search

Icinga / icingaweb2

A lightweight and extensible web interface to keep an eye on your environment. Analyse problems and act on them.
https://icinga.com/get-started/
GNU General Public License v2.0
806 stars 280 forks source link

Warn the user if Icinga DB is used as configuration database #5208

Closed Artim96 closed 1 month ago

Artim96 commented 5 months ago

Describe the bug

After going through the icinga web setup and finishing the command transport setup I'm greeted with this error message:

Creating database schema…
Failed to fully setup the database. An error occured:
ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists

Module “monitoring” has been successfully enabled.

There aren't any entries in icingaweb2 logs though. Now how do I fix this?

To Reproduce

Provide a link to a live example, or an unambiguous set of steps to reproduce this bug. Include configuration, logs, etc. to reproduce, if relevant.

  1. go through the setup wizard
  2. finish configuring command transport (via API)
  3. be greeted with the error message

Your Environment

Include as many relevant details about the environment you experienced the problem in


* If you run multiple Icinga 2 instances, the `zones.conf` file (or `icinga2 object list --type Endpoint` and `icinga2 object list --type Zone`) from all affected nodes: N.A.
yhabteab commented 5 months ago

Hi, thanks for reporting!

ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists

According to the error message you seem to be using PostgreSQL and apparently you've already imported the schema! Please try to connect to your existing database in the setup wizard Authentication Backend section! I don't quite understand why this would happen though. Did you import the schema manually beforehand?

Artim96 commented 5 months ago

The authentication backend is supposed to be LDAP, as I did configure it in the wizard, not a database. And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql. The icingadb setup usually fails when that schema isn't applied beforehand and the IDO setup explicitly requires setting up the schema, otherwise warning that the database doesn't have a schema.

yhabteab commented 5 months ago

Please try to connect to your existing database in the setup wizard Authentication Backend section!

Sorry! I mean the Database Resource section by that not the auth backend.

And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql.

That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the boolenum type as Icinga DB does this on its own database.

Artim96 commented 5 months ago

That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the boolenum type as Icinga DB does this on its own database.

Then the wizard may not be precise enough, or the setup guide for icingadb isn't. At what point during the setup would I need to place which database in the config (one for icingadb, one for icinga-ido and now the one for icinga-web)?

yhabteab commented 5 months ago

I recommend reading this blog post as I cannot list all the steps of the wizard here.

nilmerg commented 5 months ago

If a user chooses the IDO we issue a warning: https://github.com/Icinga/icingaweb2/blob/ae9575e7e4763c792956c6623da88ca00a3accbc/modules/setup/application/forms/DbResourcePage.php#L132

We should probably do the same if it's the Icinga DB...

Artim96 commented 5 months ago

I recommend reading this blog post as I cannot list all the steps of the wizard here.

I'll have a look in the next days, thanks.

Artim96 commented 5 months ago

I recommend reading this blog post as I cannot list all the steps of the wizard here.

This helped. The package icingadb-web was missing. Adding this made Ido a separate, not needed option.

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks. Also, for some reason, the icinga2.log still contains `[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).

Even though I didn't set up ido.

EDIT: the browser console is showing these errors: icinga.log

Could it be that enabling strict content policy in the wizard is causing these? If so, how do I solve the issue without needing to disable the strict content policiy?

yhabteab commented 5 months ago

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.

It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.

lso, for some reason, the icinga2.log still contains `[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).

This is probably because you have already installed the icinga2-ido-pgsql feature. If you do not want to use the IDO in any way, then simply remove it apt remove icinga2-ido-pgsql and reload the Icinga 2 service.

Artim96 commented 5 months ago

Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.

It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.

It simply claims username or password are incorrect. That's simply not possible.

Artim96 commented 5 months ago

I've now taken a further look. I can't see anything being wrong with the ldap config for icinga, also it did all pass the validations. But it looks like the ldap server is never contacted. When running slapd on the remote server with -d -1 (most verbose log level), it doesn't recognize any incomming connection from icinga. So no surprise icingaweb claims failed authentication.

yhabteab commented 5 months ago

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

Artim96 commented 5 months ago

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.

yhabteab commented 5 months ago

Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type.

I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.

You can also check the config in /etc/icingaweb2/config.ini.

Artim96 commented 5 months ago

That doesn't provide any logs though. For logging I have these setting:

[logging]
log = "syslog"
level = "WARNING"
application = "icingaweb2"
facility = "user"
yhabteab commented 5 months ago

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

lippserd commented 5 months ago

Also I would set "DEBUG" as severity so that you can see what Icinga Web is trying to do in order to authenticate.

Artim96 commented 5 months ago

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?

Artim96 commented 5 months ago

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Nothing there, even with DEBUG. The only icinga-related lines are these:

2024-04-15T13:50:19.777331+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Icinga application loader (version: r2.14.2-1)
2024-04-15T13:50:19.780103+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/cli: Loading configuration file(s).
2024-04-15T13:50:19.836868+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Committing config item(s).
2024-04-15T13:50:19.842830+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ApiListener: My API identity: maintenance.fsmuw.rwth-aachen.de
2024-04-15T13:50:19.894252+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
2024-04-15T13:50:19.894374+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 13 Notifications.
2024-04-15T13:50:19.894423+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
2024-04-15T13:50:19.894476+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 HostGroups.
2024-04-15T13:50:19.894527+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Host.
2024-04-15T13:50:19.894578+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Downtime.
2024-04-15T13:50:19.894629+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
2024-04-15T13:50:19.894681+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 FileLogger.
2024-04-15T13:50:19.894732+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 Zones.
2024-04-15T13:50:19.894799+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
2024-04-15T13:50:19.894855+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 User.
2024-04-15T13:50:19.894907+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Endpoint.
2024-04-15T13:50:19.894958+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiUser.
2024-04-15T13:50:19.895010+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiListener.
2024-04-15T13:50:19.895056+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
2024-04-15T13:50:19.895113+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 246 CheckCommands.
2024-04-15T13:50:19.895164+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 UserGroup.
2024-04-15T13:50:19.895215+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
2024-04-15T13:50:19.895267+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
2024-04-15T13:50:19.895318+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
2024-04-15T13:50:19.895370+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 12 Services.
2024-04-15T13:50:19.895421+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icing\
a2.vars'
2024-04-15T13:50:19.908109+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Closing console log.
yhabteab commented 5 months ago

log = "syslog"

This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages or /var/log/syslog.

Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?

You can replace the [logging] section in /etc/icingaweb2/config.ini with the following config.

[logging]
log = "file"
level = "DEBUG"
file = "/var/log/icingaweb2/icingaweb2.log"

And make sure that the /var/log/icingaweb2/icingaweb2.log file is writable by the web server user e.g. for Debian:

sudo mkdir /var/log/icingaweb2
sudo chmod -R o+w /var/log/icingaweb2/
Artim96 commented 5 months ago

Thanks. But still I can't get icingaweb to produce any logs.

yhabteab commented 5 months ago

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

Artim96 commented 5 months ago

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

obviously yes

yhabteab commented 5 months ago

Thanks. But still I can't get icingaweb to produce any logs.

Have you tried to log in once again after changing the config and log files?

obviously yes

Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious. Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all. What does your /etc/icingaweb2/authentication.ini config look like?

Artim96 commented 5 months ago

Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious.

If you think it's not obvious, then it's on you. You obviously can't test if login is working without actually logging in. And you can't (neccessarily) expect logs when nothing can happen that could be logged.

Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all.

My point exactly, otherwise I should see that in the LDAP server logs, if it fails or not.

What does your /etc/icingaweb2/authentication.ini config look like?

[icingaweb2]
user_class = "inetOrgPerson"
user_name_attribute = "uid"
backend = "ldap"
base_dn = "dc=domain,dc=de"
domain = "auth.domain.de" // this is the full domain of the server that hosts the LDAP. If I remember correctly originally from the wizzard this only had the domain itself, without the "auth." part. But the result is the same either way.
resource = "icingaweb_ldap"
Artim96 commented 1 month ago

Is there any other way to get any additional logs from icinga? There's just nothing received by the LDAP server.

yhabteab commented 1 month ago

Can you please show a screenshot of your Icinga Web 2 login page? Since you have domain = “auth.domain.de” configured in your auth configuration, I suppose you are trying to authenticate in Icinga Web 2 as auth.domain.de\USERNAME or USERNAME@auth.domain.de as well?

Have you checked whether your ldap resource icingaweb_ldap in /etc/icingaweb2/resources.ini is also configured correctly?

Artim96 commented 1 month ago

icinga2_authentication_login

Since you have domain = “auth.domain.de” configured in your auth configuration, I suppose you are trying to authenticate in Icinga Web 2 as auth.domain.de\USERNAME or USERNAME@auth.domain.de as well?

No. Why would I? Because with everything else that connects to this LDAP server, there's no need for that. So if that is actually necessary, it should be documented somewhere - I never came across this - and it's questionable if this should be needed when this is the only source for authentication set up.

Have you checked whether your ldap resource icingaweb_ldap in /etc/icingaweb2/resources.ini is also configured correctly?

As far as I can tell, yes.

yhabteab commented 1 month ago

The screenshot doesn't help, I was just looking to get the error message you are facing after you entered the correct credentials.

No. Why would I? Because with everything else that connects to this LDAP server, there's no need for that.

I don't know if it's required, I was just asking, but if it's not needed by your LDAP server, then just remove it from the config.

yhabteab commented 1 month ago

Can you also share the output of ls -la /etc/icingaweb2/? Are the permissions for this directory set correctly?

Artim96 commented 1 month ago

icinga2_authentication_login That's all I get.

I don't know if it's required, I was just asking, but if it's not needed by your LDAP server, then just remove it from the config.

Good to know. I expected it to be necessary. This solves the issue, but I'll leave this open due to the changed title.