IcingaDB docker environment value for Redis with TLS

Icinga DB
,
1

In putting together an Icinga2 and IcingaWeb2 containerized setup, it was discovered that IcingaDB was a frequently mentioned requirement, but was not provided with either docker container images.
Icinga DB version docker icinga/icingadb:1.0.0-rc2

Configuration of docker-compose.yml

icingadb:
image: icinga/icingadb
environment:
- ICINGADB_REDIS_ADDRESS=redis04:6379
- ICINGADB_REDIS_TLS=enable
- ICINGADB_REDIS_CERT=/data/ssl/icinga.pem
- ICINGADB_REDIS_KEY=/data/ssl/icinga-key.pem
- ICINGADB_REDIS_CA=/data/ssl/allcacerts.pem
- ICINGADB_LOGGING_LEVEL=debug
- ICINGADB_LOGGING_OUTPUT=console

Error during container start:

icingadb | 2022-04-17T07:25:07.517Z DEBUG entrypoint/main.go:40 translating env vars to YAML config
icingadb | 2022-04-17T07:25:07.518Z DEBUG entrypoint/main.go:85 checking SQL database
icingadb | 2022-04-17T07:25:07.528Z DEBUG entrypoint/main.go:79 starting actual daemon via exec(3)
icingadb | panic: can’t parse YAML file /etc/icingadb/config.ini: cannot unmarshal string into Go struct field Config.Redis of type bool
icingadb |
icingadb | goroutine 1 [running]:
icingadb | github.com/icinga/icingadb/pkg/utils.Fatal(...)
icingadb | /github/workspace/pkg/utils/utils.go:118
icingadb | github.com/icinga/icingadb/internal/command.New()
icingadb | /github/workspace/internal/command/command.go:41 +0x173
icingadb | main.run()
icingadb | /github/workspace/cmd/icingadb/main.go:38 +0x57
icingadb | main.main()
icingadb | /github/workspace/cmd/icingadb/main.go:34 +0x19
icingadb exited with code 2

The IcingaDB docker page states that each of the configuration options for IcingaDB has and environment that corresponds to it.
The question is what is the value of ‘ICINGADB_REDIS_TLS=enable’ supposed to be, or if the environment form is even correct? The configuration documentation is not very forthcoming. It simply states ‘Option TLS, Optional, Whether to use TLS’. The IcingaDB configuration file example does not address have the TLS example either, unfortunately. The following values have been tried with no difference in behaviour:

  • true
  • yes
  • enable

There are other questions about how the Postgre DB option is supposed to work with the IcingaDB container configuration, but that is for another post.

2

It ends up in a YAML file, so true should work fine. You also need to define a client-certificate, client-key and CA-certificate, of course.

Though, you may also be facing this issue. Try the master tag of the image instead.

1 Like
3

After changing the image to icinga/icingadb:master, and using ‘- ICINGADB_REDIS_TLS=true’ in the environment the result did not change:

[+] Running 3/3
⠿ Container redis Running 0.0s
⠿ Container mysql Running 0.0s
⠿ Container icingadb Recreated 1.7s
Attaching to icingadb
icingadb | 2022-04-27T20:12:58.991Z DEBUG entrypoint/main.go:40 translating env vars to YAML config
icingadb | 2022-04-27T20:12:58.993Z DEBUG entrypoint/main.go:85 checking SQL database
icingadb | 2022-04-27T20:12:59.005Z DEBUG entrypoint/main.go:79 starting actual daemon via exec(3)
icingadb | panic: can’t parse YAML file /etc/icingadb/config.ini: cannot unmarshal string into Go struct field Config.Redis of type bool
icingadb |
icingadb | goroutine 1 [running]:
icingadb | github.com/icinga/icingadb/pkg/utils.Fatal(...)
icingadb | /github/workspace/pkg/utils/utils.go:114
icingadb | github.com/icinga/icingadb/internal/command.New()
icingadb | /github/workspace/internal/command/command.go:41 +0x185
icingadb | main.run()
icingadb | /github/workspace/cmd/icingadb/main.go:40 +0x57
icingadb | main.main()
icingadb | /github/workspace/cmd/icingadb/main.go:36 +0x19
icingadb exited with code 2

Regarding the possible bug Unfortunately I do not understand what the ENV form should be for enabling REDIS TLS.

4

Hm, it could also be a bug in the image’s entrypoint. It’s probably not designed to handle boolean environment variables. You could file a bug in the issue tracker to get a definite answer on this.

5

Thank you for the recommendation. Bug report has been filed here