Icinga2

From Gentoo Wiki
This article is a stub. You can help by expanding it.

Introduction

Icinga2 is similar to Icinga and Nagios and was officially released in 2014. It enables monitoring of hosts and services. This includes:

  • A local host running Gentoo Linux, e.g. a server at home
  • A remote host offering Icinga2 services
  • Any remote host offering services like SSH or HTTP, not running any part of Icinga2
Warning
A monitoring tool adds attack surface to the host it runs on. Carefully plan exposed ports, accounts and privileges. Also, back up the configuration, including data stored in databases.
Warning
Do not copy passwords from here. Instead, create unique secrets for each installation. Also, critically review suggestions from external sources. For example, PostgreSQL's pg_hba.conf must not use md5 as the password hashing method.

Installation

Gentoo Host

The following steps set up Icinga2 monitoring with a web interface on a host running Gentoo. The Icinga2 service can then be used to monitor remote hosts, too, but the focus is on monitoring the Icinga2-enabled host itself. PostgreSQL is the authentication backend and will hold monitoring data, too.

Packages:

  • postgresql
  • icinga2
  • monitoring-plugins
  • icingaweb2

Optional:

  • lm-sensors for hardware monitoring

What will be monitored out of the box:

  • /proc statistics, load
  • mounted volumes/disks
  • HTTP-endpoints
  • validity of TLS-certificates

Add apache user to group icingaweb2 so resources can be accessed:

root #gpasswd -a apache icingaweb2

PostgreSQL[1]:

user $psql -c "CREATE ROLE icinga WITH LOGIN ENCRYPTED PASSWORD 'yourSecret'"
user $createdb -O icinga -E UTF8 icinga

Configure DB-access:

FILE /etc/icinga2/features-enabled/ido-pgsql.conf
object IdoPgsqlConnection "ido-pgsql" {
  user = "icinga"
  password = "yourSecret"
  //assuming host = "localhost"
  database = "icinga"
}
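
The warning in the introduction says pg_hba.conf must not use md5. The following shell function is an added example, not part of this wiki page or of PostgreSQL/Icinga2, that scans a pg_hba.conf for such rules; it goes beyond the page by also flagging the password and trust methods. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): flag weak auth methods in pg_hba.conf.
# Assumption: fields are whitespace-separated, no quoted names containing spaces.

# audit_pg_hba FILE: print each weak rule, return 1 if any was found.
audit_pg_hba() {
    awk '
    { sub(/#.*/, "") }               # strip full-line and trailing comments
    NF == 0 || $1 ~ /^include/ { next }
    {
        # "local" rules have no address column: TYPE DB USER METHOD
        # host* rules: TYPE DB USER ADDRESS METHOD, or ADDRESS NETMASK METHOD
        method = ($1 == "local") ? $4 : $5
        if ($1 != "local" && index($4, "/") == 0 &&
            ($5 ~ /^[0-9]+(\.[0-9]+)+$/ || index($5, ":") > 0))
            method = $6              # separate netmask column shifts METHOD
        if (method == "md5")           why = "MD5-based password hashing"
        else if (method == "password") why = "password sent in cleartext"
        else if (method == "trust")    why = "no authentication at all"
        else next
        printf "%s:%d: %s (%s)\n", FILENAME, FNR, method, why
        bad = 1
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample rules using the role names from this page.
write_sample() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE    USER        ADDRESS         METHOD
local   all         postgres                    peer
local   icinga      icinga                      md5
host    icinga      icinga      127.0.0.1/32    scram-sha-256
host    icingaweb2  icingaweb2  127.0.0.1 255.255.255.255 md5   # netmask form
host    all         all         ::1/128         trust
hostssl icingaweb2  icingaweb2  samehost        scram-sha-256
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_pg_hba "$sample" || echo "weak authentication methods found"
rm -f "$sample"
```

Run it against the real file as the postgres user, for example `audit_pg_hba "$PGDATA/pg_hba.conf"`; the path depends on the installation.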

IcingaWeb2

PostgreSQL:

create user icingaweb2 with encrypted password 'icingaweb2';
create database icingaweb2;
GRANT ALL PRIVILEGES ON DATABASE icingaweb2 TO icingaweb2;

  1. Use /usr/share/icingaweb2/bin/icingacli
  2. Create token
  3. Configure the rest through the web interface
Warning
Set up TLS to protect the web interface. In particular, basic authentication without TLS leaks the username and password of icingaadmin in plain text.
Note
Without the admin module in Icingaweb2, it is necessary to create dashboards in /etc/icingaweb2/dashboards/icingaadmin/dashboard.ini. Afterwards, it is possible to add Dashlets from within Icingaweb2 without editing files.

Hardware Monitoring through lm-sensors

  • broken configuration, see bug #759595
  • create local shell script
  • setup CheckCommand manually
Note
Icinga2's linked wrapper for sensors is broken: the argument order yields only error output, and the scraping of sensors' output is broken as well. See https://github.com/jackbenny/check_temp/issues/9.

Graphs through pnp4nagios

  • Package: net-analyzer/pnp4nagios, USE=-nagios icinga
  • Package: www-apps/icingaweb2-module-pnp4nagios
  • module pnp must be enabled in Icingaweb2
  • add perfdata.conf to /etc/icinga2/features-enabled (issues with icingacli, must be done as root/manually)
  • filling perfdata.conf is a bit fragile; default paths after installation don't match between icinga2 and the npcd ingester
Note
Host and service templates are missing, so there are no action_url properties in icingaweb2. They must be added manually to templates.conf.
Note
It is useful to link directly from Icingaweb2 to Graphs. Icinga2/IcingaWeb2 deprecated the action_url properties; navigation/host-actions.ini is to be used instead.
Warning
This does not work out of the box: permissions/ownership of the perfdata directory are wrong, and the log file of icingaweb2 complains about missing permissions.
FILE /etc/icingaweb2/navigation/host-actions.ini
[Graphs]
type = "host-action"
target = "_blank"
url = "/pnp4nagios?host=$host_name$"
owner = "icingaadmin"
groups = "icinga2admins"
FILE /etc/icinga2/features-enabled/perfdata.conf
/**
 * The PerfdataWriter type writes performance data files and rotates
 * them in a regular interval.
 */
object PerfdataWriter "perfdata" { 
    /* this is where npcd will read from */
    host_perfdata_path = "/var/lib/pnp/perfdata/host-perfdata"
    service_perfdata_path = "/var/lib/pnp/perfdata/service-perfdata"

    /* Do not adjust host_format_template - discouraged in Icinga2 docs */
    /* Do not adjust service_format_template - discouraged in Icinga2 docs */

    rotation_interval = 15s
}

Not running out of the box:

Gentoo Remote

Note
Collecting statistics from a Gentoo remote host