Hier war gerade (letzte zwei Wochen) ? ein änlicher "Fall" mit RHEL /CENTOS; es handelte sich um eine SELINUX Sache.
Ist es dir möglich das mal probehalber etwas niedriger als "enforce" einzustellen ?
Posts by sru
This forum was archived to /woltlab and is now in read-only mode.
-
-
-
Back to the screenshot; We see that localhost seems to resolve to two different IP's, perhaps that confuses something.
Can you try to connect using psql -h 127.0.0.1 -U icinga -p 5432 and if that works, change the host and port fields in icingaweb2 accordingly.Also an idea:
-
i feel that it should - as long as the postgresql service and the webserver are both at the same machine.
-
does netstat -an | grep ':5432' list 127.0.0.1 as well as ::1 ? not that localhost resolves to an adress the daemon does not serve...
-
I'm not sure how it got messed up. All the purging/file deletion happened before I installed the icinga2 packages again on the master, so the box should have looked clean to the installer.
Same here.
Can not tell what leads to the creation of the selfsigned cert at master.
Anyhow, great that it worked out.
-
'vmMONp01': Invalid endpoint origin (client not allowed).
could be that the following is missing in features-available/api.conf: accept_commands = true
selfsigned certificate looks like the certificates are not correct. Here is an example from my half-working machines:
The masters cluster check considers the client to be successful connected, but checks at the client are not executed.
In icinga.log we see that "selfsigned cert" line.
The reason is that the masters certificate is not issued by the ca (as is at the client) but selfsigned.
Client:
Code- root@debian:/var/lib/icinga2/certs# openssl x509 -in ca.crt -noout -text | grep -i 'issuer\|subject'
- Issuer: CN=Icinga CA
- Subject: CN=Icinga CA
- Subject Public Key Info:
- root@debian:/var/lib/icinga2/certs# openssl x509 -in debian.local.crt -noout -text | grep -i 'issuer\|subject'
- Issuer: CN=Icinga CA
- Subject: CN=debian.local
Master:
Code- root@debian88:/var/lib/icinga2/certs# openssl x509 -in ca.crt -noout -text | grep -i 'issuer\|subject'
- Issuer: CN=Icinga CA
- Subject: CN=Icinga CA
- Subject Public Key Info:
- root@debian88:/var/lib/icinga2/certs# openssl x509 -in debian88.local.crt -noout -text | grep -i 'issuer\|subject'
- Issuer: CN=debian88.local <- wrong ! must be: Icinga CA
- Subject: CN=debian88.local
Now, that we know what the problem is, we fix that at the master:
Code- cd var/lib/icinga2/certs
- rm debian88*
- icinga2 pki new-cert --cn debian88.local --key debian88.local.key --csr de.csr
- icinga2 pki sign-csr --csr de.csr --cert debian88.local.crt
- rm de.csr
- service icinga2 restart
- openssl x509 -in debian88.local.crt -noout -text | grep -i 'issuer\|subject'
- Issuer: CN=Icinga CA
- Subject: CN=debian88.local
After a few minutes the remote checks are running.
-
Great that it worked out !
-
thanks for the clarification !
-
Michael already told you that:
-
Zones.conf (same on Sat and Client )
If these are the same on both and there are no host= attributes, no endpoint will create a connection to a partner.
- At the client, put a line host="IP_OF_Satellite" in the endpoint definition of the satellite.
- At the satellite, you must set the master to be the parent of the satellite.
That is why the zones.conf file can not be the same at both machines.
-
Sorry, i did not checked it out myself, but here are some pointers (the second answers your question best, i guess):
https://www.icinga.com/docs/ic…mand-signing-and-ca-proxy
https://www.icinga.com/2017/11/13/how-to-icinga-2-ca-proxy/
-
So, you are telling us that:
- You modify i. e. zones.conf or constants.conf
- You validate the config and restart icinga2
- You re-check above files and they are at the state were you left them after editing
- you wait 20 minutes
- you recheck the files and find them to be at the state before editing them
Is this correct ?
any unintentional rollback of a former snapshot of the VM ?
-
Initially did exactly that to get a state as clean as possible.
Did it multiple times, it never worked out.
A few days later the same process worked.
But thanks anyway.
-
You place all configuration objects at the master below /etc/icinga2/zones.d/[ZONENAME] .
The icinga cluster protocol will then distribute it to the target machines of the given Zone for you.
-
Re-did it at the problematic machine, went OK without any issues.
I can not tell what it was, thanks again.
-
First of all, interval is a property of the notification object, not the host object.
You could create a template that sets the interval to 0:
Display MoreCode- template Notification "mail-host-notification-wo-renotification" {
- command = "mail-host-notification"
- states = [ OK, Warning, Critical, Unknown ]
- types = [ Problem, Recovery, Custom,FlappingStart, FlappingEnd ]
- interval = 0
- period = "24x7"
- }
- template Notification "mail-service-notification-wo-renotification" {
- command = "mail-service-notification"
- states = [ OK, Warning, Critical, Unknown ]
- types = [ Problem, Recovery, Custom,FlappingStart, FlappingEnd ]
- interval = 0
- period = "24x7"
- }
And import that into your notification objects.
In the host configuration, set a variable to indicate that you do not like renotifications for it, i.e.:
Display MoreCode- object Host NodeName {
- /* Import the default host template defined in `templates.conf`. */
- import "generic-host"
- /* Specify the address attributes for checks e.g. `ssh` or `http`. */
- address = "127.0.0.1"
- address6 = "::1"
- /* Set custom attribute `os` for hostgroup assignment in `groups.conf`. */
- vars.os = "Linux"
- /* Define http vhost attributes for service apply rules in `services.conf`. */
- vars.http_vhosts["http"] = {
- http_uri = "/"
- }
- /* Uncomment if you've sucessfully installed Icinga Web 2. */
- vars.http_vhosts["Icinga Web 2"] = {
- http_uri = "/icingaweb2"
- }
- /* Define disks and attributes for service apply rules in `services.conf`. */
- vars.disks["disk"] = {
- /* No parameters. */
- }
- vars.disks["disk /"] = {
- disk_partitions = "/"
- }
- /* Define notification mail attributes for notification apply rules in `notifications.conf`. */
- vars.notification["mail"] = {
- /* The UserGroup `icingaadmins` is defined in `users.conf`. */
- groups = [ "icingaadmins" ]
- }
- vars.wo_renotification = 1
- }
And use that variable to create the notification:
Hope that helps.
-
thanks to both of you - will check with a vm first.
-
Thanks, here is my output. Perhaps a pakaging thing ?
That is intended to be a client once i managed to bring it up, thus *ido* and *web* are missing.
-
hello,
did the below multiple times, cleaned up between the attempts:
Display MoreCode- apt-get update
- apt-get upgrade
- apt-get install icinga2
- icinga2 feature list
- Disabled features:
- Enabled features:
- icinga2 --version
- icinga2 - The Icinga 2 network monitoring daemon (version: r2.8.0-1)
- Copyright (c) 2012-2017 Icinga Development Team (https://www.icinga.com/)
- License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
- This is free software: you are free to change and redistribute it.
- There is NO WARRANTY, to the extent permitted by law.
- Application information:
- Installation root: /usr
- Sysconf directory: /etc
- Run directory: /run
- Local state directory: /var
- Package data directory: /usr/share/icinga2
- State path: /var/lib/icinga2/icinga2.state
- Modified attributes path: /var/lib/icinga2/modified-attributes.conf
- Objects path: /var/cache/icinga2/icinga2.debug
- Vars path: /var/cache/icinga2/icinga2.vars
- PID path: /run/icinga2/icinga2.pid
- System information:
- Platform: Ubuntu
- Platform version: 16.04.3 LTS (Xenial Xerus)
- Kernel: Linux
- Kernel version: 4.4.0-93-generic
- Architecture: x86_64
- Build information:
- Compiler: GNU 5.3.1
- Build host: e3e567db57ba
Could it be that features need to be installed individually for 2.8 ?