Icinga2 docker container will not deploy due to folder permission

  • Version used (icinga2 --version)
icinga2 - The Icinga 2 network monitoring daemon (version: v2.13.3)

Copyright (c) 2012-2022 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Debian GNU/Linux
  Platform version: 11 (bullseye)
  Kernel: Linux
  Kernel version: 5.4.0-120-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 10.2.1
  Build host: 510a6fe8b7f5
  OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid
  • Operating System and version
    Using docker image icinga/icinga2

We are testing the viability of using an Icinga2 container deployed as an Agent at remote locations. The check(s) performed against the remote device downstream from the Agent host will be:

  • ICMP using hostalive4
  • SNMP OID queries using ‘check_snmp’
    ‘check_snmp’ requires the presence of snmp in the container, which is not there by default. An extended version of the ‘icinga/icinga2’ container was made.
  • Using a certificate from the established master ‘ca.crt’.

Here is the Dockerfile:

FROM icinga/icinga2 AS icinga-snmp
USER root
RUN apt update;\
        apt -y install snmp
RUN apt clean;\
        rm -vrf /var/lib/apt/lists/*

USER icinga
CMD ["icinga2", "daemon"]

After building the Dockerfile for the Agent host, when initiating the Agent the steps fail for lack of a credible certificate:

docker run --rm --name icinga-agent -h velolabdock07 -e ICINGA_ZONE=master -e ICINGA_ENDPOINT=icinga-master,velolabdock04.lab.local,5665 -e ICINGA_TICKET="2bc97d05d4cb3587f10af6aa5046be33399b5644" icinga-snmp

The container stops, as expected, due to the lack of a credible Certificate Authority:

Please copy the public CA certificate from your master/satellite
into '/var/lib/icinga2/certs//ca.crt' before starting Icinga 2.

But when the container is started with an explicit mapping to a valid certificate

docker run --rm --name icinga-agent -h velolabdock07 -e ICINGA_ZONE=master -e ICINGA_ENDPOINT=icinga-master,velolabdock04.lab.local,5665 -e ICINGA_TICKET="2bc97d05d4cb3587f10af6aa5046be33399b5644" icinga-snmp -v /docker-data/certs/ca.crt:/data/var/lib/icinga2/certs/ca.crt

The initialization process fails due to ‘mkdir’ permissions:

[2022-06-25 14:56:36 +0000] critical/DockerEntrypoint: mkdir /data/var/cache: permission denied

The same thing happens when adding the CA certificate during the extended container build:

FROM icinga/icinga2 AS icinga-snmp
USER root
RUN apt update;\
        apt -y install snmp
RUN apt clean;\
        rm -vrf /var/lib/apt/lists/*

USER icinga
ADD ca.crt /data/var/lib/icinga2/certs/ca.crt

CMD ["icinga2", "daemon"]

Additionally, if ‘USER root’ instead of ‘USER icinga’ is used to initiate the extended container, the same permissions failures cause the container to stop. What step or process is missing to get a working Icinga2 container that has ‘check_snmp’ and can be deployed as a Top-Down Agent?