I don't get the cluster logic

  • Hi all,

    so, what I want to build, explained as short as possible (names and IPs are changed)

    1 Master - Used to write and spread configs only, has icingaweb2 running and later also will run grafana , assigned to zone master. The master should not do checks actively.

    2 Sat - They should work as Checker in HA/LB, so they are both in a zone called satellite. parent is the master zone, where they get their config from.

    X clients - they are the monitored server.


    Ubuntu 16.04.2

    Icinga2 : r2.6.2-1

    Icingaweb2: 2.4.1


    So I build 3 Zones: global, master, satellite.

    The config above is also on sat 1 and sat 2. Both are signed with the master.


    Now in master zone I defined one host and several services:

    Also I defined in satellite zone my 2 sat server and a ping check:

    My global zone consists of global templates and commands only, as suggested in Icinga2 doc:

    Code
    1. :/etc/icinga2/zones.d/global-templates# ls -l
    2. total 24
    3. drwxr-xr-x 2 root root 4096 Feb 17 11:30 commands
    4. drwxr-xr-x 2 root root 4096 Feb 17 11:35 hostgroups
    5. drwxr-xr-x 2 root root 4096 Feb 17 11:33 servicegroups
    6. drwxr-xr-x 2 root root 4096 Feb 17 12:17 templates
    7. -rw-r--r-- 1 root root 906 Feb 13 23:20 timeperiods.conf
    8. -rw-r--r-- 1 root root 284 Feb 17 11:51 users.conf


    Problem 1:

    Every Server gets every service assigned.

    Master has the disk etc included ping, which is only defined in sat zone and the sat server have all master checks.

    Why???

    Master should not get the ping check because it is only defined in sat zone and sat server should only get the ping check and not the disk, load, etc out of master zone.


    Problem 2:

    How do I have to assign clients (server which are the really monitored ones) to my 2 "Checker" Satelites, when I want to use Icinga2 agent (Linux only)?


    Thanks in advance!

  • X clients - they are the monitored server.


    Ubuntu 16.04.2

    Icinga2 : r2.6.2-1

    Icingaweb2: 2.4.1


    So I build 3 Zones: global, master, satellite.

    ...and in addition a zone for each client controled by the satellites.

    An endpoint runs checks against host and service objects

    or

    An endpoint tells another endpoint to execute a check_command


    In any case, the client would be an endpoint and thus needs to be a member in a zone.

    That was the answer for Problem #2.


    Every Server gets every service assigned.

    Master has the disk etc included ping, which is only defined in sat zone and the sat server have all master checks.

    Known problem.

    Fix it by filter the apply rules by the zone needed:

    Code
    1. apply Service "load" {
    2. import "generic-service"
    3. ...
    4. assign where host.zone=="myzone"
    5. }

    The post was edited 1 time, last by sru ().

  • Quote

    ...and in addition a zone for each client controled by the satellites.

    A zone for EVERY client? Seriously, who should admin this? That is much more effort you have to do compared to checking it by NRPE / SSH.

    In my single icinga2 instance, where I use NRPE I just need 3 lines for a host to add and check it with a bunch of checks, thanks to my templates. I don't See the sense of having a zone for each client. At most one more zone for all Clients makes sense for me. And since there are 2 Sats, the checks should run loadbalanced and not pinned to one specific sat.

    Quote

    Known problem.

    Fix it by filter the apply rules by the zone needed:

    Sorry to say that this hard, but imho this makes the whole zones concept obsolete. Is this a bug ? If no, why the zone for global-templates, when services are rolled out globally, doesn't matter where they are stored in my file tree?

  • A zone for EVERY client? Seriously, who should admin this?

    A client is an endpoint object, a node in the cluster - and not a host object.

    And an endpoint object requires a zone.

    Read about clients in the documentation.


    If you want to use other agent based / agent less connections to run a check on a host or service, that is not bad.

    But the topic of your thread is the cluster logic.


    At most one more zone for all Clients makes sense for me

    Wont work.

    1. There is a limitation of 2 endpoints per zone, afaik.

    2. That would build a load sharing scenario - every client would receive all service and host objects for that zone and would agree with other endpoints in the same zone about who is checking what.

    Is this a bug

    My opinion is: Yes.

    But individual persons might have a different point of view.


    this makes the whole zones concept obsolete

    Think of an organisation that manages the IT for different customers.

    • Zones build a boundary of trust and as such separate the customers from each other by using strong encryption.
    • These different customers need different configuration objects - and zones enable exactly the distribution of this per-zone-information.
    • If one customer has multiple locations, zones provide you with the features of a HA- and load-sharing scenario.

    So, there might be persons in the wild that do not share above quote completely :/.

    when services are rolled out globally

    They are not.

    But the master believes they are. And sees "Fake late checks" for these.

    Check that on the satellites via icinga object list --type service --name SomeServiceNotInSatelliteZone.

  • well, watching in the docs, it is a bug imho:

    • Zones cannot interfere with other zones and influence each other. Each checkable host or service object is assigned to one zone only.

    But here we have influence between sat and master zone.

    So let's say, I want to bring this setup running like:

    Master: still just for config and web2, notifications, etc... No active checking

    Sats: check the Clients and get their config from master

    Clients: checked via NRPE


    How and where would you suggest defining the host and service objects?

  • well, watching in the docs, it is a bug imho:

    Fully agreed. But that is my personal opinion.


    How and where would you suggest defining the host and service objects?

    Satellite related objects at the masters

    /etc/icinga2/zones.d/satellite/hosts.conf

    /etc/icinga2/zones.d/satellite/services.conf (at every apply statements 'assign', limit the zone to satellite)


    Master related objects either in conf.d or, to be consistent *and* to be prepared for a 2master HA setup:

    /etc/icinga2/zones.d/master/hosts.conf

    /etc/icinga2/zones.d/master/services.conf (at every apply statements 'assign', limit the zone to master)


    And objects you like to have in all zones below global-templates:

    /etc/icinga2/zones.d/global-templates/checkcommands.conf

    /etc/icinga2/zones.d/global-templates/notifications.conf


    but ymmv.

  • Correct.

    The satellite runs the check against the host object it gets replicated by the master.

    So the nrpe objects go to zones.d/satellite.