notifications |**Optional.** Inline definition of notifications. Each dictionary item specifies a notification.<br /><br />The `templates` attribute can be used to specify an array of templates that should be inherited by the notification object.<br /><br />The new notification object's name is "hostname:service:notification" - where "notification" is the dictionary key in the notifications dictionary.
dependencies |**Optional.** Inline definition of dependencies. Each dictionary item specifies a dependency.<br /><br />The `templates` attribute can be used to specify an array of templates that should be inherited by the dependency object.<br /><br />The new dependency object's name is "hostname:service:dependency" - where "dependency" is the dictionary key in the dependencies dictionary.
authorities |**Optional.** A list of Endpoints on which this service check will be executed in a cluster scenario.
+ domains |**Optional.** A list of Domains for this service object in a cluster scenario.
### <a id="objecttype-servicegroup"></a> ServiceGroup
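Review bot: The new `domains` row in the Service attributes table does not say what the attribute does or what happens when it is left unset. Suggest linking the description to the Domain object type (`#objecttype-domain`) and reusing the wording added there, that the array restricts the service by endpoint privileges, so a reader of the table alone understands it is an access control setting.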
### <a id="objecttype-domain"></a> Domain
-TODO
+A [Service](#objecttype-service) object can be restricted using the `domains` attribute
+array specifying endpoint privileges.
+
+A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint).
Example:
- TODO
+ object Domain "dmz-1" {
+ acl = {
+ node1 = (DomainPrivCheckResult),
+ node2 = (DomainPrivReadWrite)
+ }
+ }
Attributes:
Name |Description
----------------|----------------
- acl |TODO
+ acl |**Required.** Dictionary with items for Domain ACLs.
+
+Domain ACLs:
+
+ Name |Description
+ ----------------------|----------------
+ DomainPrivRead | Endpoint reads local messages and relays them to remote nodes.
+ DomainPrivCheckResult | Endpoint accepts check result messages from remote nodes.
+ DomainPrivCommand | Endpoint accepts command messages from remote nodes.
+ DomainPrevReadOnly | Endpoint reads local messages and relays them to remote nodes.
+ DomainPrivReadWrite | Combination of (DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand)
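Review bot: The Domain ACLs table lists `DomainPrevReadOnly`, the misspelled name that this same commit removes from the script variable registration; the row should read `DomainPrivReadOnly`, which is what the `dmz-db` example uses. In the same hunk, "specifices" should be "specifies", and the `DomainPrivRead` row and the read-only row carry identical descriptions, so it would help to state that the read-only name is an alias for `DomainPrivRead`. The inline example also uses `node1` and `node2` while the rest of the cluster docs use `icinga-node-N` endpoint names; consider aligning them.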
A sample config part can look like this:
/**
- * Configure endpoints for cluster configuration
+ * Configure config master endpoint
*/
object Endpoint "icinga-node-1" {
If you update the configuration files on the configured file sender, it will
force a restart on all receiving nodes after validating the new config.
+A sample config part for a config receiver endpoint can look like this:
+
+ /**
+ * Configure config receiver endpoint
+ */
+
+ object Endpoint "icinga-node-2" {
+ host = "icinga-node-2.localdomain",
+ port = 8888,
+ accept_config = [ "icinga-node-1" ]
+ }
+
By default these configuration files are saved in /var/lib/icinga2/cluster/config.
In order to load configuration files which were received from a remote Icinga 2
# icinga2 -c /etc/icinga2/node1/icinga2.conf -DIcingaLocalStateDir=/opt/node1/var
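Review bot: The receiver example adds `accept_config = [ "icinga-node-1" ]` without explaining what listing an endpoint there grants. The preceding paragraph says a config update on the sender forces a restart on all receiving nodes, so the text should state that `accept_config` is the list of endpoints the receiver will take configuration from and that it should name only the config master. Minor: the empty line between the comment block and `object Endpoint` differs from the master example above it.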
+## <a id="domains"></a> Domains
+
+A [Service](#objecttype-service) object can be restricted using the `domains` attribute
+array specifying endpoint privileges.
+A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint).
+
+The following example assigns the domain `dmz-db` to the service `dmz-oracledb`. Endpoint
+`icinga-node-dmz-1` does not allow any object modification (no commands, check results) and only
+relays local messages to the remote node(s). The endpoint `icinga-node-dmz-2` processes all
+messages read and write (accept check results, commands and also relay messages to remote
+nodes).
+
+That way the service `dmz-oracledb` on endpoint `icinga-node-dmz-1` will not be modified
+by any cluster event message, and could be checked by the local authority too presenting
+a different state history. `icinga-node-dmz-2` still receives all cluster message updates
+from the `icinga-node-dmz-1` endpoint.
+
+ object Host "dmz-host1" inherits "generic-host" {
+ services["dmz-oracledb"] = {
+ templates = [ "generic-service" ],
+ domains = [ "dmz-db" ],
+ authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"],
+ }
+ }
+
+ object Domain "dmz-db" {
+ acl = {
+ icinga-node-dmz-1 = (DomainPrivReadOnly),
+ icinga-node-dmz-2 = (DomainPrivReadWrite)
+ }
+ }
+
## <a id="dependencies"></a> Dependencies
Icinga 2 uses host and service [Dependency](#objecttype-dependency) objects either directly
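Review bot: The first three lines of the new Domains section repeat the Domain object type introduction verbatim, including the "specifices" typo; fix the spelling and consider replacing the duplicate with a link to `#objecttype-domain`. The sentence "could be checked by the local authority too presenting a different state history" is hard to parse; suggest splitting it to say that `icinga-node-dmz-1` keeps its own locally checked state and that this state may differ from what other nodes record. In the Host example, `authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"],` is missing the space before `]` used elsewhere in the docs.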
ScriptVariable::Set("DomainPrivCheckResult", DomainPrivCheckResult, true, true);
ScriptVariable::Set("DomainPrivCommand", DomainPrivCommand, true, true);
- ScriptVariable::Set("DomainPrevReadOnly", DomainPrivRead, true, true);
+ ScriptVariable::Set("DomainPrivReadOnly", DomainPrivRead, true, true);
ScriptVariable::Set("DomainPrivReadWrite", DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand, true, true);
}
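Review bot: Renaming the script variable from `DomainPrevReadOnly` to `DomainPrivReadOnly` drops the old name with no alias, so any existing Domain `acl` that references the misspelled constant will stop resolving after this change. Either register the old spelling as a deprecated alias for one release or call out the rename in the changelog. A short comment on the `DomainPrivReadOnly` line noting that it intentionally maps to `DomainPrivRead` would also make the duplicate value clear to later readers.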