-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/12/15 7:54 AM, Michael Friedrich wrote: > Not necessarily. There are basically three modes which can monitor > clients - command execution bridge, local configuration or config > sync throughout the cluster.
It's taken a bit, but I'm starting to understand more.. Really liking command execution bridges.. Much better than using SNMP for everything. > zones.conf (or whatever you like to name and include it) includes > the required connection information for all your endpoints. > Furthermore it illustrates the trust model between zones, and for > example a satellite must know that it is in a child zone of the > master instance, in order to receive configuration or other > events. > > So yes, you’ll need to provide that information between each level. > Clients not necessarily need to know about the master 2 levels up, > and also not about the other clients connected to the satellite > zone. Cool. I have everything in /etc/icinga2 in a git repo now. I just manually sync the zones.conf to the satellite when I change it. > *Never* expose your CA’s private key to other nodes. You should > keep it in a safe location where you’ll sign your certificates with > the CA then. That’s not necessarily the icinga2 master (only if > using CSR-Autosigning). Hrm.. Is the default to autosign? I haven't made any CA related changes up to this point. I can see the security implications, though, and I'd like to move the CA signing elsewhere. > The public ca.crt certificate must be put on each node, as well as > their signed public and private key files. More on the docs. I'll have to dig a bit in the docs. I've gotten most of what I need there, but I've had some trouble with understanding the multi-master and satellite stuff. >> - - Do clients that are performing command execution need to be >> reconfigured with the satellite listed as the "master" for that >> client? > > They’ll need a parent zone where the satellite is a member of. Hrm. After getting the zones.conf in place with assignment of endpoints to zones, all of the endpoints continued to connect to the master. To resolve this, I had to re-run the wizard and point it at the satellite server. As of now, everything appears to be acting how I would expect it to. > ‘command’ is for enabling the external command pipe, so if you’re > planning to use Icinga Web 2 on this satellite, you’d also need to > enable the command and ido-mysql feature (and need a database > setup). Ok. I have icingaweb installed on the master at the moment. Don't see a need to have it on the satellite, though I may want to move to a multi-master setup in the future. Not sure I have a large enough deployment to justify that yet. > Looks good to me. I guess hosts.conf contains the command_endpoint > information used for the command execution bridge for all applied > services? Yes, that seemed to be the place to put it as per the documentation. > One thing you should keep in mind - add cluster health checks so > you’ll know about your setup, getting alarmed and add dependencies > for notification suppressing even. Just added these. Had a break between data centers the other day and no alerts.. I knew I'd need something like this eventually, but I had thought that the loss of the satellite link would at least throw a red flag somewhere.. Since it didn't, I added the cluster checks. And then I ran into the cluster bug that existed in 2.3.8 .. Upgraded and it seems to be working like a charm. I did see two different checks in the docs. There's the "cluster" check and also the "cluster-zone" check. Right now I have a "cluster" check added for each master and satellite. Where do the "cluster-zone" checks fit in? > Kind regards, Michael Thanks! - -- - --------------------------- Jason 'XenoPhage' Frisvold xenoph...@godshell.com - --------------------------- "Any sufficiently advanced magic is indistinguishable from technology." - - Niven's Inverse of Clarke's Third Law -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlX7K3wACgkQ8CjzPZyTUTRTGgCePXmIH0BWKhb1YAwsG0tZLZgG Hp0An1VFbY97/XbFEiHnXHm8SJCWDSoM =v4UE -----END PGP SIGNATURE----- _______________________________________________ icinga-users mailing list icinga-users@lists.icinga.org https://lists.icinga.org/mailman/listinfo/icinga-users
