27. 06. 2019 Stefano Bruno Configuration Management, NetEye

A Simple Way to Deploy Linux Agents Using the Icinga 2 API

The Agent’s distribution is probably one of those more time-consuming tasks. This can be for various reasons: different operating systems, network segregation, administrative credentials that are difficult to obtain, or even more simply, a large number of Agents to install.

We know that the Agent installation on Windows servers is made easier by this PowerShell script made available by the community: https://github.com/Icinga/icinga2-powershell-module.
In addition, it’s possible to generate an authentication token at the Host Templates level. This clearly facilitates the deployment methods.

For Linux Operating Systems, the situation is more complicated: it is not possible to generate a token at the host template level, so each host type object will have a different authentication token. This will increase significantly the installation times.

Fortunately, the APIs that Icinga makes available will help us.

When creating a Linux host, it becomes possible to download a bash script by accessing the “Agent” tab on the host screen. There is a dedicated script for every single host.

The two parameters to be customized are the following:

ICINGA2_NODENAME=’linux_agent.domain’ (FQDN of the remote server)

ICINGA2_CA_TICKET=’aq1sw2de3fr4gt5hy6ju7ki8lo9′ (the ticket released by NetEye master)

  • The value for the first field is easily to find (for example, it could correspond to the hostname -f command executed on the remote server)
  • For the second parameter value, we must use the API via the curl command on the remote host agent. Here we can follow the instructions in the Icinga Documentation portal at the following link: https://icinga.com/docs/icinga2/latest/doc/12-icinga2-api/#generate-ticket

The curl command will return a JSON response like this:

    "results": [
            "code": 200.0,
            "status": "Generated PKI ticket 'aq1sw2de3fr4gt5hy6ju7ki8lo9aq1sw2de3fr4'  for common name 'linux_agent.domain'.",
            "ticket": "aq1sw2de3fr4gt5hy6ju7ki8lo9aq1sw2de3fr4"

We only have to parse the content in order to get just the authentication token.

It isn’t necessary for the host object to already be present on Director, we can create it later. If you have a large number of hosts to set up, I recommend that you use a configuration management tool (puppet, rundeck, etc…) that can execute commands on all remote servers.

Stefano Bruno

Stefano Bruno


Stefano Bruno

Leave a Reply

Your email address will not be published. Required fields are marked *