Icinga is a pretty cool monitoring solution (especially when compared to a monolithic dinosaur like nagios) but unfortunately it lacks any means of remote-control which is a sine qua non requirement for deployment automation. The most obvious use case is scheduling downtimes programmatically.
MK-Livestatus is a Nagios/Icinga extension (the Shinken kernel has it built-in) that allows queries and commands by accessing a UNIX socket on the machine. An added benefit is that queries always return up-to-date information as opposed to the ominous global state file (searching for "status.dat" should get you going on this). Unfortunately having a local socket also means that accessing livestatus over the network is not possible out-of-the-box. Using SSH is just awkward and exposing the socket through TCP is probably a huge security flaw.
Livestatus-service solves this problem by exposing the full functionality of the socket through a simple HTTP API. Due to using httpd and flask, you can build in authentication easily - put basicAuth in flask directly or the httpd access configuration of your choice.
- Livestatus access with no need for passwordless SSH or exposure of TCP sockets
- Nice, customizable query result formatting
- Built-in documentation
- Built-in access to the icinga command pipe
- Tested codebase
MIT
sudo pip install pyb-init && pyb-init github TDAF : livestatus_serviceAfterwards, building and packaging can be done with
cd target/dist/livestatus-service-$VERSION
python setup.py bdist_rpmsource venv/bin/activate
python bootstrap.pyBuild a software package.
The application will try to run as WSGI behind a httpd webserver by including configuration in /etc/httpd/conf.d/.
Building an RPM will work out-of-the-box with setup.py bdist_rpm, other packages should be easy to build too. The application should work out-of-the-box.
See the example config file. Configuration should be in /etc/livestatus.cfg
By default the service will want to run on port 8080 but you can change this by modifying the build configuration before building. Changing the value of :
project.port_to_run_on = "8080"will ensure that pybuilder patches in the correct port in the httpd configuration files.
Put a file named :
/etc/httpd/conf.d/livestatus_authorization.confon your server. The file should consist of access restrictions, e.G.
<Location />
Order deny,allow
Deny from all
AuthName "Account for Livestatus service"
AuthType Basic
Require group administrators
Require valid-user
Satisfy Any
</Location>If the file is not present then there will be no authentication.
Example to deploy livestatus_service in a suburi. Python deps installed in /opt/icinga-api/python2.6/site-packages
WSGIDaemonProcess livestatus_service user=icinga group=icinga threads=5 processes=2 python-path=/opt/icinga-api/python2.6/site-packages
WSGIScriptAlias /api /etc/apache/livestatus_service.wsgi
WSGISocketPrefix /etc/apache
WSGIProcessGroup livestatus_service
WSGIPassAuthorization On
<Location /api>
AuthName "Icinga API"
AuthType Basic
AuthUserFile /etc/apache/passwd
Require valid-user
</Location>