Re: [icinga-users] Icingaweb2 Setting Downtime or Acknowledgement

2015-09-17 Thread Jo Rhett 
I think I saw this myself a while ago and it confused me too. Do any commands 
in the web UI work?  If not, double check that you’ve enable the command 
feature: 
https://github.com/Icinga/icinga2/blob/master/doc/5-advanced-topics.md#-external-commands

Without the command feature, you don’t have a socket to accept commands from 
the web UI… 

On Sep 15, 2015, at 3:02 AM, Romaneev Vasily  wrote:
> Hello!
> Does anybody know - is setting downtime or acknowledgement for service is 
> work in Icingaweb2.
> It has pretty good interface, but setting downtimes and ack's in a key 
> feature for us.
> 
> Is this require database update or just not implement now ?
> 
> Thank you!  
> 
> Required parameter 'service' missing
> 
> #0 
> /usr/share/icingaweb2/modules/monitoring/application/controllers/ServiceController.php(29):
>  Icinga\Web\UrlParams->getRequired('service')
> #1 
> /usr/share/icingaweb2/library/Icinga/Web/Controller/ActionController.php(133):
>  Icinga\Module\Monitoring\Controllers\ServiceController->init()
> #2 /usr/share/icingaweb2/library/Icinga/Web/Controller/Dispatcher.php(58): 
> Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request),
>  Object(Icinga\Web\Response), Array)
> #3 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): 
> Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), 
> Object(Icinga\Web\Response))
> #4 /usr/share/icingaweb2/library/Icinga/Application/Web.php(147): 
> Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), 
> Object(Icinga\Web\Response))
> #5 /usr/share/icingaweb2/library/Icinga/Application/webrouter.php(109): 
> Icinga\Application\Web->dispatch()
> #6 /usr/share/icingaweb2/public/index.php(4): 
> require_once('/usr/share/icin...')
> #7 {main}
> 
> --
> Романеев Василий
> Мобильный: +7-987-636-62-67
> skype romaneev
> ___
> icinga-users mailing list
> icinga-users@lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] is there another support mechanism for bugs?

2015-09-17 Thread Jo Rhett 
On Sep 16, 2015, at 2:48 PM, Michael Friedrich  
wrote:
> Frustration being explicitely put into public domain rather than going 
> offline and yelling or smashing something is pretty bad. It only helps for 5 
> minutes feeling better but obviously insults or puts stress on anyone working 
> on this open source project.
> 
> Such behaviour is pretty common amongst oss projects, and it is not the first 
> time happening.
> 
> I'm just the guy not willing to tolerate such frustration dumps but 
> interested in questions and answers and people helping each other. Everything 
> else is just bad karma.

The only person who posted frustrated was YOU. I simply asked if there was a 
better forum for support, which is a perfectly reasonable question since the 
web project appears to be semi-detached and might have its own list. To which 
you posted your frustrated and pissy response. Take a good hard look in the 
mirror, man. Everything you said above was about you, not about me.

> And if you ask yourself - when do they actually develop Icinga when they are 
> demanded to be doing community support at the same time?

The exact same as all of us who accept bug reports on our projects, and 
actually fix them. You’re operating in a community of people who develop, 
release, maintain and support. Shocking, I know, but we do the work without 
whining about it and pissing on people who did nothing more egregious than to 
ask if there was a better place to get support for the web interface.

There’s nothing pissy or frustrated in my response. But the projection mirror 
you cast aspersions at is deeply amusing.

While you’re busy tossing personal attacks at someone with a simple question, 
people are posting workaround hacks for the outstanding bug reports nobody can 
be bothered to reply to. Perhaps if you were to stop calling people names, you 
might get a PR from someone interested in a solution.

So if you’ll stop with the battery of direct personal attacks (that violate 
your employer's terms of use for this list), and perhaps give me what you do 
know about the interfaces in question as a starting point, perhaps we can help 
each other.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] is there another support mechanism for bugs?

2015-09-17 Thread Michael Friedrich 

> On 17 Sep 2015, at 09:24, Jo Rhett  wrote:
>
> On Sep 16, 2015, at 2:48 PM, Michael Friedrich  
> wrote:
>> Frustration being explicitely put into public domain rather than going 
>> offline and yelling or smashing something is pretty bad. It only helps for 5 
>> minutes feeling better but obviously insults or puts stress on anyone 
>> working on this open source project.
>>
>> Such behaviour is pretty common amongst oss projects, and it is not the 
>> first time happening.
>>
>> I'm just the guy not willing to tolerate such frustration dumps but 
>> interested in questions and answers and people helping each other. 
>> Everything else is just bad karma.
>
> The only person who posted frustrated was YOU. I simply asked if there was a 
> better forum for support, which is a perfectly reasonable question since the 
> web project appears to be semi-detached and might have its own list. To which 
> you posted your frustrated and pissy response. Take a good hard look in the 
> mirror, man. Everything you said above was about you, not about me.
>
>> And if you ask yourself - when do they actually develop Icinga when they are 
>> demanded to be doing community support at the same time?
>
> The exact same as all of us who accept bug reports on our projects, and 
> actually fix them. You’re operating in a community of people who develop, 
> release, maintain and support. Shocking, I know, but we do the work without 
> whining about it and pissing on people who did nothing more egregious than to 
> ask if there was a better place to get support for the web interface.
>
> There’s nothing pissy or frustrated in my response. But the projection mirror 
> you cast aspersions at is deeply amusing.
>
> While you’re busy tossing personal attacks at someone with a simple question, 
> people are posting workaround hacks for the outstanding bug reports nobody 
> can be bothered to reply to. Perhaps if you were to stop calling people 
> names, you might get a PR from someone interested in a solution.
>
> So if you’ll stop with the battery of direct personal attacks (that violate 
> your employer's terms of use for this list), and perhaps give me what you do 
> know about the interfaces in question as a starting point, perhaps we can 
> help each other.

Ok, point taken. I’m sorry if it came around the other way.

I’ll continue what I can do best - develop the core. Sorry if I cannot be of 
help to you.

See ya,
Michael

-- 
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] is there another support mechanism for bugs?

2015-09-17 Thread Jo Rhett 
On Sep 17, 2015, at 12:35 AM, Michael Friedrich  
wrote:
> Ok, point taken. I’m sorry if it came around the other way.

Thanks :)

> I’ll continue what I can do best - develop the core. Sorry if I cannot be of 
> help to you.

You mentioned colleges that know this part better? Is there a way to get 
pointers from them?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] is there another support mechanism for bugs?

2015-09-17 Thread Michael Friedrich 

> On 17 Sep 2015, at 09:50, Jo Rhett  wrote:
>
> On Sep 17, 2015, at 12:35 AM, Michael Friedrich 
>  wrote:
>> Ok, point taken. I’m sorry if it came around the other way.
>
> Thanks :)
>
>> I’ll continue what I can do best - develop the core. Sorry if I cannot be of 
>> help to you.
>
> You mentioned colleges that know this part better? Is there a way to get 
> pointers from them?

I’ve mentioned that topic during our daily dev standup a couple of minutes ago. 
I’m certain they will take care.

Kind regards,
Michael


-- 
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] group LDAP access to Icingaweb2

2015-09-17 Thread Matthias Jentsch 
Hi Everybody,

I've just tested this issue and setting permissions using LDAP groups does work 
with my configuration. Since I didn't find any obvious mistakes in the 
configuration provided in the ticket, I suspect that there might still be an 
issue within the LdapUserGroupBackend that is only triggered with your 
configuration.

If you want to help resolving this issue, please apply the patch that I've 
posted in https://dev.icinga.org/issues/9950 (it will add additional logging 
functions), check the DEBUG log and report back.


Am 16.09.2015 um 20:50 schrieb Eric Zounes:
Exactly. It's just a temporary workaround until Icingaweb2 fixes this issue. 
It's already being tracked here:
https://dev.icinga.org/issues/9950

I definitely wouldn't recommend this as a permanent solution.

On Wed, Sep 16, 2015 at 11:39 AM, Jo Rhett 
mailto:jrh...@netconsonance.com>> wrote:
I use Puppet but not for this site. Am I reading correctly that you’re querying 
LDAP for the group membership and then populating the user list to work around 
group LDAP not working?

On Sep 16, 2015, at 10:44 AM, Eric Zounes 
mailto:eric.zou...@puppetlabs.com>> wrote:
Hey there,

I ran into the same issue with Icingaweb2. The way I am working around this is 
by querying LDAP for the appropriate groups to map them to Icingaweb2 roles 
using Puppet. It's kind of a hack but it works quite well. I still have LDAP 
auth set up, but Puppet handles mapping the authenticated users to the ones 
generated by Puppet in the Icingaweb2 roles.  I'm not sure if this is useful 
since I have no idea if you use Puppet, but if you are then the LDAP query 
module can be found here:
 https://github.com/xaque208/puppet-ldapquery

If you're also using the Icingaweb2 Puppet module you can add this snippet of 
code to solve this problem:

  $ldap_group_base = 'ou=groups,dc=mycompany,dc=com'
  $ldap_members = $allowed_ldap_groups.map |$d| {
  $member_results = ldapquery("(memberOf=cn=${d},${ldap_group_base})", 
'uid')
  $members = $member_results.map |$m| { $m['uid'] }
}

  if $ldap_members != [] {
icingaweb2::config::roles { 'allowed_ldap_groups':
  role_users   => join(flatten($ldap_members), ','),
  role_permissions => '*',
}
  }

Hope this helps

On Wed, Sep 16, 2015 at 10:09 AM, Jo Rhett 
mailto:jrh...@netconsonance.com>> wrote:
This remains unanswered. Deployment of this is impossible if every user must be 
explicitly entered.

On Sep 10, 2015, at 8:16 PM, Jo Rhett 
<jrh...@netconsonance.com>
 wrote:
We are successfully authenticating users via LDAP. Right now if a user who is 
not in our Administrators group logs in to Icinga, they see nothing at all. 
I’ve created a group which has the appropriate permissions but I can’t seem to 
find a way to let users into it. A wildcard in the user field doesn’t work.

Any user I manually type into the Users field is successfully granted the 
permissions, however it is implausible for us to manually add every user 
(thousands) to this field.

The group authentication is also configured to LDAP, however no values placed 
in the group field work. I am using values that work on the command line to 
look up group users so I’m not sure what’s not happening with the group access. 
I can’t find any log entries indicating a failure.

This leads to two questions:

1. Is there any way to use a wildcard to mean “any authenticated user” for 
group mapping?
2. How can I debug or validate the query that Icingaweb2 is using for 
evaluating group access?

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.


___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users


___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.


___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users





___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users



-- 
Matthias Jentsch
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | matthias.jent...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
___
icinga-users mailing list
icinga-users@

Re: [icinga-users] Icinga2 - how to display services from an existing Icinga1 server

2015-09-17 Thread Jo Rhett 
Check out https://github.com/Icinga/icinga2-migration 


It’s not the cleanest conversion and generates some funky names, but we 
converted a nagios server with roughly 10k customized queries and I only had to 
spent maybe 2 hours hacking the output from migration to get the tests online. 
There are two issues to be aware of:

1. host definitions that are !negative matches get parsed wrong, see 
https://dev.icinga.org/issues/9776 

2. if you were passing multiple arguments in as a single input string, it won’t 
work and you’ll have to separate those to distinct arguments 
https://lists.icinga.org/pipermail/icinga-users/2014-May/008241.html 


As stated above, I was able to convert a large site with many custom tests to 
work properly under Icinga in small number of hours. Those two hints will save 
you most of the time I lost going sideways ;)  What you will have isn’t pretty, 
but it gets Icinga stood up and allows to you iterate refactoring to take 
advantage of Icinga2’s features.

On Sep 16, 2015, at 6:37 AM, Paul C mailto:pkci...@gmail.com>> wrote:
> Icinga2 is proving very flexible with sattelite servers but we have an old 
> Icinga1 server with lots of customizations that would take a lot of effort to 
> migrate to Icinga2.  Is there a way to push Icinga 1 status file to icinga2 
> and it will magically display all the hosts and services?  There are several 
> thousand service definitions on the old box and a firewall prevents Icinga2 
> to connect to Icinga1 (but Icinga1 can connect to Icinga2).  
> 
> Thanks,
> Paul
> ___
> icinga-users mailing list
> icinga-users@lists.icinga.org 
> https://lists.icinga.org/mailman/listinfo/icinga-users

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] is there another support mechanism for bugs?

2015-09-17 Thread Jo Rhett 
On Sep 17, 2015, at 1:09 AM, Michael Friedrich  
wrote:
> I’ve mentioned that topic during our daily dev standup a couple of minutes 
> ago. I’m certain they will take care.

They provided a patch to enable debug logging, which was perfect. Thank you.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

Re: [icinga-users] Distributed Monitoring sanity check

2015-09-17 Thread Jason 'XenoPhage' Frisvold 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 9/12/15 7:54 AM, Michael Friedrich wrote:
> Not necessarily. There are basically three modes which can monitor
> clients - command execution bridge, local configuration or config
> sync throughout the cluster.

It's taken a bit, but I'm starting to understand more..  Really liking
command execution bridges.. Much better than using SNMP for everything.

> zones.conf (or whatever you like to name and include it) includes
> the required connection information for all your endpoints.
> Furthermore it illustrates the trust model between zones, and for
> example a satellite must know that it is in a child zone of the
> master instance, in order to receive configuration or other
> events.
> 
> So yes, you’ll need to provide that information between each level.
> Clients not necessarily need to know about the master 2 levels up,
> and also not about the other clients connected to the satellite
> zone.

Cool.  I have everything in /etc/icinga2 in a git repo now.  I just
manually sync the zones.conf to the satellite when I change it.

> *Never* expose your CA’s private key to other nodes. You should
> keep it in a safe location where you’ll sign your certificates with
> the CA then. That’s not necessarily the icinga2 master (only if
> using CSR-Autosigning).

Hrm..  Is the default to autosign?  I haven't made any CA related
changes up to this point.  I can see the security implications,
though, and I'd like to move the CA signing elsewhere.

> The public ca.crt certificate must be put on each node, as well as
> their signed public and private key files. More on the docs.

I'll have to dig a bit in the docs.  I've gotten most of what I need
there, but I've had some trouble with understanding the multi-master
and satellite stuff.

>> - - Do clients that are performing command execution need to be 
>> reconfigured with the satellite listed as the "master" for that
>> client?
> 
> They’ll need a parent zone where the satellite is a member of.

Hrm.  After getting the zones.conf in place with assignment of
endpoints to zones, all of the endpoints continued to connect to the
master.  To resolve this, I had to re-run the wizard and point it at
the satellite server.  As of now, everything appears to be acting how
I would expect it to.

> ‘command’ is for enabling the external command pipe, so if you’re
> planning to use Icinga Web 2 on this satellite, you’d also need to
> enable the command and ido-mysql feature (and need a database
> setup).

Ok.  I have icingaweb installed on the master at the moment.  Don't
see a need to have it on the satellite, though I may want to move to a
multi-master setup in the future.  Not sure I have a large enough
deployment to justify that yet.

> Looks good to me. I guess hosts.conf contains the command_endpoint
> information used for the command execution bridge for all applied
> services?

Yes, that seemed to be the place to put it as per the documentation.

> One thing you should keep in mind - add cluster health checks so
> you’ll know about your setup, getting alarmed and add dependencies
> for notification suppressing even.

Just added these.  Had a break between data centers the other day and
no alerts..  I knew I'd need something like this eventually, but I had
thought that the loss of the satellite link would at least throw a red
flag somewhere..

Since it didn't, I added the cluster checks.  And then I ran into the
cluster bug that existed in 2.3.8 ..  Upgraded and it seems to be
working like a charm.

I did see two different checks in the docs.  There's the "cluster"
check and also the "cluster-zone" check.  Right now I have a "cluster"
check added for each master and satellite.  Where do the
"cluster-zone" checks fit in?

> Kind regards, Michael

Thanks!

- -- 
- ---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
- ---

"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlX7K3wACgkQ8CjzPZyTUTRTGgCePXmIH0BWKhb1YAwsG0tZLZgG
Hp0An1VFbY97/XbFEiHnXHm8SJCWDSoM
=v4UE
-END PGP SIGNATURE-
___
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users