Hello everyone. For several years I have been using the Icinga2 stack for monitoring servers, and I have noticed incorrect behavior for a while now, but only today decided to write about it here and ask for a possible solution.
Sometimes there is a need to clone an existing virtual machine which is already monitored by an Icinga2 agent. It works as it should, but a problem arises when I boot up the cloned virtual machine. Now both the original VM's agent and the new cloned one send the same data, and the Icinga2 server aggregates both under the original host. After that I have flapping status of ssh, apt, http … on the original VM's services. My assumption is that the Icinga2 server accepts any input if it has a handshake with the agent (the original VM's key is signed with the icinga2 ca sign command), even though the new source had a different IP address. For me, the expected behavior is a failed handshake if the host has either a different host name or an IP address other than the one specified in the Icinga2 server's configuration (for configuring I use Icinga Director).
My question is: can I somehow enforce/configure the Icinga2 server to further check and restrict that it communicates with the originally configured agent, other than having a signed certificate?
To reproduce this problem you need a VM which is already monitored by Icinga2, and clone it. The new VM should have the same network access to the Icinga2 server (bidirectional port 5665 TCP).
PS: I have “establish connection” set to yes in Icinga Director > host > icinga agent and zone settings.
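
A detection sketch for the situation described in the post, added here as an example and not part of the original post or of Icinga's own code: it flags agent certificate identities that connect to the master from more than one source address, or from an address other than the one on record. The log line shape, host names and addresses are assumptions constructed for illustration, and it only covers connections the agent opens towards the master.

```python
import re
from collections import defaultdict

# Assumed shape of the master's inbound-connection log line; verify it
# against your own icinga2.log before relying on this pattern.
CONN_RE = re.compile(
    r"New client connection for identity '(?P<cn>[^']+)' "
    r"from \[(?P<ip>[^\]]+)\]:\d+"
)

# Constructed sample log; host names and addresses are made up.
SAMPLE_LOG = """\
[2024-05-01 10:00:01 +0000] information/ApiListener: New client connection for identity 'web01.example.org' from [10.0.0.11]:40112
[2024-05-01 10:00:03 +0000] information/ApiListener: New client connection for identity 'db01.example.org' from [10.0.0.12]:51820
[2024-05-01 10:05:01 +0000] information/ApiListener: New client connection for identity 'web01.example.org' from [::ffff:10.0.0.11]:40950
[2024-05-01 10:07:44 +0000] information/ApiListener: New client connection for identity 'web01.example.org' from [10.0.0.57]:33018
[2024-05-01 10:07:45 +0000] information/ConfigObject: Dumping program state to file
"""

def normalize_ip(ip):
    # Treat an IPv4-mapped IPv6 address as the plain IPv4 address.
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def sources_by_identity(lines):
    """Map each certificate identity (CN) to the set of source IPs seen."""
    seen = defaultdict(set)
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            seen[m.group("cn")].add(normalize_ip(m.group("ip")))
    return seen

def find_shared_identities(lines, expected=None):
    """Return {cn: sorted IPs} for identities seen from more than one
    address, or from an address that differs from expected[cn]."""
    expected = expected or {}
    findings = {}
    for cn, ips in sources_by_identity(lines).items():
        unexpected = ips - {expected[cn]} if cn in expected else set()
        if len(ips) > 1 or unexpected:
            findings[cn] = sorted(ips)
    return findings

if __name__ == "__main__":
    for cn, ips in find_shared_identities(SAMPLE_LOG.splitlines()).items():
        print(f"identity {cn} seen from: {', '.join(ips)}")
```

The optional `expected` mapping (a hypothetical inventory of CN to configured address) catches a clone even when the original VM is powered off.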