Hi,
I am having some problems trying to configure the Icinga agent with Puppet. I have this in my manifest:
class hg_winmonit::agent {
  exec { 'PowerTools Epel':
    command => "/bin/dnf install -y 'dnf-command(config-manager)' & /bin/dnf config-manager --set-enabled PowerTools",
  }
  $icinga_source = $facts['os']['distro']['release']['major'] ? {
    '8' => 'https://packages.icinga.com/epel/icinga-rpm-release-8-latest.noarch.rpm',
    '7' => 'https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm'
  }
  package { 'icinga-rpm-release':
    name => 'icinga-rpm-release',
    ensure => 'installed',
    provider => 'rpm',
    source => $icinga_source,
  }
  package { 'epel-release': }
  # Fix ownership that otherwise prevents icinga2 service to start
  $conf_dir = '/etc/icinga2'
  File <| title == "${conf_dir}/constants.conf" |> {
    owner => 'icinga',
    group => 'icinga',
  }
  File <| title == "${conf_dir}/icinga2.conf" |> {
    owner => 'icinga',
    group => 'icinga',
  }
  File <| title == "${conf_dir}/features-enabled" |> {
    owner => 'icinga',
    group => 'icinga',
  }
  class { '::icinga2':
    manage_repo => true,
    manage_package => true,
    manage_selinux => true,
    confd => false,
    features => ['checker','mainlog','notification','statusdata','compatlog','command'],
    constants => {
      'NodeName' => $facts['fqdn'],
      'ZoneName' => 'master',
      'TicketSalt' => 'Managed in api.conf',
    },
  }
  $api_conf = '/etc/icinga2/features-available/api.conf'
  File <| title == $api_conf |> {
    path => "${teigi_temp}/api.conf",
  }
  teigi::secret::sub_file { $api_conf:
    content => template('hg_winmonit/api.conf.erb'),
    teigi_keys => ["icinga2_ticketsalt_prod"],
    owner => 'icinga',
    group => 'icinga',
  }
  $master_cert = '<master1>'
  $second_master = '<master2>'
  $master1_ip = '<ip1>'
  $master2_ip = '<ip2>'
  class { '::icinga2::feature::api':
    pki => 'none',
    ca_host => $master_ip,
    #ticket_salt => 'Managed in api.conf',
    ensure => 'present',
    accept_config => true,
    accept_commands => true,
    endpoints => {
      "${facts['fqdn']}" => {},
      "${master_cert}" => {
        'host' => $master1_ip,
      },
      "${second_master}" => {
        'host' => $master2_ip,
      }
    },
    zones => {
      'master' => {
        'endpoints' => [ $master_cert, $second_master ],
      },
    },
  }
  icinga2::object::zone { 'global-templates':
    global => true,
  }
  icinga2::object::zone { 'director-global':
    global => true,
  }
  icinga2::object::zone { "${facts['fqdn']}":
    parent => 'master',
    endpoints => ["${facts['fqdn']}",],
  }
}
I get an error for the certificate:
Error: Systemd start for icinga2 failed!
journalctl log for icinga2:
-- Logs begin at Wed 2021-09-15 09:36:03 CEST, end at Wed 2021-09-15 10:58:16 CEST. --
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Starting Icinga host/service/network monitoring system...
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Icinga application loader (version: 2.13.1-1)
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Loading configuration file(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/ConfigItem: Committing config item(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/SSL: Error on bio X509 AUX reading pem file '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: Error: Cannot get certificate from cert path: '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt'.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: Location: in /etc/icinga2/features-enabled/api.conf: 3:1-3:24
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(1): # This file is managed by Puppet. DO NOT EDIT.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(2):
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(3): object ApiListener "api" {
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: ^^^^^^^^^^^^^^^^^^^^^^^^
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(4): accept_commands = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(5): accept_config = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: 1 error
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/cli: Config validation failed. Re-run with 'icinga2 daemon -C' after fixing the config.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Failed with result 'exit-code'.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Failed to start Icinga host/service/network monitoring system.
Error: /Stage[main]/Icinga2::Service/Service[icinga2]/ensure: change from 'stopped' to 'running' failed: Systemd start for icinga2 failed!
I checked these links:
https://github.com/Icinga/puppet-icinga2
https://forge.puppet.com/modules/icinga/icinga2
But I can’t make it work. What is missing from the manifest?
Cheers,
Mike
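
Added example, not part of the original post or of the puppet-icinga2 module: the start-up failure in the log is a missing `<NodeName>.crt` under `/var/lib/icinga2/certs`, so a preflight check for the files the ApiListener loads can run before the service is started. The function name `check_api_certs` is hypothetical, and the `<NodeName>.key` and `ca.crt` file names are assumed from Icinga 2's default certificate layout rather than taken from the post.

```shell
#!/bin/sh
# Added example: preflight check for the files an Icinga 2 ApiListener loads.
# Usage: check_api_certs CERT_DIR NODE_NAME
# Prints one line per problem; returns 0 only if no problem was found.
check_api_certs() {
    dir=$1
    node=$2
    problems=0

    # Certificate, private key and CA certificate must all be present
    # and non-empty (file names are an assumption, see lead-in).
    for f in "$dir/$node.crt" "$dir/$node.key" "$dir/ca.crt"; do
        if [ ! -s "$f" ]; then
            echo "MISSING $f"
            problems=$((problems + 1))
        fi
    done

    # The private key must not be accessible to group or others.
    # Characters 5-10 of the ls mode string are the group/other bits.
    key="$dir/$node.key"
    if [ -f "$key" ]; then
        perms=$(ls -ld "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "PERMS $key is accessible to group/other ($perms)"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# On the agent from the log (directory and node name as they appear there):
#   check_api_certs /var/lib/icinga2/certs c8-agent3.cern.ch && icinga2 daemon -C
```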