Úprava Icinga2 na použitie modelu Master/Client na CentOS 6 alebo CentOS 7

Icinga2 je výkonný monitorovací systém a pri použití v modeli master-client môže nahradiť potrebu monitorovacích kontrol založených na NRPE. Model master-client je bezpečnejší z rôznych dôvodov . Umožňuje tiež distribuovanejšie monitorovanie tým, že umožňuje modifikovať kontroly na jednom serveri a šíriť ich do iných. Poskytuje tiež jedno centralizované miesto pre zmeny.

Napríklad: Povedzme, že máte 4 rôzne webové servery s vyváženou záťažou. Ak viete, že sa blíži nárast zaťaženia (možno predaj alebo niečo, pri čom predpokladáte veľkú aktivitu), možno budete chcieť zvýšiť úrovne, pri ktorých vysoké využitie procesora upozorní správcov systému. Ak používate kontroly NRPE, budete musieť prejsť na každý server a upraviť /etc/nrpe.d/common_commands.cfgdokument na každom z nich. V modeli master-client môžete jednoducho upraviť ich hostiteľské definície v /etc/icinga2/repository.d/hosts/priečinku a potom znova načítať Icinga. Šeky sa rozšíria na každý server a budú automaticky vyberané. Kontroly môžete tiež veľmi jednoducho pridávať úpravou /etc/icinga2/repository.d/services/súborov a tie sa budú automaticky šíriť a rozpoznať, pokiaľ budú na klientskych serveroch zásuvné moduly existovať.

Predpoklady

• Inštancia servera s už nainštalovanými a nakonfigurovanými ( inštrukciami ) Icinga2 a Icingaweb2 s názvom icinga2master.example.com.
• Nová inštancia servera Vultr CentOS 6 alebo 7, ktorú chcete monitorovať, je pomenovaná icinga2client.example.com.
• Sudo prístup.

Niektoré z tejto príručky budú odzrkadľovať vyššie uvedené inštalačné pokyny, ale musíte to urobiť na klientskom počítači, nie na serveri.

Krok 1: Aktualizujte systém

Pridajte repozitár "ICINGA" do klientskeho systému a nainštalujte balíky Icinga.

sudo cat > /etc/yum.repos.d/ICINGA-release.repo << 'EOF'
[icinga-stable-release]
name=ICINGA (stable release for epel)
baseurl=http://packages.icinga.org/epel/$releasever/release/
enabled=1
gpgcheck=1
gpgkey=http://packages.icinga.org/icinga.key
EOF

Krok 2: Nainštalujte požadované balíčky

Nainštalujte požadované balíčky.

# CentOS 6
sudo yum -y install icinga2 mysql-server mysql icinga2-ido-mysql nagios-plugins-disk nagios-plugins-load nagios-plugins-procs nagios-plugins-ssh nagios-plugins-users nagios-plugins-swap nagios-plugins-ping icingacli

# CentOS 7
sudo yum -y install icinga2 mariadb-server mysql icinga2-ido-mysql nagios-plugins-disk nagios-plugins-load nagios-plugins-procs nagios-plugins-ssh nagios-plugins-users nagios-plugins-swap nagios-plugins-ping icingacli

CentOS 7 používa MariaDB namiesto MySQL, takže potrebné balíčky sú mierne odlišné. Spustite služby a nastavte ich spustenie pri štarte.

sudo chkconfig icinga2 on
sudo service icinga2 start

Nastavte službu MySQL tak, aby sa spustila pri štarte a spustite ju teraz, aby sme ju mohli zabezpečiť.

# CentOS 6
sudo chkconfig mysqld on
sudo service mysqld start

#CentOS 7
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service

Zabezpečte inštaláciu MySQL/MariaDB. CentOS 6 aj 7 používajú rovnaký príkaz.

sudo mysql_secure_installation

Počas procesu odpovedzte na otázky, ako je uvedené:

Enter current password for root (enter for none): Enter
Set root password? [Y/n]: Y
New password: $newRootPassword
Re-enter new password: $newRootPassword
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Poznamenajte si to, $newRootPasswordpretože to budete potrebovať niekoľkokrát a resetovanie je náročné.

Krok 3: Nastavte databázu

Musíte vytvoriť icingapoužívateľské meno a importovať schému do databázy. To sa robí rovnakým spôsobom na CentOS 6 a 7.

sudo mysql -u root -p
>CREATE DATABASE icinga;
>GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON icinga.* TO 'icinga'@'localhost' IDENTIFIED BY '$someIcingaPassword'; 
>exit

Potom importujte schému do databázy, ktorú ste práve vytvorili.

sudo mysql -u root -p icinga < /usr/share/icinga2-ido-mysql/schema/mysql.sql

Budete musieť zadať $newRootPasswordMySQL mariadb heslo / ste použili pri mysql_secure_installationpríkaz zhora, nie$someIcingaPassword ste práve vytvorili - ktorý z nich je použiť neskôr.

Aktivujte idomodul (databáza).

sudo icinga2 feature enable ido-mysql

Ak /etc/icinga2/features-enabled/ido-mysql.confchcete pridať informácie o databáze, musíte súbor upraviť . Môžete tak urobiť pomocou nasledujúceho príkazu.

sudo vi /etc/icinga2/features-enabled/ido-mysql.conf

V tomto súbore nájdite riadky, ktoré sú zakomentované (začnite znakom //).

//user = "icinga"
//password = "icinga"
//host = "localhost"
//database = "icinga"

...a upravte ich pomocou používateľa/hesla, ktoré ste práve vytvorili.

user = "icinga"
password = "$someIcingaPassword"
host = "localhost"
database = "icinga"

Uistite sa, že ste odkomentovali riadky odstránením prvých dvoch lomiek.

Potom reštartujte službu, aby ste prevzali zmeny.

sudo service icinga2 restart

Budete musieť pridať pripojenie medzi klientsky server a Icinga2 master, ktoré už bolo nakonfigurované. Budete to musieť urobiť pomocou brány Firewalld na CentOS 7 alebo IPTables v CentOS 6 alebo 7.

# CentOS 6
sudo vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5665 -j ACCEPT
...
#Icinga2 Master
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 5665 -j ACCEPT

sudo iptables restart

# CentOS 7    
sudo firewall-cmd --add-port=5665/tcp --permanent
sudo firewall-cmd --reload

Teraz upravte súbor hostiteľov a pridajte hlavný názov ako názov lokálnej domény.

sudo vi /etc/hosts
...
$masterIP  icinga2master icinga2master.example.com

Krok 4: Inicializujte master

Tento krok je potrebné vykonať na masteri Icinga2. Budete ho musieť inicializovať ako hlavný a potom vygenerovať žiadosť o podpis certifikátu, ktorú bude váš klient používať na komunikáciu.

sudo icinga2 node wizard

This will run the node wizard, which will ask several questions. The screen will look like the following, and the answers you will give are listed.

Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: n
Starting the Master setup routine...
Please specify the common name (CN) [icinga2-master1.localdomain]: icinga2master.example.com
Checking for existing certificates for common name 'icinga2master.example.com'...
Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/etc/icinga2/pki/icinga2master.example.com.csr'.
information/base: Writing private key to '/etc/icinga2/pki/icinga2master.example.com.key'.
information/base: Writing certificate signing request to '/etc/icinga2/pki/icinga2master.example.com.csr'.
information/cli: Signing CSR with CA and writing certificate to '/etc/icinga2/pki/icinga2master.example.com.crt'.
information/cli: Copying CA certificate to '/etc/icinga2/pki/ca.crt'.
Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
Please specify the API bind host/port (optional):
Bind Host []: <hit enter>
Bind Port []: <hit enter>
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Then, restart Icinga2 to pick up the changes.

sudo service icinga2 restart

Now that it's a master, you can use it to generate the certificate signing request string.

sudo icinga2 pki ticket --cn icinga2client.example.com

You will get some string $pkiString. Copy that string, as you'll need it on the client.

Step 5: Initialize the client

Run the node wizard to generate the certificates and connect to the master.

sudo icinga2 node wizard

It will come up with a similar page to the above. This page is shown below with answers included.

Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.



Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: Y
Starting the Node setup routine...
Please specify the common name (CN) [icinga2client.example.com]:
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): icinga2master.example.com
Do you want to establish a connection to the master from this node? [Y/n]: Y
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): icinga2master.example.com
Master endpoint port [5665]: 5665
Add more master endpoints? [y/N]: N
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [icinga2master.example.com]: icinga2master.example.com
Port [5665]: 5665
information/cli: Created backup file '/etc/icinga2/pki/icinga2client.example.com.key.orig'.
information/cli: Created backup file '/etc/icinga2/pki/icinga2client.example.com.crt.orig'.
information/base: Writing private key to '/etc/icinga2/pki/icinga2client.example.com.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/icinga2client.example.com.crt'.
information/cli: Fetching public certificate from master (icinga2master.example.com, 5665):

Certificate information:

 Subject:     CN = icinga2master.example.com
 Issuer:      CN = Icinga CA
 Valid From:  Jan 10 21:08:37 2017 GMT
 Valid Until: Jan  7 21:08:37 2032 GMT
 Fingerprint: FE 72 AB F3 18 A5 12 E0 0C 5D 94 8B 96 C4 57 3B 00 5C E0 04

Is this information correct? [y/N]: Y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'icinga2client.example.com'): $pkiString

information/cli: Requesting certificate with ticket '$pkiString'.

warning/cli: Backup file '/etc/icinga2/pki/icinga2client.example.com.crt.orig' already exists. Skipping backup.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/icinga2client.example.com.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []: <enter key>
Bind Port []: <enter key>
Accept config from master? [y/N]: Y
Accept commands from master? [y/N]: Y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
warning/cli: Feature 'api' already enabled.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Go ahead and restart Icinga2 to pick up the changes.

sudo icinga2 restart

This may already be done, but you need to ensure that the command and API features are enabled.

sudo icinga2 feature enable command
sudo icinga2 feature enable api

If they weren't enabled, it will say "feature enabled", so you'll need to restart the Icinga2 daemon. But first, you need to change ownership of the files in the /etc/icinga2 directory, as some of them have the wrong permissions after running the node wizard. They should all have their owner and group set to icinga. Change the permissions by using the following command:

sudo chown -R icinga:icinga /etc/icinga2/

Now, you can restart the Icinga2 daemon.

sudo service icinga2 restart

Step 6: Configure the client

The client configuration requires editing a few different files.

• /etc/icinga2/zones.conf: Contains the endpoints (servers) and zones that contain them. This is how the servers are partitioned. Make sure the client names match the server names.
• /etc/icinga2/icinga2.conf: You are accepting commands and configs from the master, so you need to do a minor edit on this file to avoid duplicate command definitions.

First, we're going to modify the zones.conf file to define the server and the zone it's in, as well as creating a "global" zone for command definitions that are universal to ALL servers, instead of unique to each (such as disk checks).

sudo vi /etc/icinga2/zones.conf

object Zone clientZone { 
        endpoints = [ "icinga2master.example.com" ]
}

object Zone "global-templates" { # Add global templates zone
        global = true
}

object Endpoint NodeName {
        host = "$icinga2clientIP" 
}

object Zone ZoneName {
        endpoints = [ NodeName ]
        parent = clientZone
} 

It is important to know, there can only be 2 nodes per zone at the moment. You can make as many zones as you wish, but if there are more than 2 nodes per zone there is a chance that the Icinga2 service will not work properly. This is not a problem on the client, unless you already have 2 nodes in the zone clientZone, in which case you will need to make another zone name.

Now, make the modification in the /etc/icinga2/icinga2.conf file. You need to comment out the line include_recursive "conf.d".

sudo vi /etc/icinga2/icinga2.conf
...
//include_recursive "conf.d"
...

Verify config to ensure that everything is formatted correctly.

sudo icinga2 daemon -C

If you get permissions problems, it's likely because the item is owned by root:root. Chown to icinga:icinga to resolve.

sudo chown -R icinga:icinga /etc/icinga2/

There are other issues with the configs, generally the information given from the output of the sudo icinga2 daemon -C command will be verbose enough to track them down. Addressing every potential issue that arises is outside the scope of this guide.

If the verification succeeds, go ahead and reload the service:

sudo service icinga2 restart

You'll need to give the icinga user sudo permissions so that the commands can be run. These sudo permissions will be restricted to the specific plugin directory. This can just be put at the end of the file.

sudo vi /etc/sudoers
...
Defaults:icinga !requiretty
icinga          ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/

Now the client configuration is officially finished. You shouldn't need to make any more modifications, any service checks will configured on the master and will propagate down to the client. You will need to install any additional plug-ins you might need, however. Plug-ins can also be written using python, perl, BASH, PHP, and other scripted languages.

Step 7: Add client to master config

You will need to get back onto the master to configure the client so that it can be connected. There are a few steps that will need to be taken:

1. Add host config to repository.d.
2. Add host to zone as endpoint.
3. Configure any checks for the client. This is slightly out of scope of this guide, I'll provide only a basic explanation of the steps involved.

The host config will be entered in the /etc/icinga2/repository.d/hosts/icinga2client.example.com.conf file.

sudo vi /etc/icinga2/repository.d/hosts/icinga2client.example.com.conf
object Host "icinga2client.example.com" {
  import "satellite-host"
  address = "$icinga2clientIP"
  vars.os = "Linux"
}
sudo chown icinga:icinga /etc/icinga2/repository.d/hosts/icinga2client.example.com.conf

Hostiteľ teraz existuje v konfigurácii klienta, ale je potrebné ho umiestniť do zóny. Táto zóna bude v /etc/icinga2/repository.d/zonespriečinku s rovnakým názvom ako názov zóny, aby sa uľahčilo sledovanie.

sudo vi /etc/icinga2/repository.d/zones/clientZone.conf
object Zone "clientZone" {
        endpoints = [ "icinga2client.example.com" ]
        parent = "icinga2master.example.com"
}

Ďalej musíte pridať global-templateszónu.

sudo vi /etc/icinga2/repository.d/zones/global-templates.conf
object Zone "global-templates" {
        global = true
}

Nakoniec pridajte koncový bod klienta, aby sa pole koncových bodov "clientZone" pri spustení vyplnilo.

sudo vi /etc/icinga2/repository.d/endpoints/icinga2client.example.com.conf

#Change values to match the host you're adding
object Endpoint "icinga2client.example.com" {
        host = "$icinga2clientIP"
}

Aby ste sa uistili, že neexistujú žiadne problémy s povoleniami, pokračujte a znova zmeňte vlastníka/skupinu.

sudo chown -R icinga:icinga /etc/icinga2

Overte zmeny konfigurácie, aby ste sa uistili, že neexistujú žiadne ďalšie problémy.

sudo icinga2 daemon -C

Ak overenie prebehne úspešne, pokračujte v opätovnom načítaní.

sudo service icinga2 restart

Ak navštívite svoju webovú stránku Icinga2, uvidíte, že server bude prístupný.

Krok 8: Vlastné príkazy a kontroly

Môžete naraziť na chyby týkajúce sa „príkaz nenájdený“ alebo „kontrola nie je definovaná“. Tu vstupuje do hry zóna globálnych šablón. Budete musieť skopírovať konfiguráciu do /etc/icinga2/conf.d/súborov a vložiť ich do /etc/icinga2/zones.d/global-templates/súborov. Ak chcete napríklad vytvoriť príkaz „check_software“, musíte urobiť nasledovné.

sudo mkdir /etc/icinga2/zones.d/global-templates
sudo vi /etc/icinga2/zones.d/global-templates/commands.conf
object CheckCommand "check_software" {
  import "plugin-check-command"
  command = [ "/usr/bin/sudo",  PluginDir + "/software_service_check.sh" ]
}

software_service_check.shSúboru budú musieť existovať v /usr/lib64/nagios/pluginspriečinku na klientovi .

Potom do /etc/icinga2/repository.d/hosts/services.confsúboru pridajte kontrolu služby .

sudo vi /etc/icinga2/repository.d/hosts/services/services.conf
apply Service "Check Software Service" {
  import "mail-service"
  check_command = "check_software" # This check command is the same name as the one you defined in global-templates/commands.conf

  assign where host.vars.client_endpoint # This will apply to every client server. If you need it to be more restrictive, you should look into custom variables
}

Budete musieť znova zmeniť povolenia.

sudo chown -R icinga:icinga /etc/icinga2

Potom znova overte konfiguráciu.

sudo icinga2 daemon -C

Nakoniec, ak sa to podarí, znova načítajte:

sudo service icinga2 restart

Gratulujem! Teraz používate Icinga2 v modeli master-client a teraz sa môžete vyhnúť tomu, aby ste museli používať neisté kontroly NRPE!