Four level setup does not work

We have a setup with

                         / endpoints
master - dmz-satellite - 
                         \ customer-satellite - endpoints

The Icinga2 version used on all machines is 2.11.3; the operating system is Debian on master and satellites, and Windows on endpoints.
Connections are initiated from endpoint => customer-satellite => dmz-satellite => master (one direction)

All config is done from Icingaweb2 Director. Config sync works, there are current files on all machines in /var/lib/icinga2/api/…

The first way master - dmz-satellite - endpoints works like a charm.

My problem is to get the four level setup master - dmz-satellite - customer-satellite - endpoints to work. Initial config on each host is done by icinga2 node wizard. The config in /etc/icinga2:
(Sorry for obfuscation but it’s a production environment)

master

constants.conf

/* Our local instance name. By default this is the server's hostname as returned by `hostname --fqdn`.
 * This should be the common name from the API certificate.
 */
const NodeName = "***-***-check.**.******.**"
/* Our local zone name. */
const ZoneName = "master"
/* Secret key for remote node tickets */
const TicketSalt = "c9ca7a2466b0c1fbc8c3853fcb7dc286"

zones.conf

object Endpoint "***-***-check.**.******.**" {
}
object Zone "master" {
        endpoints = [ "***-***-check.**.******.**" ]
}
object Zone "global-templates" {
        global = true
}
object Zone "director-global" {
        global = true
}

dmz-satellite

constants.conf

/* Our local instance name. By default this is the server's hostname as returned by `hostname --fqdn`.
 * This should be the common name from the API certificate.
 */
const NodeName = "***-***-sat.**.******.**"
/* Our local zone name. */
const ZoneName = "satellite"
/* Secret key for remote node tickets */
const TicketSalt = ""

zones.conf

object Endpoint "***-***-check.**.******.**" {
        host = "10.xx.yy.zz"
        port = "5665"
}
object Zone "master" {
        endpoints = [ "***-***-check.**.******.**" ]
}
object Endpoint "***-***-sat.**.******.**" {
}
object Zone "satellite" {
        endpoints = [ "***-***-sat.**.******.**" ]
        parent = "master"
}
object Zone "global-templates" {
        global = true
}
object Zone "director-global" {
        global = true
}

customer-satellite

constants.conf

/* Our local instance name. By default this is the server's hostname as returned by `hostname --fqdn`.
 * This should be the common name from the API certificate.
 */
const NodeName = "hal01n005.b*******-h****.**"
/* Our local zone name. */
const ZoneName = "bau******-h****"
/* Secret key for remote node tickets */
const TicketSalt = ""

zones.conf

object Endpoint "***-***-sat.**.******.**" {
        host = "10..20.41"
        port = "5665"
}
object Zone "satellite" {
        endpoints = [ "***-***-sat.**.******.**" ]
}
object Endpoint "hal01n005.b*******-h****.**" {
}
object Zone "bau******-h****" {
        endpoints = [ "hal01n005.b*******-h****.**" ]
        parent = "satellite"
}
object Zone "global-templates" {
        global = true
}
object Zone "director-global" {
        global = true
}

All hosts are created in Icingaweb2 Director in the corresponding zones:
***-***-check.**.******.** in zone master
***-***-sat.**.******.** in zone satellite
hal01n005.b*******-h****.** in zone bau******-h****

The checks against hal01n005.b*******-h****.** (hostalive and as service the icinga check) do not work. And I think therefore the checks for the endpoints behind this satellite aren’t working either.
I have no idea where to look for the reason. Debug logs are enabled but I don’t know what to look for. I would be glad to get a hint where to start.

You need to define every zone and endpoint object of master and satellites in zones.conf only. Your master needs to know about the dmz-satellite and customer-satellite. Your dmz-satellite needs to know the master (which you have already properly defined) and your customer-satellite. Agents do not need to be added manually to zones.conf because the Director takes care of zone and endpoint objects.

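The rule from the answer above, as an added example that is not part of the original thread: a small Python check that parses a node's zones.conf text and reports which Zone and Endpoint objects are missing for its place in the hierarchy. The hostnames, the zone name "customer" and the reading "own zone, parent zone and every zone below" are assumptions made for this example.

```python
import re

# Hierarchy from the thread as zone -> parent. "customer" and all hostnames
# are placeholders for the obfuscated names in the question.
PARENT = {"master": None, "satellite": "master", "customer": "satellite"}

# Constructed zones.conf texts shaped like the posted ones (host/port and
# the global zones are left out because the check does not use them).
MASTER_CONF = '''
object Endpoint "master.example" { }
object Zone "master" {
        endpoints = [ "master.example" ]
}'''
DMZ_CONF = MASTER_CONF + '''
object Endpoint "dmz-sat.example" { }
object Zone "satellite" {
        endpoints = [ "dmz-sat.example" ]
        parent = "master"
}'''

OBJ = re.compile(r'object\s+(Zone|Endpoint)\s+"([^"]+)"\s*\{(.*?)\}', re.S)

def required_zones(zone):
    """Own zone, its parent and every zone below it (assumed reading of the answer)."""
    need, todo = {zone, PARENT[zone]} - {None}, [zone]
    while todo:
        kids = [c for c, p in PARENT.items() if p == todo[-1]]
        todo = todo[:-1] + kids
        need.update(kids)
    return need

def check(zone, conf):
    """Return the findings for the zones.conf text of a node in `zone`."""
    found = OBJ.findall(conf)
    endpoints = {name for kind, name, _ in found if kind == "Endpoint"}
    zones = {name: body for kind, name, body in found if kind == "Zone"}
    need, out = required_zones(zone), []
    for z in sorted(need):
        if z not in zones:
            out.append(f"missing Zone {z}")
            continue
        parent = re.search(r'parent\s*=\s*"([^"]+)"', zones[z])
        if PARENT[z] in need and (not parent or parent.group(1) != PARENT[z]):
            out.append(f"Zone {z} needs parent {PARENT[z]}")
        eps = re.search(r'endpoints\s*=\s*\[(.*?)\]', zones[z], re.S)
        for e in re.findall(r'"([^"]+)"', eps.group(1) if eps else ""):
            if e not in endpoints:
                out.append(f"Zone {z} lists undefined Endpoint {e}")
    return out
```

Calling `check("master", MASTER_CONF)` and `check("satellite", DMZ_CONF)` lists the zones each node still has to define.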

Hi Roland,
a VERY big Thank You! Your precise answer saved me from losing my mind.

It is confusing if you can define a zone in Director but you have to in zones.conf. Lesson learned!
