The Icinga2 documentation clearly describes the master->satellite->client setup, but as of now everything can be configured using the Director module and a top-down approach, so you can easily monitor external remote networks that are not accessible from the master server.

See updates at the end of this blog post.

Follow the icinga2, icingaweb2 and Director module installation procedures and add the master host.

The goal is to access client http://www.sleeplessbeastie.eu (local network A) via the satellite system monitoring.sleeplessbeastie.eu (external address, local network A) from the master monitoring.fishsilentcruise.space (external address, local network B).

Log in to the monitoring system.

Add an additional API user.

Define additional API user.

Add satellite node that can be accessed from master and client.

Deploy configuration.

Generate request ticket on your Icinga2 master.

master$ sudo icinga2 pki ticket --cn 'monitoring.sleeplessbeastie.eu'
9f5f13fe804813c59d255eb017467f16db91a3ad

Install icinga2 on satellite node.

satellite$ sudo apt-get install icinga2

Setup satellite node.

satellite$ sudo icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [monitoring]: monitoring.sleeplessbeastie.eu
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): monitoring.fishsilentcruise.space
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): monitoring.fishsilentcruise.space
Master endpoint port [5665]:
Add more master endpoints? [y/N]:
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [monitoring.fishsilentcruise.space]:
Port [5665]:
information/base: Writing private key to '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt'.
information/cli: Fetching public certificate from master (monitoring.fishsilentcruise.space, 5665):

Certificate information:

 Subject:     CN = monitoring.fishsilentcruise.space
 Issuer:      CN = Icinga CA
 Valid From:  Oct 30 21:51:07 2017 GMT
 Valid Until: Oct 26 21:51:07 2032 GMT
 Fingerprint: F8 7D 9E C1 B0 8C 4D B5 D2 77 0C 52 91 F6 9F 54 86 46 DD D9

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'monitoring.sleeplessbeastie.eu'): 9f5f13fe804813c59d255eb017467f16db91a3ad
information/cli: Requesting certificate with ticket '9f5f13fe804813c59d255eb017467f16db91a3ad'.

information/cli: Created backup file '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/monitoring.sleeplessbeastie.eu.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
warning/cli: CN 'monitoring.sleeplessbeastie.eu' does not match the default FQDN 'monitoring'. Requires update for NodeName constant in constants.conf!
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!

Configure API user on satellite.

satellite$ cat << EOF | sudo tee /etc/icinga2/conf.d/api-users.conf 
/**
 * The APIUser objects are used for authentication against the API.
 */
object ApiUser "sleeplessbeastie_zone" {
  password = "UhfpgoRa5Vcz3JfD"
  // client_cn = ""

  permissions = [ "*" ]
}
EOF

Add director-global zone.

$ cat << EOF | sudo tee -a /etc/icinga2/zones.conf
object Zone "director-global" {
  global = true
}
EOF

Clean up local configuration.

$ sudo echo -n | sudo tee /etc/icinga2/conf.d/{apt.conf,commands.conf,groups.conf,hosts.conf,downtimes.conf,notifications.conf,satellite.conf,services.conf,templates.conf,timeperiods.conf,users.conf}

Restart icinga2 service.

$ sudo service icinga2 restart

Add client node that can be accessed from the satellite node.

Deploy configuration.

Generate request ticket on your Icinga2 master.

master$ sudo icinga2 pki ticket --cn 'www.sleeplessbeastie.eu'
500d51eea82c6c2e595b9446fee16309d51d2009

Install icinga2 on client node.

client$ sudo apt-get install icinga2

Setup client node.

client$ sudo icinga2 node wizard
Welcome to the Icinga 2 Setup Wizard!

We'll guide you through all required configuration details.

Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:
Starting the Node setup routine...
Please specify the common name (CN) [www.lxd]: www.sleeplessbeastie.eu
Please specify the master endpoint(s) this node should connect to:
Master Common Name (CN from your master setup): monitoring.sleeplessbeastie.eu
Do you want to establish a connection to the master from this node? [Y/n]:
Please fill out the master connection information:
Master endpoint host (Your master's IP address or FQDN): monitoring.sleeplessbeastie.eu
Master endpoint port [5665]:
Add more master endpoints? [y/N]:
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):
Host [monitoring.sleeplessbeastie.eu]: monitoring.fishsilentcruise.space
Port [5665]:
information/base: Writing private key to '/etc/icinga2/pki/www.sleeplessbeastie.eu.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt'.
information/cli: Fetching public certificate from master (monitoring.fishsilentcruise.space, 5665):

Certificate information:

 Subject:     CN = monitoring.fishsilentcruise.space
 Issuer:      CN = Icinga CA
 Valid From:  Oct 30 21:51:07 2017 GMT
 Valid Until: Oct 26 21:51:07 2032 GMT
 Fingerprint: F8 7D 9E C1 B0 8C 4D B5 D2 77 0C 52 91 F6 9F 54 86 46 DD D9

Is this information correct? [y/N]: y
information/cli: Received trusted master certificate.

Please specify the request ticket generated on your Icinga 2 master.
 (Hint: # icinga2 pki ticket --cn 'www.sleeplessbeastie.eu'): 500d51eea82c6c2e595b9446fee16309d51d2009
information/cli: Requesting certificate with ticket '500d51eea82c6c2e595b9446fee16309d51d2009'.

information/cli: Created backup file '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/www.sleeplessbeastie.eu.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):
Bind Host []:
Bind Port []:
Accept config from master? [y/N]: y
Accept commands from master? [y/N]: y
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.

Now restart your Icinga 2 daemon to finish the installation!
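
Both wizard runs (satellite and client) stop at "Is this information correct?" and trust the master certificate once you type y. The script below is an added example, not part of the original post: it compares the fingerprint printed by the wizard with the one computed from the certificate file on the master. The 20-byte value is a SHA-1 fingerprint; the script name and the certificate path in the usage comment are assumptions that follow the /etc/icinga2/pki layout shown in the wizard output.

```sh
#!/bin/sh
# Added example: compare the master certificate fingerprint shown by
# "icinga2 node wizard" with the one computed on the master itself.

# Reduce a fingerprint to bare uppercase hex digits. Accepts the wizard form
# ("Fingerprint: F8 7D ...") and the openssl form ("SHA1 Fingerprint=F8:7D:...").
normalize_fp() {
    fp=${1##*=}                 # drop the openssl label up to '='
    fp=${fp#*Fingerprint:}      # drop the wizard label, if it was pasted too
    printf '%s' "$fp" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Succeed only if both values are complete SHA-1 fingerprints (40 hex digits)
# and are equal. Truncated or empty input fails closed.
fp_match() {
    fp_a=$(normalize_fp "$1")
    fp_b=$(normalize_fp "$2")
    [ "${#fp_a}" -eq 40 ] && [ "$fp_a" = "$fp_b" ]
}

# SHA-1 fingerprint of a PEM certificate file, as printed by openssl.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1
}

# Usage on the master (script name and path are assumptions, see lead-in):
#   sh check_fp.sh /etc/icinga2/pki/monitoring.fishsilentcruise.space.crt \
#       'F8 7D 9E C1 ...'    # full value copied from the wizard on the new node
if [ "$#" -eq 2 ]; then
    if fp_match "$(cert_fp "$1")" "$2"; then
        echo "fingerprint matches the master certificate"
    else
        echo "fingerprint MISMATCH: answer N in the wizard and investigate" >&2
        exit 1
    fi
fi
```

Run it on the master while the wizard on the new node is waiting at the prompt, and answer y only when it reports a match.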

Add director-global zone.

$ cat << EOF | sudo tee -a /etc/icinga2/zones.conf
object Zone "director-global" {
  global = true
}
EOF

Clean up local configuration.

$ sudo echo -n | sudo tee /etc/icinga2/conf.d/{apt.conf,commands.conf,groups.conf,hosts.conf,downtimes.conf,notifications.conf,satellite.conf,services.conf,templates.conf,timeperiods.conf,users.conf}

Restart icinga2 service.

$ sudo service icinga2 restart

The client cannot be accessed and configured at this moment.

Add additional zone for satellite setup.

Define additional zone.

Add an endpoint for created zone.

Define endpoint for created zone.

Assign satellite to the created zone.

Assign client to the created zone.

Deploy configuration.

Verify that it works.

All stations status green.

Update – February 2022

An important hint from Daniel Hirschmann which likely makes most of this blog post obsolete.

You should add the zones and endpoint config manually in the zones.conf file on the master as well as on the satellite and run the Kickstart Wizard. It will detect the changes and add the new zone and endpoint in a proper way.
