How to set up Icinga2 master-satellite-client using the Director module

The Icinga2 documentation clearly describes the master -> satellite -> client setup, but as of now everything can be configured using the Director module and a top-down approach, so you can easily monitor external remote networks that are not accessible from the master server.

Follow the icinga2, icingaweb2 and Director module installation procedures, then add the master host.

The goal is to access client www.sleeplessbeastie.eu (local network A) via the satellite system monitoring.sleeplessbeastie.eu (external address, local network A) from the master monitoring.fishsilentcruise.space (external address, local network B).

Log in to the monitoring system.

Add an additional API user.

Define additional API user.

Add satellite node that can be accessed from master and client.

Deploy configuration.

Generate request ticket on your Icinga2 master.

master$ sudo icinga2 pki ticket --cn 'monitoring.sleeplessbeastie.eu'
9f5f13fe804813c59d255eb017467f16db91a3ad

Install icinga2 on satellite node.

satellite$ sudo apt-get install icinga2

Setup satellite node.

satellite$ sudo icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.



Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: 
Starting the Node setup routine...
Please specify the common name (CN) [monitoring]: monitoring.sleeplessbeastie.eu
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): monitoring.fishsilentcruise.space
Do you want to establish a connection to the master from this node? [Y/n]: 
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): monitoring.fishsilentcruise.space
Master endpoint port [5665]: 
Add more master endpoints? [y/N]: 
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [monitoring.fishsilentcruise.space]: 
Port [5665]: 
information/base: Writing private key to '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt'.
information/cli: Fetching public certificate from master (monitoring.fishsilentcruise.space, 5665):

Certificate information:

 Subject:     CN = monitoring.fishsilentcruise.space
 Issuer:      CN = Icinga CA
 Valid From:  Oct 30 21:51:07 2017 GMT
 Valid Until: Oct 26 21:51:07 2032 GMT
 Fingerprint: F8 7D 9E C1 B0 8C 4D B5 D2 77 0C 52 91 F6 9F 54 86 46 DD D9 

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'monitoring.sleeplessbeastie.eu'): 9f5f13fe804813c59d255eb017467f16db91a3ad
information/cli: Requesting certificate with ticket '9f5f13fe804813c59d255eb017467f16db91a3ad'.

information/cli: Created backup file '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []: 
Bind Port []: 
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
warning/cli: CN 'monitoring.sleeplessbeastie.eu' does not match the default FQDN 'monitoring'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!


Configure API user on satellite.

satellite$ cat << EOF | sudo tee /etc/icinga2/conf.d/api-users.conf 
/**
 * The APIUser objects are used for authentication against the API.
 */
object ApiUser "sleeplessbeastie_zone" {
  password = "UhfpgoRa5Vcz3JfD"
  // client_cn = ""

  permissions = [ "*" ]
}
EOF

Add director-global zone.

$ cat << EOF | sudo tee -a /etc/icinga2/zones.conf
object Zone "director-global" {
  global = true
}
EOF

Clean up local configuration.

$ sudo echo -n | sudo tee /etc/icinga2/conf.d/{apt.conf,commands.conf,groups.conf,hosts.conf,downtimes.conf,notifications.conf,satellite.conf,services.conf,templates.conf,timeperiods.conf,users.conf}

Restart icinga2 service.

$ sudo service icinga2 restart

Add client node that can be accessed from satellite node.

Deploy configuration.

Generate request ticket on your Icinga2 master.

master$ sudo icinga2 pki ticket --cn 'www.sleeplessbeastie.eu'
500d51eea82c6c2e595b9446fee16309d51d2009

Install icinga2 on client node.

client$ sudo apt-get install icinga2

Setup client node.

client$ sudo icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.



Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: 
Starting the Node setup routine...
Please specify the common name (CN) [www.lxd]: www.sleeplessbeastie.eu
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): monitoring.sleeplessbeastie.eu
Do you want to establish a connection to the master from this node? [Y/n]: 
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): monitoring.sleeplessbeastie.eu
Master endpoint port [5665]: 
Add more master endpoints? [y/N]: 
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [monitoring.sleeplessbeastie.eu]: monitoring.fishsilentcruise.space
Port [5665]: 
information/base: Writing private key to '/etc/icinga2/pki/www.sleeplessbeastie.eu.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt'.
information/cli: Fetching public certificate from master (monitoring.fishsilentcruise.space, 5665):

Certificate information:

 Subject:     CN = monitoring.fishsilentcruise.space
 Issuer:      CN = Icinga CA
 Valid From:  Oct 30 21:51:07 2017 GMT
 Valid Until: Oct 26 21:51:07 2032 GMT
 Fingerprint: F8 7D 9E C1 B0 8C 4D B5 D2 77 0C 52 91 F6 9F 54 86 46 DD D9 

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'www.sleeplessbeastie.eu'): 500d51eea82c6c2e595b9446fee16309d51d2009
information/cli: Requesting certificate with ticket '500d51eea82c6c2e595b9446fee16309d51d2009'.

information/cli: Created backup file '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []: 
Bind Port []: 
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
warning/cli: CN 'www.sleeplessbeastie.eu' does not match the default FQDN 'www.lxd'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!
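
Both wizard runs above (satellite and client) stop at "Is this information correct?" and print the fingerprint of the certificate fetched from the master (20 bytes, the length of a SHA-1 digest); answering "y" is what makes the node trust that certificate. The shell functions below are an added example, not part of the original article: they compute the fingerprint on the master with openssl and compare it with the value the wizard printed. The certificate path on the master is an assumption based on the /etc/icinga2/pki/<CN>.crt layout visible in the wizard output.

```shell
#!/bin/sh
# Added example: check the fingerprint shown by `icinga2 node wizard`
# against one computed on the master itself.

# Reduce any fingerprint notation to bare uppercase hex, so that
# "F8 7D 9E", "SHA1 Fingerprint=F8:7D:9E" and "f87d9e" all compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ' :\n\t' | tr 'abcdef' 'ABCDEF'
}

# True only for exactly 40 hex digits (one SHA-1 digest).
is_sha1_fp() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Run on the master: print the SHA-1 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -noout -fingerprint -sha1 -in "$1"
}

# fp_matches WIZARD_FP MASTER_FP
# Succeeds only if both values are well-formed and identical, so a
# truncated paste never counts as a match.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    is_sha1_fp "$a" && is_sha1_fp "$b" && [ "$a" = "$b" ]
}

# Usage (path is an assumption, see the note above the block):
#   master$ cert_fp /etc/icinga2/pki/monitoring.fishsilentcruise.space.crt
#   node$   fp_matches "<fingerprint printed by the wizard>" \
#                      "<line printed on the master>" && echo "fingerprint OK"
```

Transfer the master's fingerprint over a channel other than the connection the wizard itself uses (for example an existing SSH session to the master), and answer "y" only when the comparison succeeds.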

Add director-global zone.

$ cat << EOF | sudo tee -a /etc/icinga2/zones.conf
object Zone "director-global" {
  global = true
}
EOF

Clean up local configuration.

$ sudo echo -n | sudo tee /etc/icinga2/conf.d/{apt.conf,commands.conf,groups.conf,hosts.conf,downtimes.conf,notifications.conf,satellite.conf,services.conf,templates.conf,timeperiods.conf,users.conf}

Restart icinga2 service.

$ sudo service icinga2 restart

Client cannot be accessed and configured at this moment.

Add additional zone for satellite setup.

Define additional zone.

Add an endpoint for created zone.

Define endpoint for created zone.

Assign satellite to the created zone.

Assign client to the created zone.

Deploy configuration.

Verify that it works.

All stations status green.

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.