Master - Satellite - Agent

Hello everyone,
I have some questions about the cooperation between master -> satellites and agents.
I have an Icinga “master” with the Director, without Icinga DB.
I set everything up using the “Node Wizard”.

Master- “Berlin”
zones.conf

/*
 * Generated by Icinga 2 node setup commands
 * on 2023-05-29 23:12:04 +0200
 */

object Endpoint "berlin" {
}

# Satellite
# Set up endpoint
object Endpoint "satellite.localdomain" {
        host = "satellite"
}

object Zone "master" {
        endpoints = [ "berlin" ]
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

object Zone "satellite" {
        endpoints = [ "satellite.localdomain" ]
        parent = "master"
}

My satellite
zones.conf

/*
 * Generated by Icinga 2 node setup commands
 * on 2023-05-30 00:31:04 +0200
 */

object Endpoint "berlin" {
        host = "berlin"
        port = "5665"
}

object Endpoint "satellite.localdomain" {
}

object Zone "master" {
        endpoints = [ "berlinr" ]
}

/*
object Endpoint "satellite.localdomain" {
}
*/

object Zone "satellite" {
        endpoints = [ "satellite.localdomain" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

My agent:
zones.conf

/*
 * Generated by Icinga 2 node setup commands
 * on 2023-06-16 17:00:15 +0000
 */

object Endpoint "satellite.localdomain" {
        host = "192.168.0.200"
        port = "5665"
}

object Endpoint "agent.localdomain" {
}

object Zone "satellite" {
        endpoints = [ "satellite.localdomain" ]
}

object Zone "agent.localdomain" {
        endpoints = [ "agent.localdomain" ]
        parent = "satellite"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

When I integrated the agent via the NodeWizard, I got a ticket from the master.
I thought that was all good too, but I found that I had to sign the CA key on both the satellite and the “master” - is that correct?
I integrated the satellite into the Director via kickstart. Unfortunately I have to reassign the user after each kickstart - is that correct? I thought it would be saved permanently.
If I have more satellites, that would be quite a lot of work after a kickstart…
Do I have to have one and the same API user, including password, on the master, satellite and agent - for example user Sat_Agent with PW:123?
Shouldn’t I also see the agent as an endpoint in the Director?
The topic cluster zone, endpoint, configuration is not described very well in the documentation, and not at all for the Director.
If I could understand it better, I would like to participate in creating documentation. I also do that professionally, for DAUS, which sometimes call themselves IT technicians. Who can I contact to help here?
What is the endpoint? Is it the satellite or the agent at the end of the chain, which would actually make sense to me, or even the master?
Do I need to specify the endpoint when creating a satellite or creating an agent through the Director?
The zone, as far as I understand it, is assigned by the Director from the agent onwards, via the zones.conf on agent and satellite, correct?
How can I see in the log files that the constellation is communicating correctly?
Is my agent or my satellite set up correctly, see pictures:

Master:

Satellite

Agent

Your post is hard to read at least for me since it is not formatted as described here. But I can identify an error since object Endpoint “satellite.localdomain” is defined twice at your satellite’s zones.conf.

No, that’s wrong. I’d suspect you mean a signing request.

No, node wizard sent a signing request via satellite to master. This request needs to be signed at the master only.

Normally, this information needs to be entered just one time.

I have no idea what your question is about. In general, only one API user is required at the master for the communication between icingaweb and icinga.

No, the director is managing all zone and endpoint objects for agents automatically. There is nothing to do manually, hence, it’s not visible.

You could go to icinga on github.com and create issues and PRs accordingly.

I’ve no idea what this means. In general, an endpoint object belongs to a zone, no matter if master, satellite or agent.

Satellite zone and endpoint objects need to be created manually by editing zones.conf and then be imported using the kickstart wizard. For agents there is no manual action required.

Such a message reports a successful (re-)connect:

… information/JsonRpcConnection: The certificate for CN ‘satellite.localdomain’ is valid and uptodate. Skipping automated renewal.

Hello @rsx Roland Sommer,

Thank you for the feedback on my post.
Unfortunately, I’m only now getting back to my passion, but I had put it out of action for a little longer.
Sorry I haven’t gotten the formatting that good yet - I vow to get better.
I’ll take a look at the answer and will answer or specify the open questions.

[quote=“Roland Sommer, post:2, topic:12223, full:true, username:rsx”]
Your post is hard to read at least for me since it is not formatted as described here. But I can identify an error since object Endpoint “satellite.localdomain” is defined twice at your satellite’s zones.conf.
[/quote]

Thanks for the hint, in fact it was there twice, but commented out once.
I removed the duplicate entry from my configuration.

  icinga2 pki ticket --cn icinga2-agent1.localdomain

I think we mean the same thing here.
The documentation always refers to a ticket.

So I only have to sign the certificates on the master? Don’t I need to sign it on the satellite?
Can I skip it with the wizard, the agent?

I don’t know why, but I still have to embed it after every kickstart.

Does the API user on the master, satellite and agent have to have the same name and the same password?

Thanks, I’ll try to get involved…

So the end point can be the satellite from the agent and the master from the satellite, or is it always the master?

So I create all of them via the zones.conf on the satellites and agents?

Perfect - that’s the case for me…

No. You can choose between CSR Auto-Signing and On-Demand CSR Signing.

In case of On-Demand CSR Signing: Yes

Yes

Hello all,

After reading so much about zones, endpoints and agents, and looking at different zones.conf files, I am confused.

I had imagined the following scenario:
master
satellites (at each location, monitoring, one, providing connection to master)
agents (=clients that provide and execute the checks)

Am I wrong in my thinking here?
Is it possible to do it this way?

So far I have connected the satellite to the master. I also think that I have established a connection from the agent to the satellite.
Now I have tried to create hosts on the master, I am not sure if I did it right, but one step at a time.

Can someone provide me with the individual zones.conf of a master/satellite/agent?

Have I configured mine correctly?

Master

object Endpoint "icinga2" {
}

object Zone "icinga2" {
        endpoints = [ "icinga2" ]
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

object Endpoint "hro-05-satellite-1.localdomain" {
        host = "192.168.0.225"
}

object Zone "hro-05-satellite-1" {
  endpoints = [ "hro-05-satellite-1.localdomain" ]
  parent = "icinga2"
}

Satellite

object Endpoint "icinga2" {
//      host = "192.168.0.224"
        host = "icinga2"
        port = "5665"
}

object Zone "icinga2" {
        endpoints = [ "icinga2" ]
}

object Endpoint "hro-05-satellite-1.localdomain" {
}


object Zone "hro-05-satellite-1" {
        endpoints = [ "hro-05-satellite-1.localdomain" ]
        parent = "icinga2"
}

object Endpoint "hro-05-agent-1.localdomain" {
        host = "192.168.0.226"
}

object Zone "hro-05-agent-1" {
        endpoints = [ "hro-05-agent-1.localdomain" ]
        parent = "hro-05-satellite-1"
}


object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

Agent

object Endpoint "hro-05-satellite-1.localdomain" {
        host = "192.168.0.225"
        port = "5665"
}

object Zone "hro-05-satellite-1" {
        endpoints = [ "hro-05-satellite-1.localdomain" ]
}

object Endpoint "hro-05-agent-1.localdomain" {
}

object Zone "hro-05-satellite-1.localdomain" {
        endpoints = [ "hro-05-agent-1.localdomain" ]
        parent = "hro-05-satellite"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}

Then I have another problem. After a kickstart, I always have to reassign the API user at the endpoint “Satellite”. Is that necessary? I don’t think so, if I understood @Roland Sommer rsx correctly.
After a kickstart, don’t I also have to see the endpoint “agent” in the director, or do I only see it when inspecting the endpoint “satellite”?
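
Added example, not part of the thread and not Icinga's own code: an offline cross-check for zones.conf files like the ones posted above. It reports duplicate objects, zones that list an Endpoint that is not defined, and zones whose parent Zone is not defined. The names `lint_zones` and `strip_comments` are hypothetical, the sample is constructed from the agent configuration in the last post, and the parser assumes flat Endpoint/Zone objects only.

```python
import re

# Constructed sample, modelled on the agent zones.conf in the last post above.
AGENT_CONF = '''
/* Generated by Icinga 2 node setup commands */
object Endpoint "hro-05-satellite-1.localdomain" {
        host = "192.168.0.225"
}
object Zone "hro-05-satellite-1" {
        endpoints = [ "hro-05-satellite-1.localdomain" ]
}
object Endpoint "hro-05-agent-1.localdomain" {
}
object Zone "hro-05-satellite-1.localdomain" {
        endpoints = [ "hro-05-agent-1.localdomain" ]
        parent = "hro-05-satellite"
}
'''

# Simplified parser (assumption): flat Endpoint/Zone objects without nested braces.
OBJ = re.compile(r'object\s+(Endpoint|Zone)\s+"([^"]+)"\s*\{(.*?)\}', re.S)

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # /* ... */ blocks
    return re.sub(r'(?m)^\s*(//|#).*$', '', text)       # whole-line // and # comments

def lint_zones(text):
    """Return a list of consistency findings for one zones.conf."""
    endpoints, zones, findings = set(), {}, []
    for kind, name, body in OBJ.findall(strip_comments(text)):
        if name in (endpoints if kind == "Endpoint" else zones):
            findings.append(f'duplicate {kind} "{name}"')
        if kind == "Endpoint":
            endpoints.add(name)
            continue
        members = re.search(r'endpoints\s*=\s*\[(.*?)\]', body, re.S)
        parent = re.search(r'parent\s*=\s*"([^"]+)"', body)
        zones[name] = (re.findall(r'"([^"]+)"', members.group(1)) if members else [],
                       parent.group(1) if parent else None)
    for name, (members, parent) in zones.items():
        for ep in members:
            if ep not in endpoints:
                findings.append(f'Zone "{name}" lists undefined Endpoint "{ep}"')
        if parent and parent not in zones:
            findings.append(f'Zone "{name}" has undefined parent Zone "{parent}"')
    return findings

if __name__ == "__main__":
    print("\n".join(lint_zones(AGENT_CONF)))
```

Commented-out objects are ignored, so an Endpoint that appears once live and once inside `/* ... */` is not reported as a duplicate. On a real node, `icinga2 daemon -C` remains the authoritative configuration validation.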