From a03d92532ef94fa5885c93ca4a2110f92c9c43bf Mon Sep 17 00:00:00 2001
From: Bernd Erk
Date: Wed, 16 Oct 2013 09:18:18 +0200
Subject: [PATCH] Add cluster documentation to advanced topic.
---
 doc/6-advanced-topics.md | 102 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 101 insertions(+), 1 deletion(-)
diff --git a/doc/6-advanced-topics.md b/doc/6-advanced-topics.md
index f47acee27..c9bc351f9 100644
--- a/doc/6-advanced-topics.md
+++ b/doc/6-advanced-topics.md
@@ -14,7 +14,107 @@ TODO (move to basics?)
 ## Cluster
-TODO
+An Icinga 2 cluster consists of two or more nodes and can resist on multiple architectures. The base concept of Icinga 2 is the possibility to add additional features using components. In case of a cluster setup you have to add the cluster feature to all involved nodes. Before you start configuring the diffent nodes its necessary to setup the underlaying communication layer based on SSL.
+
+### Certificate authority and Certificates
+
+If you have no other way, we would suggest to use easy-rsa for certificate creation. You can get easy-rsa using your distribution package manager or the following git clone
+
+ $ git clone https://github.com/OpenVPN/easy-rsa.git
+
+Before you create your CA please add your minium local variables to /easy-rsa/vars
+
+* KEY_COUNTRY
+* KEY_PROVINCE
+* KEY_CITY
+* KEY_ORG
+* KEY_EMAIL
+* KEY_OU
+
+After that you have to export the defined var and clean-up all previously created files
+
+ source ./vars
+ ./clean-all
+
+Then you can start CA creation using
+
+ ./build-ca
+
+After that you can find your ca.crt and ca.key file in the keys directory and can create a server certificate for every node in the cluster using
+
+ ./build-key-server
+
+Please don't use a passphrase during the certificate creation process.
+
+Icinga 2 needs all certification information in one file which could be easily achieved using
+
+ cat .crt .key > .pem
+
+Please create a key-file for every node in the Icinga 2 Cluster and save the CA-Key for additional nodes at a later date
+
+### Enable the cluster configuration
+
+Until the cluster-component is moved into an independent feature you have to enable the required libraries in the icinga2.conf
+
+ library "cluster"
+
+### Configure the ClusterListener Object
+
+The ClusterListener needs to be configured on every node in the cluster with the following settings:
+
+ Configuration Setting |Value
+ -------------------------|------------------------------------
+ ca_path | path to ca.crt file
+ cert_path | path to server certificate
+ bind_port | port for incoming and outgoing conns
+ peers | array of all reachable nodes
+ ------------------------- ------------------------------------
+
+A sample config part can look like this:
+
+ /**
+ * Load cluster-library and configure Cluster-Listener using CA-files
+ */
+ library "cluster"
+ object ClusterListener "cluster" {
+ ca_path = "/etc/icinga2/ca/ca.crt",
+ cert_path = "/etc/icinga2/ca/icinga-node-1.pem",
+ bind_port = 8888,
+ peers = [ "icinga-node-1", "icinga-node-2" ]
+ }
+
+Peers configures the direction used to connect multipe nodes together. If have a three node cluster consisting of
+
+* node-1
+* node-2
+* node-3
+
+and node-3 is only reachable from node-2, you have to consider this in your peer configuration
+
+### Configure Cluster Endpoints
+
+In addition to the configured port and hostname every endpoint can have specific abilities to send configfiles to other nodes and limit the hosts allowed to send config-files.
+
+ Configuration Setting |Value
+ -------------------------|------------------------------------
+ host | hostname
+ port | port
+ accept_config | defines all nodes allowed to send configs
+ config_files | defines all files to be send to other nodes
+ ------------------------- ------------------------------------
+
+A sample config part can look like this:
+
+ /**
+ * Configure endpoints for cluster configuration
+ */
+
+ object Endpoint "icinga-node-1" {
+ host = "icinga-node-1.localdomain",
+ port = 8888
+ }
+
 ## Dependencies
-- 
2.40.0