (from [::ffff:192.168.2.80]:60088)
[2025-05-25 12:05:05 +0200] information/Application: Received request to shut down.
[2025-05-25 12:05:05 +0200] information/Application: Shutting down...
[2025-05-25 12:05:05 +0200] information/CheckerComponent: 'checker' stopped.
[2025-05-25 12:05:05 +0200] information/NotificationComponent: 'notification' stopped.
[2025-05-25 12:05:05 +0200] information/IcingaDB: Flushing history data buffer to Redis.
[2025-05-25 12:05:05 +0200] information/IcingaDB: 'icingadb' stopped.
[2025-05-25 12:05:05 +0200] information/ApiListener: 'api' stopped.
[2025-05-25 12:05:05 +0200] information/FileLogger: 'main-log' started.
[2025-05-25 12:05:05 +0200] information/ApiListener: 'api' started.
[2025-05-25 12:05:05 +0200] information/ApiListener: Copying 6 zone configuration files for zone 'main' to '/var/lib/icinga2/api/zones/main'.
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/host_templates.conf
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/notification_apply.conf
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/notification_templates.conf
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/scheduled_downtime_apply.conf
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/services.conf
[2025-05-25 12:05:05 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/main//director/users.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Copying 6 zone configuration files for zone 'director-global' to '/var/lib/icinga2/api/zones/director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/001-director-basics.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/commands.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/service_templates.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/servicesets.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/timeperiods.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/director-global//director/user_templates.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Copying 5 zone configuration files for zone 'satellite' to '/var/lib/icinga2/api/zones/satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/satellite//director/agent_endpoints.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/satellite//director/agent_zones.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/satellite//director/host_templates.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/satellite//director/hosts.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Updating configuration file: /var/lib/icinga2/api/zones/satellite//director/servicesets.conf
[2025-05-25 12:05:06 +0200] information/ApiListener: Started new listener on '[::]:5665'
[2025-05-25 12:05:06 +0200] information/ApiListener: Reconnecting to endpoint 'icingamaster02' via host '192.168.2.81' and port '5665'
[2025-05-25 12:05:06 +0200] information/IcingaDB: 'icingadb' started.
[2025-05-25 12:05:06 +0200] information/ApiListener: Reconnecting to endpoint 'icingasatellite' via host '192.168.2.82' and port '5665'
[2025-05-25 12:05:06 +0200] information/IcingaDB: Trying to connect to Redis server (async) on host '127.0.0.1:6380'
[2025-05-25 12:05:06 +0200] information/NotificationComponent: 'notification' started.
[2025-05-25 12:05:06 +0200] information/CheckerComponent: 'checker' started.
[2025-05-25 12:05:06 +0200] information/ConfigItem: Activated all objects.
[2025-05-25 12:05:06 +0200] information/IcingaDB: Connected to Redis server
[2025-05-25 12:05:06 +0200] information/ApiListener: New client connection for identity 'icingamaster02' to [192.168.2.81]:5665
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished reconnecting to endpoint 'icingamaster02' via host '192.168.2.81' and port '5665'
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: Requesting new certificate for this Icinga instance from endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending config updates for endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for zone 'main' to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'director-global' to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: Received certificate request for CN 'icingamaster02' signed by our CA.
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: The certificates for CN 'icingamaster02' and its root CA are valid and uptodate. Skipping automated renewal.
[2025-05-25 12:05:06 +0200] information/ApiListener: New client connection for identity 'icingasatellite' to [192.168.2.82]:5665
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished reconnecting to endpoint 'icingasatellite' via host '192.168.2.82' and port '5665'
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending config updates for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'director-global' to endpoint 'icingasatellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for zone 'satellite' to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending config file updates for endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing runtime objects to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingamaster02'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending replay log for endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing endpoint 'icingamaster02' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for zone 'satellite' to endpoint 'icingasatellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'icingasatellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending config file updates for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing runtime objects to endpoint 'icingasatellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingasatellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending replay log for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/IcingaDB: Starting initial config/status dump
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: Received certificate request for CN 'icingasatellite' signed by our CA.
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: The certificates for CN 'icingasatellite' and its root CA are valid and uptodate. Skipping automated renewal.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying config update from endpoint 'icingamaster02' of zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster02' for zone 'director-global' because we have an authoritative version of the zone's config.
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration for zone 'global-templates' from endpoint 'icingamaster02'. Comparing the timestamp and checksums.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/global-templates' (0 Bytes).
[2025-05-25 12:05:06 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster02' for zone 'satellite' because we have an authoritative version of the zone's config.
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration updates (1) from endpoint 'icingamaster02' are equal to production, skipping validation and reload.
[2025-05-25 12:05:06 +0200] information/IcingaDB: Initial config/status dump finished in 0.207343 seconds.
[2025-05-25 12:05:06 +0200] information/ApiListener: New client connection from [::ffff:192.168.2.80]:37348 (no client certificate)
[2025-05-25 12:05:06 +0200] information/HttpServerConnection: Request GET /v1/ (from [::ffff:192.168.2.80]:37348), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:06 +0200] information/HttpServerConnection: Request GET /v1/config/packages (from [::ffff:192.168.2.80]:37348), user: ApiRootUser, agent: , status: OK) took total 0ms.
[2025-05-25 12:05:06 +0200] information/HttpServerConnection: HTTP client disconnected (from [::ffff:192.168.2.80]:37348)

[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!File Ownership!0887342c-9ea4-4d2d-ab45-e8b8a3683250' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!File Ownership!0887342c-9ea4-4d2d-ab45-e8b8a3683250' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!About me!23a7e49b-bc8d-4ae9-8cf9-a05e522f38a7' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!About me!23a7e49b-bc8d-4ae9-8cf9-a05e522f38a7' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Systemd Units Failed!aac732da-de3d-4e1a-9d73-3d6bd33ffe97' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Systemd Units Failed!aac732da-de3d-4e1a-9d73-3d6bd33ffe97' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Systemd Unit - sshd.service!88b8f3bc-5685-43a7-8fd2-b23fd44cf0e3' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Systemd Unit - sshd.service!88b8f3bc-5685-43a7-8fd2-b23fd44cf0e3' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Network I/O!26432883-0824-440d-a65d-d56fdd37ecb4' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Network I/O!26432883-0824-440d-a65d-d56fdd37ecb4' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Network Connections!7e134cea-4c43-4d02-9ba6-8d01c52821ce' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Network Connections!7e134cea-4c43-4d02-9ba6-8d01c52821ce' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!DNS!1251596b-6b0c-4186-b90e-a63e31c280d1' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!DNS!1251596b-6b0c-4186-b90e-a63e31c280d1' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!CPU Usage!c5e25453-557b-4695-a539-38dc599a96d0' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!CPU Usage!c5e25453-557b-4695-a539-38dc599a96d0' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!FS Inodes!23a0f054-e2e2-4549-8a12-0c674b471455' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!FS Inodes!23a0f054-e2e2-4549-8a12-0c674b471455' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Icinga!66292af0-43f5-4d36-8a16-f2ede59f8bba' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Icinga!66292af0-43f5-4d36-8a16-f2ede59f8bba' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!bee53753-0b26-4146-98ff-57c553b15cd5' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!bee53753-0b26-4146-98ff-57c553b15cd5' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Procs!d2c54d5d-b5a4-4f59-bbce-4d6e496e2952' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/Downtime: Added downtime 'icingaclient!Procs!d2c54d5d-b5a4-4f59-bbce-4d6e496e2952' between '2025-05-25 14:00:00' and '2025-05-25 14:30:00', author: 'admin', fixed

icingamaster02

master02

[2025-05-25 12:05:05 +0200] warning/ApiListener: Removing API client for endpoint 'icingamaster01'. 0 API clients left.
[2025-05-25 12:05:05 +0200] warning/JsonRpcConnection: API client disconnected for identity 'icingamaster01'
[2025-05-25 12:05:06 +0200] information/ApiListener: New client connection for identity 'icingamaster01' from [::ffff:192.168.2.80]:44610
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: Requesting new certificate for this Icinga instance from endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending config updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'director-global' to endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: Received certificate request for CN 'icingamaster01' signed by our CA.
[2025-05-25 12:05:06 +0200] information/JsonRpcConnection: The certificates for CN 'icingamaster01' and its root CA are valid and uptodate. Skipping automated renewal.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing configuration files for zone 'satellite' to endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending config file updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Syncing runtime objects to endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingamaster01'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Sending replay log for endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Finished syncing endpoint 'icingamaster01' in zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying config update from endpoint 'icingamaster01' of zone 'main'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration for zone 'director-global' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/001-director-basics.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/commands.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/service_templates.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/servicesets.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/timeperiods.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/user_templates.conf' for zone 'director-global'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/director-global' (885753 Bytes).
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration for zone 'global-templates' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/global-templates' (0 Bytes).
[2025-05-25 12:05:06 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster01' for zone 'main' because we have an authoritative version of the zone's config.
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration for zone 'satellite' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/agent_endpoints.conf' for zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/agent_zones.conf' for zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/host_templates.conf' for zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/hosts.conf' for zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/servicesets.conf' for zone 'satellite'.
[2025-05-25 12:05:06 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/satellite' (6591 Bytes).
[2025-05-25 12:05:06 +0200] information/ApiListener: Received configuration updates (3) from endpoint 'icingamaster01' are equal to production, skipping validation and reload.

[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!File Ownership!0887342c-9ea4-4d2d-ab45-e8b8a3683250' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!About me!23a7e49b-bc8d-4ae9-8cf9-a05e522f38a7' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Systemd Units Failed!aac732da-de3d-4e1a-9d73-3d6bd33ffe97' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Systemd Unit - sshd.service!88b8f3bc-5685-43a7-8fd2-b23fd44cf0e3' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Network I/O!26432883-0824-440d-a65d-d56fdd37ecb4' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Network Connections!7e134cea-4c43-4d02-9ba6-8d01c52821ce' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!DNS!1251596b-6b0c-4186-b90e-a63e31c280d1' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!CPU Usage!c5e25453-557b-4695-a539-38dc599a96d0' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!FS Inodes!23a0f054-e2e2-4549-8a12-0c674b471455' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Icinga!66292af0-43f5-4d36-8a16-f2ede59f8bba' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!bee53753-0b26-4146-98ff-57c553b15cd5' of type 'Downtime'.
[2025-05-25 12:06:06 +0200] information/ConfigObjectUtility: Created and activated object 'icingaclient!Procs!d2c54d5d-b5a4-4f59-bbce-4d6e496e2952' of type 'Downtime'.
3

Hi,

Could you clarify how many mysql databases you have, and if you have two, how they are synchronised?
Also, do you run Director on both masters at the same time?

Thank you,

Jean

4

Hi,

I run one mariadb instance on each master in a galera-cluster.

The director runs on both masters as per Deployment architecture - Director HA icinga Web servers - #2 by log1c. Both setups are identical from what is deployed.

I noticed a small error in my config and adjusted the kickstart config endpoint / host to icingamaster01 (as per group_var this is rolled out to both). But this did not change anything so far for i.e. the downtime situation mentioned above. I made several config deployments yesterday.

icingaweb2_modules:
  director:
    enabled: true
    source: package
    import_schema: true
    run_kickstart: true
    kickstart:
      config:
        endpoint: "{{ groups['icinga_masters'][0] }}"
        host: "{{ hostvars[groups['icinga_masters'][0]]['ansible_host'] }}"
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
    config:
      db:
        resource: director_db

One thing that is left now which could be the problem but I do not find a proper explanation is the command transports from the icingadb module. ansible-collection-icinga/doc/role-icingaweb2/module-icingadb.md at b2ce676ffb52173bc3ec01c285c39a4677c04607 · Icinga/ansible-collection-icinga · GitHub

Or do I get this right and I need to configure two command transports? One to the primary, one to the secondary? Configuration - Icinga DB Web

EDIT: I just rendered the config again

Last Render

master01

[2025-05-26 11:49:43 +0200] information/IcingaDB: Starting initial config/status dump
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingasatellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Sending replay log for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing endpoint 'icingasatellite' in zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingamaster02'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingamaster02' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Sending replay log for endpoint 'icingamaster02' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingamaster02' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing endpoint 'icingamaster02' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying config update from endpoint 'icingamaster02' of zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster02' for zone 'director-global' because we have an authoritative version of the zone's config.
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration for zone 'global-templates' from endpoint 'icingamaster02'. Comparing the timestamp and checksums.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/global-templates' (0 Bytes).
[2025-05-26 11:49:43 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster02' for zone 'satellite' because we have an authoritative version of the zone's config.
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration updates (1) from endpoint 'icingamaster02' are equal to production, skipping validation and reload.

master02

[2025-05-26 11:49:43 +0200] information/ApiListener: New client connection for identity 'icingamaster01' from [::ffff:192.168.2.80]:59140
[2025-05-26 11:49:43 +0200] information/JsonRpcConnection: Requesting new certificate for this Icinga instance from endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Sending config updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Syncing configuration files for global zone 'director-global' to endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/JsonRpcConnection: Received certificate request for CN 'icingamaster01' signed by our CA.
[2025-05-26 11:49:43 +0200] information/JsonRpcConnection: The certificates for CN 'icingamaster01' and its root CA are valid and uptodate. Skipping automated renewal.
[2025-05-26 11:49:43 +0200] information/ApiListener: Syncing configuration files for zone 'satellite' to endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Syncing configuration files for global zone 'global-templates' to endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending config file updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Syncing runtime objects to endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'icingamaster01'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Sending replay log for endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished sending replay log for endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Finished syncing endpoint 'icingamaster01' in zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying config update from endpoint 'icingamaster01' of zone 'main'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration for zone 'director-global' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/001-director-basics.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/commands.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/service_templates.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/servicesets.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/timeperiods.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/director-global//director/user_templates.conf' for zone 'director-global'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/director-global' (887464 Bytes).
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration for zone 'global-templates' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/global-templates' (0 Bytes).
[2025-05-26 11:49:43 +0200] information/ApiListener: Ignoring config update from endpoint 'icingamaster01' for zone 'main' because we have an authoritative version of the zone's config.
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration for zone 'satellite' from endpoint 'icingamaster01'. Comparing the timestamp and checksums.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/agent_endpoints.conf' for zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/agent_zones.conf' for zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/host_templates.conf' for zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/hosts.conf' for zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Stage: Updating received configuration file '/var/lib/icinga2/api/zones-stage/satellite//director/servicesets.conf' for zone 'satellite'.
[2025-05-26 11:49:43 +0200] information/ApiListener: Applying configuration file update for path '/var/lib/icinga2/api/zones-stage/satellite' (6591 Bytes).
[2025-05-26 11:49:43 +0200] information/ApiListener: Received configuration updates (3) from endpoint 'icingamaster01' are equal to production, skipping validation and reload.

Why does master02 state: Ignoring config update from endpoint 'icingamaster01' for zone 'main' because we have an authoritative version of the zone's config.

master01

/var/lib/icinga2/api/zones/director-global/.authoritative
/var/lib/icinga2/api/zones/main/.authoritative
/var/lib/icinga2/api/zones/satellite/.authoritative

master02
no result

5

Imo there should be three nodes in a galera cluster, or you could run into a split brain scenario pretty quick.

Check your /etc/icinga2/features-enabled/api.conf on both systems.
Both files should have

  accept_config = true
  accept_commands = true

in them

6

I might think about that, but only if this would be the culprit for the problem here. The reason for the setup is that both masters are physical infrastructure, while the primary master is supported by a UPS (might get added to the secondary master, too, but only the primary master has a notification gateway attached).

This is set on both systems as per my introduction. Please have a look there. Maybe I missed a config which could help here?

I already applied the changes mentioned above now in Director config not correctly applied in HA setup - #4 by thesefer

regards
sefer

7

Ah, missed the spoilers, sorry!

is this the actual path?
Did you include that in your icinga2.conf?
Do you have config under /etc/icinga2/zones.d|conf.d on you second master?
If so, that needs to be cleared (e.g. comment the include_recursive in icinga2.conf)

8

icinga2.conf: include_recursive "local.d" on both masters. Yes. The default one is not included per ansible-collection.Within resides the api-users.conf.

tree of /etc/icinga2/zones.d on both identical. Everything shall be director managed as of now.

/etc/icinga2/zones.d/
├── main
│   ├── commands
│   ├── hosts
│   └── services
└── README

EDIT:

I enabled debug log on both masters and started investigating Notifications because I see custom notifications triggered in the log but the command (which should fail on purpose) is not issued on neither the master01 or master02.

Debug Snipped 
[2025-05-26 20:20:15 +0200] notice/JsonRpcConnection: Received 'log::SetLogPosition' message from identity 'icingamaster02'.
[2025-05-26 20:20:15 +0200] debug/JsonRpcConnection: Processed JSON-RPC 'log::SetLogPosition' message for identity 'icingamaster02' (took total 0ms).
[2025-05-26 20:20:15 +0200] notice/JsonRpcConnection: Received 'log::SetLogPosition' message from identity 'icingasatellite'.
[2025-05-26 20:20:15 +0200] debug/JsonRpcConnection: Processed JSON-RPC 'log::SetLogPosition' message for identity 'icingasatellite' (took total 0ms).
[2025-05-26 20:20:15 +0200] notice/CheckerComponent: Pending checkables: 0; Idle checkables: 0; Checks/s: 0.333333
[2025-05-26 20:20:15 +0200] debug/ApiListener: Not checking connection to Zone 'director-global' because it's not in the same zone, a parent or a child zone.
[2025-05-26 20:20:15 +0200] debug/ApiListener: Not checking connection to Zone 'icingaclient' because it's not in the same zone, a parent or a child zone.
[2025-05-26 20:20:15 +0200] debug/ApiListener: Not checking connection to Zone 'global-templates' because it's not in the same zone, a parent or a child zone.
[2025-05-26 20:20:15 +0200] debug/IcingaDB: Firing and forgetting query: 'XADD' 'icinga:stats' 'MAXLEN' '1' '*' 'ApiListener' '{"perfdata":[{"counter":false,"crit":null,"label":"api_num_co...' ...
[2025-05-26 20:20:15 +0200] notice/NotificationComponent: Reminder notification 'icingaclient!FS RO!notification-service (7x24)': HA cluster active, this endpoint does not have the authority (paused=true). Skipping.
[2025-05-26 20:20:15 +0200] notice/NotificationComponent: Reminder notification 'icingaclient!Kernel Ring Buffer (dmesg)!notification-service (7x24)': HA cluster active, this endpoint does not have the authority (paused=true). Skipping.
[2025-05-26 20:20:15 +0200] notice/NotificationComponent: Reminder notification 'icingaclient!notification-host (7x24)': HA cluster active, this endpoint does not have the authority (paused=true). Skipping.
[2025-05-26 20:20:15 +0200] notice/ApiListener: Setting log position for identity 'icingamaster02': 2025/05/26 20:20:13
[2025-05-26 20:20:15 +0200] notice/ApiListener: Setting log position for identity 'icingasatellite': 2025/05/26 19:58:08

I reverted back to a single master setup (shutting down master02, removing from all configs) and almost instantly all notifications work and downtimes are applied correctly.

Honestly I think about doing this at work, too. I am testing in my private lab for a month now and HA simply does not work no matter what I try. It could be very much on my side, but I have never seen a working example anywhere nor configs supplied by others. Maybe HA just isn’t ready.

9

This will be the culprit.
Only the config master is allowed to have config in zones.d
I’m not sure about the local.d directory, but I would move the api-user.conf to zones.d/main on the config master.

From Distributed Monitoring - Icinga 2
Overview:

  • icinga2-master1.localdomain is the config master master node.
  • icinga2-master2.localdomain is the secondary master master node without config in zones.d.
  • icinga2-agent1.localdomain and icinga2-agent2.localdomain are two child nodes as agents.

And from: Troubleshooting - Icinga 2
Typical errors are:

  • The api feature doesn’t accept config. This is logged into /var/lib/icinga2/icinga2.log.
  • The received configuration zone is not configured in zones.conf and Icinga denies it. This is logged into /var/lib/icinga2/icinga2.log.
  • The satellite/agent has local configuration in /etc/icinga2/zones.d and thinks it is authoritive for this zone. It then denies the received update. Purge the content from /etc/icinga2/zones.d, /var/lib/icinga2/api/zones/* and restart Icinga to fix this.
  • Configuration parts stored outside of /etc/icinga2/zones.d on the master, for example a constant in /etc/icinga2/constants.conf, are then missing on the satellite/agent.
10

You are right about the distributed monitoring section. But no config resides there. I commented it out and just left local.d on both with api-users.conf (since this feature is active as per High-Availability for Icinga 2 Features).

As per The conf.d Directory the default is excluded and via the help of the collection the local.d gets created. The folder zones.d is being autocreated with a README inside (from the debian package itself). So for the moment I doubt that this will be a problem for the tests.

I went ahead and wiped both masters and tried:

  • zones.d on default on both (since its empty anyways and not needed for kickstart), api-users in local.d
    • Notifications seem to be load balanced now (though I have to dig further here, won’t help if only master01 has the notification gateway attached and looses connection to master02 due to an outage)
    • downtime applied to everything

So what I changed now:

Changed the kickstart config to icingamaster01 for both. I don’t know whether this was necessary, I would to test each scenario otherwise.

Director Kickstart 
  director:
    enabled: true
    source: package
    import_schema: true
    run_kickstart: true
    kickstart:
      config:
        endpoint: "{{ groups['icinga_masters'][0] }}"
        host: "{{ hostvars[groups['icinga_masters'][0]]['ansible_host'] }}"
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
    config:
      db:
        resource: director_db

Commandtransports config pointing to icingamaster01 and icingamaster02 (backup) for both

IcingaDB commandtransports 
  icingadb:
    enabled: true
    source: package
    commandtransports:
      icingamaster01:
        transport: api
        host: "{{ hostvars[groups['icinga_masters'][0]]['ansible_host'] }}"
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
      icingamaster02:
        transport: api
        host: "{{ hostvars[groups['icinga_masters'][1]]['ansible_host'] }}"
        username: "{{ icinga2__api_root_user }}"
        password: "{{ icinga2__api_root_password }}"
    config:
      icingadb:
        resource: icingadb
      redis:
        tls: '0'
    redis:
      redis1:
        host: 127.0.0.1

On both I removed zones.d config directory creation by the collection, kept the local.d config directory for api-users.conf on both (Not sure whether both icinga masters need that api-users.conf).
This change made the difference and notifications/downtimes seem to work now

Icinga2 Config Directories 
icinga2_confd: local.d
icinga2_purge_features: yes
icinga2_config_directories:
  - "{{ icinga2_confd }}"

When I’m back at work next week I’ll try to replicate this setup. I hope I do not have to wipe everything again because hosts are not automated yet and I would have to re-add our infrastructure manually (since for whatever reason the director cannot export host objects oO)

Thank you very much @log1c for your help so far. I’ll report back if it doesn’t work at work.

11

Hosts should be save in the director DB.

Host agents are verified by the PKI so save the CA certificate and key from the master before wiping.

12

Even the empty folders in the zones.d directory will afaik trigger your experienced behaviour.

Yes, that is also necessary. The Director must only be connected to the config master.

That is correct, otherwise you wouldn’t be able to issue re-checks/downtimes/acks if the primary endpoint (see web: /health#!/icingadb/health) is not available.

They do, as you use this user for the Director and the command transport.

As Dominik said, unless your purge your Director database, the hosts will be there.
Tinkering with the Icinga Core usally doesn’t impact the Director. Only changes to the zone/endpoint structure should be imported into the Director via kickstart.

Imo you don’t need to wipe/clean the whole cluster.
Simply empty the zones.d directory on the secondary master and clean the /var/lib/icinga2/api/zones folder and you should be good to go.

13

During my tests this was fine for the last 24hours.

It is being shipped by the debian package icinga2-common on every client. If it would be a general problem it wouldn’t (and shouldn’t) be shipped I guess. And on an update this folder will be back.

Thanks for all other clarifications made! I am now sure I can repair the setup without any further troubles in a few days.