Hi, I did the upgrade from the fresh install. I guess I should not have done that? -Laura
________________________________________
From: icinga-users <icinga-users-boun...@lists.icinga.org> on behalf of icinga-users-requ...@lists.icinga.org <icinga-users-requ...@lists.icinga.org>
Sent: Friday, February 5, 2016 4:00 AM
To: icinga-users@lists.icinga.org
Subject: icinga-users Digest, Vol 26, Issue 12

Send icinga-users mailing list submissions to
        icinga-users@lists.icinga.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.icinga.org/mailman/listinfo/icinga-users
or, via email, send a message with subject or body 'help' to
        icinga-users-requ...@lists.icinga.org

You can reach the person managing the list at
        icinga-users-ow...@lists.icinga.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of icinga-users digest..."

Today's Topics:

   1. Re: icingaweb2: STARTTLS for LDAP auth not working (Berthold Cogel)
   2. Re: icinga-users Digest, Vol 26, Issue 8 (Laura DiMauro)
   3. Re: icinga-users Digest, Vol 26, Issue 8 (Muhammad Panji)

----------------------------------------------------------------------

Message: 1
Date: Thu, 04 Feb 2016 17:05:47 +0100
From: Berthold Cogel <co...@uni-koeln.de>
To: icinga-users@lists.icinga.org
Subject: Re: [icinga-users] icingaweb2: STARTTLS for LDAP auth not working
Message-ID: <56b376db.6060...@uni-koeln.de>
Content-Type: text/plain; charset=windows-1252

On 21.01.2016 at 22:26, KodaK wrote:
> Hi all,
>
> I'm setting up icingaweb2 using the /setup wizard and I'm at the
> authentication setup section.
>
> I've configured the icinga host to use our internal root cacert. I'm
> able to bind to both LDAP STARTTLS and LDAPS using command line tools
> (ldapsearch, etc)
>
> However, I'm unable to use either in Icingaweb2 unless I set
> "TLS_REQCERT never" in ldap.conf.
>
> When using TLS I get:
>
> Failed to successfully validate the configuration: ldap_start_tls():
> Unable to start TLS: Connect error
>
> And something similar when using LDAPS:
>
> NOTE: There might be an issue with the chosen encryption. Ensure that
> the LDAP-Server supports LDAPS and that the LDAP-Client is configured
> to accept its certificate.
> LDAP bind to corp.com:389 (u...@corp.com / ***) failed: Can't contact
> LDAP server
>
> So, this tells me that icingaweb2 is actually looking at ldap.conf,
> but for some reason is not accepting the company root CA certificate.
>
> I also used a small php script that does a tls bind and nothing
> else and was able to successfully bind, so PHP is working.
>
> I can't think of any other layers (maybe apache? If so, how?) that I can
> check.
>
> Is anyone using TLS with a local root CA? Does anyone have any
> suggestions for other things to check? Is there a way for me to get
> more debugging output from the setup wizard?
>
> This is a RHEL7.1 box up to date as of 1-04-2016 and using the icinga
> yum repo. Versions:
>
> icinga2-bin-2.4.1-1.el7.centos.x86_64
> icingaweb2-common-2.1.2-1.el7.centos.noarch
> icingaweb2-vendor-Parsedown-1.0.0-1.el7.centos.noarch
> icinga2-common-2.4.1-1.el7.centos.x86_64
> icinga2-2.4.1-1.el7.centos.x86_64
> icingaweb2-vendor-JShrink-1.0.1-1.el7.centos.noarch
> icingaweb2-vendor-HTMLPurifier-4.7.0-1.el7.centos.noarch
> php-Icinga-2.1.2-1.el7.centos.noarch
> icingaweb2-2.1.2-1.el7.centos.noarch
> icinga2-ido-mysql-2.4.1-1.el7.centos.x86_64
> icingaweb2-vendor-lessphp-0.4.0-1.el7.centos.noarch
> icingaweb2-vendor-dompdf-0.6.1-1.el7.centos.noarch
> icingacli-2.1.2-1.el7.centos.noarch
>
> (Also, but unrelated: when I try to register at monitoring-portal.org
> it fails with "server error". I know that's not an icinga-users
> issue, but hopefully someone who can do something will be notified.)
>
> Thanks for reading,
>
> --Jason
> _______________________________________________
> icinga-users mailing list
> icinga-users@lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users
>

I've installed icinga2/icingaweb2 on a RHEL6 system. I've started with
MySQL as backend first and configured the LDAP connection after I got
the interface up and running.

I've put all certificates in our CA chain in /etc/pki/tls/certs. They
must be readable for the users in the system (apache, icinga, ..) or
your client won't be able to verify the LDAP certificate.

And in /etc/openldap/ldap.conf:

BASE dc=....,dc=....
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT demand

No problem so far.... after I increased the memory_limit in php.ini....
No wonder with about 90000 objects in our ou=People.

Regards
Berthold

------------------------------

Message: 2
Date: Thu, 4 Feb 2016 18:04:56 +0000
From: Laura DiMauro <ldima...@unm.edu>
To: "icinga-users@lists.icinga.org" <icinga-users@lists.icinga.org>
Subject: Re: [icinga-users] icinga-users Digest, Vol 26, Issue 8
Message-ID: <bn3pr0701mb13613cf025391b2d29b3e786d3...@bn3pr0701mb1361.namprd07.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,
Yes, I did the steps you mentioned below without a problem and I checked my users and passwords to make sure everything looked ok.
I did forget about a step that I did yesterday. I did the 'upgrading the mysql database' part as well. It said to apply all database schema upgrade files incrementally.
I saw the following in /usr/share/icinga2-ido-mysql/schema/upgrade:
2.0.2.sql 2.1.0.sql 2.2.0.sql 2.3.0.sql 2.4.0.sql

I followed the instructions and used the following command for each version:
mysql -u root -p icinga < /usr/share/icinga2-ido-mysql/schema/upgrade/<version>.sql

After I did the first version it gave me the following error:
ERROR 1060 (42S21) at line 10: Duplicate column name 'endpoint_name'

Should I not have completed this as part of my first icinga2 installation?

________________________________________
From: icinga-users <icinga-users-boun...@lists.icinga.org> on behalf of icinga-users-requ...@lists.icinga.org <icinga-users-requ...@lists.icinga.org>
Sent: Wednesday, February 3, 2016 8:24 PM
To: icinga-users@lists.icinga.org
Subject: icinga-users Digest, Vol 26, Issue 8

Today's Topics:

   1. Re: Error: Request contained illegal metachars help! (Rob DeSanno)
   2. Icingaweb2 configuration - Monitoring IDO Resource (Laura DiMauro)
   3. Re: Icingaweb2 configuration - Monitoring IDO Resource (Muhammad Panji)

----------------------------------------------------------------------

Message: 1
Date: Wed, 03 Feb 2016 12:29:12 -0500
From: Rob DeSanno <rdesa...@icloud.com>
To: Icinga User's Corner <icinga-users@lists.icinga.org>, Michael Friedrich <michael.friedr...@netways.de>
Subject: Re: [icinga-users] Error: Request contained illegal metachars help!
Message-ID: <etPan.56b238e8.47832ef3.7329@heisenberg.local>
Content-Type: text/plain; charset="utf-8"

As always, thanks for your quick response. I'll play around with doing it your way and report back if I continue having issues.

On February 3, 2016 at 11:43:22 AM, Michael Friedrich (michael.friedr...@netways.de) wrote:

> On 03 Feb 2016, at 16:49, Rob DeSanno <rdesa...@icloud.com> wrote:
>
> Good morning / afternoon!
>
> I have one http check that I am trying to convert from Nagios over to Icinga2
> but it's kicking my butt. In a nutshell, the way this check works is the
> icinga host uses nrpe to run a command on the destination host which, in
> turn, tries to verify that that host can reach an outside host (ie icinga ->
> SERVERNAME -> amazonaws.com).
>
> The problem that I am coming across is that this check only runs when the
> nrpe arguments are encapsulated within quotes, something Icinga can't
> process. If I escape the quotes in the check, the remote host doesn't like it
> and returns the following error:
>
> Client request was invalid, bailing out...
> Error: Request contained illegal metachars!
>
> Here is how I have it currently configured...
>
> object CheckCommand "check_http_remote" {
>   import "nrpe-common"
>   command = [ PluginDir + "/check_nrpe","-H", "$host.address$", "-t", "30",
>   "-c", "check_http_remote", "-a", "$ARG1$"]
> }
>
> apply Service "pingS3" {
>   import "generic-service"
>   display_name = "pingS3"
>   check_command = "check_http_remote"
>
>   vars += {
>     "ARG1" = "-H s3.amazonaws.com -u https://s3.amazonaws.com/blahblahblah.txt"
>   }
>
>   assign where host.vars.servertype in ["remote_server"]
> }

Don't go the old way of passing command arguments as an entire string. There already is an "nrpe" CheckCommand available which allows you to pass additional arguments (the infamous -a flag). Note that you really should read about how to pass command parameters as custom attributes (you certainly do already partially).
Those arguments can be defined as array, so to speak yours would look like the following.

apply Service "pingS3" {
  import "generic-service"
  display_name = ...
  check_command = "nrpe"

  vars.nrpe_timeout = 30
  vars.nrpe_command = "check_http_remote"
  vars.nrpe_arguments = [ "-H", "s3.amazonaws.com", "-u", "https://s3.amazonaws.com/blahblahblah.txt" ]

  assign where host.vars.servertype in ["remote_server"]
}

(untested brain dump).

Icinga 2 will automatically convert the given array into shell-escaped parameters for the "-a" argument. Everything else should be working already as the "nrpe" CheckCommand is provided by just enabling the ITL plugins (default).

Although there might be another problem in passing additional parameters, so I would go for an nrpe config like this

[check_http_remote]=..../check_http -H $ARG1$ -u $ARG2$

and change the Service apply rule to

apply Service "pingS3" {
  import "generic-service"
  display_name = ...
  check_command = "nrpe"

  vars.nrpe_timeout = 30
  vars.nrpe_command = "check_http_remote"
  vars.nrpe_arguments = [ "s3.amazonaws.com", "https://s3.amazonaws.com/blahblahblah.txt" ]

  assign where host.vars.servertype in ["remote_server"]
}

Last but not least NRPE is considered insecure (or, immature) and you should consider looking into alternatives, such as the Icinga 2 client itself.

>
> ...and this is how it is configured in nagios
>
> define command{
> command_name check_http_remote
> command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_http_remote -a
> "$ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$ $ARG9$ $ARG10$
> $ARG11$ $ARG12$ $ARG13$ $ARG14$ $ARG15$ $ARG16$ $ARG17$ $ARG18$ $ARG19$
> $ARG20$"

... and then you had to remove $ARG7$ and rename the entire numbering ... reminds me of my fun days back in Vienna.
Kind regards,
Michael

>
>
> define service {
> use generic
> service_description pingS3
> check_command
> check_http_remote!-H!s3.amazonaws.com!-u!https://s3.amazonaws.com/blahblahblah.txt!-t!30
>
> Lastly, here are the results of a manual run from the icinga server, the
> first without quotes and the second with.
>
> /usr/lib64/nagios/plugins/check_nrpe -H SERVERNAME -c check_http_remote -t 30
> -a -H s3.amazonaws.com -u https://s3.amazonaws.com/blahblahblah.txt
> Name or service not known
> HTTP CRITICAL - Unable to open TCP socket
>
> /usr/lib64/nagios/plugins/check_nrpe -H SERVERNAME -c check_http_remote -t 30
> -a "-H s3.amazonaws.com -u https://s3.amazonaws.com/blahblahblah.txt"
> HTTP OK: HTTP/1.1 200 OK - 496 bytes in 0.050 second response time
> |time=0.049625s;;;0.000000 size=496B;;;0
>
> Any thoughts on how I can overcome this and still use the same check? I can
> code my way out of this by running individual scripts on each server and
> calling them from Icinga but that doesn't seem like the right way of doing it.

-- 
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
CEO: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSDC 2016 - April - netways.de/osdc **
** OSBConf 2016 - September - osbconf.org **

------------------------------

Message: 2
Date: Wed, 3 Feb 2016 22:13:27 +0000
From: Laura DiMauro <ldima...@unm.edu>
To: "icinga-users@lists.icinga.org" <icinga-users@lists.icinga.org>
Subject: [icinga-users] Icingaweb2 configuration - Monitoring IDO Resource
Message-ID: <bn3pr0701mb1361719db139845b833f88f4d3...@bn3pr0701mb1361.namprd07.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I have installed Icinga2 and Icingaweb2 on RHEL7 (in a development server). I was able to configure icingaweb2 in the browser until the 'Monitoring IDO Resource' section.

I can't seem to validate configuration. I am receiving the following:

  * There is currently no icinga instance writing to the IDO. Make sure that a icinga instance is configured and able to write to the IDO.

Validation Log

Connection to icinga as icinga on localhost: successful
protocol_version: 10
version: 5.5.44-MariaDB
version_compile_os: Linux

It's probably something silly but I cannot seem to figure it out. Any suggestions would be grateful!

Best Regards,
Laura

------------------------------

Message: 3
Date: Thu, 4 Feb 2016 10:24:39 +0700
From: Muhammad Panji <sumodi...@gmail.com>
To: "Icinga User's Corner" <icinga-users@lists.icinga.org>
Subject: Re: [icinga-users] Icingaweb2 configuration - Monitoring IDO Resource
Message-ID: <canbzdhmoeysj-ovswexz0sax84wosaha0-5oyp09_7txdfw...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Thu, Feb 4, 2016 at 5:13 AM, Laura DiMauro <ldima...@unm.edu> wrote:

> Hello,
>
> I have installed Icinga2 and Icingaweb2 on RHEL7 (in a development
> server). I was able to configure icingaweb2 in the browser until
> the 'Monitoring IDO Resource' section.
>
>
> I can't seem to validate configuration. I am receiving the following:
>
>
> - There is currently no icinga instance writing to the IDO. Make sure
> that a icinga instance is configured and able to write to the IDO.
>
> *Validation Log*
>
> Connection to icinga as icinga on localhost: successful
> protocol_version: 10
> version: 5.5.44-MariaDB
> version_compile_os: Linux
>
> It's probably something silly but I cannot seem to figure it out. Any
> suggestions would be grateful!
>
>

1. Install icinga-ido-mysql package
2. create database, user and privileges
3. import sql schema
4. enable ido-mysql feature

The configuration for ido-mysql is in /etc/icinga2/features-available/ido-mysql.conf
You can follow this part of the documentation:
http://docs.icinga.org/icinga2/latest/doc/module/icinga2/chapter/getting-started#configuring-db-ido-mysql
Thanks.
Regards,

-- 
Muhammad Panji
http://www.panji.web.id
http://www.kurungsiku.com

------------------------------

End of icinga-users Digest, Vol 26, Issue 8
*******************************************

------------------------------

Message: 3
Date: Fri, 5 Feb 2016 09:47:48 +0700
From: Muhammad Panji <sumodi...@gmail.com>
To: "Icinga User's Corner" <icinga-users@lists.icinga.org>
Subject: Re: [icinga-users] icinga-users Digest, Vol 26, Issue 8
Message-ID: <canbzdhn61xp2st6q4s6r3voywm9ejtmnbmtu-_h-h8i-dq0...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Fri, Feb 5, 2016 at 1:04 AM, Laura DiMauro <ldima...@unm.edu> wrote:

> Hello,
> Yes, I did the steps you mentioned below without a problem and I checked
> my users and passwords to make sure everything looked ok.
> I did forget about a step that I did yesterday. I did the 'upgrading the
> mysql database' part as well. It said to apply all database schema upgrade
> files incrementally. I saw the following in
> /usr/share/icinga2-ido-mysql/schema/upgrade:
> 2.0.2.sql 2.1.0.sql 2.2.0.sql 2.3.0.sql 2.4.0.sql
>
> I followed the instructions and used the following command for each
> version:
> mysql -u root -p icinga <
> /usr/share/icinga2-ido-mysql/schema/upgrade/<version>.sql
>
> After I did the first version it gave me the following error:
> ERROR 1060 (42S21) at line 10: Duplicate column name 'endpoint_name'
>
> Should I not have completed this as part of my first icinga2 installation?
>
>

I only import the SQL in the schema folder and do not import anything in the upgrade folder. Did you do an upgrade from a previous version or a fresh install?
Regards,

-- 
Muhammad Panji
http://www.panji.web.id
http://www.kurungsiku.com

------------------------------

End of icinga-users Digest, Vol 26, Issue 12
********************************************
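
The ldap.conf settings from Berthold Cogel's reply above (TLS_REQCERT, TLS_CACERTDIR, CA files readable by the apache and icinga users), turned into a small audit script. This is an added example, not code from the thread or from the Icinga project; the function names, the sample configs and the temporary CA directory are constructed for illustration.

```python
import os
import stat
import tempfile

# Levels under which OpenLDAP proceeds despite a bad server certificate
# (ldap.conf(5)); "demand" is the default when TLS_REQCERT is unset.
WEAK_REQCERT = {"never", "allow"}

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return opts

def check_readable(path, recurse=True):
    """Approximation: tests the 'other' mode bits (web user assumed non-owner)."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return [f"{path}: {exc.strerror}"]
    need = stat.S_IROTH | (stat.S_IXOTH if stat.S_ISDIR(mode) else 0)
    if mode & need != need:
        return [f"{path}: not readable by other users (mode {stat.S_IMODE(mode):o})"]
    if stat.S_ISDIR(mode) and recurse:  # TLS_CACERTDIR: check each entry as well
        return [finding for name in sorted(os.listdir(path))
                for finding in check_readable(os.path.join(path, name), False)]
    return []

def audit_ldap_conf(text):
    """Return findings for the TLS settings of an ldap.conf given as text."""
    opts, findings = parse_ldap_conf(text), []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")
    if not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("neither TLS_CACERT nor TLS_CACERTDIR is set in this file")
    for key in ("TLS_CACERT", "TLS_CACERTDIR"):
        if opts.get(key):
            findings += check_readable(opts[key])
    return findings

def demo():
    """Constructed sample: a CA directory holding one 0600 file, and two configs."""
    cadir = tempfile.mkdtemp()
    os.chmod(cadir, 0o755)
    for name, mode in (("root-ca.pem", 0o644), ("issuing-ca.pem", 0o600)):
        with open(os.path.join(cadir, name), "w") as fh:
            fh.write("constructed placeholder, not a real certificate\n")
        os.chmod(os.path.join(cadir, name), mode)
    strict = f"BASE dc=example,dc=org\nTLS_CACERTDIR {cadir}\nTLS_REQCERT demand\n"
    lax = "TLS_REQCERT never\n"  # the workaround from the original question
    return audit_ldap_conf(strict), audit_ldap_conf(lax)
```

On a real host, pass the contents of /etc/openldap/ldap.conf to `audit_ldap_conf`; an empty list means the file enforces certificate validation and its CA material passes the permission approximation.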