We have an Icinga setup with one master and multiple satellites/agents (version 2.6). The server we configured as our master node is nearing its end of life, so we want to configure a new VM/server as our master. What would be the most efficient way to accomplish this? I know we will have to generate a new CA and sign all the certs for our clients again, so this isn’t an issue. I’m just curious if there is an efficient way to change the master node or make the switch of master nodes easier. For example, could we make a DNS alias and point it at our current master? Looking around, it looks like there are no shortcuts and we will just have to do the whole master config again.
I don’t see that you need to replace the CA.
The CA certificate and key are held in /var/lib/icinga2/ca/ - you should be
able to simply copy these from the old server to the new and (unless the
certificate itself is nearing its expiry date) continue using it with all the
satellites & slaves staying as they are.
As for the rest of the configuration, are you using Director or not?
If not, then I would think all you need to do is copy /etc/icinga2 and below
from one machine to the other.
Please let us know how it works out when you actually do it (and once anyone
else has chimed in with opinions, suggestions or experience) - this sounds
like something worth adding to the official documentation.
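
The checks implied by the reply above (CA not near expiry, key actually belonging to the certificate, existing node certificates still chaining to it), as an added example that is not part of the original thread or of Icinga itself. It assumes the `openssl` CLI is installed and that the CA directory holds `ca.crt` and `ca.key`; the function names and the 365-day default are illustrative choices.

```shell
#!/bin/sh
# Added example: checks to run on an Icinga 2 CA directory before copying it
# to a new master. Assumes the files are named ca.crt and ca.key.

# True if the certificate is still valid MIN_DAYS from now.
ca_not_expiring() {   # ca_not_expiring CERT MIN_DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if the private key belongs to the certificate (same public key).
ca_key_matches() {    # ca_key_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the key file exists and is not readable by group or others.
key_is_private() {    # key_is_private KEY
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# True if CERT (e.g. a satellite's certificate) chains to this CA.
signed_by_ca() {      # signed_by_ca CA_CERT CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run the CA checks and report; non-zero exit status if any check fails.
check_ca_dir() {      # check_ca_dir DIR [MIN_DAYS]
    dir=$1; days=${2:-365}; rc=0
    ca_not_expiring "$dir/ca.crt" "$days" || { echo "FAIL: ca.crt expires within $days days"; rc=1; }
    ca_key_matches "$dir/ca.crt" "$dir/ca.key" || { echo "FAIL: ca.key does not match ca.crt"; rc=1; }
    key_is_private "$dir/ca.key" || { echo "FAIL: ca.key is missing or readable by group/others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir is usable on the new master"
    return "$rc"
}

# Example: sh check_ca.sh /var/lib/icinga2/ca 365
if [ "$#" -ge 1 ]; then check_ca_dir "$@"; fi
```

Run it as a user that can read the CA key, once on the old master before the copy and once on the new one after it; `signed_by_ca` can then be pointed at a copy of any satellite or agent certificate to confirm it will still be trusted.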
Hey, thanks for your response. So actually the reason for replacing the CA is because our ca.key was lost. I’m not sure if we are using Director; most of the Icinga infrastructure was set up before my time. Is there any way to check if we are using Director? I will keep you updated once we migrate. So using a DNS alias and pointing it at our current master and then later migrating to a newer host/VM wouldn’t really make the process any easier?
If you’ve lost the CA key then yes, you need to generate a new one and re-sign
all the certs throughout the system.
I don’t know how to know whether you’re using Director, simply because I know
I’m not. I’m sure someone else can tell you this.
The DNS alias (or just setting up a new machine with a new IP and then
changing DNS for the existing name to point to the new IP) sounds like a
convenient way to make the transition easy (and also give you a simple back-
out if there are problems).
Set the TTL very low well in advance of wanting to change it, so that the
change gets picked up by all satellites and agents within a short time. That
will also help you be able to reverse the change quickly if needed.
OK, thank you for your responses, they helped a lot. Now to do some research on the actual configuring of DNS aliases. Thanks again!