- Version used (icinga2 --version)
icinga2 - The Icinga 2 network monitoring daemon (version: v2.13.3)
Copyright (c) 2012-2022 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
System information:
Platform: Debian GNU/Linux
Platform version: 11 (bullseye)
Kernel: Linux
Kernel version: 5.4.0-120-generic
Architecture: x86_64
Build information:
Compiler: GNU 10.2.1
Build host: 510a6fe8b7f5
OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
Application information:
General paths:
Config directory: /etc/icinga2
Data directory: /var/lib/icinga2
Log directory: /var/log/icinga2
Cache directory: /var/cache/icinga2
Spool directory: /var/spool/icinga2
Run directory: /run/icinga2
Old paths (deprecated):
Installation root: /usr
Sysconf directory: /etc
Run directory (base): /run
Local state directory: /var
Internal paths:
Package data directory: /usr/share/icinga2
State path: /var/lib/icinga2/icinga2.state
Modified attributes path: /var/lib/icinga2/modified-attributes.conf
Objects path: /var/cache/icinga2/icinga2.debug
Vars path: /var/cache/icinga2/icinga2.vars
PID path: /run/icinga2/icinga2.pid
- Operating System and version
Using docker image icinga/icinga2
We are testing the viability of using an Icinga2 container deployed as an Agent at remote locations. The check(s) performed against the remote device downstream from the Agent host will be:
- ICMP using hostalive4
- SNMP OID queries using ‘check_snmp’
‘check_snmp’ requires the presence of snmp in the container, which is not there by default. An extended version of the ‘icinga/icinga2’ container was made.
- Using a certificate from the established master ‘ca.crt’.
Here is the Dockerfile
FROM icinga/icinga2 AS icinga-snmp
USER root
RUN apt update;\
apt -y install snmp
RUN apt clean;\
rm -vrf /var/lib/apt/lists/*
USER icinga
CMD ["icinga2", "daemon"]
After building the Dockerfile for the Agent host, when initiating the Agent the steps fail for lack of a credible certificate:
docker run --rm --name icinga-agent -h velolabdock07 -e ICINGA_ZONE=master -e ICINGA_ENDPOINT=icinga-master,velolabdock04.lab.local,5665 -e ICINGA_TICKET="2bc97d05d4cb3587f10af6aa5046be33399b5644" icinga-snmp
The container stops, as expected, due to the lack of a credible Certificate Authority:
Please copy the public CA certificate from your master/satellite
into '/var/lib/icinga2/certs//ca.crt' before starting Icinga 2.
But when the container is started with an explicit mapping to a valid certificate
docker run --rm --name icinga-agent -h velolabdock07 -e ICINGA_ZONE=master -e ICINGA_ENDPOINT=icinga-master,velolabdock04.lab.local,5665 -e ICINGA_TICKET="2bc97d05d4cb3587f10af6aa5046be33399b5644" icinga-snmp -v /docker-data/certs/ca.crt:/data/var/lib/icinga2/certs/ca.crt
The initialization process fails due to ‘mkdir’ permissions
[2022-06-25 14:56:36 +0000] critical/DockerEntrypoint: mkdir /data/var/cache: permission denied
The same thing happens when adding CA certificate during the extended container build
FROM icinga/icinga2 AS icinga-snmp
USER root
RUN apt update;\
apt -y install snmp
RUN apt clean;\
rm -vrf /var/lib/apt/lists/*
USER icinga
ADD ca.crt /data/var/lib/icinga2/certs/ca.crt
CMD ["icinga2", "daemon"]
Additionally, if ‘USER root’ instead of ‘USER icinga’ is used to initiate the extended container, the same permissions failures cause the container to stop. What step or process is missing to get a working Icinga2 container that has ‘check_snmp’ and can be deployed as a Top-Down Agent?