27.07.2019 linux icinga

Installing icinga2 on CentOS

In this tutorial I am going to show you how to install the icinga2 monitoring tool, which is a fork of nagios and akin to PRTG from Paessler .

What is icinga2?

Simply put, icinga2 is a monitoring tool for servers. It can be self-hosted for free and while it is very powerful, it has some pitfalls while installing it. I have done this last week on my own, so I thought I am going to share this with you.

Getting the packages

CentOS does not come with the required packages in the standard repositories. You need activate the Fedora Epel and Red Hat Software Collections repositories in order to use it. After doing that, we can pull the required packages and their dependencies off the web.

yum -y install centos-release-scl
yum install epel-release
yum install https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
yum install httpd mariadb mariadb-server rh-php72-php-fpm icinga2-ido-mysql nagios-plugins-all

Enable the services

This is straight forward. Just enable the services so they launch automatically on rebooting and also start them right now, so we can continue to work on it.

systemctl enable mariadb httpd rh-php71-php-fpm icinga2
systemctl start mariadb httpd rh-php71-php-fpm icinga2

Configuring PHP-FPM

By default, the Apache is not configured to accept PHP files. So we need to help him a bit with that. Let’s edit /etc/nano/conf.d/php.conf and put the following in:

<FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>;

AddType text/html .php
DirectoryIndex  index.php

After that, we need to make a small adjustment to the php.ini located in /etc/opt/rh/rh-php71/. Open the file with nano or vim and search for date.timezone. Remove the semicolon in front and add your timezone. In my case, it looks like this: date.timezone=Europe/Berlin. If you need help what to put there, refer to this page .

Restart the apache and FPM with systemctl restart rh-php72-php-fpm httpd. After that, go to /var/www/html and make a test file called index.php:

<?php7
echo phpinfo();
?>

If you now go to the IP of your host, you should see the PHP info page with the configuration of your PHP installation.

Install icingaweb2 and enable features

The next step is simple. We are going to enable a few features of icinga and install the web interface. Run those commands:

icinga 2 feature enable ido-mysql
icinga 2 feature enable command
yum -y install icingaweb2
systemctl restart icinga2

Restarting icinga2 afterwards enables the features.

Configuring MariaDB

First, we need to make the MariaDB server secure. To that end, we run mysql_secure_installation. The root password should be empty, so just press enter when prompted for one. After that, set a new root password and answer all questions with yes. Unless you run your database on a different server than your monitoring tool of course, then you’ll need to allow connections from other hosts as well.

Next, we are going to add the users and databases needed. Fire up the MariaDB shell by invoking mysql -u root -p and enter the password you just created.

This SQL is needed:

CREATE DATABASE icinga2db;
GRANT ALL ON icinga2db.* TO 'icinga2usr'@'localhost' IDENTIFIED BY 'password';

CREATE DATABASE icinga2db_ido;
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON icinga2db_ido.* TO 'icinga2usr'@'localhost' IDENTIFIED BY 'password';

FLUSH PRIVILEGES;

The first database, icinga2db, is there for authentication and settings of the web interface. The second is for communication of the web interface with the actual service, that does the monitoring. IDO means here “Icinga Data Output”.

As another step, we need to fill the ido database with some schema. This is not needed for the first database, that one will be filled by the frontend installation.

This command should do it:

mysql -p icinga2db_ido < /usr/share/icinga2-ido-mysql/schema/mysql.sql

You will be prompted for a password.

Grant icinga2 access to the IDO database

Edit the file /etc/icinga2/features-enabled/ido-mysql.conf with a text editor of your choice:

/**
 * The IdoMysqlConnection type implements MySQL support
 * for DB IDO.
 */

library "db_ido_mysql"

object IdoMysqlConnection "IDO_DB_Connection" {
  user = "icinga2usr"
  password = "password"
  host = "localhost"
  database = "icinga2db_ido"
}

Pay attention to the object name. That one will appear later on again, when you select the database. Name your objects in a way that you’ll still know half a year later what it does. If you have several resources to maintain in icinga2, you will be happy that you did this from the start. Just put in the credentials you have that user during the database setup.

Configure the icinga2 API module

First, we need to enable this module:

icinga2 feature enable api
icinga2 api setup
systemctl restart icinga2

Next, we are going to set up a user for the API:

object ApiUser "username" {
  password = "password"
  permissions = ["status/query"]  // needs adjustment
}

We need this in case we want to install icinga2 director later, which allows configuring monitoring tool via the web interface, or use other features, that require an API user. For an overview of the permissions, see this page in the icinga2 documentation. It is a good idea to restrict API users to their respective roles.

Alias for Apache

Edit /etc/httpd/conf/httpd.conf. We will add a redirection/alias there for our monitoring tool:

<IfModule alias_module>
    Alias /icingaweb2   /usr/share/icingaweb2/public
</IfModule>

This will allow you to visit the monitoring interface via https://yourip/icingaweb2. Adjust it to your liking.

Adjust Apache user group

In order for Apache to read the web interface files, it needs permission to access it’s folders. So we add it to the icinga2 group:

    (groupadd --system icingacmd)
    usermod -a -G icingacmd apache

Test it with id apache, it should look like this:

uid=48(apache) gid=48(apache) groups=48(apache),994(icingacmd)

Restart

After all this, restart all involved services, or the computer/server. Here is the command for your convenience:

systemctl start mariadb httpd rh-php71-php-fpm icinga2

Finally.. the setup

Point your browser to http://yourip/icingaweb2 or whatever alias you’ve chosen and enter the setup. It will ask you for a setup token, so make sure to generate one:

icingacli setup config directory --group icingaweb2;
icingacli setup token create

Just copy the token to the web interface. It will show you an overview of all requirements it has and they should all be green. One will be yellow and that is Imagick. I didn’t install it, as I didn’t need it’s features. Here is a quick tutorial how to do it. The other issue you may have, is that it complains about a directory not being writeable. I am not going to tell you how to handle your security, but if you need some pointers, look here . Or just disable it, but I am not recommending that, since I don’t really like the brutal methods that lower security.

The setup in the web interface should be fairly straight forward. Just enter all the credentials we have set up. When you are done, you should be greeted by the overview and the sensors installed by default.

However, you are far from done. Now begins the real work in setting up sensors and tests to monitor your services. In the next tutorial , we are going to install director to make all of this easier.

Link to the author's twitter Link to the authors ko-fi page

comments

Characters: 0/1000

gravatar portrait

 Pinned by contact@tuxstash.de

Come join the discussion and write something nice. You will have to confirm your comment by mail, so make sure it is legit and not a throwaway. Only the name part of it will be displayed, so don't worry about spam. If it does not show up after confirming it, it may be considered spam, but I curate them manually, so don't worry. Please read the privacy statement for more.