Warn the user if Icinga DB is used as configuration database
Opened this issue · 25 comments
Describe the bug
After going through the icinga web setup and finishing the command transport setup I'm greeted with this error message:
Creating database schema…
Failed to fully setup the database. An error occured:
ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists
Module “monitoring” has been successfully enabled.
There aren't any entries in icingaweb2 logs though. Now how do I fix this?
To Reproduce
Provide a link to a live example, or an unambiguous set of steps to reproduce this bug. Include configuration, logs, etc. to reproduce, if relevant.
- go through the setup wizard
- finish configuring command transport (via API)
- be greeted with the error message
Your Environment
Include as many relevant details about the environment you experienced the problem in
- Version used (
icinga2 --version
): r2.14.2-1 - Operating System and version: Debian 12.5
- Enabled features (
icinga2 feature list
):
Disabled features: command compatlog debuglog elasticsearch gelf graphite influxdb influxdb2 journald livestatus opentsdb perfdata syslog
Enabled features: api checker icingadb ido-pgsql mainlog notification
- Icinga Web 2 version and modules (System - About): from apt: 2.12.1-1+debian12
- Config validation (
icinga2 daemon -C
):
icinga2 daemon -C
[2024-04-05 10:40:11 +0200] information/cli: Icinga application loader (version: r2.14.2-1)
[2024-04-05 10:40:11 +0200] information/cli: Loading configuration file(s).
[2024-04-05 10:40:11 +0200] information/ConfigItem: Committing config item(s).
[2024-04-05 10:40:11 +0200] information/ApiListener: My API identity: maintenance.fsmuw.rwth-aachen.de
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 13 Notifications.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 2 HostGroups.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Host.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Downtime.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 Zones.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 IdoPgsqlConnection.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 User.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 Endpoint.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ApiUser.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 246 CheckCommands.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 UserGroup.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2024-04-05 10:40:11 +0200] information/ConfigItem: Instantiated 12 Services.
[2024-04-05 10:40:11 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2024-04-05 10:40:11 +0200] information/cli: Finished validating the configuration file(s).
- If you run multiple Icinga 2 instances, the
zones.conf
file (oricinga2 object list --type Endpoint
andicinga2 object list --type Zone
) from all affected nodes: N.A.
Hi, thanks for reporting!
ERROR: PDOException in /usr/share/icingaweb2/modules/setup/library/Setup/Utils/DbTool.php:477 with message: SQLSTATE[42710]: Duplicate object: 7 ERROR: Type »boolenum« already exists
According to the error message you seem to be using PostgreSQL and apparently you've already imported the schema
! Please try to connect to your existing database in the setup wizard Authentication Backend
section! I don't quite understand why this would happen though. Did you import the schema manually beforehand?
The authentication backend is supposed to be LDAP, as I did configure it in the wizard, not a database. And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql. The icingadb setup usually fails when that schema isn't applied beforehand and the IDO setup explicitly requires setting up the schema, otherwise warning that the database doesn't have a schema.
Please try to connect to your existing database in the setup wizard
Authentication Backend
section!
Sorry! I mean the Database Resource
section by that not the auth backend.
And yes, I did have to import both the schema from /usr/share/icingadb/schema/pgsql/schema.sqland /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql.
That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the boolenum
type as Icinga DB does this on its own database.
That is not why the wizard is complaining about, Icinga Web 2 requires its own database and also provides its own schema and if you use the Icinga DB database in the wizard, it will then conflict with Icinga DB's schema. This is the reason why it fails to create the
boolenum
type as Icinga DB does this on its own database.
Then the wizard may not be precise enough, or the setup guide for icingadb isn't. At what point during the setup would I need to place which database in the config (one for icingadb, one for icinga-ido and now the one for icinga-web)?
I recommend reading this blog post as I cannot list all the steps of the wizard here.
If a user chooses the IDO we issue a warning:
We should probably do the same if it's the Icinga DB...
I recommend reading this blog post as I cannot list all the steps of the wizard here.
I'll have a look in the next days, thanks.
I recommend reading this blog post as I cannot list all the steps of the wizard here.
This helped. The package icingadb-web was missing. Adding this made Ido a separate, not needed option.
Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks. Also, for some reason, the icinga2.log still contains
`[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).
Even though I didn't set up ido.
EDIT: the browser console is showing these errors: icinga.log
Could it be that enabling strict content policy in the wizard is causing these? If so, how do I solve the issue without needing to disable the strict content policiy?
Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.
It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.
lso, for some reason, the icinga2.log still contains
`[2024-04-08 10:59:09 +0200] information/IdoPgsqlConnection: Finished reconnecting to 'ido-pgsql' database 'icinga2' in 0.0857689 second(s).
This is probably because you have already installed the icinga2-ido-pgsql
feature. If you do not want to use the IDO
in any way, then simply remove it apt remove icinga2-ido-pgsql
and reload the Icinga 2 service.
Now the setup is done, but logging in doesn't work. I configured LDAP as authentication backend and limited it to only members of a certain group. I obviously am a member of that group as it's also used for various other tasks.
It's hard to guess what's going wrong when logging into Icinga Web 2, if you don't share the exact error you're experiencing.
It simply claims username or password are incorrect. That's simply not possible.
I've now taken a further look. I can't see anything being wrong with the ldap config for icinga, also it did all pass the validations. But it looks like the ldap server is never contacted. When running slapd on the remote server with -d -1 (most verbose log level), it doesn't recognize any incomming connection from icinga. So no surprise icingaweb claims failed authentication.
Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via Configuration -> Application -> Logging type
.
Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via
Configuration -> Application -> Logging type
.
I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.
Well, what do the Icinga Web 2 logs say? You will find the logs in the appropriate places depending on how you have configured your logs via
Configuration -> Application -> Logging type
.I obviously can't find it in the UI as I can't log in. The log file on the server doesn't say anything about it.
You can also check the config in /etc/icingaweb2/config.ini
.
That doesn't provide any logs though. For logging I have these setting:
[logging]
log = "syslog"
level = "WARNING"
application = "icingaweb2"
facility = "user"
log = "syslog"
This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in /var/log/messages
or /var/log/syslog
.
Also I would set "DEBUG" as severity so that you can see what Icinga Web is trying to do in order to authenticate.
log = "syslog"
This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in
/var/log/messages
or/var/log/syslog
.
Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?
log = "syslog"
This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in
/var/log/messages
or/var/log/syslog
.
Nothing there, even with DEBUG. The only icinga-related lines are these:
2024-04-15T13:50:19.777331+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Icinga application loader (version: r2.14.2-1)
2024-04-15T13:50:19.780103+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/cli: Loading configuration file(s).
2024-04-15T13:50:19.836868+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Committing config item(s).
2024-04-15T13:50:19.842830+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ApiListener: My API identity: maintenance.fsmuw.rwth-aachen.de
2024-04-15T13:50:19.894252+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 NotificationCommands.
2024-04-15T13:50:19.894374+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 13 Notifications.
2024-04-15T13:50:19.894423+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
2024-04-15T13:50:19.894476+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 2 HostGroups.
2024-04-15T13:50:19.894527+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Host.
2024-04-15T13:50:19.894578+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Downtime.
2024-04-15T13:50:19.894629+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 IcingaDB.
2024-04-15T13:50:19.894681+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 FileLogger.
2024-04-15T13:50:19.894732+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 Zones.
2024-04-15T13:50:19.894799+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
2024-04-15T13:50:19.894855+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 User.
2024-04-15T13:50:19.894907+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 Endpoint.
2024-04-15T13:50:19.894958+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiUser.
2024-04-15T13:50:19.895010+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ApiListener.
2024-04-15T13:50:19.895056+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
2024-04-15T13:50:19.895113+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 246 CheckCommands.
2024-04-15T13:50:19.895164+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 UserGroup.
2024-04-15T13:50:19.895215+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 ServiceGroups.
2024-04-15T13:50:19.895267+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 3 TimePeriods.
2024-04-15T13:50:19.895318+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
2024-04-15T13:50:19.895370+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ConfigItem: Instantiated 12 Services.
2024-04-15T13:50:19.895421+02:00 maintenance icinga2[2281436]: [2024-04-15 13:50:19 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icing\
a2.vars'
2024-04-15T13:50:19.908109+02:00 maintenance icinga2[2281406]: [2024-04-15 13:50:19 +0200] information/cli: Closing console log.
log = "syslog"
This indicates that Icinga Web 2 is sending its logs to syslog. You should be able to find the logs in
/var/log/messages
or/var/log/syslog
.Can I force icingaweb to log to /var/log/icingaweb2/icingaweb2.log?
You can replace the [logging]
section in /etc/icingaweb2/config.ini
with the following config.
[logging]
log = "file"
level = "DEBUG"
file = "/var/log/icingaweb2/icingaweb2.log"
And make sure that the /var/log/icingaweb2/icingaweb2.log
file is writable by the web server user e.g. for Debian:
sudo mkdir /var/log/icingaweb2
sudo chmod -R o+w /var/log/icingaweb2/
Thanks. But still I can't get icingaweb to produce any logs.
Thanks. But still I can't get icingaweb to produce any logs.
Have you tried to log in once again after changing the config and log files?
Thanks. But still I can't get icingaweb to produce any logs.
Have you tried to log in once again after changing the config and log files?
obviously yes
Thanks. But still I can't get icingaweb to produce any logs.
Have you tried to log in once again after changing the config and log files?
obviously yes
Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious. Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all. What does your /etc/icingaweb2/authentication.ini
config look like?
Obviously it's not obvious to me, as I don't know exactly what steps you've taken and wouldn't be asking you such questions if it were that obvious.
If you think it's not obvious, then it's on you. You obviously can't test if login is working without actually logging in. And you can't (neccessarily) expect logs when nothing can happen that could be logged.
Anyway, if Icinga Web 2 is not logging anything, then it might not be trying to use LDAP as an authentication method at all.
My point exactly, otherwise I should see that in the LDAP server logs, if it fails or not.
What does your
/etc/icingaweb2/authentication.ini
config look like?
[icingaweb2]
user_class = "inetOrgPerson"
user_name_attribute = "uid"
backend = "ldap"
base_dn = "dc=domain,dc=de"
domain = "auth.domain.de" // this is the full domain of the server that hosts the LDAP. If I remember correctly originally from the wizzard this only had the domain itself, without the "auth." part. But the result is the same either way.
resource = "icingaweb_ldap"