Unable to fetch configuration on satellite from master

sdb · May 5, 2020, 7:00pm

due to network-zone restrictions the master is not allowed to establish a connection to hosts in other network-zones (e.g: where satellites reside)
is it possible to fetch the configuration from satellites (how)?

blakehartshorn · May 5, 2020, 8:27pm

Are you saying your satellites can form a connection to the masters, but not vice versa? can the firewall rules be flipped on that? Its not uncommon to have satellites in a zone exposed to the master with a special firewall rule but nothing else in that zone. If the masters can connect to the satellites on port 5665, they can push all the config and retrieve the results without having access to the rest of that network.

sdb · May 6, 2020, 9:55am

masters are in service zone -> form connections only to own zone
satellites are in mgmt zone -> form connection to any direction
we do not want adjust the fw rules for any special case

Pooh · May 6, 2020, 10:27am

Provided the Master can connect to Satellite or Satellite can connect to
Master, and Satellite can connect to Client or Client can connect to
Satellite, Icinga is happy.

I have many situations where monitored machines are behind a firewall with
outbound-only traffic restrictions (and often also no fixed IP address that even
could be connected to inbound) - provided those machines can connect to the
Satellite, and the Satellite can then connect to the Master, all works fine.

Antony.

sdb · May 6, 2020, 11:45am

tx for the quick replies.
I am unable to configure icinga2 to sync the config (fetch) from the master to the satellite. can anyone provide an example?

Pooh · May 6, 2020, 12:08pm

https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/
#master-with-agents shows the part you need.

In each Endpoint definition for the Master and the Satellite, you include the
“host” parameter if you want the other end to try to connect to this
machine; you omit it if you do not.

Therefore for your scenario you would appear to want the Master definition to
include “host” with its DNS FQDN or IP address, but the Satellite definitions
do not have a “host” parameter. That then tells the Satellites to connect to
the Master, but the Master not to try connecting to the Satellites.

Remember that these definitions need to be on both the Master and the Satellite
machines, and must match

Antony.

sdb · May 12, 2020, 4:53pm

tx for your help, the definitions were not the same on both sides