Icinga2 with Saltstack (WIP, questions)

Hey Community,

in our company i’m setting up an Icinga2 Three-Level-System and have a lot of questions here.
The docs are my daily newspaper but i have still questions.
First of all i must say, that i will automate the Icinga2 Setup for all instances (Master,Satellite,Agents,Icingaweb2,MySQL DB) completely with Saltstack, because we are using Saltstack for all our automation stuff here in our infrastructure.
We are using Debian Buster.

When i was setting up a first test environment manually i figured out that all docs are only describing the the setup of Icinga2 instances via the “node setup wizard”.
Now i must know all the magic about the steps what is this wizard doing.

Here is a list of me with things i found out that i have to do in Saltstack without the node setup wizard:

  • Install Icinga2 Debian package :white_check_mark:
  • Install python3 packages which are required for Saltstack to do MySQL Stuff :white_check_mark:
  • Install Icingaweb2 :white_check_mark:
  • Install MariaDB Server :white_check_mark:
  • Manage configuration files
    ** zones.conf :white_check_mark:
    ** folders and files under zones.d/ :white_check_mark:
    ** files under /etc/icinga2/features-enabled/* (–> symlink to &etc/icinga2/features-available/*) :white_check_mark:
  • Icinga2 Master:
    ** deactivate inclusion of /etc/icinga2/conf.d/ :x:
    ** create certificates from self signed pki of Icinga2 Api Setup for all Icinga2 Instances (Master,Satellite,Agents,Icingaweb2,MySQL DB) :white_check_mark:
    ** sign all created certificates for all Icinga2 Instances :white_check_mark:
    ** copy the cert files to each Icinga2 Instance under /var/lib/icinga2/certs -> including ca.crt :white_check_mark:

Of course i have a lot things to do but this is my situation at the moment and i need help to get all steps in mind to set it up in Saltstack.

After we get this finished i wanted to write all things down here to share the knowledge of my trip with Icinga2 and Saltstack.
So please help me with your knowledge about the steps that the “node setup wizard is doing” or i have to do.

Thank you!

Best regards,
Darkentik

For the step “deactivate inclusion of /etc/icinga2/conf.d/” i don’t find the trigger which i must set that the master isn’t including the conf.d folder.
Manipulating the icinga2.conf file does not have effect, because this file seems to be automatically overwritten by something of Icinga2 which i don’t know.
Can some one help me here?

Hi and welcome!

You are looking for the --disable-confd parameter for the node setup CLI.
Check the automation docs for the node setup CLI.

Greetz

1 Like

Hi,

I created with colleagues a full automated installation with salt. This doc helps a lot for some steps: https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/#automation.

If the Icinga CLI offers no switch or you don’t find options e.g. for manipulation files at the salt stack, keep in mind you can also run bash commands with “cmd.run”.
e.g. instead of the cli command to disable the confd-directory you could run this:

icinga2confreplace:
cmd.run:
  - name: sed -i 's,include_recursive "conf.d",//include_recursive "conf.d",' /etc/icinga2/icinga2.conf

I don’t want to use the node wizard. Instead i will write Saltstack code to do all the things.

Thanks for reply.
I already do this thing commenting out the line. :slight_smile:
Also i read the automation section too.
I already have some errors that i must check.
For example my separate server for Icingaweb2 loses connection to the active Icinga2 Master and says me in irregular times that the monitoring backend isn’t running. But for this i post an extra thread.
I thought there is more magic that i didn’t noticed yet.

At the beginning while writing our salt code we struggled into similar issues. But the most problems was with the firewall-function of salt itself. So we used as work arround “cmd.run” until the next salt version and working firewall functions.

There is no much magic behind. The easist way for us was to take the training documents from our workshops we visited at a Icinga Partner or the Icinga book. If there are CLI command we used this.

Thank you for reply.
@stevie-sy So do you have used the “node setup wizard” via cmd.run or did you manage the certificates, cfg files etc?

No, as I wrote our base for our Salt code was the Icinga book and the docs from our trainings we visited at a Icinga partner. We did a lot of manually configuraiton to understand how everything work.

For generating certification with automation tools you can use this doc: https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/#automation