chrnie / ansible-role-icinga2
install icinga2 on rhel or debian
License: Apache License 2.0
Since not every system in a network can get a ticket via the API from the Master/Director system (firewall, zones, VLANs, etc.), implementing the "CA Proxy Certificate Signing Request" method would be necessary.
The playbook:
---
- hosts: monitoring.hostname.tld
  roles:
    - geerlingguy.mysql
    - chrnie.icinga2
  vars:
    - icinga2_role: master
The failing task:
TASK [chrnie.icinga2 : create cert] **********************************************************************************************************************************************
fatal: [monitoring.hostname.tld]: FAILED! => {
    "changed": true,
    "cmd": "/usr/sbin/icinga2 pki new-cert --cn monitoring --key '/var/lib/icinga2/certs/monitoring.key' --cert '/var/lib/icinga2/certs/monitoring.crt'",
    "delta": "0:00:02.024617",
    "end": "2018-05-09 13:53:21.146083",
    "rc": 1,
    "start": "2018-05-09 13:53:19.121466"
}

STDOUT:

[2018-05-09 13:53:19 +0000] warning/icinga-app: Sysconfig file '/etc/sysconfig/icinga2' cannot be read. Using default values.
information/base: Writing private key to '/var/lib/icinga2/certs/monitoring.key'.
critical/SSL: Error while opening private RSA key file '/var/lib/icinga2/certs/monitoring.key': 33558530, "error:02001002:system library:fopen:No such file or directory"

MSG:

non-zero return code
Hi @chrnie,
there is an error in the include of pki.yml:
- name: Manage Certificates
  include_tasks: "pki.yml"
  creates: "/var/lib/icinga2/certs/{{ icinga2_nodename }}.crt"
  when: inventory_hostname != icinga2_ca_host
  tags:
    - install
    - update
FAILED! => {"reason": "'creates' is not a valid attribute for a TaskInclude

The error appears to have been in '/data/icinga2-vagrant-ansible/roles/chrnie.icinga2/tasks/config-master.yml': line 38, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Manage Certificates
  ^ here

This error can be suppressed as a warning using the \"invalid_task_attribute_failed\" configuration"}
Can you fix this please? It seems that creates is not supported anymore in this case.
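As an added example (not code from the role), one way to keep the "only run the PKI tasks when the certificate is missing" behaviour without the unsupported creates attribute is to stat the certificate first and gate the include on the result. Paths and variable names are the ones from the task above:

```yaml
# Added example: replaces 'creates:' on include_tasks with an explicit stat
# check. icinga2_nodename and icinga2_ca_host are the role variables used
# in the task quoted above.
- name: Check whether the node certificate already exists
  stat:
    path: "/var/lib/icinga2/certs/{{ icinga2_nodename }}.crt"
  register: icinga2_node_cert
  tags:
    - install
    - update

- name: Manage Certificates
  include_tasks: pki.yml
  when:
    - inventory_hostname != icinga2_ca_host
    - not icinga2_node_cert.stat.exists
  tags:
    - install
    - update
```

Note that tags on include_tasks only select the include statement itself; if the tasks inside pki.yml should also carry install/update, either switch to import_tasks or pass the tags through with apply (Ansible 2.7 and later).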
When running this task:
- name: Test config before restart icinga 2
  shell: "{{ icinga2_binary }} daemon -C"
  register: configTest
  changed_when: configTest.rc == 0
  notify: Restart Icinga 2
This is the error when running with -vvv:
RUNNING HANDLER [chrnie.icinga2 : Test config before restart icinga 2] ****
task path: /Users/cjefferies/Documents/code/gitlab/ansible/base/roles/chrnie.icinga2/handlers/main.yml:3
9-03-20 18:40:43 +0000] critical/config: 1 error",
    "stdout_lines": [
        "[2019-03-20 18:40:43 +0000] information/cli: Icinga application loader (version: r2.10.4-1)",
        "[2019-03-20 18:40:43 +0000] information/cli: Loading configuration file(s).",
        "[2019-03-20 18:40:43 +0000] information/ConfigItem: Committing config item(s).",
        "[2019-03-20 18:40:43 +0000] information/ApiListener: My API identity: mon.my.int",
        "[2019-03-20 18:40:43 +0000] critical/SSL: Error loading and verifying locations in ca key file '/var/lib/icinga2/certs//ca.crt': 33558530, \"error:02001002:system library:fopen:No such file or directory\"",
        "[2019-03-20 18:40:43 +0000] critical/config: Error: Cannot make SSL context for cert path: '/var/lib/icinga2/certs//mon.my.int.crt' key path: '/var/lib/icinga2/certs//mon.my.int.key' ca path: '/var/lib/icinga2/certs//ca.crt'.",
        "Location: in /etc/icinga2/features-enabled/api.conf: 4:1-4:24",
        "/etc/icinga2/features-enabled/api.conf(2): * The API listener is used for distributed monitoring setups.",
        "/etc/icinga2/features-enabled/api.conf(3): */",
        "/etc/icinga2/features-enabled/api.conf(4): object ApiListener \"api\" {",
        "                                           ^^^^^^^^^^^^^^^^^^^^^^^^",
        "/etc/icinga2/features-enabled/api.conf(5): ",
        "/etc/icinga2/features-enabled/api.conf(6):   accept_config = false",
        "",
        "[2019-03-20 18:40:43 +0000] critical/config: 1 error"
    ]
}
I defined the CA host variable like this:
icinga2_ca_host: "mon.my.int"
This is the master monitoring server, which I assume works as the CA for the monitored systems.
It looks like it did not create the folder/file: /var/lib/icinga2/certs/ca.crt
The other cert files were created:
/var/lib/icinga2/certs/mon.my.int.key
/var/lib/icinga2/certs/mon.my.int.crt
Any tips would be appreciated.
Thank you,
Chris.
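Both the "create cert" failure reported earlier on this page (pki new-cert cannot open the key file for writing) and the missing ca.crt in the report above come down to files that the role has to put in place before icinga2 is asked to use them. The following tasks are an added example, not code from the role: they create the certificate directory, create the CA only on the host named in icinga2_ca_host, copy ca.crt next to the node certificate, and fail with a clear message before the config test if the CA certificate is still missing. icinga2_user and icinga2_group are assumed variable names; icinga2_binary and icinga2_ca_host are the role variables used on this page.

```yaml
# Added example (not from the role). Assumed variables: icinga2_user,
# icinga2_group. 'icinga2 pki new-ca' writes ca.crt and ca.key to
# /var/lib/icinga2/ca/; the ApiListener looks for ca.crt in /var/lib/icinga2/certs/.
- name: Make sure the certificate directory exists before 'pki new-cert' writes into it
  file:
    path: /var/lib/icinga2/certs
    state: directory
    owner: "{{ icinga2_user }}"
    group: "{{ icinga2_group }}"
    mode: "0750"

- name: Create the Icinga 2 CA on the CA host only
  command: "{{ icinga2_binary }} pki new-ca"
  args:
    creates: /var/lib/icinga2/ca/ca.crt
  when: inventory_hostname == icinga2_ca_host

- name: Keep the CA private key readable by the Icinga user only
  file:
    path: /var/lib/icinga2/ca/ca.key
    owner: "{{ icinga2_user }}"
    group: "{{ icinga2_group }}"
    mode: "0600"
  when: inventory_hostname == icinga2_ca_host

- name: Copy ca.crt next to the node certificate
  copy:
    src: /var/lib/icinga2/ca/ca.crt
    dest: /var/lib/icinga2/certs/ca.crt
    remote_src: true
    owner: "{{ icinga2_user }}"
    group: "{{ icinga2_group }}"
    mode: "0644"
  when: inventory_hostname == icinga2_ca_host

- name: Check for the CA certificate before testing the configuration
  stat:
    path: /var/lib/icinga2/certs/ca.crt
  register: icinga2_ca_crt

- name: Fail early with a clear message if the CA certificate is missing
  assert:
    that: icinga2_ca_crt.stat.exists
    msg: "/var/lib/icinga2/certs/ca.crt is missing; run the CA tasks on {{ icinga2_ca_host }} first"

- name: Test config before restart icinga 2
  command: "{{ icinga2_binary }} daemon -C"
  changed_when: false
```

The assert turns the opaque "Cannot make SSL context" failure from daemon -C into a message that names the missing file and the host responsible for producing it; agents that obtain ca.crt through the ticket or CSR flow still pass the same check.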
TASK [chrnie.icinga2 : Enable icinga2 feature ido-pgsql - False] ****************************************************************************************************************************************************************************
Wednesday 15 August 2018 13:40:56 +0200 (0:00:00.350) 0:04:49.539 ******
[WARNING]: The src option requires state to be 'link' or 'hard'. This will become an error in Ansible 2.10
The task "Import icinga2 schema" and maybe other MySQL-related tasks cannot be executed when the MySQL users are set up with "REQUIRE SSL".
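As an added example (not the role's own task), the schema import can be made to work against a user created with REQUIRE SSL by giving mysql_db a CA certificate, and optionally a client certificate and key, so the connection is negotiated over TLS. icinga2_ido_ca_cert, icinga2_ido_client_cert and icinga2_ido_client_key are assumed variable names; the other variables are the ones quoted on this page. The ca_cert, client_cert and client_key parameters exist in mysql_db from Ansible 2.7 on; older releases spell them ssl_ca, ssl_cert and ssl_key.

```yaml
# Added example (not from the role). Assumed variables:
# icinga2_ido_ca_cert, icinga2_ido_client_cert, icinga2_ido_client_key.
- name: Import icinga2 schema
  mysql_db:
    name: "{{ icinga2_ido_dbname }}"
    state: import
    target: /usr/share/icinga2-ido-mysql/schema/mysql.sql
    login_host: "{{ icinga2_ido_host }}"
    login_port: "{{ icinga2_ido_port }}"
    login_user: "{{ icinga2_ido_user }}"
    login_password: "{{ icinga2_ido_password | default(omit) }}"
    # CA used to verify the server; required for the TLS handshake that
    # a REQUIRE SSL user depends on
    ca_cert: "{{ icinga2_ido_ca_cert }}"
    # only needed when the user is created with REQUIRE X509 or a
    # client certificate is otherwise enforced
    client_cert: "{{ icinga2_ido_client_cert | default(omit) }}"
    client_key: "{{ icinga2_ido_client_key | default(omit) }}"
```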
I'm trying to understand how to deploy into a system that has about 25 servers. One will be the master (icinga2_role = master), the rest will be clients (icinga2_role = agent).
When I run master, I set the host of the playbook to be the monitoring server. It is the only one I am referencing from the inventory list. There is only one, and Icinga as master is installed.
Now I want to run with icinga2_role = agent.
In my playbook I set hosts: all, but I don't think I should include the master server in the inventory.
What is the best practice scenario for running the playbook for a master server and then for the rest of the agent servers?
Thanks for any tips,
Chris.
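One way to structure this, shown here as an added example rather than anything the role ships, is a single playbook with two plays: the master play runs first against an inventory group holding the monitoring server, and the agent play runs afterwards against a second group, deriving icinga2_ca_host from the master group so the two stay consistent. The group names icinga2_master and icinga2_agents are assumed; icinga2_role and its values master/agent are the role variables discussed above.

```yaml
# Added example (not from the role). Assumed inventory layout:
#
#   [icinga2_master]
#   monitoring.hostname.tld
#
#   [icinga2_agents]
#   agent01.hostname.tld
#   agent02.hostname.tld
#
# The master play runs first so the CA exists before any agent asks it
# for a certificate.
---
- name: Configure the Icinga 2 master (and CA) first
  hosts: icinga2_master
  roles:
    - geerlingguy.mysql
    - chrnie.icinga2
  vars:
    icinga2_role: master

- name: Configure the agents, which request certificates from the master
  hosts: icinga2_agents
  # a few hosts at a time keeps certificate requests to the master manageable
  serial: 5
  roles:
    - chrnie.icinga2
  vars:
    icinga2_role: agent
    icinga2_ca_host: "{{ groups['icinga2_master'][0] }}"
```

Running the whole file with ansible-playbook applies both plays in order; --limit icinga2_agents later re-runs only the agent side. Keeping the master in its own group, rather than in all, avoids accidentally re-provisioning it as an agent.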
FYI...
[WARNING]: While constructing a mapping from ... roles/chrnie.icinga2/tasks/feature_ido-mysql.yml, line 51, column 5, found a duplicate dict key (). Using last defined value only.
name: "{{ icinga2_ido_dbname }}"
login_host: "{{ icinga2_ido_host }}"
login_port: "{{ icinga2_ido_port }}"
login_user: "{{ icinga2_ido_user }}"
login_password: "{{ icinga2_ido_password|default(omit) }}"
target: /usr/share/icinga2-ido-mysql/schema/mysql.sql
Non-existent parameters parent_host and parent_zone used in task:
- name: node setup
  shell: |
    {{ icinga2_binary }} node setup \
      --ticket {{ icinga2_client_ticket['stdout'] }} \
      --zone {{ inventory_hostname }} \
      --parent_host {{ icinga2_cert_request_host }} \
      --parent_zone {{ icinga2_ZoneName }} \
      --trustedcert /var/lib/icinga2/certs/trustedcert.crt \
      --cn {{ icinga2_nodename }} \
      --accept-commands \
      --accept-config
  args:
    creates: /etc/icinga2/zones.conf.orig
  notify: Test config before restart icinga 2
  when: icinga2_role == "agent"
  ignore_errors: '{{ ansible_check_mode }}'
icinga2 node setup --help
icinga2 - The Icinga 2 network monitoring daemon (version: r2.8.4-1)
Usage:
icinga2 node setup [<arguments>]
Sets up an Icinga 2 node.
Global options:
  -h [ --help ]             show this help message
  -V [ --version ]          show version information
  --color                   use VT100 color codes even when stdout is not a terminal
  -D [ --define ] arg       define a constant
  -a [ --app ] arg          application library name (default: icinga)
  -l [ --library ] arg      load a library
  -I [ --include ] arg      add include search directory
  -x [ --log-level ] arg    specify the log level for the console log. The valid value is either debug, notice, information (default), warning, or critical
  -X [ --script-debugger ]  whether to enable the script debugger
Command options:
  --zone arg                The name of the local zone
  --master_host arg         The name of the master host for auto-signing the csr; syntax: host[,port]
  --endpoint arg            Connect to remote endpoint; syntax: cn[,host,port]
  --listen arg              Listen on host,port
  --ticket arg              Generated ticket number for this request (optional)
  --trustedcert arg         Trusted master certificate file
  --cn arg                  The certificate's common name
  --accept-config           Accept config from master
  --accept-commands         Accept commands from master
  --master                  Use setup for a master instance
Report bugs at <https://github.com/Icinga/icinga2>
Get support: <https://www.icinga.com/support/>
Icinga home page: <https://www.icinga.com/>