Icinga 2: Master node (Part 4)

Robin O'Brien
3 min read · Feb 20, 2018

Welcome to Part 4 of the Icinga 2 setup guide. In Part 1 and Part 2 we installed Icinga 2 and Icinga Web 2. In Part 3 we went through each step of the configuration wizard. Now in Part 4 we will prepare the master Icinga 2 instance (the one we installed in Part 1) to accept the remote nodes we want to monitor.

Let's begin.

Firewall

Icinga 2 accepts connections on port 5665. To let the remote nodes we intend to monitor reach the master, we need to allow traffic to this port through the firewall. Again, we will make use of firewalld, but you are welcome to use whatever package you are familiar with. Do not forget to make the rule permanent; otherwise the port will be closed again after a server reboot.

$ firewall-cmd --add-port=5665/tcp
$ firewall-cmd --permanent --add-port=5665/tcp

Node setup

Now that we are able to receive connections, we need to configure the master node itself. This setup ensures communication will be secure but it also defines a few more details the master node needs in order to act as the master Icinga instance.

This setup comes in the form of a wizard. It has been created in such a way that it is very easy to understand. We will go through each step now.

To kick off the wizard, run the following on your master Icinga 2 server.

$ icinga2 node wizard

Once the wizard has begun, you will see the following output:

Welcome to the Icinga 2 Setup Wizard!
We will guide you through all required configuration details.
Please specify if this is a satellite/client setup ('n' installs a master setup) [Y/n]:

We are setting up the master node, so we need to enter n now. Press enter to submit the response.

Please specify if this is a satellite/client setup ('n' installs a master setup) [Y/n]: n
Starting the Master setup routine...
Please specify the common name (CN) [ip-xxx-xxx-xxx-xxx.eu-west-1.compute.internal]:

The wizard now asks you to choose a common name for the master node. I usually stick to using its FQDN. In this case we will use the one supplied by AWS. This is not ideal as it can change. To solve this problem, assign an Elastic IP to your instance and set up proper DNS entries with whoever manages your domain names.

In the above snippet we see that the common name is contained within the square brackets. This means it is the default entry. Should we want the default, we can just press enter, which is what we will do in this case.

Reconfiguring Icinga...
Checking for existing certificates for common name 'ip-xxx-xxx-xxx-xxx.eu-west-1.compute.internal'...
Certificate '/var/lib/icinga2/certs//ip-xxx-xxx-xxx-xxx.eu-west-1.compute.internal.crt' for CN 'ip-xxx-xxx-xxx-xxx.eu-west-1.compute.internal' already existing. Skipping certificate generation.
Generating master configuration for Icinga 2.
'api' feature already enabled.
Please specify the API bind host/port (optional):
Bind Host []:

After hitting enter, the wizard will create a few certificates and enable the API feature if it has not been enabled already. In the snippet above we can see the certificate was already created and the API feature was already enabled.

Next we are asked for a bind host. This is optional so we will just push enter to move on.

Bind Port []:

Again, this is optional. Just push enter when asked for a bind port.

The wizard should now have completed. You will see output that looks something like the following:

Done.
Now restart your Icinga 2 daemon to finish the installation!

Restart Icinga 2 to let the changes take effect.

$ systemctl restart icinga2
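
The two things this part leaves easiest to get wrong are the permanent firewall rule and the certificate common name, so here is a small check script for both. It is an added example, not part of the original article: the script name and function names are hypothetical, and it assumes the port was opened in firewalld's default zone and that openssl is installed.

```shell
#!/bin/sh
# Added example: post-setup checks for the master node (not from the article).
PORT="5665/tcp"

# True if port $1 appears as a whole entry in list $2
# (the format printed by `firewall-cmd --list-ports`).
port_listed() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Compare runtime ($1) and permanent ($2) port lists.
# Prints: ok | runtime-only | permanent-only | closed
firewall_state() {
    if port_listed "$PORT" "$1"; then
        if port_listed "$PORT" "$2"; then echo ok; else echo runtime-only; fi
    elif port_listed "$PORT" "$2"; then
        echo permanent-only
    else
        echo closed
    fi
}

# Extract the CN from an `openssl x509 -noout -subject` line. Accepts both
# "subject=CN = name" and the older "subject= /CN=name" layout.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Run on the master. $1 = common name given to the wizard.
# Assumes the port was opened in firewalld's default zone.
verify_master() {
    state=$(firewall_state "$(firewall-cmd --list-ports)" \
                           "$(firewall-cmd --permanent --list-ports)")
    echo "firewalld $PORT: $state"
    got=$(subject_cn "$(openssl x509 -in "/var/lib/icinga2/certs/$1.crt" -noout -subject)")
    echo "certificate CN: ${got:-unreadable}"
    [ "$state" = ok ] && [ "$got" = "$1" ]
}

# Usage: sh check-master.sh --run <common-name>
if [ "${1:-}" = "--run" ]; then verify_master "$2"; fi
```

A `runtime-only` result means the port will close again on reboot; `permanent-only` means the saved rule has not been loaded into the running firewall yet.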

Final thoughts

That concludes Part 4. It was a really quick part; however, it gets everything ready for the subsequent steps.

We will also see that when adding nodes to monitor, the process is similar to what we have just done on the master Icinga 2 node.

Thank you for reading! I hope it was of some use.
