Hello team,
we followed the instructions from https://icinga.com/blog/2020/10/01/how-to-set-up-high-availability-masters/ to add a second master to our environment. But it seems that the old master (monit1) doesn’t accept config updates from the new master (monit2). Neither the new master host with it services appear in icingaweb nor a new test host I creaeted on the new master.
In the logs from master 1 I see when the new master restarts:
[2022-07-28 17:02:22 +0200] information/ApiListener: New client connection for identity 'monit2' from [::ffff:192.168.9.78]:50364
[2022-07-28 17:02:22 +0200] information/JsonRpcConnection: Requesting new certificate for this Icinga instance from endpoint 'monit2'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Sending config updates for endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Syncing configuration files for zone 'monit1' to endpoint 'monit2'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Syncing configuration files for global zone 'director-global' to endpoint 'monit2'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Finished sending config file updates for endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Syncing runtime objects to endpoint 'monit2'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Finished syncing runtime objects to endpoint 'monit2'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Finished sending runtime config updates for endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Sending replay log for endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Replayed 64 messages.
[2022-07-28 17:02:22 +0200] information/ApiListener: Finished sending replay log for endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Finished syncing endpoint 'monit2' in zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/JsonRpcConnection: Received certificate request for CN 'monit2' signed by our CA.
[2022-07-28 17:02:22 +0200] information/JsonRpcConnection: The certificate for CN 'monit2' is valid and uptodate. Skipping automated renewal.
[2022-07-28 17:02:22 +0200] information/ApiListener: Applying config update from endpoint 'monit2' of zone 'monit1'.
[2022-07-28 17:02:22 +0200] information/ApiListener: Ignoring config update from endpoint 'monit2' for zone 'director-global' because we have an authoritative version of the zone's config.
[2022-07-28 17:02:22 +0200] information/ApiListener: Ignoring config update from endpoint 'monit2' for zone 'monit1' because we have an authoritative version of the zone's config.
[2022-07-28 17:02:22 +0200] information/ApiListener: Received configuration updates (0) from endpoint 'monit2' are equal to production, skipping validation and reload.
What I tried to solve the problem witout success on both masters:
(It was accept_config = false before on the old master)
/etc/icinga2/features-available/api.conf
object ApiListener "api" {
accept_config = true
accept_commands = false
ticket_salt = TicketSalt
}
- setting the TicketSalt in constants.conf (same value as on old master - I don’t know if thats the right way?)
- changing the object Zone in constants.conf so that it matches with the old master
My zones configs look like this:
new master:
object Endpoint "monit1" {
host = "192.168.9.77"
port = "5665"
}
object Zone "monit1" {
endpoints = [ "monit1", "monit2" ]
}
object Endpoint "monit2" {
}
object Zone "global-templates" {
global = true
}
object Zone "director-global" {
global = true
}
old master:
object Endpoint "monit1" {
}
object Endpoint "monit2" {
host = "monit2"
}
object Zone "monit1" {
endpoints = [ "monit1", "monit2" ]
}
object Zone "global-templates" {
global = true
}
object Zone "director-global" {
global = true
}
Additionally, since we have icinga2 running on the new master, we also have some checks, especially for the old master, that are overdue. When clicking on “check now” for these overdue checks we get: Can’t send external Icinga command: 404 No objects found. We didn’t have overdue checks when there was only one master. When stopping icinga2 on the new master “check now” works again and there are no overdue checks anymore. Maybe this problem is related.
What did I wrong?
I juist want to make sure the new master also appears in icingaweb with all its (default) services and maybe later when I deploy with Icinga director on master2 I also have the changes on master1.
Really appreciate your help
Markus