HA - agent connection direction

jason.agility · June 16, 2021, 5:43pm

I have a question about HA icinga2 and agent connection direction.

I am current testing HA in a test environment and in my production environment my agents connect to the master.

object Endpoint "nms.internal" {
    host = "nms.internal"
}
object Zone "master" {
    endpoints = [ "nms.internal" ]
}

object Zone "global-templates" {
        global = true
}
object Zone "director-global" {
        global = true
}

/* Individual hosts */

object Endpoint "agent.internal" {
}
object Zone "agent.internal" {
        endpoints = [ "agent.internal" ]
        parent = "master"
}

Now once I deploy HA, is it possible to still have that connection direction? and it possible is a problem?

object Endpoint "master01.internal" {
    host = "172.30.0.136"
}
object Endpoint "master02.internal" {
    host = "172.30.0.137"
}

object Zone "master" {
        endpoints = [ "master01.internal","master02.internal" ]
}

object Endpoint "agent.internal" {
}

object Zone "agent.internal" {
        endpoints = [ "agent.internal" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

Version used (icinga2 --version) r2.12.4-1
Operating System and version 20.04.1 LTS (Focal Fossa)
Enabled features (icinga2 feature list) api checker ido-mysql influxdb mainlog notification
Icinga Web 2 version and modules (System - About) 2.8.2
Config validation (icinga2 daemon -C) valid
If you run multiple Icinga 2 instances, the zones.conf file (or icinga2 object list --type Endpoint and icinga2 object list --type Zone) from all affected nodes
config master

object Endpoint "nmstest01.agilitypr.internal" {
}
object Endpoint "nmstest02.agilitypr.internal" {

        host = "172.30.0.137"

}
object Zone "master" {
    endpoints = [ "nmstest01.agilitypr.internal","nmstest02.agilitypr.internal" ]
}
object Zone "global-templates" {
        global = true
}

dgoetz · June 17, 2021, 6:35am

No, it is perfectly fine and what I always recommend to have the agent initialize the connect, so the master has no load while trying to connect to unavailable agents.

Another recommendation while you are touching every system, remove the global zones “global-templates” and “director-global” from the agent and use some more specific ones like “agent-linux” and “agent-windows” instead. By doing so not every global object is synced to the agent which reduces load especially caused by the reload after the sync and information leaked by the agent as it is not holding users and other objects.