Icinga 2 v2.8.0 released

by | Nov 17, 2017

We are happy to bring you Icinga 2 v2.8.0 with lots of cool features this time 🙂 Advanced certificate signing in distributed environments, Elasticsearch feature, and much more – read on.
Thanks to all contributorsMichael, Konstantin, Mike, Sebastian, Claudio, Irina, Roland, Ryan, Lee, Jean-Louis, Rudy, Robin, Dirk, Yannick, you are doing an awesome job! 🙂
Many thanks to VW for sponsoring the Elasticsearch and CA-Proxy & On-Demand Signing features in v2.8.0!

CA Proxy and On-Demand Signing

When designing the Icinga 2 distributed monitoring “feature” years ago, we’ve also thought about making the certificate creation process a bit more easy. Manual TLS certificate creation is possible, but requires more work. “CSR Auto-Signing” was born, where clients “authenticated” themselves with a pre-generated ticket. This method works well, and has been adopted into automation tools like Puppet, Ansible, etc and the Icinga Director already. Still, if you do not have sort of automated deployments, you would always need to pre-generate tickets on the master node for your client setup.
Icinga 2 v2.8 adds the possibility to do ticket-less “On-demand CSR signing” on the master. “ca list” and “ca sign” are the CLI commands you are looking for. Client setup with “node wizard”, “node setup” and the graphical Windows setup wizard have been updated to support this method in v2.8. Before you rush into it, read the updated documentation.
This feature was added as part of a sponsored feature for a distributed environment: the so-called “CA Proxy”. Think of a three level cluster with a signing master, satellite checkers and clients. Clients required you to have a direct synchronous connection to the signing master. The satellite could not sign it, nor forward the signing request.
The feature request was simple: Forward the certificate signing request (CSR) through the satellite to the signing master. This must not only work with 3 levels, but n levels with multiple satellite parents too. This change allows to setup Linux and Windows clients in the exact same manner as now. The main difference is that the parent host to ask for a signed certificate is now the direct parent instance, the satellite.
Combined with the two signing methods, “auto” and “on-demand”, this really enhances Icinga 2 to a new level of distributed monitoring setups. Please ensure to have v2.8 installed on all instances where you’d want to use this new feature.
Bonus feature: automated certificate renewal for clients. Please note that now Icinga 2 is able to manage certificate updates, so we had to move the certificate location into /var/lib/icinga2/certs. Read the upgrade documentation which also includes a soft migration path for existing setups.

Elasticsearch Writer

Similar to the GELFWriter feature for Graylog, and our Icingabeat integration, the requirement was to write events including check results and parsed performance data metrics into Elasticsearch.
The elasticsearch feature also supports HTTP proxies with basic auth and TLS. Elasticsearch’s REST API does not have such by default. An example with an Nginx HTTP proxy can be found on the NETWAYS blog. Please note that this feature requires at least Elasticsearch 5.x.

 

Flapping Detection

This feature prevents notifications if a host/service is changing states between OK and NOT-OK quite often. Think of a switch port which goes up and down, it “flaps”. The previous flapping detection algorithm in Icinga 2 had a lot of bugs, and we weren’t sure how to tackle them. v2.8 finally introduces a new “old” algorithm storing the states and support high and low thresholds again. Diana provided the feature implementation and wrote in detail in this blog post.

Documentation

You’ll find many new things in the documentation. Here is a list what you definitely should check out:

Parts of the CA proxy feature involved technical concepts being written too. Troubleshooting has been enhanced as always.

More Enhancements

If you are planning to integrate the REST API with client-side Javascript, you’ll recognise CORS support in v2.8. The “process-check-result” API action supports “execution_end” which is the timestamp for metric datapoints.
If you run “icinga2.exe daemon -C” with an unprivileged account on Windows, Icinga 2 doesn’t crash. Yet better, it asks you for permission to run the command as administrator. The Windows setup wizard allows you to edit the defined parent endpoint again. Thanks Michael for the patch! The “check_service.exe” plugin supports descriptions instead of names.
New functions inside the DSL: get_services() for hosts and global functions like path_exists(), glob(), glob_recursive(). The ITL got many enhancements and fixes from community contributors, thanks a lot!

Upgrade to v2.8

There’s a lot of changes coming with this new release. The Changelog highlights them all. Please read the upgrading documentation thoroughly before putting v2.8 into production.
Notable changes:

  • DB IDO schema upgrade required.
  • Certificate path changes. There is a built-in migration path to ensure existing setups still work.
  • On-Demand signing and CA proxy are new features available in 2.8. ALL instances must be upgraded in order to use this feature.
  • Windows client packages require the “Universal C Runtime Package”
  • “Bottom up” client mode is gone. Read the docs for migration hints.
  • “classicui-config” config package is gone. Manual configuration is required if you want to keep this legacy 1.x interface.
  • “flapping_threshold” has no effect. Migrate to the new attributes.

 

Ready?

Package updates on the official repository on packages.icinga.com are being pushed. Community repositories might need a bit to catch up.
Enjoy this release as much as we do! See you at OSMC next week 🙂

You May Also Like…

Subscribe to our Newsletter

A monthly digest of the latest Icinga news, releases, articles and community topics.