Import and Sync of Zones and Endpoints

I am trying to finalize my icinga2 setup with the director. From ‘base’ icinga2 I configured my setup using zones and endpoints in a (1x) master - satellite - agent setup.

Now, I wish to import zones, endpoints, hosts and services and set sync rules. For zones I solved the import by setting a modifier combining ${certname}_${title} into my (new) target property ‘import_zone’. I am not sure if this is useful (I get zones like master.fqdn_satellite.fqdn and also satellite.fqdn_master.fqdn and this does not feel right - oh and btw: I set my zone names as the corresponding fqdn). For the sync rule I filter out director-global, global-templates and master and for the property it is sufficient to set ${parameters.parent} for the ‘parent’ destination field (leaves empty or sets parent parameter if given in the import).

My problem actually appears when I try to sync my endpoints. Here, I import (from my puppetdb) with the key column name ‘certname’ and I have two property modifiers: 1. title -> import_endpoint, where I combine ${certname}_${title} as in the zones’ case. I furthermore add a regular expression filter to keep only matching rows for when certname == title. This does work (I get 3 endpoints: ‘master-master’, ‘satellite-satellite’ and ‘agent-agent’ (well, I have the certname key column name so I have the three fqdns)).
It does fail when trying to define a sync rule and I think this has to do with me not understanding sync rules properly yet. As I understand it, my sync rule should basically just define the endpoints with an empty field. I tried to do it as in the zones’ case by setting the destination field to port and a custom expression ${parameters.port} but this gives me an error “Undefined offset: 3”.
I think of the zones.conf, where I have the imported endpoints like:

object Endpoint "my_endpoint" {
}

But I cannot set a property which just “does nothing”, compare with my example with the offset-error.

How can I resolve the issue to sync my imported endpoints? Do you see any fundamental misunderstanding in the use of import and sync rules as I describe it?

You should not need to create endpoints and zones “manually”, there is an option at the host object to mark it as agent which will automatically create endpoint and zone for the host using the hostname.

Sorry, I do not understand what you mean. I configured the basic stuff like zones and endpoints only using icinga2 (without director). Do you mean I should not do this but instead only define a zone and endpoint for the master and configure all the rest with the director?

For the master and satellite it makes sense to define them in file as they are needed in advance for synchronization and for agents using the automatism.

There is some documentation on the agent part at https://icinga.com/docs/icinga-director/latest/doc/24-Working-with-agents/

Ok thanks, I read it but obviously I did not understand it. So by now keys etc. were exchanged already and the machines are communicating already. Could it break anything if I remove the agent-stuff from my puppet-repo and try to do it in the director?

Also, then I’ve got two more questions: Does the director write to /etc/icinga2/zones.d or where does it save those zone/endpoint settings (-> directly in the director db?)? Also, I could not find my director database anywhere on my master-machine. Where can I find this database (e.g. for a manual backup)?

EDIT: At the end of the day this still won't solve my import/sync problem. I will probably later on add more satellites, thus importing them using my puppet environment. For that I still need an import+sync rule, which is my problem at this point…

EDIT2: Can I reset my whole director configuration and start “vanilla”? By making the mistakes as above I cannot run the kickstart wizard anymore and I am stuck :confused:

It should not break as the agent needs the same configuration but it simplifies the configuration on the master/in the director.

No, it does not write to /etc, it uses the package API endpoint to send a rendered configuration based on its database which will result in files created in /var/lib/icinga2.
The database used is the one you configure for the director module, so you can simply back it up using database backup tools like mysqldump. Typically no need to back up the rendered files in addition.

In all environments I support there is no need to import/sync endpoints and zones. zones.conf on the master and satellite is manually managed or via config management to define the basic architecture and on the agents to include itself, the parent and global zone for the agent type. If some satellites are added, this goes to zones.conf and is then made available to the director using the kickstart.

You can simply drop the database and recreate it or create a second one and switch the configuration to start again. You can use baskets to export and import some configuration if you do not want to lose everything.
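
The layout described in the answer above (zones.conf on the master and satellite maintained by hand or by config management, agents left to the Director), as an added example that is not from the thread. The host names under example.org are constructed placeholders, the zone names follow the asker's convention of using the FQDN, and the two global zones are the ones named in the question.

```icinga2
// /etc/icinga2/zones.conf on the master and the satellite
// (constructed example; example.org names are placeholders)

// The master endpoint and its zone. The master zone has no parent.
object Endpoint "master.example.org" {
}

object Zone "master.example.org" {
  endpoints = [ "master.example.org" ]
}

// The satellite endpoint and its zone, attached below the master zone.
// "host" tells the master where to connect; omit it if the satellite
// is the side that opens the connection.
object Endpoint "satellite.example.org" {
  host = "satellite.example.org"
}

object Zone "satellite.example.org" {
  endpoints = [ "satellite.example.org" ]
  parent = "master.example.org"
}

// Global zones are synced to every node that declares them.
object Zone "director-global" {
  global = true
}

object Zone "global-templates" {
  global = true
}

// No Endpoint or Zone objects for agents appear here: marking a host
// as an agent in the Director creates both, named after the host.
// An agent's own zones.conf lists only itself, its parent zone and
// endpoint, and the global zones.
```

Adding a satellite later means adding its Endpoint and Zone pair to this file on the nodes that talk to it, then re-running the Director kickstart so the Director learns about the new objects.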

Thanks, then I guess my questions are answered. I am still unsure, though, how I may “drop the database”. My setup is handled via Puppet (as mentioned before…) so I guess removing the correct files/dirs on the master and re-running puppet should do the recreation but how do I delete it beforehand?

You have to log in to the database server and run drop database director (or how it is named).

Thank you very much! I am still trying to fully understand the director (in my opinion the docs - especially on the director! - are very scarce) but slowly I get a feeling.

I totally understand as the docs are more focused on technical parts instead of how to do things best, but this is typical for documentation written by developers. :wink: