Redefine Icinga2 api port

icinga2-api-port
#1

Good Morning all.

I have to put the API Listener on a different port. Due to very restrictive network settings, I can only communicate over port 80 or 443. For a Distributed Setup I have specified the API Port “443” with the icinga2 node wizard. However, a restart of the icinga2 daemon fails with the message:

"[2019-08-01 08:09:56 +0200] critical / TcpSocket: Invalid socket: Permission denied
(0) Activating object ‘api’ of type ‘ApiListener’
[2019-08-01 08:09:56 +0200] critical / ApiListener: Can not bind TCP socket for host ‘’ on port ‘443’.
(0) Activating object ‘api’ of type ‘ApiListener’
[2019-08-01 08:09:56 +0200] critical / ApiListener: Can not add listener on host '’ for port ‘443’.
(0) Activating object ‘api’ of type ‘ApiListener’ "

How can I define a different port?

greetings
Josh

(Aflatto) #2

The issue is not the port; the issue is that ports 443 and 80 are “privileged” ports that only the root account, or an account with similar permissions, can bind and use.
The problem is that the Icinga user does not have those permissions (it works mostly in unprivileged space and thus uses a port above 1024 for binding).

“[2019-08-01 08:09:56 +0200] critical / TcpSocket: Invalid socket: Permission denied”

So you can either modify the systemd file to delegate the permissions after the service has started (the same as the Apache web server does) or run Icinga with elevated permissions, which is very bad indeed.

Regards

1 Like
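A diagnostic for the failure described in reply #2, as an added example that is not part of the original thread: it reads a process's effective capability mask and the kernel's privileged-port threshold to predict whether binding a port such as 443 will be refused with "Permission denied". The sample status texts are constructed, the function names are hypothetical, and the check ignores other controls such as SELinux.

```python
"""Predict whether a Linux process may bind a TCP port, from /proc data."""
import re

CAP_NET_BIND_SERVICE = 10  # bit number defined in linux/capability.h

# Constructed sample of /proc/<pid>/status for an unprivileged daemon user.
SAMPLE_UNPRIVILEGED = "Name:\ticinga2\nCapEff:\t0000000000000000\n"
# Constructed sample: same daemon with CAP_NET_BIND_SERVICE (bit 10) granted.
SAMPLE_WITH_CAP = "Name:\ticinga2\nCapEff:\t0000000000000400\n"


def effective_caps(status_text):
    """Return the effective capability mask parsed from status text."""
    match = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", status_text, re.M)
    if not match:
        raise ValueError("status text has no CapEff line")
    return int(match.group(1), 16)


def can_bind(port, status_text, unprivileged_port_start=1024):
    """True if the kernel's privileged-port check would allow bind().

    Ports below net.ipv4.ip_unprivileged_port_start (default 1024)
    require CAP_NET_BIND_SERVICE in the effective set.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if port >= unprivileged_port_start:
        return True
    return bool((effective_caps(status_text) >> CAP_NET_BIND_SERVICE) & 1)


def check_live(pid, port):
    """Run the same check against a running process on this host."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
        start = int(f.read())
    return can_bind(port, status, start)


if __name__ == "__main__":
    for name, sample in (("unprivileged", SAMPLE_UNPRIVILEGED),
                         ("with capability", SAMPLE_WITH_CAP)):
        print(name, "can bind 443:", can_bind(443, sample))
```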
#3

Hi Aflatto. Thank you for your always informative answer :grinning: