Setting up icinga2 on QNAP

Icinga 2
1

I have a number of linux servers that are configured a ‘Icinga clients’ - that is, they send in reports to the master server from cron jobs. I have been using icinga2 node wizard to set up all the servers, but I have a NAS appliance that isn’t easy to install icinga2 on. The OS is based on a version of Linux - the version is displayted (in the web interface) as QuTS hero TVS-h1688X.

I remember some years ago, and it is possible that I mis-remember, that I set this up in another company without using the wizard; it was a more manual process involved key pairs etc, and I don’t think I had an icinga2 service running on the clients. Is this possible, and if so, are there instructions for it somewhere?

root@vogon:~# icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.2-1)

Copyright (c) 2012-2024 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Debian GNU/Linux
  Platform version: 11 (bullseye)
  Kernel: Linux
  Kernel version: 5.10.0-28-amd64
  Architecture: x86_64

Build information:
  Compiler: GNU 10.2.1
  Build host: runner-hh8q3bz2-project-575-concurrent-0
  OpenSSL version: OpenSSL 1.1.1w  11 Sep 2023

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid
2

Icinga2 is a service so it’s unlikely that is was not running as a service and I would advice to use a service definition to manage it.

If it runs on the QNAP then it’s only a question of configuration and permissions to get it running and connect to the Icinga2 master.

3

Maybe this helps:

If you are not using icinga director

Use the key creation part

Later you can either create the ticket on the master manually or use the

icinga2 node setup

Without a ticket and sign it manually on the master.

1 Like
4

Hi Dominik,

It doesn’t seem likely that it will possible to install icinga2 on the QNAP applicance; the list of dependencies revealed by ldd is long:

root@vogon:/var/lib/icinga2/certs# ldd /usr/lib/x86_64-linux-gnu/icinga2/sbin/icinga2
        linux-vdso.so.1 (0x00007fff45a80000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007febb8716000)
        libboost_coroutine.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_coroutine.so.1.74.0 (0x00007febb8705000)
        libboost_filesystem.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_filesystem.so.1.74.0 (0x00007febb86e3000)
        libboost_iostreams.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_iostreams.so.1.74.0 (0x00007febb86ca000)
        libboost_thread.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_thread.so.1.74.0 (0x00007febb86a7000)
        libboost_program_options.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_program_options.so.1.74.0 (0x00007febb8637000)
        libboost_regex.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_regex.so.1.74.0 (0x00007febb851a000)
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007febb8487000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007febb8193000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007febb80de000)
        libedit.so.2 => /lib/x86_64-linux-gnu/libedit.so.2 (0x00007febb80a5000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007febb809e000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007febb7e39000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007febb7d5a000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007febb7d40000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007febb7b5e000)
        libboost_context.so.1.74.0 => /lib/x86_64-linux-gnu/libboost_context.so.1.74.0 (0x00007febb7b59000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007febb7b3a000)
        libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007febb7b27000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007febb7aff000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007febb7a3e000)
        libicui18n.so.67 => /lib/x86_64-linux-gnu/libicui18n.so.67 (0x00007febb7738000)
        libicuuc.so.67 => /lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007febb754d000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007febb7548000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007febb7525000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007febb7405000)
        /lib64/ld-linux-x86-64.so.2 (0x00007febb94a0000)
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007febb73d6000)
        libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007febb73bd000)
        libicudata.so.67 => /lib/x86_64-linux-gnu/libicudata.so.67 (0x00007febb58a4000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007febb587e000)
        libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007febb5871000)

A lot of this is not on the appliance and would have to be installed manually, with no guarantee that it will work, as far as I can tell.

5

Hi Moreamazingnick,

I remember setting up a Pki object in the past - some 3 years ago, I think - which appears to something similar to what you are suggesting; but I can’t find documentation for this object in the docs now. Does that not work any more?

What I need is simply to be able you update the icinga2 master via the API; when I try to do this with a curl command, it fails with a message:

Could not find a suitable TLS CA certificate bundle, invalid path: /var/lib/icinga2/certs/ca.crt

This seems clear enough, and I can copy the ca.crt from the master, but looking at one of the clients that are already working, I can see :

root@ceres:/var/lib/icinga# ll /var/lib/icinga2/certs/
total 24
-rw-r--r-- 1 nagios nagios 1720 Jul  4 10:59 ca.crt
-rw-r--r-- 1 nagios nagios 1720 Mar 22  2023 ca.crt.orig
-rw-r--r-- 1 nagios nagios 1761 Jul  4 10:59 ceres.some.com.crt
-rw-r--r-- 1 nagios nagios 1769 Mar 22  2023 ceres.some.com.crt.orig
-rw------- 1 nagios nagios 3243 Mar 23  2023 ceres.some.com.key
-rw------- 1 nagios nagios 3243 Mar 22  2023 ceres.some.com.key.orig

I assume the other .crt and the .key file are created during the icinga2 node setup?

6

Luckily we’ve already documented Manual Certificate Creation:

https://icinga.com/docs/icinga-2/latest/doc/06-distributed-monitoring/#distributed-monitoring-advanced-hints-certificates-manual

1 Like