Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn the user if Icinga DB is used as configuration database #5208

Closed
Artim96 opened this issue Apr 5, 2024 · 31 comments · Fixed by #5212
Closed

Warn the user if Icinga DB is used as configuration database #5208

Artim96 opened this issue Apr 5, 2024 · 31 comments · Fixed by #5212
Assignees
Labels
enhancement New feature or improvement
Milestone

Comments

@Artim96
Copy link

Artim96 commented Apr 5, 2024

Describe the bug

After going through the icinga web setup and finishing the command transport setup I'm greeted with this error message:

Creating database schema…
Failed to fully setup the database. An error occured:
ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists

Module “monitoring” has been successfully enabled.

There aren't any entries in icingaweb2 logs though. Now how do I fix this?

To Reproduce

Provide a link to a live example, or an unambiguous set of steps to reproduce this bug. Include configuration, logs, etc. to reproduce, if relevant.

  1. go through the setup wizard
  2. finish configuring command transport (via API)
  3. be greeted with the error message

Your Environment

Include as many relevant details about the environment you experienced the problem in

  • Version used (icinga2 --version): r2.14.2-1
  • Operating System and version: Debian 12.5
  • Enabled features (icinga2 feature list):
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb influxdb2 journald livestatus opentsdb perfdata syslog
Enabled features: api checker icingadb ido-pgsql mainlog notification
  • Icinga Web 2 version and modules (System - About): from apt: 2.12.1-1+debian12
  • Config validation (icinga2 daemon -C):
icinga2 daemon -C
[2024-04-05 10:40:11 +0200] information/cli: Icinga application loader (version: r2.14.2-1)
[2024-04-05 10:40:11 +0200] information/cli: Loading configuration file(s).
[2024-04-05 10:40:11 +0200] information/ConfigItem: Committing config item(s).
[2024-04-05 10:40:11 +0200] information/ApiListener: My API identity: maintenance.fsmuw.rwth-aachen.de
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 13 Notifications.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 2 HostGroups.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Host.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Downtime.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 Zones.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IdoPgsqlConnection.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 User.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Endpoint.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 246 CheckCommands.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 UserGroup.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 12 Services.
[2024-04-05 10:40:11 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2024-04-05 10:40:11 +0200] information/cli: Finished validating the configuration file(s).

  • If you run multiple Icinga 2 instances, the zones.conf file (or icinga2 object list --type Endpoint and icinga2 object list --type Zone) from all affected nodes: N.A.
@yhabteab yhabteab transferred this issue from Icinga/icinga2 Apr 5, 2024
@yhabteab
Copy link
Member

yhabteab commented Apr 5, 2024

Hi, thanks for reporting!

ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists

According to the error message you seem to be using PostgreSQL and apparently you've already imported the schema! Please try to connect to your existing database in the setup wizard Authentication Backend section! I don't quite understand why this would happen though. Did you import the schema manually beforehand?

@Artim96
Copy link
Author

Artim96 commented Apr 5, 2024

The authentication backend is supposed to be LDAP, as I did configure it in the wizard, not a database. And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql. The icingadb setup usually fails when that schema isn't applied beforehand and the IDO setup explicitly requires setting up the schema, otherwise warning that the database doesn't have a schema.

@yhabteab
Copy link
Member

yhabteab commented Apr 5, 2024

Please try to connect to your existing database in the setup wizard Authentication Backend section!

Sorry! I mean the Database Resource section by that not the auth backend.

And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql.

That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the boolenum type as Icinga DB does this on its own database.

@Artim96
Copy link
Author

Artim96 commented Apr 5, 2024

That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the boolenum type as Icinga DB does this on its own database.

Then the wizard may not be precise enough, or the setup guide for icingadb isn't. At what point during the setup would I need to place which database in the config (one for icingadb, one for icinga-ido and now the one for icinga-web)?

@yhabteab
Copy link
Member

yhabteab commented Apr 5, 2024

I recommend reading this blog post as I cannot list all the steps of the wizard here.

@nilmerg
Copy link
Member

nilmerg commented Apr 5, 2024

If a user chooses the IDO we issue a warning:

if ($connectionError === null && array_search('icinga_instances', $db->listTables(), true) !== false) {

We should probably do the same if it's the Icinga DB...

@nilmerg nilmerg added this to the 2.12.2 milestone Apr 5, 2024
@nilmerg nilmerg added the enhancement New feature or improvement label Apr 5, 2024
@Artim96
Copy link
Author

Artim96 commented Apr 5, 2024

I recommend reading this blog post as I cannot list all the steps of the wizard here.

I'll have a look in the next days, thanks.

@Artim96
Copy link
Author

Artim96 commented Apr 8, 2024

I recommend reading this blog post as I cannot list all the steps of the wizard here.

This helped. The package icingadb-web was missing. Adding this made Ido a separate, not needed option.

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks. Also, for some reason, the icinga2.log still contains
`[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).

Even though I didn't set up ido.

EDIT: the browser console is showing these errors: icinga.log

Could it be that enabling strict content policy in the wizard is causing these? If so, how do I solve the issue without needing to disable the strict content policiy?

@yhabteab
Copy link
Member

yhabteab commented Apr 8, 2024

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.

It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.

lso, for some reason, the icinga2.log still contains
`[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).

This is probably because you have already installed the icinga2-ido-pgsql feature. If you do not want to use the IDO in any way, then simply remove it apt remove icinga2-ido-pgsql and reload the Icinga 2 service.

@Artim96
Copy link
Author

Artim96 commented Apr 8, 2024

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.

It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.

It simply claims username or password are incorrect. That's simply not possible.

@nilmerg nilmerg changed the title Icinga Web setup fails with PDOException Warn the user if Icinga DB is used as configuration database Apr 8, 2024
@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

I've now taken a further look. I can't see anything being wrong with the ldap config for icinga, also it did all pass the validations. But it looks like the ldap server is never contacted. When running slapd on the remote server with -d -1 (most verbose log level), it doesn't recognize any incomming connection from icinga. So no surprise icingaweb claims failed authentication.

@yhabteab
Copy link
Member

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.

@yhabteab
Copy link
Member

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.

You can also check the config in /etc/icingaweb2/config.ini.

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

That doesn't provide any logs though. For logging I have these setting:

[logging]
log = "syslog"
level = "WARNING"
application = "icingaweb2"
facility = "user"

@yhabteab
Copy link
Member

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

@lippserd
Copy link
Member

Also I would set "DEBUG" as severity so that you can see what Icinga Web is trying to do in order to authenticate.

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Nothing there, even with DEBUG. The only icinga-related lines are these:

2024-04-15T13:50:19.777331+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Icinga application loader (version: r2.14.2-1)
2024-04-15T13:50:19.780103+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/cli: Loading configuration file(s).
2024-04-15T13:50:19.836868+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Committing config item(s).
2024-04-15T13:50:19.842830+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ApiListener: My API identity: maintenance.fsmuw.rwth-aachen.de
2024-04-15T13:50:19.894252+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
2024-04-15T13:50:19.894374+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 13 Notifications.
2024-04-15T13:50:19.894423+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
2024-04-15T13:50:19.894476+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 HostGroups.
2024-04-15T13:50:19.894527+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Host.
2024-04-15T13:50:19.894578+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Downtime.
2024-04-15T13:50:19.894629+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
2024-04-15T13:50:19.894681+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 FileLogger.
2024-04-15T13:50:19.894732+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 Zones.
2024-04-15T13:50:19.894799+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
2024-04-15T13:50:19.894855+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 User.
2024-04-15T13:50:19.894907+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Endpoint.
2024-04-15T13:50:19.894958+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiUser.
2024-04-15T13:50:19.895010+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiListener.
2024-04-15T13:50:19.895056+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
2024-04-15T13:50:19.895113+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 246 CheckCommands.
2024-04-15T13:50:19.895164+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 UserGroup.
2024-04-15T13:50:19.895215+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
2024-04-15T13:50:19.895267+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
2024-04-15T13:50:19.895318+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
2024-04-15T13:50:19.895370+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 12 Services.
2024-04-15T13:50:19.895421+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icing\
a2.vars'
2024-04-15T13:50:19.908109+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Closing console log.

@yhabteab
Copy link
Member

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?

You can replace the [logging] section in /etc/icingaweb2/config.ini with the following config.

[logging]
log = "file"
level = "DEBUG"
file = "/var/log/icingaweb2/icingaweb2.log"

And make sure that the /var/log/icingaweb2/icingaweb2.log file is writable by the web server user e.g. for Debian:

sudo mkdir /var/log/icingaweb2
sudo chmod -R o+w /var/log/icingaweb2/

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

Thanks. But still I can't get icingaweb to produce any logs.

@yhabteab
Copy link
Member

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

@Artim96
Copy link
Author

Artim96 commented Apr 15, 2024

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

obviously yes

@yhabteab
Copy link
Member

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

obviously yes

Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious. Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all. What does your /etc/icingaweb2/authentication.ini config look like?

@Artim96
Copy link
Author

Artim96 commented Apr 16, 2024

Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious.

If you think it's not obvious, then it's on you. You obviously can't test if login is working without actually logging in. And you can't (neccessarily) expect logs when nothing can happen that could be logged.

Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all.

My point exactly, otherwise I should see that in the LDAP server logs, if it fails or not.

What does your /etc/icingaweb2/authentication.ini config look like?

[icingaweb2]
user_class = "inetOrgPerson"
user_name_attribute = "uid"
backend = "ldap"
base_dn = "dc=domain,dc=de"
domain = "auth.domain.de" // this is the full domain of the server that hosts the LDAP. If I remember correctly originally from the wizzard this only had the domain itself, without the "auth." part. But the result is the same either way.
resource = "icingaweb_ldap"

@Artim96
Copy link
Author

Artim96 commented Jul 30, 2024

Is there any other way to get any additional logs from icinga? There's just nothing received by the LDAP server.

@yhabteab
Copy link
Member

Can you please show a screenshot of your Icinga Web 2 login page? Since you have domain = “auth.domain.de” configured in your auth configuration, I suppose you are trying to authenticate in Icinga Web 2 as auth.domain.de\USERNAME or USERNAME@auth.domain.de as well?

Have you checked whether your ldap resource icingaweb_ldap in /etc/icingaweb2/resources.ini is also configured correctly?

@Artim96
Copy link
Author

Artim96 commented Jul 30, 2024

icinga2_authentication_login

Since you have domain = “auth.domain.de” configured in your auth configuration, I suppose you are trying to authenticate in Icinga Web 2 as auth.domain.de\USERNAME or USERNAME@auth.domain.de as well?

No. Why would I? Because with everything else that connects to this LDAP server, there's no need for that. So if that is actually necessary, it should be documented somewhere - I never came across this - and it's questionable if this should be needed when this is the only source for authentication set up.

Have you checked whether your ldap resource icingaweb_ldap in /etc/icingaweb2/resources.ini is also configured correctly?

As far as I can tell, yes.

@yhabteab
Copy link
Member

The screenshot doesn't help, I was just looking to get the error message you are facing after you entered the correct credentials.

No. Why would I? Because with everything else that connects to this LDAP server, there's no need for that.

I don't know if it's required, I was just asking, but if it's not needed by your LDAP server, then just remove it from the config.

@yhabteab
Copy link
Member

Can you also share the output of ls -la /etc/icingaweb2/? Are the permissions for this directory set correctly?

@Artim96
Copy link
Author

Artim96 commented Jul 30, 2024

icinga2_authentication_login
That's all I get.

I don't know if it's required, I was just asking, but if it's not needed by your LDAP server, then just remove it from the config.

Good to know. I expected it to be necessary. This solves the issue, but I'll leave this open due to the changed title.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or improvement
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants