Icinga2 satellites

Hi!

I am confused by how to register new endpoints to existing zones. I have 2 satellites in zone satellites (parent masters), need to automatically join other hosts to same zone by api, can I do it?

Regards,
Przemek

Hi @linkfan,
Could you describe your setup a bit (especially the icinga2 topology) and how exactly you would like to add Hosts?

I have 2 masters and 2 satellites, all configured in /etc/icinga2/zones.conf - now I need to have different satellites that will register via api and add them to same zone as 2 static satellites. I am getting errors that zone is configured in api catalog and /etc/icinga2/zones.conf. I need this because I want to share configs.

Regards,
Przemek

I really need help - I have setup: 2 masters - zone masters and satellites, both configs are in /etc/icinga2/zones.d/. I have docker compose with icinga2 configured to register by api - it is working ok, and I am creating endpoint and zone by API with parent satellites, but config is not synchronized. I am clueless :)

Regards,
Przemek

Take a look at icinga2-compose.

One key item between the Masters is the same ca.crt. I created shell scripts, that handle the setup. Just run the script on each Master and Satellite. And you will have an HA Cluster.

Yesterday I added some nrpe hosts to monitor.

BTW: This is not using the API yet. Just using the node wizard for now.

Hope it helps.

Especially when you use icinga-director it’s a little tricky to setup satellite zones.

  1. you have to add the zones manually on the master:
    ...
    object Endpoint "${SATELLITE_CN}" {
    }
    object Zone "${SATELLITE_ZONE}" {
    endpoints = [ "${SATELLITE_CN}" ]
    parent = "master"
    }
    ...
  2. restart master
  3. run Kickstart assistant in the director
  4. you need an API user to request a ticket later on:
    /etc/icinga2/conf.d/icingaweb-api-users.conf
    ...
    object ApiUser "satellite" {
      password = "${SATELLITE_API_PASSWORD}"
      permissions = [ "actions/generate-ticket" ]
    }
    ...

It took me quite some time to come up with a very basic install on the satellite. My docker-compose looks like this:

services:

  icinga2:
    image: icinga/icinga2
    container_name: icinga2
    hostname: "${SATELLITE_CN}"
    entrypoint: [ '/data/init.sh' ]
    environment:
      MONITORING_HOST: "${MONITORING_HOST}"
      SATELLITE_CN: "${SATELLITE_CN}"
      SATELLITE_ZONE: "${SATELLITE_ZONE}"
      SATELLITE_API_PASSWORD: "${SATELLITE_API_PASSWORD}"
    logging:
      driver: "json-file"
      options:
        max-file: "10"
        max-size: "1M"
    restart: always
    ports:
      - 5665:5665
    volumes:
      - ./files/icinga2-satellite/data:/data

The real stuff is happening in the init.sh
I am using the icinga/icinga2 Image. There is some basic customization for the cold-start.
For the certificates I use the generate-ticket endpoint on the master and then continue with the node setup using that ticket.
It looks like this:

#!/bin/bash

if ! [ -d /var/lib/icinga2/certs ] || ! [ -f /etc/icinga2/icinga2.conf ] ; then

	mkdir -p /data/var/{cache,log,run,spool}/icinga2
	mkdir -p /data/var/lib/icinga2/certs
	mkdir -p /data/etc/icinga2/features-{available,enabled}
	touch /data/etc/icinga2/features-available/api.conf

	cat <<EOF > /etc/icinga2/features-enabled/checker.conf
object CheckerComponent "checker" { }
EOF

	cat <<EOF > /etc/icinga2/icinga2.conf
include "constants.conf"
include "zones.conf"
include "features-enabled/*.conf"
include <itl>
include <plugins>
include <plugins-contrib>
EOF

	cat <<EOF > /etc/icinga2/constants.conf
const PluginDir = "/usr/lib/nagios/plugins"
const PluginContribDir = "/usr/lib/nagios/plugins"
const ManubulonPluginDir = "/usr/lib/nagios/plugins"
EOF

	TICKET=$(curl -k -s -u "satellite:${SATELLITE_API_PASSWORD}" -H 'Accept: application/json' -X POST "https://${MONITORING_HOST}:5665/v1/actions/generate-ticket" -d "{ \"cn\": \"${SATELLITE_CN}\" }" | sed 's/^.*ticket":"//g;s/".*$//g')

	icinga2 pki save-cert \
		--host "${MONITORING_HOST}" \
		--trustedcert /var/lib/icinga2/certs/master.crt

	icinga2 node setup \
		--cn "${SATELLITE_CN}" \
		--zone "${SATELLITE_ZONE}" \
		--endpoint "${MONITORING_HOST},${MONITORING_HOST},5665" \
		--parent_host "${MONITORING_HOST},5665" \
		--parent_zone master \
		--ticket "${TICKET}" \
		--disable-confd \
		--accept-commands \
		--accept-config \
		--trustedcert /var/lib/icinga2/certs/master.crt

sleep 5

fi

icinga2 daemon
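
An added example, not part of the original post: the ticket request from init.sh with TLS verification instead of `-k`, and a parser that fails closed, since the sed pipeline above does not distinguish an error body from a ticket. `MASTER_CA_FILE` is a hypothetical variable (the cluster's ca.crt copied into the container out-of-band), `MONITORING_HOST` is assumed to match a name in the master's certificate, and the 40-hex-character ticket format is an assumption.

```shell
#!/bin/bash
# Added example, not the poster's script.

# Constructed sample bodies (not captured from a real master).
OK_RESPONSE='{"results":[{"code":200.0,"status":"Generated PKI ticket.","ticket":"0123456789abcdef0123456789abcdef01234567"}]}'
ERR_RESPONSE='{"error":401.0,"status":"Unauthorized. Please check your user credentials."}'
BAD_RESPONSE='{"results":[{"code":200.0,"ticket":"not-a-ticket"}]}'

# Read a generate-ticket response on stdin and print the ticket.
# Returns non-zero when the field is missing or has an unexpected format.
extract_ticket() {
    _ticket=$(tr -d '\n' |
        sed -n 's/.*"ticket"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ -z "$_ticket" ]; then
        echo "no ticket field in API response" >&2
        return 1
    fi
    # Assumption: tickets are 40 lowercase hex characters.
    if ! printf '%s' "$_ticket" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "ticket has unexpected format" >&2
        return 1
    fi
    printf '%s\n' "$_ticket"
}

# Request a ticket while verifying the master's certificate.
# MASTER_CA_FILE is hypothetical: path to the cluster ca.crt.
# --fail makes curl return non-zero on HTTP errors such as 401.
request_ticket() {
    curl --fail --silent --show-error \
        --cacert "${MASTER_CA_FILE}" \
        --user "satellite:${SATELLITE_API_PASSWORD}" \
        --header 'Accept: application/json' \
        --request POST \
        --data "{ \"cn\": \"${SATELLITE_CN}\" }" \
        "https://${MONITORING_HOST}:5665/v1/actions/generate-ticket" |
        extract_ticket
}

# In init.sh this would replace the TICKET=... line:
#   TICKET=$(request_ticket) || exit 1
```

With this in place the container stops before `icinga2 node setup` when the master rejects the credentials or returns anything other than a well-formed ticket.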

Thank you! Will try and let you know!

Regards,
Przemek

Did you take a look at icinga2-compose? Once i2m1, i2m2, i2s1, and i2s2 are up… You can down i2m1 and they will have sync. When i2m1 is down, i2m2 can perform check now on the Satellites.