:Merge branch '5.0' of https://github.com/zabbix/zabbix-docker into 5.0

server-pgsql/centos/Dockerfile

@@ -33,7 +33,7 @@ RUN set -eux && \
     mkdir -p /usr/lib/zabbix/externalscripts && \
     mkdir -p /usr/share/doc/zabbix-server-postgresql && \
     dnf --quiet makecache && \
-    dnf -y install --setopt=tsflags=nodocs https://repo.zabbix.com/non-supported/rhel/7/x86_64/fping-3.10-1.el7.x86_64.rpm && \
+    dnf -y install --setopt=tsflags=nodocs https://repo.zabbix.com/non-supported/rhel/8/x86_64/fping-3.16-1.el8.x86_64.rpm && \
     dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \
             iputils \
             traceroute \
@@ -81,7 +81,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati
 RUN set -eux && \
     sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo && \
     dnf --quiet makecache && \
-    dnf -y install -setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \
+    dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \
             autoconf \
             automake \
             gcc \

zabbix-appliance/rhel/Dockerfile

@@ -203,7 +203,6 @@ RUN set -eux && REPOLIST="rhel-8-for-x86_64-baseos-rpms,rhel-8-for-x86_64-appstr
     chgrp -R 0 /var/lib/mysql/ /var/lib/php/session/ && \
     chmod -R g=u /var/lib/mysql/ /var/lib/php/session/ && \
     dnf -y history undo `dnf history list last -q | sed -n 3p |column -t | cut -d' ' -f1` && \
-    dnf -y erase glibc-locale-source glibc-langpack-en && \
     dnf -y clean all && \
     rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \
     rm -rf /var/cache/dnf /etc/udev/hwdb.bin /root/.pki

zabbix-appliance/rhel/conf/etc/supervisor/conf.d/supervisord_mysql.conf

@@ -2,7 +2,7 @@
 nodaemon = true
 
 [program:mysqld]
-command = /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-output=none --pid-file=/var/lib/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock --port=3306 --character-set-server=utf8 --collation-server=utf8_bin --console
+command = /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=zabbix --log-output=none --pid-file=/var/lib/mysql/mysqld.pid --socket=/var/lib/mysql/mysql.sock --port=3306 --character-set-server=utf8 --collation-server=utf8_bin --console
 ;user = zabbix
 auto_start = true
 autorestart = true

zabbix-appliance/rhel/docker-entrypoint.sh

@@ -16,6 +16,10 @@ fi
 # Default timezone for web interface
 : ${PHP_TZ:="Europe/Riga"}
 
+# Default MySQL instance location
+: ${DB_SERVER_HOST:="localhost"}
+: ${DB_SERVER_PORT:="3306"}
+
 # Default directories
 # User 'zabbix' home directory
 ZABBIX_USER_HOME_DIR="/var/lib/zabbix"
@@ -55,49 +59,6 @@ file_env() {
     unset "$fileVar"
 }
 
-configure_db_mysql() {
-    [ "${DB_SERVER_HOST}" != "localhost" ] && return
-
-    echo "** Configuring local MySQL server"
-
-    MYSQL_ALLOW_EMPTY_PASSWORD=true
-    MYSQL_DATA_DIR="/var/lib/mysql"
-
-    MYSQL_CONF_FILE="/etc/my.cnf.d/mariadb-server.cnf"
-    DB_SERVER_SOCKET="/var/lib/mysql/mysql.sock"
-
-    MYSQLD=/usr/libexec/mysqld
-
-    sed -Ei 's/^(bind-address|log)/#&/' "$MYSQL_CONF_FILE"
-
-    if [ ! -d "$MYSQL_DATA_DIR/mysql" ]; then
-        [ -d "$MYSQL_DATA_DIR" ] || mkdir -p "$MYSQL_DATA_DIR"
-
-        echo "** Installing initial MySQL database schemas"
-        mysql_install_db --datadir="$MYSQL_DATA_DIR" 2>&1
-    else
-        echo "**** MySQL data directory is not empty. Using already existing installation."
-    fi
-
-    echo "** Starting MySQL server in background mode"
-
-    if [ "$(id -u)" == '0' ]; then
-        mysql_user="--user=zabbix"
-    fi
-
-    nohup $MYSQLD --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin \
-            --log-output=none --pid-file=/var/lib/mysql/mysqld.pid \
-            --port=3306 --character-set-server=utf8 --collation-server=utf8_bin $mysql_user &
-}
-
-prepare_system() {
-    echo "** Preparing the system"
-
-    DB_SERVER_HOST=${DB_SERVER_HOST:-"localhost"}
-
-    configure_db_mysql
-}
-
 escape_spec_char() {
     local var_value=$1
 
@@ -121,12 +82,18 @@ update_config_var() {
     local var_value=$3
     local is_multiple=$4
 
+    local masklist=("DBPassword TLSPSKIdentity")
+
     if [ ! -f "$config_path" ]; then
         echo "**** Configuration file '$config_path' does not exist"
         return
     fi
 
-    echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'... "
+    if [[ " ${masklist[@]} " =~ " $var_name " ]] && [ ! -z "$var_value" ]; then
+        echo -n "** Updating '$config_path' parameter \"$var_name\": '****'. Enable DEBUG_MODE to view value ..."
+    else
+        echo -n "** Updating '$config_path' parameter \"$var_name\": '$var_value'..."
+    fi
 
     # Remove configuration parameter definition in case of unset parameter value
     if [ -z "$var_value" ]; then
@@ -180,18 +147,60 @@ update_config_multiple_var() {
     done
 }
 
+configure_db_mysql() {
+    [ "${DB_SERVER_HOST}" != "localhost" ] && return
+
+    echo "** Configuring local MySQL server"
+
+    if [ -n "${ZBX_DBTLSCONNECT}" ]; then
+        echo "**** Encryption with local MySQL instance is not supported"
+        unset ZBX_DBTLSCONNECT
+    fi
+
+    MYSQL_ALLOW_EMPTY_PASSWORD=true
+    MYSQL_DATA_DIR="/var/lib/mysql"
+
+    MYSQL_CONF_FILE="/etc/my.cnf.d/mariadb-server.cnf"
+    DB_SERVER_SOCKET="/var/lib/mysql/mysql.sock"
+
+    MYSQLD=/usr/libexec/mysqld
+
+    if [ "$(id -u)" == '0' ]; then
+        mysql_user="--user=zabbix"
+    fi
+
+    sed -Ei 's/^(bind-address|log)/#&/' "$MYSQL_CONF_FILE"
+
+    if [ ! -d "$MYSQL_DATA_DIR/mysql" ]; then
+        [ -d "$MYSQL_DATA_DIR" ] || mkdir -p "$MYSQL_DATA_DIR"
+
+        echo "** Installing initial MySQL database schemas"
+        mysql_install_db $mysql_user --datadir="$MYSQL_DATA_DIR" 1>/dev/null
+    else
+        echo "**** MySQL data directory is not empty. Using already existing installation."
+    fi
+
+    echo "** Starting MySQL server in background mode"
+
+    nohup $MYSQLD --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin \
+            --log-output=none --pid-file=/var/lib/mysql/mysqld.pid \
+            --port=3306 --character-set-server=utf8 --collation-server=utf8_bin $mysql_user &
+}
+
+prepare_system() {
+    echo "** Preparing the system"
+
+    configure_db_mysql
+}
+
 # Check prerequisites for MySQL database
 check_variables_mysql() {
-    DB_SERVER_HOST=${DB_SERVER_HOST:-"mysql-server"}
-    DB_SERVER_PORT=${DB_SERVER_PORT:-"3306"}
     USE_DB_ROOT_USER=false
     CREATE_ZBX_DB_USER=false
     file_env MYSQL_USER
     file_env MYSQL_PASSWORD
 
-    if [ "$type" != "" ]; then
     file_env MYSQL_ROOT_PASSWORD
-    fi
 
     if [ ! -n "${MYSQL_USER}" ] && [ "${MYSQL_RANDOM_ROOT_PASSWORD}" == "true" ]; then
         echo "**** Impossible to use MySQL server because of unknown Zabbix user and random 'root' password"
@@ -212,7 +221,7 @@ check_variables_mysql() {
     [ -n "${MYSQL_USER}" ] && CREATE_ZBX_DB_USER=true
 
     # If root password is not specified use provided credentials
-    DB_SERVER_ROOT_USER=${DB_SERVER_ROOT_USER:-${MYSQL_USER}}
+    : ${DB_SERVER_ROOT_USER:=${MYSQL_USER}}
     [ "${MYSQL_ALLOW_EMPTY_PASSWORD}" == "true" ] || DB_SERVER_ROOT_PASS=${DB_SERVER_ROOT_PASS:-${MYSQL_PASSWORD}}
     DB_SERVER_ZBX_USER=${MYSQL_USER:-"zabbix"}
     DB_SERVER_ZBX_PASS=${MYSQL_PASSWORD:-"zabbix"}
@@ -232,14 +241,16 @@ check_db_connect() {
         fi
         echo "* DB_SERVER_ZBX_USER: ${DB_SERVER_ZBX_USER}"
         echo "* DB_SERVER_ZBX_PASS: ${DB_SERVER_ZBX_PASS}"
-        echo "********************"
     fi
     echo "********************"
 
     WAIT_TIMEOUT=5
 
-    if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then
-        ssl_opts="--ssl --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}"
+    if [ -n "${ZBX_DBTLSCONNECT}" ]; then
+        if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then
+            verify_cert="--ssl-verify-server-cert"
+        fi
+        ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert"
     fi
 
     while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \
@@ -254,7 +265,10 @@ mysql_query() {
     local result=""
 
     if [ -n "${ZBX_DBTLSCONNECT}" ]; then
-        ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}"
+        if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then
+            verify_cert="--ssl-verify-server-cert"
+        fi
+        ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert"
     fi
 
     result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \
@@ -304,7 +318,10 @@ create_db_schema_mysql() {
         echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL"
 
         if [ -n "${ZBX_DBTLSCONNECT}" ]; then
-            ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}"
+            if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then
+                verify_cert="--ssl-verify-server-cert"
+            fi
+            ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert"
         fi
 
         zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \
@@ -338,17 +355,16 @@ prepare_web_server() {
     else
         echo "**** Impossible to enable SSL support for Nginx. Certificates are missed."
     fi
-
-    if [ -d "/var/log/nginx/" ]; then
-        ln -sf /dev/fd/2 /var/log/nginx/error.log
-    fi
 }
 
 stop_databases() {
     if [ "${DB_SERVER_HOST}" == "localhost" ]; then
+        echo "** Stopping MySQL instance after initial configuration"
         mysql_query "DELETE FROM mysql.user WHERE host = 'localhost' AND user != 'root'" 1>/dev/null
 
         kill -TERM $(cat /var/lib/mysql/mysqld.pid)
+    else
+        rm -f /etc/supervisor/conf.d/supervisord_mysql.conf
     fi
 }
 
@@ -480,6 +496,12 @@ update_zbx_config() {
     update_config_var $ZBX_CONFIG "TLSCRLFile" "${ZBX_TLSCRLFILE}"
 
     update_config_var $ZBX_CONFIG "TLSCertFile" "${ZBX_TLSCERTFILE}"
+    update_config_var $ZBX_CONFIG "TLSCipherAll" "${ZBX_TLSCIPHERALL}"
+    update_config_var $ZBX_CONFIG "TLSCipherAll13" "${ZBX_TLSCIPHERALL13}"
+    update_config_var $ZBX_CONFIG "TLSCipherCert" "${ZBX_TLSCIPHERCERT}"
+    update_config_var $ZBX_CONFIG "TLSCipherCert13" "${ZBX_TLSCIPHERCERT13}"
+    update_config_var $ZBX_CONFIG "TLSCipherPSK" "${ZBX_TLSCIPHERPSK}"
+    update_config_var $ZBX_CONFIG "TLSCipherPSK13" "${ZBX_TLSCIPHERPSK13}"
     update_config_var $ZBX_CONFIG "TLSKeyFile" "${ZBX_TLSKEYFILE}"
 
     update_config_var $ZBX_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}"
@@ -526,6 +548,10 @@ prepare_zbx_web_config() {
     history_storage_url=$(escape_spec_char "${ZBX_HISTORYSTORAGEURL}")
     history_storage_types=$(escape_spec_char "${ZBX_HISTORYSTORAGETYPES}")
 
+    ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}")
+    ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}")
+    ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}")
+
     sed -i \
         -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \
         -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \