From f169159b53d752adaf246928b55f3647d2355a50 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Wed, 21 Aug 2024 20:26:24 +0900 Subject: [PATCH] Added ZBX_TLS variables to specify data without attached volume with encryption files --- Dockerfiles/agent/README.md | 7 ++++- Dockerfiles/agent/alpine/Dockerfile | 1 + Dockerfiles/agent/alpine/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent/centos/Dockerfile | 1 + Dockerfiles/agent/centos/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent/ol/Dockerfile | 1 + Dockerfiles/agent/ol/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent/rhel/Dockerfile | 1 + Dockerfiles/agent/rhel/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent/ubuntu/Dockerfile | 1 + Dockerfiles/agent/ubuntu/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent2/README.md | 7 ++++- Dockerfiles/agent2/alpine/Dockerfile | 1 + .../agent2/alpine/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent2/centos/Dockerfile | 1 + .../agent2/centos/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent2/ol/Dockerfile | 1 + Dockerfiles/agent2/ol/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent2/rhel/Dockerfile | 1 + Dockerfiles/agent2/rhel/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/agent2/ubuntu/Dockerfile | 1 + .../agent2/ubuntu/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-mysql/README.md | 7 ++++- Dockerfiles/proxy-mysql/alpine/Dockerfile | 1 + .../proxy-mysql/alpine/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-mysql/centos/Dockerfile | 1 + .../proxy-mysql/centos/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-mysql/ol/Dockerfile | 1 + .../proxy-mysql/ol/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-mysql/rhel/Dockerfile | 1 + .../proxy-mysql/rhel/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-mysql/ubuntu/Dockerfile | 1 + .../proxy-mysql/ubuntu/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-sqlite3/README.md | 7 ++++- Dockerfiles/proxy-sqlite3/alpine/Dockerfile | 1 + .../proxy-sqlite3/alpine/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-sqlite3/centos/Dockerfile | 1 + .../proxy-sqlite3/centos/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-sqlite3/ol/Dockerfile | 1 + .../proxy-sqlite3/ol/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-sqlite3/rhel/Dockerfile | 1 + .../proxy-sqlite3/rhel/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/proxy-sqlite3/ubuntu/Dockerfile | 1 + .../proxy-sqlite3/ubuntu/docker-entrypoint.sh | 25 ++++++++++++++---- Dockerfiles/server-mysql/README.md | 6 ++++- Dockerfiles/server-mysql/alpine/Dockerfile | 1 + .../server-mysql/alpine/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-mysql/centos/Dockerfile | 1 + .../server-mysql/centos/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-mysql/ol/Dockerfile | 1 + .../server-mysql/ol/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-mysql/rhel/Dockerfile | 1 + .../server-mysql/rhel/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-mysql/ubuntu/Dockerfile | 1 + .../server-mysql/ubuntu/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-pgsql/README.md | 6 ++++- Dockerfiles/server-pgsql/alpine/Dockerfile | 1 + .../server-pgsql/alpine/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-pgsql/centos/Dockerfile | 1 + .../server-pgsql/centos/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-pgsql/ol/Dockerfile | 1 + .../server-pgsql/ol/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-pgsql/rhel/Dockerfile | 1 + .../server-pgsql/rhel/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/server-pgsql/ubuntu/Dockerfile | 1 + .../server-pgsql/ubuntu/docker-entrypoint.sh | 26 ++++++++++++++----- Dockerfiles/web-service/README.md | 5 +++- Dockerfiles/web-service/alpine/Dockerfile | 2 ++ .../web-service/alpine/docker-entrypoint.sh | 21 ++++++++++++--- Dockerfiles/web-service/centos/Dockerfile | 1 + .../web-service/centos/docker-entrypoint.sh | 21 ++++++++++++--- Dockerfiles/web-service/ol/Dockerfile | 1 + .../web-service/ol/docker-entrypoint.sh | 21 ++++++++++++--- Dockerfiles/web-service/rhel/Dockerfile | 1 + .../web-service/rhel/docker-entrypoint.sh | 21 ++++++++++++--- Dockerfiles/web-service/ubuntu/Dockerfile | 1 + .../web-service/ubuntu/docker-entrypoint.sh | 21 ++++++++++++--- env_vars/.env_agent | 5 ++++ env_vars/.env_prx | 5 ++++ env_vars/.env_srv | 4 +++ 80 files changed, 768 insertions(+), 192 deletions(-) diff --git a/Dockerfiles/agent/README.md b/Dockerfiles/agent/README.md index 319c71309b..3e0ed14ed9 100644 --- a/Dockerfiles/agent/README.md +++ b/Dockerfiles/agent/README.md @@ -151,13 +151,18 @@ ZBX_UNSAFEUSERPARAMETERS=0 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSSERVERCERTISSUER= ZBX_TLSSERVERCERTSUBJECT= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSPSKIDENTITY= ZBX_TLSPSKFILE= +ZBX_TLSPSK= ZBX_TLSCIPHERALL= # Available since 4.4.7 ZBX_TLSCIPHERALL13= # Available since 4.4.7 ZBX_TLSCIPHERCERT= # Available since 4.4.7 @@ -186,7 +191,7 @@ The volume allows load additional modules and extend Zabbix agent using ``LoadMo ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE``, ``ZBX_TLSKEYFILE`` and ``ZBX_TLSPSKFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT``, ``ZBX_TLSKEY`` and ``ZBX_TLSPSK`` with plaintext values. # The image variants diff --git a/Dockerfiles/agent/alpine/Dockerfile b/Dockerfiles/agent/alpine/Dockerfile index 21cc57b7ea..b5920f37ca 100644 --- a/Dockerfiles/agent/alpine/Dockerfile +++ b/Dockerfiles/agent/alpine/Dockerfile @@ -62,6 +62,7 @@ RUN set -eux && \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/agent/alpine/docker-entrypoint.sh b/Dockerfiles/agent/alpine/docker-entrypoint.sh index 192efda4f7..c888baf512 100755 --- a/Dockerfiles/agent/alpine/docker-entrypoint.sh +++ b/Dockerfiles/agent/alpine/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agentd.conf @@ -177,20 +192,20 @@ prepare_zbx_agent_config() { update_config_multiple_var $ZBX_AGENT_CONFIG "LoadModule" "${ZBX_LOADMODULE}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent/centos/Dockerfile b/Dockerfiles/agent/centos/Dockerfile index f5218d5c3b..7a13ae76ad 100644 --- a/Dockerfiles/agent/centos/Dockerfile +++ b/Dockerfiles/agent/centos/Dockerfile @@ -78,6 +78,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/agent/centos/docker-entrypoint.sh b/Dockerfiles/agent/centos/docker-entrypoint.sh index 192efda4f7..c888baf512 100755 --- a/Dockerfiles/agent/centos/docker-entrypoint.sh +++ b/Dockerfiles/agent/centos/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agentd.conf @@ -177,20 +192,20 @@ prepare_zbx_agent_config() { update_config_multiple_var $ZBX_AGENT_CONFIG "LoadModule" "${ZBX_LOADMODULE}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent/ol/Dockerfile b/Dockerfiles/agent/ol/Dockerfile index 662b20d52f..b1e8d0e136 100644 --- a/Dockerfiles/agent/ol/Dockerfile +++ b/Dockerfiles/agent/ol/Dockerfile @@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/agent/ol/docker-entrypoint.sh b/Dockerfiles/agent/ol/docker-entrypoint.sh index 192efda4f7..c888baf512 100755 --- a/Dockerfiles/agent/ol/docker-entrypoint.sh +++ b/Dockerfiles/agent/ol/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agentd.conf @@ -177,20 +192,20 @@ prepare_zbx_agent_config() { update_config_multiple_var $ZBX_AGENT_CONFIG "LoadModule" "${ZBX_LOADMODULE}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent/rhel/Dockerfile b/Dockerfiles/agent/rhel/Dockerfile index e9678906d4..bb81fa597e 100644 --- a/Dockerfiles/agent/rhel/Dockerfile +++ b/Dockerfiles/agent/rhel/Dockerfile @@ -104,6 +104,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/agent/rhel/docker-entrypoint.sh b/Dockerfiles/agent/rhel/docker-entrypoint.sh index 192efda4f7..c888baf512 100755 --- a/Dockerfiles/agent/rhel/docker-entrypoint.sh +++ b/Dockerfiles/agent/rhel/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agentd.conf @@ -177,20 +192,20 @@ prepare_zbx_agent_config() { update_config_multiple_var $ZBX_AGENT_CONFIG "LoadModule" "${ZBX_LOADMODULE}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent/ubuntu/Dockerfile b/Dockerfiles/agent/ubuntu/Dockerfile index 65e023ee51..e00037d831 100644 --- a/Dockerfiles/agent/ubuntu/Dockerfile +++ b/Dockerfiles/agent/ubuntu/Dockerfile @@ -62,6 +62,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/agent/ubuntu/docker-entrypoint.sh b/Dockerfiles/agent/ubuntu/docker-entrypoint.sh index 192efda4f7..c888baf512 100755 --- a/Dockerfiles/agent/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/agent/ubuntu/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agentd.conf @@ -177,20 +192,20 @@ prepare_zbx_agent_config() { update_config_multiple_var $ZBX_AGENT_CONFIG "LoadModule" "${ZBX_LOADMODULE}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_AGENT_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent2/README.md b/Dockerfiles/agent2/README.md index f86556bffc..13140c5283 100644 --- a/Dockerfiles/agent2/README.md +++ b/Dockerfiles/agent2/README.md @@ -147,13 +147,18 @@ ZBX_UNSAFEUSERPARAMETERS=0 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSSERVERCERTISSUER= ZBX_TLSSERVERCERTSUBJECT= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSPSKIDENTITY= ZBX_TLSPSKFILE= +ZBX_TLSPSK= ZBX_DENYKEY=system.run[*] # Available since 5.0.0 ZBX_ALLOWKEY= # Available since 5.0.0 ``` @@ -172,7 +177,7 @@ The volume allows include ``*.conf`` files and extend Zabbix agent 2 using ``Use ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE``, ``ZBX_TLSKEYFILE`` and ``ZBX_TLSPSKFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT``, ``ZBX_TLSKEY`` and ``ZBX_TLSPSK`` with plaintext values. ### ``/var/lib/zabbix/buffer`` diff --git a/Dockerfiles/agent2/alpine/Dockerfile b/Dockerfiles/agent2/alpine/Dockerfile index cda42bb1ec..9b79b62838 100644 --- a/Dockerfiles/agent2/alpine/Dockerfile +++ b/Dockerfiles/agent2/alpine/Dockerfile @@ -60,6 +60,7 @@ RUN set -eux && \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ mkdir -p /var/lib/zabbix/buffer && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ /usr/sbin/zabbix-agent2-plugin/ && \ diff --git a/Dockerfiles/agent2/alpine/docker-entrypoint.sh b/Dockerfiles/agent2/alpine/docker-entrypoint.sh index dd464bd31a..bb79832a7d 100755 --- a/Dockerfiles/agent2/alpine/docker-entrypoint.sh +++ b/Dockerfiles/agent2/alpine/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agent2.conf @@ -185,14 +200,14 @@ prepare_zbx_agent_config() { update_config_var $ZBX_AGENT_CONFIG "UnsafeUserParameters" "${ZBX_UNSAFEUSERPARAMETERS}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent2/centos/Dockerfile b/Dockerfiles/agent2/centos/Dockerfile index 8a6b54cf95..f08cfe2e1f 100644 --- a/Dockerfiles/agent2/centos/Dockerfile +++ b/Dockerfiles/agent2/centos/Dockerfile @@ -80,6 +80,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ mkdir -p /var/lib/zabbix/buffer && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ /usr/sbin/zabbix-agent2-plugin/ && \ diff --git a/Dockerfiles/agent2/centos/docker-entrypoint.sh b/Dockerfiles/agent2/centos/docker-entrypoint.sh index dd464bd31a..bb79832a7d 100755 --- a/Dockerfiles/agent2/centos/docker-entrypoint.sh +++ b/Dockerfiles/agent2/centos/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agent2.conf @@ -185,14 +200,14 @@ prepare_zbx_agent_config() { update_config_var $ZBX_AGENT_CONFIG "UnsafeUserParameters" "${ZBX_UNSAFEUSERPARAMETERS}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent2/ol/Dockerfile b/Dockerfiles/agent2/ol/Dockerfile index 9ff0bd2a6f..b5716a877d 100644 --- a/Dockerfiles/agent2/ol/Dockerfile +++ b/Dockerfiles/agent2/ol/Dockerfile @@ -67,6 +67,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ mkdir -p /var/lib/zabbix/buffer && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ /usr/sbin/zabbix-agent2-plugin/ && \ diff --git a/Dockerfiles/agent2/ol/docker-entrypoint.sh b/Dockerfiles/agent2/ol/docker-entrypoint.sh index dd464bd31a..bb79832a7d 100755 --- a/Dockerfiles/agent2/ol/docker-entrypoint.sh +++ b/Dockerfiles/agent2/ol/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agent2.conf @@ -185,14 +200,14 @@ prepare_zbx_agent_config() { update_config_var $ZBX_AGENT_CONFIG "UnsafeUserParameters" "${ZBX_UNSAFEUSERPARAMETERS}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index 2e1946905c..bce7905c0a 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile @@ -101,6 +101,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ mkdir -p /var/lib/zabbix/buffer && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ /usr/sbin/zabbix-agent2-plugin/ && \ diff --git a/Dockerfiles/agent2/rhel/docker-entrypoint.sh b/Dockerfiles/agent2/rhel/docker-entrypoint.sh index dd464bd31a..bb79832a7d 100755 --- a/Dockerfiles/agent2/rhel/docker-entrypoint.sh +++ b/Dockerfiles/agent2/rhel/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agent2.conf @@ -185,14 +200,14 @@ prepare_zbx_agent_config() { update_config_var $ZBX_AGENT_CONFIG "UnsafeUserParameters" "${ZBX_UNSAFEUSERPARAMETERS}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/agent2/ubuntu/Dockerfile b/Dockerfiles/agent2/ubuntu/Dockerfile index 6e3d8c4291..d40f801f7f 100644 --- a/Dockerfiles/agent2/ubuntu/Dockerfile +++ b/Dockerfiles/agent2/ubuntu/Dockerfile @@ -62,6 +62,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /etc/zabbix/zabbix_agentd.d && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/modules && \ mkdir -p /var/lib/zabbix/buffer && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ /usr/sbin/zabbix-agent2-plugin/ && \ diff --git a/Dockerfiles/agent2/ubuntu/docker-entrypoint.sh b/Dockerfiles/agent2/ubuntu/docker-entrypoint.sh index dd464bd31a..bb79832a7d 100755 --- a/Dockerfiles/agent2/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/agent2/ubuntu/docker-entrypoint.sh @@ -20,6 +20,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -112,6 +114,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_agent_config() { echo "** Preparing Zabbix agent configuration file" ZBX_AGENT_CONFIG=$ZABBIX_ETC_DIR/zabbix_agent2.conf @@ -185,14 +200,14 @@ prepare_zbx_agent_config() { update_config_var $ZBX_AGENT_CONFIG "UnsafeUserParameters" "${ZBX_UNSAFEUSERPARAMETERS}" update_config_var $ZBX_AGENT_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_AGENT_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_AGENT_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}" update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}" diff --git a/Dockerfiles/proxy-mysql/README.md b/Dockerfiles/proxy-mysql/README.md index 763842f4f7..8ca389e3e5 100644 --- a/Dockerfiles/proxy-mysql/README.md +++ b/Dockerfiles/proxy-mysql/README.md @@ -222,13 +222,18 @@ ZBX_LOGSLOWQUERIES=3000 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSSERVERCERTISSUER= ZBX_TLSSERVERCERTSUBJECT= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSPSKIDENTITY= ZBX_TLSPSKFILE= +ZBX_TLSPSK= ZBX_TLSCIPHERALL= # Available since 4.4.7 ZBX_TLSCIPHERALL13= # Available since 4.4.7 ZBX_TLSCIPHERCERT= # Available since 4.4.7 @@ -258,7 +263,7 @@ The volume allows load additional modules and extend Zabbix proxy using ``LoadMo ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE``, ``ZBX_TLSKEYFILE`` and ``ZBX_TLSPSKFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT``, ``ZBX_TLSKEY`` and ``ZBX_TLSPSK`` with plaintext values. ### ``/var/lib/zabbix/ssh_keys`` diff --git a/Dockerfiles/proxy-mysql/alpine/Dockerfile b/Dockerfiles/proxy-mysql/alpine/Dockerfile index 8bee8990e1..3cf3ce1b4c 100644 --- a/Dockerfiles/proxy-mysql/alpine/Dockerfile +++ b/Dockerfiles/proxy-mysql/alpine/Dockerfile @@ -76,6 +76,7 @@ RUN set -eux && \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/proxy-mysql/alpine/docker-entrypoint.sh index 69e109bdf7..ce771b0b01 100755 --- a/Dockerfiles/proxy-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/proxy-mysql/alpine/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -140,6 +142,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -485,23 +500,23 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-mysql/centos/Dockerfile b/Dockerfiles/proxy-mysql/centos/Dockerfile index 37e2037c6c..899187eef9 100644 --- a/Dockerfiles/proxy-mysql/centos/Dockerfile +++ b/Dockerfiles/proxy-mysql/centos/Dockerfile @@ -94,6 +94,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-mysql/centos/docker-entrypoint.sh b/Dockerfiles/proxy-mysql/centos/docker-entrypoint.sh index e59e63895f..3a3227f7d5 100755 --- a/Dockerfiles/proxy-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/proxy-mysql/centos/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -140,6 +142,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -482,23 +497,23 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-mysql/ol/Dockerfile b/Dockerfiles/proxy-mysql/ol/Dockerfile index 5bba5b5c44..e3612fda34 100644 --- a/Dockerfiles/proxy-mysql/ol/Dockerfile +++ b/Dockerfiles/proxy-mysql/ol/Dockerfile @@ -81,6 +81,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-mysql/ol/docker-entrypoint.sh b/Dockerfiles/proxy-mysql/ol/docker-entrypoint.sh index e59e63895f..3a3227f7d5 100755 --- a/Dockerfiles/proxy-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/proxy-mysql/ol/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -140,6 +142,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -482,23 +497,23 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-mysql/rhel/Dockerfile b/Dockerfiles/proxy-mysql/rhel/Dockerfile index abcc663cc6..015d3491af 100644 --- a/Dockerfiles/proxy-mysql/rhel/Dockerfile +++ b/Dockerfiles/proxy-mysql/rhel/Dockerfile @@ -124,6 +124,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/proxy-mysql/rhel/docker-entrypoint.sh index e59e63895f..3a3227f7d5 100755 --- a/Dockerfiles/proxy-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/proxy-mysql/rhel/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -140,6 +142,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -482,23 +497,23 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-mysql/ubuntu/Dockerfile b/Dockerfiles/proxy-mysql/ubuntu/Dockerfile index 8c4b53be84..f77b30bced 100644 --- a/Dockerfiles/proxy-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/proxy-mysql/ubuntu/Dockerfile @@ -79,6 +79,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/proxy-mysql/ubuntu/docker-entrypoint.sh index e999c97975..e20acf994c 100755 --- a/Dockerfiles/proxy-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/proxy-mysql/ubuntu/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -140,6 +142,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -482,23 +497,23 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-sqlite3/README.md b/Dockerfiles/proxy-sqlite3/README.md index 7aaec4d0ff..88de9c2e5d 100644 --- a/Dockerfiles/proxy-sqlite3/README.md +++ b/Dockerfiles/proxy-sqlite3/README.md @@ -175,13 +175,18 @@ ZBX_LOGSLOWQUERIES=3000 ZBX_TLSCONNECT=unencrypted ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSSERVERCERTISSUER= ZBX_TLSSERVERCERTSUBJECT= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSPSKIDENTITY= ZBX_TLSPSKFILE= +ZBX_TLSPSK= ZBX_TLSCIPHERALL= # Available since 4.4.7 ZBX_TLSCIPHERALL13= # Available since 4.4.7 ZBX_TLSCIPHERCERT= # Available since 4.4.7 @@ -215,7 +220,7 @@ The volume allows load additional modules and extend Zabbix proxy using ``LoadMo ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE``, ``ZBX_TLSKEYFILE`` and ``ZBX_TLSPSKFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT``, ``ZBX_TLSKEY`` and ``ZBX_TLSPSK`` with plaintext values. ### ``/var/lib/zabbix/ssh_keys`` diff --git a/Dockerfiles/proxy-sqlite3/alpine/Dockerfile b/Dockerfiles/proxy-sqlite3/alpine/Dockerfile index 737e81b531..98f4874b3b 100644 --- a/Dockerfiles/proxy-sqlite3/alpine/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/alpine/Dockerfile @@ -74,6 +74,7 @@ RUN set -eux && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/db_data && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-sqlite3/alpine/docker-entrypoint.sh b/Dockerfiles/proxy-sqlite3/alpine/docker-entrypoint.sh index 984ea8fdb7..07ea5dd075 100755 --- a/Dockerfiles/proxy-sqlite3/alpine/docker-entrypoint.sh +++ b/Dockerfiles/proxy-sqlite3/alpine/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -106,6 +108,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + update_zbx_config() { echo "** Preparing Zabbix proxy configuration file" @@ -232,22 +247,22 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-sqlite3/centos/Dockerfile b/Dockerfiles/proxy-sqlite3/centos/Dockerfile index 28c78a0b3b..2edd60267c 100644 --- a/Dockerfiles/proxy-sqlite3/centos/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/centos/Dockerfile @@ -91,6 +91,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/db_data && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-sqlite3/centos/docker-entrypoint.sh b/Dockerfiles/proxy-sqlite3/centos/docker-entrypoint.sh index 984ea8fdb7..07ea5dd075 100755 --- a/Dockerfiles/proxy-sqlite3/centos/docker-entrypoint.sh +++ b/Dockerfiles/proxy-sqlite3/centos/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -106,6 +108,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + update_zbx_config() { echo "** Preparing Zabbix proxy configuration file" @@ -232,22 +247,22 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-sqlite3/ol/Dockerfile b/Dockerfiles/proxy-sqlite3/ol/Dockerfile index 95fbc9e869..f64752e843 100644 --- a/Dockerfiles/proxy-sqlite3/ol/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/ol/Dockerfile @@ -77,6 +77,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/db_data && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-sqlite3/ol/docker-entrypoint.sh b/Dockerfiles/proxy-sqlite3/ol/docker-entrypoint.sh index 984ea8fdb7..07ea5dd075 100755 --- a/Dockerfiles/proxy-sqlite3/ol/docker-entrypoint.sh +++ b/Dockerfiles/proxy-sqlite3/ol/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -106,6 +108,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + update_zbx_config() { echo "** Preparing Zabbix proxy configuration file" @@ -232,22 +247,22 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile index 5f08f4342e..f0f516788d 100644 --- a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile @@ -122,6 +122,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/db_data && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-sqlite3/rhel/docker-entrypoint.sh b/Dockerfiles/proxy-sqlite3/rhel/docker-entrypoint.sh index 984ea8fdb7..07ea5dd075 100755 --- a/Dockerfiles/proxy-sqlite3/rhel/docker-entrypoint.sh +++ b/Dockerfiles/proxy-sqlite3/rhel/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -106,6 +108,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + update_zbx_config() { echo "** Preparing Zabbix proxy configuration file" @@ -232,22 +247,22 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/proxy-sqlite3/ubuntu/Dockerfile b/Dockerfiles/proxy-sqlite3/ubuntu/Dockerfile index 40cb83feca..5c3f7b3aae 100644 --- a/Dockerfiles/proxy-sqlite3/ubuntu/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/ubuntu/Dockerfile @@ -76,6 +76,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/db_data && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ mkdir -p /var/lib/zabbix/modules && \ diff --git a/Dockerfiles/proxy-sqlite3/ubuntu/docker-entrypoint.sh b/Dockerfiles/proxy-sqlite3/ubuntu/docker-entrypoint.sh index 35d51e022d..c176f2842e 100755 --- a/Dockerfiles/proxy-sqlite3/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/proxy-sqlite3/ubuntu/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -106,6 +108,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + update_zbx_config() { echo "** Preparing Zabbix proxy configuration file" @@ -232,22 +247,22 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "TLSConnect" "${ZBX_TLSCONNECT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" update_config_var $ZBX_CONFIG "TLSServerCertIssuer" "${ZBX_TLSSERVERCERTISSUER}" update_config_var $ZBX_CONFIG "TLSServerCertSubject" "${ZBX_TLSSERVERCERTSUBJECT}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" "${ZBX_TLSPSK}" if [ "$(id -u)" != '0' ]; then update_config_var $ZBX_CONFIG "User" "$(whoami)" diff --git a/Dockerfiles/server-mysql/README.md b/Dockerfiles/server-mysql/README.md index 189810471d..222834984d 100644 --- a/Dockerfiles/server-mysql/README.md +++ b/Dockerfiles/server-mysql/README.md @@ -209,9 +209,13 @@ ZBX_STARTPROXYPOLLERS=1 ZBX_PROXYCONFIGFREQUENCY=10 ZBX_PROXYDATAFREQUENCY=1 ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSCIPHERALL= # Available since 4.4.7 ZBX_TLSCIPHERALL13= # Available since 4.4.7 ZBX_TLSCIPHERCERT= # Available since 4.4.7 @@ -245,7 +249,7 @@ The volume allows load additional modules and extend Zabbix server using ``LoadM ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE`` and ``ZBX_TLSKEYFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT`` and ``ZBX_TLSKEY`` with plaintext values. ### ``/var/lib/zabbix/ssh_keys`` diff --git a/Dockerfiles/server-mysql/alpine/Dockerfile b/Dockerfiles/server-mysql/alpine/Dockerfile index 5ffb2d8050..2e334da4d6 100644 --- a/Dockerfiles/server-mysql/alpine/Dockerfile +++ b/Dockerfiles/server-mysql/alpine/Dockerfile @@ -79,6 +79,7 @@ RUN set -eux && \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/server-mysql/alpine/docker-entrypoint.sh index a76b1cffe0..924bf52ba4 100755 --- a/Dockerfiles/server-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/server-mysql/alpine/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -516,20 +531,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-mysql/centos/Dockerfile b/Dockerfiles/server-mysql/centos/Dockerfile index 33f0223c9b..d65f17ca43 100644 --- a/Dockerfiles/server-mysql/centos/Dockerfile +++ b/Dockerfiles/server-mysql/centos/Dockerfile @@ -107,6 +107,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-mysql/centos/docker-entrypoint.sh b/Dockerfiles/server-mysql/centos/docker-entrypoint.sh index a8565f4938..2f6560e985 100755 --- a/Dockerfiles/server-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/server-mysql/centos/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -513,20 +528,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-mysql/ol/Dockerfile b/Dockerfiles/server-mysql/ol/Dockerfile index 9197d12aea..cf80e546a3 100644 --- a/Dockerfiles/server-mysql/ol/Dockerfile +++ b/Dockerfiles/server-mysql/ol/Dockerfile @@ -88,6 +88,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-mysql/ol/docker-entrypoint.sh b/Dockerfiles/server-mysql/ol/docker-entrypoint.sh index a8565f4938..2f6560e985 100755 --- a/Dockerfiles/server-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/server-mysql/ol/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -513,20 +528,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-mysql/rhel/Dockerfile b/Dockerfiles/server-mysql/rhel/Dockerfile index 7c8dcd7093..edca6f342a 100644 --- a/Dockerfiles/server-mysql/rhel/Dockerfile +++ b/Dockerfiles/server-mysql/rhel/Dockerfile @@ -135,6 +135,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/server-mysql/rhel/docker-entrypoint.sh index a8565f4938..2f6560e985 100755 --- a/Dockerfiles/server-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/server-mysql/rhel/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -513,20 +528,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-mysql/ubuntu/Dockerfile b/Dockerfiles/server-mysql/ubuntu/Dockerfile index c558752e3a..dc9a5bb802 100644 --- a/Dockerfiles/server-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/server-mysql/ubuntu/Dockerfile @@ -83,6 +83,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/server-mysql/ubuntu/docker-entrypoint.sh index 254389bb9c..a8668e287f 100755 --- a/Dockerfiles/server-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/server-mysql/ubuntu/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" : ${DB_CHARACTER_SET:="utf8mb4"} : ${DB_CHARACTER_COLLATE:="utf8mb4_bin"} @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for MySQL database check_variables_mysql() { if [ ! -n "${DB_SERVER_SOCKET}" ]; then @@ -513,20 +528,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-pgsql/README.md b/Dockerfiles/server-pgsql/README.md index 2e5de9549b..463a95fc00 100644 --- a/Dockerfiles/server-pgsql/README.md +++ b/Dockerfiles/server-pgsql/README.md @@ -210,9 +210,13 @@ ZBX_STARTPROXYPOLLERS=1 ZBX_PROXYCONFIGFREQUENCY=10 ZBX_PROXYDATAFREQUENCY=1 ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCRLFILE= +ZBX_TLSCRL= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_TLSCIPHERALL= # Available since 4.4.7 ZBX_TLSCIPHERALL13= # Available since 4.4.7 ZBX_TLSCIPHERCERT= # Available since 4.4.7 @@ -245,7 +249,7 @@ The volume allows load additional modules and extend Zabbix server using ``LoadM ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSKEY_FILE`` and ``ZBX_TLSPSKFILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCRLFILE``, ``ZBX_TLSCERTFILE`` and ``ZBX_TLSKEYFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCRL``, ``ZBX_TLSCERT`` and ``ZBX_TLSKEY`` with plaintext values. ### ``/var/lib/zabbix/ssh_keys`` diff --git a/Dockerfiles/server-pgsql/alpine/Dockerfile b/Dockerfiles/server-pgsql/alpine/Dockerfile index ec36b0b0d9..dd34400588 100644 --- a/Dockerfiles/server-pgsql/alpine/Dockerfile +++ b/Dockerfiles/server-pgsql/alpine/Dockerfile @@ -78,6 +78,7 @@ RUN set -eux && \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/server-pgsql/alpine/docker-entrypoint.sh index da20d5e6c3..8b22bbdb29 100755 --- a/Dockerfiles/server-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/server-pgsql/alpine/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for PostgreSQL database check_variables_postgresql() { file_env POSTGRES_USER @@ -533,20 +548,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-pgsql/centos/Dockerfile b/Dockerfiles/server-pgsql/centos/Dockerfile index 6d8f6b5927..d50a8b894e 100644 --- a/Dockerfiles/server-pgsql/centos/Dockerfile +++ b/Dockerfiles/server-pgsql/centos/Dockerfile @@ -110,6 +110,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/server-pgsql/centos/docker-entrypoint.sh index da20d5e6c3..8b22bbdb29 100755 --- a/Dockerfiles/server-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/server-pgsql/centos/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for PostgreSQL database check_variables_postgresql() { file_env POSTGRES_USER @@ -533,20 +548,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-pgsql/ol/Dockerfile b/Dockerfiles/server-pgsql/ol/Dockerfile index 8e6820dd38..a3b5c0d2c3 100644 --- a/Dockerfiles/server-pgsql/ol/Dockerfile +++ b/Dockerfiles/server-pgsql/ol/Dockerfile @@ -93,6 +93,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/server-pgsql/ol/docker-entrypoint.sh index da20d5e6c3..8b22bbdb29 100755 --- a/Dockerfiles/server-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/server-pgsql/ol/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for PostgreSQL database check_variables_postgresql() { file_env POSTGRES_USER @@ -533,20 +548,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-pgsql/rhel/Dockerfile b/Dockerfiles/server-pgsql/rhel/Dockerfile index f3e1fecc4a..eb5f732ed3 100644 --- a/Dockerfiles/server-pgsql/rhel/Dockerfile +++ b/Dockerfiles/server-pgsql/rhel/Dockerfile @@ -141,6 +141,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-pgsql/rhel/docker-entrypoint.sh b/Dockerfiles/server-pgsql/rhel/docker-entrypoint.sh index da20d5e6c3..8b22bbdb29 100755 --- a/Dockerfiles/server-pgsql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/server-pgsql/rhel/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for PostgreSQL database check_variables_postgresql() { file_env POSTGRES_USER @@ -533,20 +548,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/server-pgsql/ubuntu/Dockerfile b/Dockerfiles/server-pgsql/ubuntu/Dockerfile index 72efa1dbcc..74f9457baf 100644 --- a/Dockerfiles/server-pgsql/ubuntu/Dockerfile +++ b/Dockerfiles/server-pgsql/ubuntu/Dockerfile @@ -83,6 +83,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /usr/lib/zabbix/alertscripts && \ mkdir -p /var/lib/zabbix/dbscripts && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ mkdir -p /var/lib/zabbix/export && \ mkdir -p /usr/lib/zabbix/externalscripts && \ mkdir -p /var/lib/zabbix/mibs && \ diff --git a/Dockerfiles/server-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/server-pgsql/ubuntu/docker-entrypoint.sh index 5b4d238b7b..df6dfc12d0 100755 --- a/Dockerfiles/server-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/server-pgsql/ubuntu/docker-entrypoint.sh @@ -17,6 +17,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" # usage: file_env VAR [DEFAULT] # as example: file_env 'MYSQL_PASSWORD' 'zabbix' @@ -137,6 +139,19 @@ update_config_multiple_var() { done } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + # Check prerequisites for PostgreSQL database check_variables_postgresql() { file_env POSTGRES_USER @@ -533,20 +548,17 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "LoadModulePath" "$ZABBIX_USER_HOME_DIR/modules/" update_config_multiple_var $ZBX_CONFIG "LoadModule" "${ZBX_LOADMODULE}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" - update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" + file_process_from_env $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}" "${ZBX_TLSCRL}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}" update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}" update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}" update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}" update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}" update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" - - update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}" - update_config_var $ZBX_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "ServiceManagerSyncFrequency" "${ZBX_SERVICEMANAGERSYNCFREQUENCY}" update_config_var $ZBX_CONFIG "AllowSoftwareUpdateCheck" "${ZBX_ALLOWSOFTWAREUPDATECHECK}" diff --git a/Dockerfiles/web-service/README.md b/Dockerfiles/web-service/README.md index 34127236cc..442cdfa01a 100644 --- a/Dockerfiles/web-service/README.md +++ b/Dockerfiles/web-service/README.md @@ -91,8 +91,11 @@ Additionally the image allows to specify many other environment variables listed ``` ZBX_TLSACCEPT=unencrypted ZBX_TLSCAFILE= +ZBX_TLSCA= ZBX_TLSCERTFILE= +ZBX_TLSCERT= ZBX_TLSKEYFILE= +ZBX_TLSKEY= ZBX_IGNOREURLCERTERRORS=0 ``` @@ -104,7 +107,7 @@ Please use official documentation for [``zabbix_web_service.conf``](https://www. ### ``/var/lib/zabbix/enc`` -The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCERTFILE`` and ``ZBX_TLSKEY_FILE`` variables. +The volume is used to store TLS related files. These file names are specified using ``ZBX_TLSCAFILE``, ``ZBX_TLSCERTFILE`` and ``ZBX_TLSKEYFILE`` variables. Additionally it is possible to use environment variables ``ZBX_TLSCA``, ``ZBX_TLSCERT`` and ``ZBX_TLSKEY`` with plaintext values. # The image variants diff --git a/Dockerfiles/web-service/alpine/Dockerfile b/Dockerfiles/web-service/alpine/Dockerfile index b7dbe09fdd..888ec7a301 100644 --- a/Dockerfiles/web-service/alpine/Dockerfile +++ b/Dockerfiles/web-service/alpine/Dockerfile @@ -51,6 +51,8 @@ RUN set -eux && \ zabbix && \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ + mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ chmod -R g=u /etc/zabbix/ /var/lib/zabbix/ diff --git a/Dockerfiles/web-service/alpine/docker-entrypoint.sh b/Dockerfiles/web-service/alpine/docker-entrypoint.sh index 4ba72eeab6..b86938b0b5 100755 --- a/Dockerfiles/web-service/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-service/alpine/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -84,6 +86,19 @@ update_config_var() { } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_web_service_config() { echo "** Preparing Zabbix web service configuration file" ZBX_CONFIG=$ZABBIX_ETC_DIR/zabbix_web_service.conf @@ -101,10 +116,10 @@ prepare_zbx_web_service_config() { update_config_var $ZBX_CONFIG "Timeout" "${ZBX_TIMEOUT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "IgnoreURLCertErrors" "${ZBX_IGNOREURLCERTERRORS}" } diff --git a/Dockerfiles/web-service/centos/Dockerfile b/Dockerfiles/web-service/centos/Dockerfile index 153e353a07..80b7b0227d 100644 --- a/Dockerfiles/web-service/centos/Dockerfile +++ b/Dockerfiles/web-service/centos/Dockerfile @@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ chmod -R g=u /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/web-service/centos/docker-entrypoint.sh b/Dockerfiles/web-service/centos/docker-entrypoint.sh index 4ba72eeab6..b86938b0b5 100755 --- a/Dockerfiles/web-service/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-service/centos/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -84,6 +86,19 @@ update_config_var() { } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_web_service_config() { echo "** Preparing Zabbix web service configuration file" ZBX_CONFIG=$ZABBIX_ETC_DIR/zabbix_web_service.conf @@ -101,10 +116,10 @@ prepare_zbx_web_service_config() { update_config_var $ZBX_CONFIG "Timeout" "${ZBX_TIMEOUT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "IgnoreURLCertErrors" "${ZBX_IGNOREURLCERTERRORS}" } diff --git a/Dockerfiles/web-service/ol/Dockerfile b/Dockerfiles/web-service/ol/Dockerfile index 1e1591bb8f..4a95c21eda 100644 --- a/Dockerfiles/web-service/ol/Dockerfile +++ b/Dockerfiles/web-service/ol/Dockerfile @@ -60,6 +60,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ chmod -R g=u /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/web-service/ol/docker-entrypoint.sh b/Dockerfiles/web-service/ol/docker-entrypoint.sh index 4ba72eeab6..b86938b0b5 100755 --- a/Dockerfiles/web-service/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-service/ol/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -84,6 +86,19 @@ update_config_var() { } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_web_service_config() { echo "** Preparing Zabbix web service configuration file" ZBX_CONFIG=$ZABBIX_ETC_DIR/zabbix_web_service.conf @@ -101,10 +116,10 @@ prepare_zbx_web_service_config() { update_config_var $ZBX_CONFIG "Timeout" "${ZBX_TIMEOUT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "IgnoreURLCertErrors" "${ZBX_IGNOREURLCERTERRORS}" } diff --git a/Dockerfiles/web-service/rhel/Dockerfile b/Dockerfiles/web-service/rhel/Dockerfile index 39ee7a187d..1263c0feb7 100644 --- a/Dockerfiles/web-service/rhel/Dockerfile +++ b/Dockerfiles/web-service/rhel/Dockerfile @@ -91,6 +91,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ chmod -R g=u /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/web-service/rhel/docker-entrypoint.sh b/Dockerfiles/web-service/rhel/docker-entrypoint.sh index 4ba72eeab6..b86938b0b5 100755 --- a/Dockerfiles/web-service/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-service/rhel/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -84,6 +86,19 @@ update_config_var() { } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_web_service_config() { echo "** Preparing Zabbix web service configuration file" ZBX_CONFIG=$ZABBIX_ETC_DIR/zabbix_web_service.conf @@ -101,10 +116,10 @@ prepare_zbx_web_service_config() { update_config_var $ZBX_CONFIG "Timeout" "${ZBX_TIMEOUT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "IgnoreURLCertErrors" "${ZBX_IGNOREURLCERTERRORS}" } diff --git a/Dockerfiles/web-service/ubuntu/Dockerfile b/Dockerfiles/web-service/ubuntu/Dockerfile index 13be3fbc50..ea8cf18a95 100644 --- a/Dockerfiles/web-service/ubuntu/Dockerfile +++ b/Dockerfiles/web-service/ubuntu/Dockerfile @@ -65,6 +65,7 @@ RUN --mount=type=cache,target=/var/lib/apt/,sharing=locked \ mkdir -p /etc/zabbix && \ mkdir -p /var/lib/zabbix && \ mkdir -p /var/lib/zabbix/enc && \ + mkdir -p /var/lib/zabbix/enc_internal && \ chown --quiet -R zabbix:root /etc/zabbix/ /var/lib/zabbix/ && \ chgrp -R 0 /etc/zabbix/ /var/lib/zabbix/ && \ chmod -R g=u /etc/zabbix/ /var/lib/zabbix/ && \ diff --git a/Dockerfiles/web-service/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-service/ubuntu/docker-entrypoint.sh index 4ba72eeab6..b86938b0b5 100755 --- a/Dockerfiles/web-service/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-service/ubuntu/docker-entrypoint.sh @@ -14,6 +14,8 @@ fi ZABBIX_USER_HOME_DIR="/var/lib/zabbix" # Configuration files directory ZABBIX_ETC_DIR="/etc/zabbix" +# Internal directory for TLS related files, used when TLS*File specified as plain text values +ZABBIX_INTERNAL_ENC_DIR="${ZABBIX_USER_HOME_DIR}/enc_internal" escape_spec_char() { local var_value=$1 @@ -84,6 +86,19 @@ update_config_var() { } +file_process_from_env() { + local config_path=$1 + local var_name=$2 + local file_name=$3 + local var_value=$4 + + if [ ! -z "$var_value" ]; then + echo -n "$var_value" > "${ZABBIX_INTERNAL_ENC_DIR}/$var_name" + file_name="${ZABBIX_INTERNAL_ENC_DIR}/${var_name}" + fi + update_config_var $config_path "$var_name" "$file_name" +} + prepare_zbx_web_service_config() { echo "** Preparing Zabbix web service configuration file" ZBX_CONFIG=$ZABBIX_ETC_DIR/zabbix_web_service.conf @@ -101,10 +116,10 @@ prepare_zbx_web_service_config() { update_config_var $ZBX_CONFIG "Timeout" "${ZBX_TIMEOUT}" update_config_var $ZBX_CONFIG "TLSAccept" "${ZBX_TLSACCEPT}" - update_config_var $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" + file_process_from_env $ZBX_CONFIG "TLSCAFile" "${ZBX_TLSCAFILE}" "${ZBX_TLSCA}" - update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" - update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" + file_process_from_env $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}" "${ZBX_TLSCERT}" + file_process_from_env $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}" "${ZBX_TLSKEY}" update_config_var $ZBX_CONFIG "IgnoreURLCertErrors" "${ZBX_IGNOREURLCERTERRORS}" } diff --git a/env_vars/.env_agent b/env_vars/.env_agent index 411c810d89..c14b7a18fc 100644 --- a/env_vars/.env_agent +++ b/env_vars/.env_agent @@ -29,12 +29,17 @@ # ZBX_TLSCONNECT=unencrypted # ZBX_TLSACCEPT=unencrypted # ZBX_TLSCAFILE= +# ZBX_TLSCA= # ZBX_TLSCRLFILE= +# ZBX_TLSCRL= # ZBX_TLSSERVERCERTISSUER= # ZBX_TLSSERVERCERTSUBJECT= # ZBX_TLSCERTFILE= +# ZBX_TLSCERT= # ZBX_TLSKEYFILE= +# ZBX_TLSKEY= # ZBX_TLSPSKIDENTITY= # ZBX_TLSPSKFILE= +# ZBX_TLSPSK= # ZBX_DENYKEY=system.run[*] # ZBX_ALLOWKEY= diff --git a/env_vars/.env_prx b/env_vars/.env_prx index df2e90e5f9..b567164d68 100644 --- a/env_vars/.env_prx +++ b/env_vars/.env_prx @@ -57,13 +57,18 @@ # ZBX_TLSCONNECT=unencrypted # ZBX_TLSACCEPT=unencrypted # ZBX_TLSCAFILE= +# ZBX_TLSCA= # ZBX_TLSCRLFILE= +# ZBX_TLSCRL= # ZBX_TLSSERVERCERTISSUER= # ZBX_TLSSERVERCERTSUBJECT= # ZBX_TLSCERTFILE= +# ZBX_TLSCERT= # ZBX_TLSKEYFILE= +# ZBX_TLSKEY= # ZBX_TLSPSKIDENTITY= # ZBX_TLSPSKFILE= +# ZBX_TLSPSK= # ZBX_VAULT=HashiCorp # Available since 6.2.0 # ZBX_VAULTDBPATH= # ZBX_VAULTTLSCERTFILE= # Available since 6.2.0 diff --git a/env_vars/.env_srv b/env_vars/.env_srv index d3d112744e..47842d6826 100644 --- a/env_vars/.env_srv +++ b/env_vars/.env_srv @@ -71,9 +71,13 @@ ZBX_ENABLE_SNMP_TRAPS=true # ZBX_PROXYDATAFREQUENCY=1 # ZBX_LOADMODULE="dummy1.so,dummy2.so,dummy10.so" # ZBX_TLSCAFILE= +# ZBX_TLSCA= # ZBX_TLSCRLFILE= +# ZBX_TLSCRL= # ZBX_TLSCERTFILE= +# ZBX_TLSCERT= # ZBX_TLSKEYFILE= +# ZBX_TLSKEY= # ZBX_VAULT=HashiCorp # Available since 6.2.0 # ZBX_VAULTDBPATH= # ZBX_VAULTTLSCERTFILE= # Available since 6.2.0