moritzvd.eu - Nagios https://moritzvd.eu Zola en Wed, 06 May 2020 12:47:00 +0000 Monitoring Traefik 2 with Icinga Wed, 06 May 2020 12:47:00 +0000 Unknown https://moritzvd.eu/posts/monitor-traefik-icinga/ https://moritzvd.eu/posts/monitor-traefik-icinga/ <p><img src="/images/traefik-icinga-banner.png" alt="Monitoring Traefik 2 with Icinga" /></p> <p>Checking if a specific website or web application is alive and well is a classic task of monitoring software. I monitor personal web services with good old Icinga2. Last year I wrote a small Python script that runs on a Icinga2 master or satellite node that queries the Traefik API to automate the generation of Icinga2 rules. For me this was a nice and useful exercise to learn how to use REST APIs together with Python for system administration. In the process of <a href="https://moritzvd.eu/upgrade-traefik-2/">upgrading Traefik 1.7 to 2.0</a> I also had to modify this script.</p> <p>So without further ado lets jump right in. The way my script works:</p> <p>It fetches the exposed Traefik Routers with their coresponding hostnames and services and creates Icinga2 <a href="https://icinga.com/docs/icinga2/latest/doc/03-monitoring-basics/#apply-rules">apply rules</a> that use the <a href="https://icinga.com/docs/icinga2/latest/doc/10-icinga-template-library/#http">HTTP check</a>. The script is designed to run as a nightly cronjob so that new services that should be monitored are added automatically.</p> <h2 id="requirements">Requirements<a class="anchor" aria-hidden="true" href="#requirements" hidden="">#</a> </h2> <ul> <li>A working Traefik v2.x reverse proxy with it's API exposed</li> <li>Icinga2 monitoring server</li> </ul> <p>Before proceeding please make shure you can access Traefik's API. For example in this way:</p> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">curl -s --user</span><span> admin:passw0rd http://example.lan:8080/api/http/routers | </span><span style="color:#bf616a;">jq </span><span style="color:#96b5b4;">[ </span><span> { </span><span> &quot;</span><span style="color:#a3be8c;">entryPoints</span><span>&quot;</span><span style="color:#bf616a;">:</span><span> [ </span><span> &quot;</span><span style="color:#a3be8c;">dashboard</span><span>&quot; </span><span> </span><span style="color:#bf616a;">], </span><span> &quot;</span><span style="color:#a3be8c;">middlewares</span><span>&quot;</span><span style="color:#bf616a;">:</span><span> [ </span><span> &quot;</span><span style="color:#a3be8c;">dashboard-auth@file</span><span>&quot; </span><span> </span><span style="color:#bf616a;">], </span><span> </span><span style="color:#bf616a;">... </span></code></pre> <h2 id="installation">Installation<a class="anchor" aria-hidden="true" href="#installation" hidden="">#</a> </h2> <p>Run all this steps on a Icinga 2 master or satellite node.</p> <h3 id="download-script-and-install-script">Download script and install script<a class="anchor" aria-hidden="true" href="#download-script-and-install-script" hidden="">#</a> </h3> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">git</span><span> clone https://github.com/movd/traefik_icinga_check </span><span style="color:#bf616a;">sudo -u</span><span> nagios mkdir /etc/icinga2/cronjobs </span><span style="color:#bf616a;">chmod</span><span> +x traefik_icinga_check/traefik2_to_icinga.py </span><span style="color:#bf616a;">sudo</span><span> cp traefik_icinga_check/traefik2_to_icinga.py /etc/icinga2/cronjobs/ </span><span style="color:#bf616a;">sudo</span><span> chown nagios:nagios /etc/icinga2/cronjobs/traefik2_to_icinga.py </span></code></pre> <h3 id="set-up-parameters-via-env">Set up parameters via .env<a class="anchor" aria-hidden="true" href="#set-up-parameters-via-env" hidden="">#</a> </h3> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">$</span><span> sudo</span><span style="color:#bf616a;"> -u</span><span> nagios touch /etc/icinga2/cronjobs/.env </span></code></pre> <p>Open and insert parameters <code>/etc/icinga2/cronjobs/.env</code> (same as Traefik dashboard)</p> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">TRAEFIK_API_HOSTNAME</span><span>=&#39;</span><span style="color:#a3be8c;">example.lan:8000</span><span>&#39; </span><span style="color:#bf616a;">TRAEFIK_USERNAME</span><span>=&#39;</span><span style="color:#a3be8c;">admin</span><span>&#39; </span><span style="color:#bf616a;">TRAEFIK_PASSWORD</span><span>=&#39;</span><span style="color:#a3be8c;">passw0rd</span><span>&#39; </span></code></pre> <h3 id="test-the-script-manually-by-printing-to-stdout">Test the script manually by printing to STDOUT<a class="anchor" aria-hidden="true" href="#test-the-script-manually-by-printing-to-stdout" hidden="">#</a> </h3> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">$</span><span> sudo</span><span style="color:#bf616a;"> -u</span><span> nagios /etc/icinga2/cronjobs/traefik2_to_icinga.py </span><span style="color:#bf616a;">apply</span><span> Service &quot;</span><span style="color:#a3be8c;">example.com https apache-apache</span><span>&quot; { </span><span> import &quot;</span><span style="color:#a3be8c;">generic-service</span><span>&quot; </span><span> check_command = &quot;</span><span style="color:#a3be8c;">http</span><span>&quot; </span><span> vars.http_address = &quot;</span><span style="color:#a3be8c;">example.com</span><span>&quot; </span><span> vars.http_vhost = &quot;</span><span style="color:#a3be8c;">example.com</span><span>&quot; </span><span> </span><span> vars.http_ssl = &quot;</span><span style="color:#a3be8c;">1</span><span>&quot; </span><span> vars.http_sni = &quot;</span><span style="color:#a3be8c;">true</span><span>&quot; </span><span> </span><span> vars.notification</span><span style="color:#b48ead;">[</span><span>&quot;</span><span style="color:#a3be8c;">mail</span><span>&quot;</span><span style="color:#b48ead;">]</span><span> = { </span><span> groups = </span><span style="color:#b48ead;">[ </span><span>&quot;</span><span style="color:#a3be8c;">icingaadmins</span><span>&quot; </span><span style="color:#b48ead;">] </span><span> } </span><span>... </span></code></pre> <h3 id="configure-the-host-that-runs-traefik">Configure the Host that runs Traefik<a class="anchor" aria-hidden="true" href="#configure-the-host-that-runs-traefik" hidden="">#</a> </h3> <p>Edit your Traefik host and add the <code>vars.services</code> array, so that it matches the rules set in <code>traefik2_to_icinga.py</code></p> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">object</span><span> Host &quot;</span><span style="color:#a3be8c;">Reverse Proxy</span><span>&quot; { </span><span> import &quot;</span><span style="color:#a3be8c;">generic-host</span><span>&quot; </span><span> address = &quot;</span><span style="color:#a3be8c;">10.0.0.254</span><span>&quot; </span><span> vars.os = &quot;</span><span style="color:#a3be8c;">Linux</span><span>&quot; </span><span> vars.services = </span><span style="color:#b48ead;">[</span><span>&quot;</span><span style="color:#a3be8c;">traefik</span><span>&quot;</span><span style="color:#b48ead;">] </span><span>} </span></code></pre> <h3 id="create-cronjob-for-nagios-user">Create cronjob for <code>nagios</code> user<a class="anchor" aria-hidden="true" href="#create-cronjob-for-nagios-user" hidden="">#</a> </h3> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#bf616a;">sudo -u</span><span> nagios crontab</span><span style="color:#bf616a;"> -e </span></code></pre> <p>Edit and insert nightly cronjob. Something like that should suffice.</p> <pre data-lang="sh" style="background-color:#2b303b;color:#c0c5ce;" class="language-sh "><code class="language-sh" data-lang="sh"><span style="color:#65737e;"># Daily at 2am: Generate Icinga checks from Traefik API and restart Icinga2 service </span><span style="color:#bf616a;">0</span><span> 2 * * * /etc/icinga2/cronjobs/traefik2_to_icinga.py &gt; /etc/icinga2/zones.d/YOUR-ZONE/traefik_services.conf &amp;&amp; </span><span style="color:#bf616a;">systemctl</span><span> restart icinga2 &gt;/dev/null </span><span style="color:#d08770;">2</span><span>&gt;&amp;</span><span style="color:#d08770;">1 </span></code></pre> <p><em>Note:</em> Of course you need to print the output of <code>traefik2_to_icinga.py</code> to a directory that is either inside your zone or in conf.d</p> <p>The end result should look like this:</p> <p><img src="/images/screenshot-monitoring-traefik-icinga.png" alt="Screenshot of Icinga2 with Traefik Service" /></p> <p>I am looking forward to any feedback or even <a href="https://github.com/movd/traefik_icinga_check">pull-requests</a> for the small script.</p> <p><small><em>Source for the graphics used in the header: <a href="https://www.freepik.com/free-photos-vectors/background">Background vector created by vectorpouch - www.freepik.com</a></em></small></p>