diff --git a/.env_web b/.env_web index 43a0b202f..4d9e27016 100644 --- a/.env_web +++ b/.env_web @@ -4,7 +4,7 @@ ZBX_SERVER_NAME=Composed installation # ZBX_DB_ENCRYPTION=true # Available since 5.0.0 # ZBX_DB_KEY_FILE=/run/secrets/client-key.pem # Available since 5.0.0 # ZBX_DB_CERT_FILE=/run/secrets/client-cert.pem # Available since 5.0.0 -# ZBX_DB_CA_FILE=/run/secrets/pgsql-ca.pem # Available since 5.0.0 +# ZBX_DB_CA_FILE=/run/secrets/root-ca.pem # Available since 5.0.0 # ZBX_DB_VERIFY_HOST=false # Available since 5.0.0 # ZBX_DB_CIPHER_LIST= # Available since 5.0.0 # ZBX_HISTORYSTORAGEURL=http://elasticsearch:9200/ # Available since 3.4.5 diff --git a/proxy-mysql/alpine/docker-entrypoint.sh b/proxy-mysql/alpine/docker-entrypoint.sh index 6d8a1c2a6..96a1faccf 100755 --- a/proxy-mysql/alpine/docker-entrypoint.sh +++ b/proxy-mysql/alpine/docker-entrypoint.sh @@ -177,6 +177,32 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix_proxy"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
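Review bot: In `db_tls_params` (proxy-mysql/alpine) the only `ZBX_DBTLSCONNECT` value that is recognised is `required`; every other non-empty string, `verify_ca` and misspellings included, gets `--ssl-verify-server-cert`. That fails closed, but it makes `verify_ca` indistinguishable from `verify_full`, and with `required` the CA file is passed while no option asks the client to check the server certificate. I would put a comment above the function stating that mapping, and validate the value before the helper is called, for example in `check_variables_mysql`: `case "${ZBX_DBTLSCONNECT}" in ""|required|verify_ca|verify_full) ;; *) echo "unsupported ZBX_DBTLSCONNECT" >&2; exit 1 ;; esac`. The check does not belong inside the helper, because it runs in `$(...)` and an `exit` there would only leave the subshell. The same helper is added to the centos and rhel proxy-mysql entrypoints and to the alpine, centos and rhel server-mysql entrypoints.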
@@ -194,9 +220,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do @@ -209,9 +233,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) @@ -259,9 +281,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-proxy-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/proxy-mysql/centos/docker-entrypoint.sh b/proxy-mysql/centos/docker-entrypoint.sh index 6d8a1c2a6..de19cec28 100755 --- a/proxy-mysql/centos/docker-entrypoint.sh +++ b/proxy-mysql/centos/docker-entrypoint.sh 
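Review bot: `ssl_opts` in `check_db_connect_mysql` is assigned without `local` and then expanded unquoted as `$ssl_opts`, and the helper that fills it ends with an unquoted `echo $result`, so a CA, key or certificate path containing whitespace or glob characters is split or expanded into separate client arguments. Declaring `local ssl_opts` before the assignment would match the `local result=""` already used in `mysql_query`. The splitting itself only goes away if the options are carried in an array and passed as `"${ssl_opts[@]}"`, which assumes the script runs under bash. The `while` loop body lies outside this hunk. The `mysql_query` and `create_db_schema_mysql` hunks, and the other entrypoints in this diff, use the same pattern.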
@@ -177,6 +177,33 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix_proxy"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -194,9 +221,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do @@ -209,9 +234,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) 
@@ -259,9 +282,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-proxy-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/proxy-mysql/rhel/docker-entrypoint.sh b/proxy-mysql/rhel/docker-entrypoint.sh index 6d8a1c2a6..de19cec28 100755 --- a/proxy-mysql/rhel/docker-entrypoint.sh +++ b/proxy-mysql/rhel/docker-entrypoint.sh @@ -177,6 +177,33 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix_proxy"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -194,9 +221,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do 
@@ -209,9 +234,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) @@ -259,9 +282,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-proxy-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/proxy-mysql/ubuntu/docker-entrypoint.sh b/proxy-mysql/ubuntu/docker-entrypoint.sh index 3ff1f5c28..e0e9e8015 100755 --- a/proxy-mysql/ubuntu/docker-entrypoint.sh +++ b/proxy-mysql/ubuntu/docker-entrypoint.sh @@ -177,6 +177,29 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix_proxy"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + result="--ssl-mode=$ssl_mode" + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
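Review bot: `ssl_mode` in `db_tls_params` (proxy-mysql/ubuntu) is assigned without `local`, unlike `result`, and the value of `ZBX_DBTLSCONNECT` goes into `--ssl-mode=` with only `verify_full` rewritten. Because the helper's output is later expanded unquoted as `$ssl_opts`, any whitespace in that variable becomes additional client arguments, and a misspelled mode is presumably only noticed when the client rejects it at connect time. I would write `local ssl_mode="${ZBX_DBTLSCONNECT//verify_full/verify_identity}"` and check the variable against `required`, `verify_ca` and `verify_full` before the helper is called. The server-mysql/ubuntu copy of the helper has the same two lines.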
@@ -194,10 +217,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do @@ -210,10 +230,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) @@ -261,10 +278,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-proxy-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/server-mysql/alpine/docker-entrypoint.sh b/server-mysql/alpine/docker-entrypoint.sh index 755c64913..45c7b8e09 100755 --- a/server-mysql/alpine/docker-entrypoint.sh +++ b/server-mysql/alpine/docker-entrypoint.sh 
@@ -172,6 +172,32 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -189,9 +215,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do @@ -204,9 +228,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) 
@@ -254,9 +276,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/server-mysql/centos/docker-entrypoint.sh b/server-mysql/centos/docker-entrypoint.sh index 475135635..45c7b8e09 100755 --- a/server-mysql/centos/docker-entrypoint.sh +++ b/server-mysql/centos/docker-entrypoint.sh @@ -172,6 +172,32 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -189,12 +215,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do 
@@ -207,12 +228,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) @@ -260,12 +276,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/server-mysql/rhel/docker-entrypoint.sh b/server-mysql/rhel/docker-entrypoint.sh index 475135635..45c7b8e09 100755 --- a/server-mysql/rhel/docker-entrypoint.sh +++ b/server-mysql/rhel/docker-entrypoint.sh 
@@ -172,6 +172,32 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + result="--ssl" + + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + result="${result} --ssl-verify-server-cert" + fi + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -189,12 +215,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do @@ -207,12 +228,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) 
@@ -260,12 +276,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then - verify_cert="--ssl-verify-server-cert" - fi - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/server-mysql/ubuntu/docker-entrypoint.sh b/server-mysql/ubuntu/docker-entrypoint.sh index 94aaef87d..bbfad1511 100755 --- a/server-mysql/ubuntu/docker-entrypoint.sh +++ b/server-mysql/ubuntu/docker-entrypoint.sh @@ -172,6 +172,29 @@ check_variables_mysql() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ -n "${ZBX_DBTLSCONNECT}" ]; then + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + result="--ssl-mode=$ssl_mode" + + if [ -n "${ZBX_DBTLSCAFILE}" ]; then + result="${result} --ssl-ca=${ZBX_DBTLSCAFILE}" + fi + + if [ -n "${ZBX_DBTLSKEYFILE}" ]; then + result="${result} --ssl-key=${ZBX_DBTLSKEYFILE}" + fi + + if [ -n "${ZBX_DBTLSCERTFILE}" ]; then + result="${result} --ssl-cert=${ZBX_DBTLSCERTFILE}" + fi + fi + + echo $result +} + check_db_connect_mysql() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -189,10 +212,7 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do 
@@ -205,10 +225,7 @@ mysql_query() { query=$1 local result="" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ -u ${DB_SERVER_ROOT_USER} --password="${DB_SERVER_ROOT_PASS}" -e "$query" $ssl_opts) @@ -256,10 +273,7 @@ create_db_schema_mysql() { if [ -z "${ZBX_DB_VERSION}" ]; then echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" - if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} - ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" - fi + ssl_opts="$(db_tls_params)" zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ diff --git a/web-apache-mysql/alpine/docker-entrypoint.sh b/web-apache-mysql/alpine/docker-entrypoint.sh index cc9d10176..50ceeaf0a 100755 --- a/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/web-apache-mysql/alpine/docker-entrypoint.sh @@ -154,6 +154,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
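Review bot: `db_tls_params` in web-apache-mysql/alpine turns TLS on with `--ssl` but never adds a verification option, so the `mysqladmin ping` in `check_db_connect` presents `DB_SERVER_ROOT_USER` and its password to a server whose certificate nothing here asks the client to check, even when `ZBX_DB_CA_FILE` is set. `.env_web` in this same diff lists `ZBX_DB_VERIFY_HOST`; whether the entrypoint reads it elsewhere is not visible in the hunk, but the helper could honour it with `if [ "${ZBX_DB_VERIFY_HOST}" == "true" ]; then result="${result} --ssl-verify-server-cert"; fi`, the flag the proxy and server helpers already use. The web-apache-mysql/centos helper and the web-nginx-mysql alpine, centos and rhel helpers are identical and need the same change.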
@@ -171,9 +193,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-apache-mysql/centos/docker-entrypoint.sh b/web-apache-mysql/centos/docker-entrypoint.sh index a781bf7d8..6ba3a7df3 100755 --- a/web-apache-mysql/centos/docker-entrypoint.sh +++ b/web-apache-mysql/centos/docker-entrypoint.sh @@ -154,6 +154,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -171,9 +193,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-apache-mysql/ubuntu/docker-entrypoint.sh b/web-apache-mysql/ubuntu/docker-entrypoint.sh index 1e31fb18c..f40f53f2a 100755 --- a/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/web-apache-mysql/ubuntu/docker-entrypoint.sh 
@@ -154,6 +154,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl-mode=required" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -171,9 +193,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl-mode=required --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-nginx-mysql/alpine/docker-entrypoint.sh b/web-nginx-mysql/alpine/docker-entrypoint.sh index eef39a80a..6c1517043 100755 --- a/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/web-nginx-mysql/alpine/docker-entrypoint.sh @@ -172,6 +172,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
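Review bot: The web-apache-mysql/ubuntu helper hard-codes `--ssl-mode=required`, which to my knowledge makes the MySQL client encrypt the session without validating the server certificate, so the `--ssl-ca` value appended right after it has no effect on verification. I would derive the mode from the configuration instead: host-name verification when `ZBX_DB_VERIFY_HOST` is `true` (this needs a CA file to be set), CA verification when only `ZBX_DB_CA_FILE` is set, and `required` otherwise. Whether `ZBX_DB_VERIFY_HOST` is already handled elsewhere in the entrypoint is not visible here. web-nginx-mysql/ubuntu adds the same function.

```shell
db_tls_params() {
    # … unchanged: local result …
    if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then
        if [ "${ZBX_DB_VERIFY_HOST}" == "true" ]; then
            result="--ssl-mode=verify_identity"
        elif [ -n "${ZBX_DB_CA_FILE}" ]; then
            result="--ssl-mode=verify_ca"
        else
            result="--ssl-mode=required"
        fi
        # … unchanged: --ssl-ca / --ssl-key / --ssl-cert appended when set …
    fi
    # … unchanged: echo of result …
}
```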
@@ -190,9 +212,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-nginx-mysql/centos/docker-entrypoint.sh b/web-nginx-mysql/centos/docker-entrypoint.sh index 5f8136703..3e2bdcf7c 100755 --- a/web-nginx-mysql/centos/docker-entrypoint.sh +++ b/web-nginx-mysql/centos/docker-entrypoint.sh @@ -172,6 +172,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -190,9 +212,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-nginx-mysql/rhel/docker-entrypoint.sh b/web-nginx-mysql/rhel/docker-entrypoint.sh index 5f8136703..3e2bdcf7c 100755 --- a/web-nginx-mysql/rhel/docker-entrypoint.sh +++ b/web-nginx-mysql/rhel/docker-entrypoint.sh 
@@ -172,6 +172,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" @@ -190,9 +212,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do diff --git a/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/web-nginx-mysql/ubuntu/docker-entrypoint.sh index 09c0fc988..d4d7579f4 100755 --- a/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/web-nginx-mysql/ubuntu/docker-entrypoint.sh @@ -172,6 +172,28 @@ check_variables() { DB_SERVER_DBNAME=${MYSQL_DATABASE:-"zabbix"} } +db_tls_params() { + local result="" + + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + result="--ssl-mode=required" + + if [ -n "${ZBX_DB_CA_FILE}" ]; then + result="${result} --ssl-ca=${ZBX_DB_CA_FILE}" + fi + + if [ -n "${ZBX_DB_KEY_FILE}" ]; then + result="${result} --ssl-key=${ZBX_DB_KEY_FILE}" + fi + + if [ -n "${ZBX_DB_CERT_FILE}" ]; then + result="${result} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + fi + + echo $result +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -190,9 +212,7 @@ check_db_connect() { WAIT_TIMEOUT=5 - if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then - ssl_opts="--ssl-mode=required --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" - fi + ssl_opts="$(db_tls_params)" while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do