diff --git a/.env_srv b/.env_srv index 8a6ddbb3b..45b034064 100644 --- a/.env_srv +++ b/.env_srv @@ -1,7 +1,7 @@ # ZBX_LISTENIP= # ZBX_HISTORYSTORAGEURL=http://elasticsearch:9200/ # Available since 3.4.5 # ZBX_HISTORYSTORAGETYPES=uint,dbl,str,log,text # Available since 3.4.5 -# ZBX_DBTLSCONNECT=require # Available since 5.0.0 +# ZBX_DBTLSCONNECT=required # Available since 5.0.0 # ZBX_DBTLSCAFILE=/run/secrets/root-ca.pem # Available since 5.0.0 # ZBX_DBTLSCERTFILE=/run/secrets/client-cert.pem # Available since 5.0.0 # ZBX_DBTLSKEYFILE=/run/secrets/client-key.pem # Available since 5.0.0 diff --git a/agent/centos/Dockerfile b/agent/centos/Dockerfile index 480448b91..7513604f0 100644 --- a/agent/centos/Dockerfile +++ b/agent/centos/Dockerfile @@ -23,7 +23,7 @@ RUN set -eux && \ mkdir -p /var/lib/zabbix/enc && \ mkdir -p /var/lib/zabbix/modules && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ libcurl-minimal \ openssl-libs && \ curl -L "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini" -o /sbin/tini && \ @@ -56,7 +56,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati RUN set -eux && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ pcre-devel \ diff --git a/java-gateway/centos/Dockerfile b/java-gateway/centos/Dockerfile index 5cc3a0e6d..8976682b6 100644 --- a/java-gateway/centos/Dockerfile +++ b/java-gateway/centos/Dockerfile 
@@ -18,7 +18,7 @@ RUN set -eux && \ mkdir -p /etc/zabbix/ && \ mkdir -p /usr/sbin/zabbix_java/ && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ java-1.8.0-openjdk-headless && \ dnf -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ @@ -38,7 +38,7 @@ COPY ["conf/etc/", "/etc/"] RUN set -eux && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ java-1.8.0-openjdk-devel \ diff --git a/proxy-mysql/centos/Dockerfile b/proxy-mysql/centos/Dockerfile index 591d02d72..cf71473f9 100644 --- a/proxy-mysql/centos/Dockerfile +++ b/proxy-mysql/centos/Dockerfile @@ -32,7 +32,7 @@ RUN set -eux && \ mkdir -p /usr/share/doc/zabbix-proxy-mysql && \ dnf --quiet makecache && \ dnf -y install http://repo.zabbix.com/non-supported/rhel/8/x86_64/fping-3.16-1.el8.x86_64.rpm --setopt=tsflags=nodocs && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ libcurl-minimal \ libevent \ libssh \ @@ -76,7 +76,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati RUN set -eux && \ sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ gcc \ @@ -86,7 +86,7 @@ RUN set -eux && \ libssh-devel \ libxml2-devel \ make \ - mariadb-devel \ + mariadb-connector-c-devel \ net-snmp-devel \ OpenIPMI-devel \ openldap-devel \ diff --git a/proxy-mysql/ubuntu/docker-entrypoint.sh b/proxy-mysql/ubuntu/docker-entrypoint.sh index ba066f813..3ff1f5c28 100755 --- a/proxy-mysql/ubuntu/docker-entrypoint.sh +++ b/proxy-mysql/ubuntu/docker-entrypoint.sh 
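Review bot: In the proxy-mysql/centos/Dockerfile hunk at line 32, the unchanged line directly above the edited install still pulls the fping RPM from a plain `http://repo.zabbix.com/...` URL, so the package reaches the image over an unauthenticated channel. As far as I know dnf does not apply the repository `gpgcheck` to packages named by URL unless `localpkg_gpgcheck` is enabled, and nothing visible in the hunk verifies the file. Since the commit already edits the neighbouring install flags, I would change that line to `dnf -y install https://repo.zabbix.com/non-supported/rhel/8/x86_64/fping-3.16-1.el8.x86_64.rpm --setopt=tsflags=nodocs && \` and consider `--setopt=localpkg_gpgcheck=True` once the signing key is imported. The same http line appears in the proxy-sqlite3 and server-mysql CentOS Dockerfile hunks; the server-pgsql one already uses https. The RUN instruction starts and ends outside the hunk.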
@@ -195,7 +195,8 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ @@ -210,7 +211,8 @@ mysql_query() { local result="" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ @@ -260,7 +262,8 @@ create_db_schema_mysql() { echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi zcat /usr/share/doc/zabbix-proxy-mysql/create.sql.gz | mysql --silent --skip-column-names \ diff --git a/proxy-sqlite3/centos/Dockerfile b/proxy-sqlite3/centos/Dockerfile index 59be1bc84..a27ac3432 100644 --- a/proxy-sqlite3/centos/Dockerfile +++ b/proxy-sqlite3/centos/Dockerfile 
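Review bot: In proxy-mysql/ubuntu/docker-entrypoint.sh, `ZBX_DBTLSCONNECT` is forwarded into `--ssl-mode=$ssl_mode` without validation in check_db_connect_mysql, and the same two added lines repeat in mysql_query and create_db_schema_mysql and in all three hunks of server-mysql/ubuntu/docker-entrypoint.sh. Only `verify_full` is translated, so any other string (a typo, or an empty CA path with `verify_ca`) reaches the client as-is. Judging by the `while [ ! "$(mysqladmin ping ...` line, a rejected option would probably show up as an endless "server is not available" wait rather than a configuration error. I would accept only the three documented values and fail fast otherwise, and declare `ssl_mode` and `ssl_opts` with `local` as mysql_query already does for `result`. All three functions start and end outside their hunks.

```shell
    if [ -n "${ZBX_DBTLSCONNECT}" ]; then
        case "${ZBX_DBTLSCONNECT}" in
            required|verify_ca)
                ssl_mode="${ZBX_DBTLSCONNECT}"
                ;;
            verify_full)
                # Zabbix calls it verify_full, the MySQL client calls it verify_identity
                ssl_mode="verify_identity"
                ;;
            *)
                echo "**** Unsupported ZBX_DBTLSCONNECT value: '${ZBX_DBTLSCONNECT}'" >&2
                exit 1
                ;;
        esac
        # … unchanged: ssl_opts assignment using $ssl_mode …
```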
@@ -32,7 +32,7 @@ RUN set -eux && \ mkdir -p /usr/share/doc/zabbix-proxy-sqlite3 && \ dnf --quiet makecache && \ dnf -y install http://repo.zabbix.com/non-supported/rhel/8/x86_64/fping-3.16-1.el8.x86_64.rpm --setopt=tsflags=nodocs && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ libcurl-minimal \ libevent \ libssh \ @@ -75,7 +75,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati RUN set -eux && \ sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ gcc \ diff --git a/server-mysql/centos/Dockerfile b/server-mysql/centos/Dockerfile index d0079ea7d..83ac26c11 100644 --- a/server-mysql/centos/Dockerfile +++ b/server-mysql/centos/Dockerfile @@ -34,7 +34,7 @@ RUN set -eux && \ mkdir -p /usr/share/doc/zabbix-server-mysql && \ dnf --quiet makecache && \ dnf -y install --setopt=tsflags=nodocs http://repo.zabbix.com/non-supported/rhel/8/x86_64/fping-3.16-1.el8.x86_64.rpm && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ iputils \ traceroute \ libcurl-minimal \ @@ -80,7 +80,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati RUN set -eux && \ sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo && \ dnf --quiet makecache && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ gcc \ @@ -90,7 +90,7 @@ RUN set -eux && \ libssh-devel \ libxml2-devel \ make \ - mariadb-devel \ + mariadb-connector-c-devel \ net-snmp-devel \ OpenIPMI-devel \ openldap-devel \ 
diff --git a/server-mysql/centos/docker-entrypoint.sh b/server-mysql/centos/docker-entrypoint.sh index 755c64913..475135635 100755 --- a/server-mysql/centos/docker-entrypoint.sh +++ b/server-mysql/centos/docker-entrypoint.sh @@ -190,7 +190,10 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + verify_cert="--ssl-verify-server-cert" + fi + ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" fi while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ @@ -205,7 +208,10 @@ mysql_query() { local result="" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + verify_cert="--ssl-verify-server-cert" + fi + ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" fi result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ @@ -255,7 +261,10 @@ create_db_schema_mysql() { echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + if [ "${ZBX_DBTLSCONNECT}" != "required" ]; then + verify_cert="--ssl-verify-server-cert" + fi + ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE} $verify_cert" fi zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ diff --git a/server-mysql/ubuntu/docker-entrypoint.sh b/server-mysql/ubuntu/docker-entrypoint.sh index 22b595854..94aaef87d 100755 
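Review bot: In server-mysql/centos/docker-entrypoint.sh, `verify_cert` is assigned only on the non-`required` branch and is never initialised or declared local, in check_db_connect_mysql and identically in the mysql_query and create_db_schema_mysql hunks. In `required` mode the text appended to `ssl_opts` is therefore whatever a variable of that name already holds in the shell or the container environment. Adding `local verify_cert=""` ahead of the inner `if` in each function would pin it. The branch also sends `verify_ca` and `verify_full` to the same `--ssl-verify-server-cert` flag, which to my knowledge also checks the host name in the MariaDB client, so `verify_ca` may be stricter than its name suggests. That is worth a comment such as `# MariaDB client has no CA-only mode: verify_ca and verify_full both enable full server certificate verification`. The function bodies continue outside the hunks.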
--- a/server-mysql/ubuntu/docker-entrypoint.sh +++ b/server-mysql/ubuntu/docker-entrypoint.sh @@ -190,7 +190,8 @@ check_db_connect_mysql() { WAIT_TIMEOUT=5 if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ @@ -205,7 +206,8 @@ mysql_query() { local result="" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi result=$(mysql --silent --skip-column-names -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} \ @@ -255,7 +257,8 @@ create_db_schema_mysql() { echo "** Creating '${DB_SERVER_DBNAME}' schema in MySQL" if [ -n "${ZBX_DBTLSCONNECT}" ]; then - ssl_opts="--ssl --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" + ssl_mode=${ZBX_DBTLSCONNECT//verify_full/verify_identity} + ssl_opts="--ssl-mode=$ssl_mode --ssl-ca=${ZBX_DBTLSCAFILE} --ssl-key=${ZBX_DBTLSKEYFILE} --ssl-cert=${ZBX_DBTLSCERTFILE}" fi zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql --silent --skip-column-names \ diff --git a/server-pgsql/centos/Dockerfile b/server-pgsql/centos/Dockerfile index 313e57e3f..7f30b71b0 100644 --- a/server-pgsql/centos/Dockerfile +++ b/server-pgsql/centos/Dockerfile 
@@ -34,7 +34,7 @@ RUN set -eux && \ mkdir -p /usr/share/doc/zabbix-server-postgresql && \ dnf --quiet makecache && \ dnf -y install --setopt=tsflags=nodocs https://repo.zabbix.com/non-supported/rhel/7/x86_64/fping-3.10-1.el7.x86_64.rpm && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ iputils \ traceroute \ libcurl-minimal \ @@ -81,7 +81,7 @@ LABEL org.opencontainers.image.documentation="https://www.zabbix.com/documentati RUN set -eux && \ sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-PowerTools.repo && \ dnf --quiet makecache && \ - dnf -y install \ + dnf -y install -setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \ autoconf \ automake \ gcc \ diff --git a/web-apache-mysql/centos/Dockerfile b/web-apache-mysql/centos/Dockerfile index 31d79ba78..d6b0a9d75 100644 --- a/web-apache-mysql/centos/Dockerfile +++ b/web-apache-mysql/centos/Dockerfile @@ -63,7 +63,7 @@ RUN set -eux && \ dnf --quiet makecache && \ dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ glibc-locale-source && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ gettext \ git && \ cd /usr/share/ && \ diff --git a/web-apache-mysql/ubuntu/docker-entrypoint.sh b/web-apache-mysql/ubuntu/docker-entrypoint.sh index 153a87292..1e31fb18c 100755 --- a/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/web-apache-mysql/ubuntu/docker-entrypoint.sh 
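Review bot: The second hunk of server-pgsql/centos/Dockerfile (line 81) adds `-setopt=tsflags=nodocs` with a single leading dash, unlike every other install line touched by this commit. dnf will not read that as the long option `--setopt`; most likely it is rejected as an unknown argument, which under `set -eux` would fail the build of the builder stage, and at best the nodocs setting is silently not applied. The line should read `dnf -y install --setopt=tsflags=nodocs --setopt=install_weak_deps=False --best \`. The RUN instruction continues past the end of the hunk.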
@@ -171,8 +171,12 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + ssl_opts="--ssl-mode=required --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ - --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10)" ]; do + --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." sleep $WAIT_TIMEOUT done diff --git a/web-apache-pgsql/centos/Dockerfile b/web-apache-pgsql/centos/Dockerfile index d6eda9561..e397348a0 100644 --- a/web-apache-pgsql/centos/Dockerfile +++ b/web-apache-pgsql/centos/Dockerfile @@ -63,7 +63,7 @@ RUN set -eux && \ dnf --quiet makecache && \ dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ glibc-locale-source && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ gettext \ git && \ cd /usr/share/ && \ diff --git a/web-nginx-mysql/centos/Dockerfile b/web-nginx-mysql/centos/Dockerfile index fa7e37d80..83a77ecaa 100644 --- a/web-nginx-mysql/centos/Dockerfile +++ b/web-nginx-mysql/centos/Dockerfile @@ -55,7 +55,7 @@ RUN set -eux && \ dnf --quiet makecache && \ dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ glibc-locale-source && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ gettext \ git && \ cd /usr/share/ && \ diff --git a/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/web-nginx-mysql/ubuntu/docker-entrypoint.sh index adde0e72c..50a6c0c29 100755 --- a/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/web-nginx-mysql/ubuntu/docker-entrypoint.sh 
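Review bot: In web-apache-mysql/ubuntu/docker-entrypoint.sh, check_db_connect hard-codes `--ssl-mode=required` while also passing `--ssl-ca=${ZBX_DB_CA_FILE}`, and the web-nginx-mysql/ubuntu hunk does the same. Per the MySQL client documentation, an explicit mode other than VERIFY_CA or VERIFY_IDENTITY means the CA file is not used to verify the server certificate. The readiness probe would then send `--password="${DB_SERVER_ROOT_PASS}"` over a TLS session whose peer is unauthenticated. I would derive the mode from the configuration instead: `ssl_mode=required`, then `[ -n "${ZBX_DB_CA_FILE}" ] && ssl_mode=verify_ca`, and build the string with `--ssl-mode=${ssl_mode}`. `ssl_opts` is also left as an undeclared global that is expanded unquoted, so a certificate path containing whitespace would split into separate arguments; the function starts outside the hunk.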
@@ -190,8 +190,12 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ "${ZBX_DB_ENCRYPTION}" == "true" ]; then + ssl_opts="--ssl-mode=required --ssl-ca=${ZBX_DB_CA_FILE} --ssl-key=${ZBX_DB_KEY_FILE} --ssl-cert=${ZBX_DB_CERT_FILE}" + fi + while [ ! "$(mysqladmin ping -h ${DB_SERVER_HOST} -P ${DB_SERVER_PORT} -u ${DB_SERVER_ROOT_USER} \ - --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10)" ]; do + --password="${DB_SERVER_ROOT_PASS}" --silent --connect_timeout=10 $ssl_opts)" ]; do echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." sleep $WAIT_TIMEOUT done diff --git a/web-nginx-pgsql/centos/Dockerfile b/web-nginx-pgsql/centos/Dockerfile index e16cb05d3..09124b65d 100644 --- a/web-nginx-pgsql/centos/Dockerfile +++ b/web-nginx-pgsql/centos/Dockerfile @@ -55,7 +55,7 @@ RUN set -eux && \ dnf --quiet makecache && \ dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ glibc-locale-source && \ - dnf -y install --setopt=tsflags=nodocs \ + dnf -y install --setopt=install_weak_deps=False --best --setopt=tsflags=nodocs \ gettext \ git && \ cd /usr/share/ && \