Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2019-12-20 19:43:13
Size: 4549
Editor: AlbanVidal
Comment: Work in progress
Revision 5 as of 2019-12-21 21:47:54
Size: 8769
Editor: PaulWise
Comment: typos
Deletions are marked like this. Additions are marked like this.
Line 15: Line 15:
The purpose of this documentation is to accompagn you for the installation and configuration of this features: The purpose of this documentation is to help you for the installation and configuration of this features:
Line 19: Line 19:
This documentation is writen and testing for the following Debian versions: This documentation is written and tested for the following Debian versions:
Line 41: Line 41:
mariadb-server \
Line 57: Line 58:
 * '''unattended-upgrades''' - To install automaticly security updates  * '''unattended-upgrades''' - To install automatically security updates
Line 61: Line 62:
PHP-FPM is a FastCGI Process Manager wich allow communication between Apache2 server and PHP. PHP-FPM is a FastCGI Process Manager which allows communication between Apache2 server and PHP.
Line 75: Line 76:
If you use '''vim''' to edit your configurations files, you can easily enable syntax highlighting as following: If you use '''vim''' to edit your configurations files, you can easily enable syntax highlighting as follows:
Line 83: Line 84:
WARNING! This virtual host is not securised (listen on HTTP and not on HTTPS).
If incomming connexions is wanted, we recommand you to setup this vHost on HTTPS.
By example, you can see '''LetsEncrypt'''.
WARNING! This virtual host is not secured (listen on HTTP and not on HTTPS).
If incoming connection is wanted, we recommand you to set up this vHost on HTTPS.
For example, you can see '''LetsEncrypt'''.
Line 94: Line 95:
Now you can copy/past the following lines to create the ''/etc/apache2/sites-available/icinga.conf'' file. Now you can copy/paste the following lines to create the ''/etc/apache2/sites-available/icinga.conf'' file.
Line 160: Line 161:
=== Securing the MariaDB server ===

To secure the MariaDB installation, you have the choice between just running the embedded script or doing it manually.

Method 1 - embedded script:
{{{
mysql_secure_installation
}}}

Method 2 - manually:
{{{
# Delete anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"
# Ensure the root user can not log in remotely
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
# Remove the test database
mysql -e "DROP DATABASE IF EXISTS test;"
mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';"
# Make our changes take effect
mysql -e "FLUSH PRIVILEGES"
}}}

=== Create Icinga IDO database ===

You need to create the Icinga IDO database.
For that, we get the curent password on the configuration file.
{{{
ICINGA_IDO_PASSWORD="$(awk -F'"' '/password/ {print$2}' /etc/icinga2/features-available/ido-mysql.conf)"
}}}

And then we can create the database:
{{{
mysql <<< "
    CREATE DATABASE icinga;
    GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
    ON icinga.*
    TO 'icinga2'@'localhost'
    IDENTIFIED BY '$ICINGA_IDO_PASSWORD';
    FLUSH PRIVILEGES;
"
}}}

=== Populate Icinga IDO Database ===

{{{
mysql icinga < /usr/share/icinga2-ido-mysql/schema/mysql.sql
}}}

=== Create IcingaWeb2 database ===

You need to create the IcingaWeb database.

Before, you need to set the following variables.
You must change the values:
{{{
ICINGAWEB2_DB_PASSWORD="changeme"
}}}

And then we can create the database:
{{{
mysql <<< "
    CREATE DATABASE icingaweb2;
    GRANT ALL
    ON icingaweb2.*
    TO 'icingaweb2'@'localhost'
    IDENTIFIED BY '$ICINGAWEB2_DB_PASSWORD';
    FLUSH PRIVILEGES;
"
}}}

=== Populate IcingaWeb Database ===

{{{
mysql icinga < /usr/share/icingaweb2/etc/schema/mysql.schema.sql
}}}

== Create configuration files ==

Now we are going to create final configuration files.

Before, you need to set some values:
{{{
ICINGA_WEB_ADMIN_USER="admin"
ICINGA_WEB_ADMIN_PWD="changeme"
}}}

And now just copy/paste the following content:

{{{
# roles.ini
cat << EOF > /etc/icingaweb2/roles.ini
[Administrators]
users = "$ICINGA_WEB_ADMIN_USER"
permissions = "*"
groups = "Administrators"
EOF

# groups.ini
cat << EOF > /etc/icingaweb2/groups.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
EOF

# config.ini
cat << EOF > /etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
config_backend = "db"
config_resource = "icingaweb_db"
#
[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"
EOF

# authentication.ini
cat << EOF > /etc/icingaweb2/authentication.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
EOF

# resources.ini
cat << EOF > /etc/icingaweb2/resources.ini
[icingaweb_db]
type = "db"
db = "mysql"
host = "localhost"
port = ""
dbname = "icingaweb2"
username = "icingaweb2"
password = "$ICINGAWEB2_DB_PASSWORD"
charset = "UTF8"
persistent = "0"
use_ssl = "0"
#
[icinga_ido]
type = "db"
db = "mysql"
host = "localhost"
port = ""
dbname = "icinga"
username = "icinga2"
password = "$ICINGA_IDO_PASSWORD"
charset = "UTF8"
persistent = "0"
use_ssl = "0"
EOF

mkdir /etc/icingaweb2/modules/monitoring/

# config.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/config.ini
[security]
protected_customvars = "*pw*,*pass*,community"
EOF

# commandtransports.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/commandtransports.ini
[icinga2]
transport = "local"
path = "/var/run/icinga2/cmd/icinga2.cmd"
EOF

# backends.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/backends.ini
[icinga]
type = "ido"
resource = "icinga_ido
EOF
}}}

== Create Icinga Web administrator user ==

{{{
# Create a hash from password
HASH_ICINGA_WEB_ADMIN_PASSWORD=$(openssl passwd -1 "$ICINGA_WEB_ADMIN_PWD")

# Create user in database
mysql icingaweb2 -Bse "
    INSERT INTO icingaweb_user
        (name, active, password_hash)
        VALUES ('$ICINGA_WEB_ADMIN_USER', 1, '$HASH_ICINGA_WEB_ADMIN_PASSWORD');
"
}}}
Line 175: Line 365:
 * [[Icinga2 Documentation|https://icinga.com/docs/icinga2/latest/]]  * [[https://icinga.com/docs/icinga2/latest/|Icinga2 Documentation]]

Translation(s): English - Français



Icinga2 - Installation and configuration

Documentation overview

The purpose of this documentation is to help you for the installation and configuration of this features:

  • Icinga2 - Monitoring engine,
  • ?IcingaWeb2 - Web UI.

This documentation is written and tested for the following Debian versions:

  • Debian 10 (Buster)

Installation

Packages installation

Firstly, we need to update the packages list and install the required packages.

Update packages list:

apt update

Packages installation ( for Debian 10 ):

DEBIAN_FRONTEND=noninteractive apt-get -y install \
icinga2                \
icingacli              \
icingaweb2             \
icinga2-ido-mysql      \
mariadb-client         \
mariadb-server         \
monitoring-plugins     \
apache2                \
libapache2-mod-rpaf    \
php-fpm                \
curl                   \
vim-icinga2            \
vim-addon-manager      \
nagios-nrpe-plugin     \
unscd                  \
nagios-plugins-contrib \
unattended-upgrades

Packages notes:

  • vim-icinga2 - Icinga syntax highlighting for Vim

  • unscd - To enable DNS cache

  • unattended-upgrades - To install automatically security updates

PHP-FPM activation

PHP-FPM is a FastCGI Process Manager which allows communication between Apache2 server and PHP. It's an alternative to traditional PHP FastCGI implementation mostly useful for heavily loaded web servers.

Pour Debian 9:

a2enmod proxy_fcgi setenvif
a2enconf php7.3-fpm
apache2ctl configtest
systemctl restart php7.3-fpm.service
systemctl restart apache2.service

Icinga syntax highlighting for Vim

If you use vim to edit your configurations files, you can easily enable syntax highlighting as follows:

vim-addon-manager -w install icinga2

Create Apache2 virtual host for Icinga

WARNING! This virtual host is not secured (listen on HTTP and not on HTTPS). If incoming connection is wanted, we recommand you to set up this vHost on HTTPS. For example, you can see LetsEncrypt.

Before, you need to set the following variables. You must change the values:

FQDN="icinga.example.com"
EMAIL="me@example.com"

Now you can copy/paste the following lines to create the /etc/apache2/sites-available/icinga.conf file.

cat << EOF > /etc/apache2/sites-available/icinga.conf
<VirtualHost *:80>

    ServerName $FQDN
    ServerAdmin $EMAIL

    DocumentRoot "/usr/share/icingaweb2/public"

    <Directory "/usr/share/icingaweb2/public">
        Options SymLinksIfOwnerMatch
        AllowOverride None

        <IfModule mod_authz_core.c>
            # Apache 2.4
            <RequireAll>
                Require all granted
            </RequireAll>
        </IfModule>

        SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

        EnableSendfile Off

        <IfModule mod_rewrite.c>
            RewriteEngine on
            # RewriteBase /icingaweb2/
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} -s [OR]
            RewriteCond %{REQUEST_FILENAME} -l [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^.*$ - [NC,L]
            RewriteRule ^.*$ index.php [NC,L]
        </IfModule>

        <IfModule !mod_rewrite.c>
            DirectoryIndex error_norewrite.html
            ErrorDocument 404 /error_norewrite.html
        </IfModule>
    </Directory>

    ErrorLog  /var/log/apache2/icinga-error.log
    CustomLog /var/log/apache2/icinga-access.log combined

</VirtualHost>
EOF

Now you can enable the Icinga virtual host on Apache2, test the configuration and reload Apache2

a2ensite icinga.conf
apache2ctl configtest
systemctl reload apache2

Enable Icinga features and modules

  • ido-mysql - Connexion between Icinga and MariaDB

  • monitoring - Monitoring module

icinga2 feature enable command ido-mysql
icingacli module enable monitoring

Securing the MariaDB server

To secure the MariaDB installation, you have the choice between just running the embedded script or doing it manually.

Method 1 - embedded script:

mysql_secure_installation

Method 2 - manually:

# Delete anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"
# Ensure the root user can not log in remotely
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
# Remove the test database
mysql -e "DROP DATABASE IF EXISTS test;"
mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';"
# Make our changes take effect
mysql -e "FLUSH PRIVILEGES"

Create Icinga IDO database

You need to create the Icinga IDO database. For that, we get the curent password on the configuration file.

ICINGA_IDO_PASSWORD="$(awk -F'"' '/password/ {print$2}' /etc/icinga2/features-available/ido-mysql.conf)"

And then we can create the database:

mysql <<< "
    CREATE DATABASE icinga;
    GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
    ON icinga.*
    TO 'icinga2'@'localhost'
    IDENTIFIED BY '$ICINGA_IDO_PASSWORD';
    FLUSH PRIVILEGES;
"

Populate Icinga IDO Database

mysql icinga < /usr/share/icinga2-ido-mysql/schema/mysql.sql

Create IcingaWeb2 database

You need to create the ?IcingaWeb database.

Before, you need to set the following variables. You must change the values:

ICINGAWEB2_DB_PASSWORD="changeme"

And then we can create the database:

mysql <<< "
    CREATE DATABASE icingaweb2;
    GRANT ALL
    ON icingaweb2.*
    TO 'icingaweb2'@'localhost'
    IDENTIFIED BY '$ICINGAWEB2_DB_PASSWORD';
    FLUSH PRIVILEGES;
"

Populate IcingaWeb Database

mysql icinga < /usr/share/icingaweb2/etc/schema/mysql.schema.sql

Create configuration files

Now we are going to create final configuration files.

Before, you need to set some values:

ICINGA_WEB_ADMIN_USER="admin"
ICINGA_WEB_ADMIN_PWD="changeme"

And now just copy/paste the following content:

# roles.ini
cat << EOF > /etc/icingaweb2/roles.ini
[Administrators]
users = "$ICINGA_WEB_ADMIN_USER"
permissions = "*"
groups = "Administrators"
EOF

# groups.ini
cat << EOF > /etc/icingaweb2/groups.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
EOF

# config.ini
cat << EOF > /etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
config_backend = "db"
config_resource = "icingaweb_db"
#
[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"
EOF

# authentication.ini
cat << EOF > /etc/icingaweb2/authentication.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
EOF

# resources.ini
cat << EOF > /etc/icingaweb2/resources.ini
[icingaweb_db]
type = "db"
db = "mysql"
host = "localhost"
port = ""
dbname = "icingaweb2"
username = "icingaweb2"
password = "$ICINGAWEB2_DB_PASSWORD"
charset = "UTF8"
persistent = "0"
use_ssl = "0"
#
[icinga_ido]
type = "db"
db = "mysql"
host = "localhost"
port = ""
dbname = "icinga"
username = "icinga2"
password = "$ICINGA_IDO_PASSWORD"
charset = "UTF8"
persistent = "0"
use_ssl = "0"
EOF

mkdir /etc/icingaweb2/modules/monitoring/

# config.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/config.ini
[security]
protected_customvars = "*pw*,*pass*,community"
EOF

# commandtransports.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/commandtransports.ini
[icinga2]
transport = "local"
path = "/var/run/icinga2/cmd/icinga2.cmd"
EOF

# backends.ini
cat << EOF > /etc/icingaweb2/modules/monitoring/backends.ini
[icinga]
type = "ido"
resource = "icinga_ido
EOF

Create Icinga Web administrator user

# Create a hash from password
HASH_ICINGA_WEB_ADMIN_PASSWORD=$(openssl passwd -1 "$ICINGA_WEB_ADMIN_PWD")

# Create user in database
mysql icingaweb2 -Bse "
    INSERT INTO icingaweb_user
        (name, active, password_hash)
        VALUES ('$ICINGA_WEB_ADMIN_USER', 1, '$HASH_ICINGA_WEB_ADMIN_PASSWORD');
"

Troubleshooting

List of useful directories:

  • /etc/apache2
  • /etc/icinga2
  • /etc/icingaweb2
  • /var/lib/icinga2
  • /usr/share/icinga2

Others Wiki pages