From a349fc645ae9f06c524e2b67c02307fc75efa899 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov <alexey.pustovalov@zabbix.com> Date: Wed, 5 Aug 2020 17:44:48 -0400 Subject: [PATCH 1/6] Added information about Web and DB encryption --- web-apache-mysql/alpine/README.md | 24 ++++++++++++++++++++++++ web-apache-mysql/centos/README.md | 24 ++++++++++++++++++++++++ web-apache-mysql/ubuntu/README.md | 24 ++++++++++++++++++++++++ web-apache-pgsql/alpine/README.md | 20 ++++++++++++++++++++ web-apache-pgsql/centos/README.md | 20 ++++++++++++++++++++ web-apache-pgsql/ubuntu/README.md | 20 ++++++++++++++++++++ web-nginx-mysql/alpine/README.md | 24 ++++++++++++++++++++++++ web-nginx-mysql/centos/README.md | 24 ++++++++++++++++++++++++ web-nginx-mysql/ubuntu/README.md | 24 ++++++++++++++++++++++++ web-nginx-pgsql/alpine/README.md | 20 ++++++++++++++++++++ web-nginx-pgsql/centos/README.md | 20 ++++++++++++++++++++ web-nginx-pgsql/ubuntu/README.md | 20 ++++++++++++++++++++ 12 files changed, 264 insertions(+) diff --git a/web-apache-mysql/alpine/README.md b/web-apache-mysql/alpine/README.md index be2cefbf0..6429bd35a 100644 --- a/web-apache-mysql/alpine/README.md +++ b/web-apache-mysql/alpine/README.md 
@@ -162,6 +162,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-apache-mysql/centos/README.md b/web-apache-mysql/centos/README.md index be2cefbf0..6429bd35a 100644 --- a/web-apache-mysql/centos/README.md +++ b/web-apache-mysql/centos/README.md 
@@ -162,6 +162,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-apache-mysql/ubuntu/README.md b/web-apache-mysql/ubuntu/README.md index be2cefbf0..6429bd35a 100644 --- a/web-apache-mysql/ubuntu/README.md +++ b/web-apache-mysql/ubuntu/README.md 
@@ -162,6 +162,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-apache-pgsql/alpine/README.md b/web-apache-pgsql/alpine/README.md index 3764be4c2..9e37927f4 100644 --- a/web-apache-pgsql/alpine/README.md +++ b/web-apache-pgsql/alpine/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-apache-pgsql/centos/README.md b/web-apache-pgsql/centos/README.md index 3764be4c2..9e37927f4 100644 --- a/web-apache-pgsql/centos/README.md +++ b/web-apache-pgsql/centos/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-apache-pgsql/ubuntu/README.md b/web-apache-pgsql/ubuntu/README.md index 3764be4c2..9e37927f4 100644 --- a/web-apache-pgsql/ubuntu/README.md +++ b/web-apache-pgsql/ubuntu/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/apache2`` diff --git a/web-nginx-mysql/alpine/README.md b/web-nginx-mysql/alpine/README.md index 49c265481..39ce53247 100644 --- a/web-nginx-mysql/alpine/README.md +++ b/web-nginx-mysql/alpine/README.md 
@@ -163,6 +163,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` diff --git a/web-nginx-mysql/centos/README.md b/web-nginx-mysql/centos/README.md index 49c265481..39ce53247 100644 --- a/web-nginx-mysql/centos/README.md +++ b/web-nginx-mysql/centos/README.md 
@@ -163,6 +163,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` diff --git a/web-nginx-mysql/ubuntu/README.md b/web-nginx-mysql/ubuntu/README.md index 49c265481..39ce53247 100644 --- a/web-nginx-mysql/ubuntu/README.md +++ b/web-nginx-mysql/ubuntu/README.md 
@@ -163,6 +163,30 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + +### `ZBX_DB_CIPHER_LIST` + +The variable allows to specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` diff --git a/web-nginx-pgsql/alpine/README.md b/web-nginx-pgsql/alpine/README.md index 10cedbdd3..ca22afa7c 100644 --- a/web-nginx-pgsql/alpine/README.md +++ b/web-nginx-pgsql/alpine/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` diff --git a/web-nginx-pgsql/centos/README.md b/web-nginx-pgsql/centos/README.md index 10cedbdd3..ca22afa7c 100644 --- a/web-nginx-pgsql/centos/README.md +++ b/web-nginx-pgsql/centos/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` diff --git a/web-nginx-pgsql/ubuntu/README.md b/web-nginx-pgsql/ubuntu/README.md index 10cedbdd3..ca22afa7c 100644 --- a/web-nginx-pgsql/ubuntu/README.md +++ b/web-nginx-pgsql/ubuntu/README.md 
@@ -160,6 +160,26 @@ The varable is PHP ``upload_max_filesize`` option. By default, value is `2M`. The varable is PHP ``max_input_time`` option. By default, value is `300`. +### `ZBX_DB_ENCRYPTION` + +The variable allows to activate encryption for connections to Zabbix database. Even if no other environment variables are specified, connections will be TLS-encrypted if `ZBX_DB_ENCRYPTION=true` specified. Available since 5.0.0. Disabled by default. + +### `ZBX_DB_KEY_FILE` + +The variable allows to specify the full path to a valid TLS key file. Available since 5.0.0. + +### `ZBX_DB_CERT_FILE` + +The variable allows to specify the full path to a valid TLS certificate file. Available since 5.0.0. + +### `ZBX_DB_CA_FILE` + +The variable allows to specify the full path to a valid TLS certificate authority file. Available since 5.0.0. + +### `ZBX_DB_VERIFY_HOST` + +The variable allows to activate host verification. Available since 5.0.0. + ## Allowed volumes for the Zabbix web interface container ### ``/etc/ssl/nginx`` From a02ebfc6802228d0d9bb8644972a0fa42d396199 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov <alexey.pustovalov@zabbix.com> Date: Mon, 24 Aug 2020 16:12:32 -0400 Subject: [PATCH 2/6] Correct sentence about SSL for Nginx --- web-nginx-mysql/alpine/README.md | 2 +- web-nginx-mysql/centos/README.md | 2 +- web-nginx-mysql/ubuntu/README.md | 2 +- web-nginx-pgsql/alpine/README.md | 2 +- web-nginx-pgsql/centos/README.md | 2 +- web-nginx-pgsql/ubuntu/README.md | 2 +- zabbix-appliance/rhel/README.md | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/web-nginx-mysql/alpine/README.md b/web-nginx-mysql/alpine/README.md index 39ce53247..8f404c324 100644 --- a/web-nginx-mysql/alpine/README.md +++ b/web-nginx-mysql/alpine/README.md 
@@ -191,7 +191,7 @@ The variable allows to specify a custom list of valid ciphers. The format of the ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/web-nginx-mysql/centos/README.md b/web-nginx-mysql/centos/README.md index 39ce53247..8f404c324 100644 --- a/web-nginx-mysql/centos/README.md +++ b/web-nginx-mysql/centos/README.md @@ -191,7 +191,7 @@ The variable allows to specify a custom list of valid ciphers. The format of the ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/web-nginx-mysql/ubuntu/README.md b/web-nginx-mysql/ubuntu/README.md index 39ce53247..8f404c324 100644 --- a/web-nginx-mysql/ubuntu/README.md +++ b/web-nginx-mysql/ubuntu/README.md 
@@ -191,7 +191,7 @@ The variable allows to specify a custom list of valid ciphers. The format of the ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/web-nginx-pgsql/alpine/README.md b/web-nginx-pgsql/alpine/README.md index ca22afa7c..4be7546c1 100644 --- a/web-nginx-pgsql/alpine/README.md +++ b/web-nginx-pgsql/alpine/README.md @@ -184,7 +184,7 @@ The variable allows to activate host verification. Available since 5.0.0. ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/web-nginx-pgsql/centos/README.md b/web-nginx-pgsql/centos/README.md index ca22afa7c..4be7546c1 100644 --- a/web-nginx-pgsql/centos/README.md +++ b/web-nginx-pgsql/centos/README.md 
@@ -184,7 +184,7 @@ The variable allows to activate host verification. Available since 5.0.0. ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/web-nginx-pgsql/ubuntu/README.md b/web-nginx-pgsql/ubuntu/README.md index ca22afa7c..4be7546c1 100644 --- a/web-nginx-pgsql/ubuntu/README.md +++ b/web-nginx-pgsql/ubuntu/README.md @@ -184,7 +184,7 @@ The variable allows to activate host verification. Available since 5.0.0. ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. diff --git a/zabbix-appliance/rhel/README.md b/zabbix-appliance/rhel/README.md index e6764554b..ae3c8be38 100644 --- a/zabbix-appliance/rhel/README.md +++ b/zabbix-appliance/rhel/README.md 
@@ -206,7 +206,7 @@ The volume allows to add new MIB files. It does not support subdirectories, all ### ``/etc/ssl/nginx`` -The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains two files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. +The volume allows to enable HTTPS for the Zabbix web interface. The volume must contains three files ``ssl.crt``, ``ssl.key`` and ``dhparam.pem`` prepared for Nginx SSL connections. Please follow official Nginx [documentation](http://nginx.org/en/docs/http/configuring_https_servers.html) to get more details about how to create certificate files. From 59749e683c934765011b51869e5629fbc6525ec0 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov <alexey.pustovalov@zabbix.com> Date: Mon, 24 Aug 2020 16:51:46 -0400 Subject: [PATCH 3/6] Fixed escaping for DB certs in web images --- .gitignore | 3 +++ web-apache-mysql/ubuntu/docker-entrypoint.sh | 4 ++++ web-apache-pgsql/ubuntu/docker-entrypoint.sh | 4 ++++ web-nginx-mysql/ubuntu/docker-entrypoint.sh | 4 ++++ web-nginx-pgsql/ubuntu/docker-entrypoint.sh | 4 ++++ 5 files changed, 19 insertions(+) diff --git a/.gitignore b/.gitignore index 3d63db5ec..03f34fddd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ zbx_env/ zbx_env*/ +.*CERT_FILE +.*KEY_FILE +.*CA_FILE diff --git a/web-apache-mysql/ubuntu/docker-entrypoint.sh b/web-apache-mysql/ubuntu/docker-entrypoint.sh index 3cd52ce60..1abd0b211 100755 --- a/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/web-apache-mysql/ubuntu/docker-entrypoint.sh 
@@ -220,6 +220,10 @@ prepare_zbx_web_config() { server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") + ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") + ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") + ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + sed -i \ -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ diff --git a/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/web-apache-pgsql/ubuntu/docker-entrypoint.sh index 81ca0c4e9..1cf2460e0 100755 --- a/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/web-apache-pgsql/ubuntu/docker-entrypoint.sh @@ -222,6 +222,10 @@ prepare_zbx_web_config() { server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") + ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") + ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") + ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + sed -i \ -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ diff --git a/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/web-nginx-mysql/ubuntu/docker-entrypoint.sh index c99c9eda7..7b00ff08d 100755 --- a/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/web-nginx-mysql/ubuntu/docker-entrypoint.sh @@ -248,6 +248,10 @@ prepare_zbx_web_config() { server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") + ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") + ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") + ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + sed -i \ -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ diff --git a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh index 6a2e893d0..4223377a1 100755 --- a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh 
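Review bot: The three added assignments overwrite `ZBX_DB_KEY_FILE`, `ZBX_DB_CERT_FILE` and `ZBX_DB_CA_FILE` with their sed-escaped form, so any later use of these variables as real paths (a file test, a log line, a child process that inherits them if they are exported) would see the escaped string instead of the path. The lines just above keep the escaped copy in a separate lowercase variable (`server_user`, `server_pass`); doing the same here, e.g. `db_key_file=$(escape_spec_char "${ZBX_DB_KEY_FILE}")`, and using that name in the sed expression avoids the side effect. `escape_spec_char`, the sed expressions that consume these values and the rest of `prepare_zbx_web_config` are outside the hunk, so whether `ZBX_DB_CIPHER_LIST` needs the same escaping cannot be judged from here. The same applies to the identical hunks in the web-apache-pgsql, web-nginx-mysql and web-nginx-pgsql `ubuntu/docker-entrypoint.sh` files.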
+++ b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh @@ -248,6 +248,10 @@ prepare_zbx_web_config() { server_user=$(escape_spec_char "${DB_SERVER_ZBX_USER}") server_pass=$(escape_spec_char "${DB_SERVER_ZBX_PASS}") + ZBX_DB_KEY_FILE=$(escape_spec_char "${ZBX_DB_KEY_FILE}") + ZBX_DB_CERT_FILE=$(escape_spec_char "${ZBX_DB_CERT_FILE}") + ZBX_DB_CA_FILE=$(escape_spec_char "${ZBX_DB_CA_FILE}") + sed -i \ -e "s/{DB_SERVER_HOST}/${DB_SERVER_HOST}/g" \ -e "s/{DB_SERVER_PORT}/${DB_SERVER_PORT}/g" \ From add779496a85f1bfb2851b74149313fc8d106b95 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov <alexey.pustovalov@zabbix.com> Date: Thu, 27 Aug 2020 13:01:12 -0400 Subject: [PATCH 4/6] add selector for Zabbix agent DaemonSet --- kubernetes.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kubernetes.yaml b/kubernetes.yaml index 06c087cd6..08e18a6f5 100644 --- a/kubernetes.yaml +++ b/kubernetes.yaml @@ -458,6 +458,9 @@ metadata: tier: agent namespace: zabbix spec: + selector: + matchLabels: + name: zabbix-agent updateStrategy: type: RollingUpdate rollingUpdate: From a5615f74f98be96464cd1c073f4aa64120dffa96 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov <alexey.pustovalov@zabbix.com> Date: Thu, 27 Aug 2020 15:19:48 -0400 Subject: [PATCH 5/6] Fixed image building on CentOS --- agent/centos/Dockerfile | 2 +- agent/ubuntu/Dockerfile | 2 +- proxy-mysql/centos/Dockerfile | 2 +- proxy-mysql/ubuntu/Dockerfile | 2 +- proxy-sqlite3/centos/Dockerfile | 2 +- proxy-sqlite3/ubuntu/Dockerfile | 2 +- server-mysql/centos/Dockerfile | 2 +- server-mysql/ubuntu/Dockerfile | 2 +- server-pgsql/centos/Dockerfile | 2 +- server-pgsql/ubuntu/Dockerfile | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/agent/centos/Dockerfile b/agent/centos/Dockerfile index b42644bc7..342cdaa84 100644 --- a/agent/centos/Dockerfile +++ b/agent/centos/Dockerfile 
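Review bot: The added `selector.matchLabels` (`name: zabbix-agent`) has to be matched by the labels in `spec.template.metadata.labels`, and that template is outside the hunk. The only label visible here is `tier: agent` on the DaemonSet's own metadata, which the selector does not use. If the template lacks `name: zabbix-agent`, the API server rejects the object. Under `apps/v1` (the `apiVersion` line is not visible here) a DaemonSet selector also cannot be changed after creation, so a short comment above `selector:` such as `# selector is immutable; delete and re-create the DaemonSet to change it` would help anyone upgrading an existing deployment.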
@@ -39,7 +39,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ yum -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ diff --git a/agent/ubuntu/Dockerfile b/agent/ubuntu/Dockerfile index 0a5c80e60..7f90c66b6 100644 --- a/agent/ubuntu/Dockerfile +++ b/agent/ubuntu/Dockerfile @@ -47,7 +47,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ apt-get -y purge curl gpg dirmngr gpg-agent && \ apt-get -y autoremove && \ diff --git a/proxy-mysql/centos/Dockerfile b/proxy-mysql/centos/Dockerfile index 164a23c98..7f699bbd8 100644 --- a/proxy-mysql/centos/Dockerfile +++ b/proxy-mysql/centos/Dockerfile @@ -54,7 +54,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ yum -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ diff --git a/proxy-mysql/ubuntu/Dockerfile b/proxy-mysql/ubuntu/Dockerfile index 2b3faecd6..bddb8d536 100644 --- a/proxy-mysql/ubuntu/Dockerfile +++ b/proxy-mysql/ubuntu/Dockerfile 
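Review bot: Adding `-f` makes the cleanup pass, but nothing on the line or in the commit message records what `rm -r` was failing on, so the next maintainer cannot tell whether the flag is still needed. `-f` only ignores operands that do not exist. If the cause was gpg-agent or dirmngr removing their socket files under `$GNUPGHOME` while `rm` walks the directory (an inference, not shown here), a comment above the `RUN` such as `# rm -f: gpg helper sockets in $GNUPGHOME may vanish during removal` would say so. The signature check `gpg --batch --verify /tmp/tini.asc /sbin/tini` still runs before the cleanup and is unaffected. The same one-flag change repeats in the other nine Dockerfiles of this commit, and the `RUN` instruction starts and ends outside the hunk.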
@@ -63,7 +63,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ apt-get -y purge curl gpg dirmngr gpg-agent && \ apt-get -y autoremove && \ diff --git a/proxy-sqlite3/centos/Dockerfile b/proxy-sqlite3/centos/Dockerfile index 997c2f68c..544252e4c 100644 --- a/proxy-sqlite3/centos/Dockerfile +++ b/proxy-sqlite3/centos/Dockerfile @@ -53,7 +53,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ yum -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ diff --git a/proxy-sqlite3/ubuntu/Dockerfile b/proxy-sqlite3/ubuntu/Dockerfile index bccf9ff3d..244a85946 100644 --- a/proxy-sqlite3/ubuntu/Dockerfile +++ b/proxy-sqlite3/ubuntu/Dockerfile @@ -61,7 +61,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ apt-get -y purge curl gpg dirmngr gpg-agent && \ apt-get -y autoremove && \ diff --git a/server-mysql/centos/Dockerfile b/server-mysql/centos/Dockerfile index 60776e98d..ec931325a 100644 --- a/server-mysql/centos/Dockerfile +++ b/server-mysql/centos/Dockerfile 
@@ -59,7 +59,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ yum -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ diff --git a/server-mysql/ubuntu/Dockerfile b/server-mysql/ubuntu/Dockerfile index cb75ecedc..8710ec7f4 100644 --- a/server-mysql/ubuntu/Dockerfile +++ b/server-mysql/ubuntu/Dockerfile @@ -68,7 +68,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ apt-get -y purge curl gpg dirmngr gpg-agent && \ apt-get -y autoremove && \ diff --git a/server-pgsql/centos/Dockerfile b/server-pgsql/centos/Dockerfile index ed43ccfbc..f6253dff7 100644 --- a/server-pgsql/centos/Dockerfile +++ b/server-pgsql/centos/Dockerfile @@ -60,7 +60,7 @@ RUN set -eux && \ gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done && \ gpg --batch --verify /tmp/tini.asc /sbin/tini && \ - rm -r "$GNUPGHOME" /tmp/tini.asc && \ + rm -rf "$GNUPGHOME" /tmp/tini.asc && \ chmod +x /sbin/tini && \ yum -y clean all && \ rm -rf /var/cache/yum /var/lib/yum/yumdb/* /usr/lib/udev/hwdb.d/* && \ diff --git a/server-pgsql/ubuntu/Dockerfile b/server-pgsql/ubuntu/Dockerfile index be27d9601..04442a0b5 100644 --- a/server-pgsql/ubuntu/Dockerfile +++ b/server-pgsql/ubuntu/Dockerfile 
@@ -68,7 +68,7 @@ RUN set -eux && \
 gpg --keyserver "$server" --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \
 done && \
 gpg --batch --verify /tmp/tini.asc /sbin/tini && \
- rm -r "$GNUPGHOME" /tmp/tini.asc && \
+ rm -rf "$GNUPGHOME" /tmp/tini.asc && \
 chmod +x /sbin/tini && \
 apt-get -y purge curl gpg dirmngr gpg-agent && \
 apt-get -y autoremove && \
From 110dd1a267f69ebf45a0165e7d5341941b353499 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov <alexey.pustovalov@zabbix.com>
Date: Fri, 28 Aug 2020 12:50:40 -0400
Subject: [PATCH 6/6] Added tzdata package to Zabbix components
---
 agent/alpine/Dockerfile | 1 +
 agent/centos/Dockerfile | 1 +
 agent/ubuntu/Dockerfile | 1 +
 server-mysql/alpine/Dockerfile | 1 +
 server-mysql/centos/Dockerfile | 1 +
 server-mysql/ubuntu/Dockerfile | 1 +
 server-pgsql/alpine/Dockerfile | 1 +
 server-pgsql/centos/Dockerfile | 1 +
 server-pgsql/ubuntu/Dockerfile | 1 +
 snmptraps/alpine/Dockerfile | 1 +
 snmptraps/centos/Dockerfile | 1 +
 snmptraps/ubuntu/Dockerfile | 1 +
 12 files changed, 12 insertions(+)
diff --git a/agent/alpine/Dockerfile b/agent/alpine/Dockerfile
index 213601cb0..478175f4b 100644
--- a/agent/alpine/Dockerfile
+++ b/agent/alpine/Dockerfile
@@ -24,6 +24,7 @@ RUN set -eux && \
 apk add --no-cache --clean-protected \
 tini \
 bash \
+ tzdata \
 coreutils \
 iputils \
 libcurl \
diff --git a/agent/centos/Dockerfile b/agent/centos/Dockerfile
index 342cdaa84..005f9df53 100644
--- a/agent/centos/Dockerfile
+++ b/agent/centos/Dockerfile
@@ -24,6 +24,7 @@ RUN set -eux && \
 mkdir -p /var/lib/zabbix/modules && \
 yum --quiet makecache && \
 yum -y install --setopt=tsflags=nodocs \
+ tzdata \
 libldap \
 libcurl \
 openssl-libs && \
diff --git a/agent/ubuntu/Dockerfile b/agent/ubuntu/Dockerfile
index 7f90c66b6..cea6feef6 100644
--- a/agent/ubuntu/Dockerfile
+++ b/agent/ubuntu/Dockerfile
@@ -27,6 +27,7 @@ RUN set -eux && \
 mkdir -p /var/lib/zabbix/modules && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
+ tzdata \
 curl \
 ca-certificates \
 gpg \
diff --git a/server-mysql/alpine/Dockerfile b/server-mysql/alpine/Dockerfile
index 42bd4a5be..8728d74c2 100644
--- a/server-mysql/alpine/Dockerfile
+++ b/server-mysql/alpine/Dockerfile
@@ -36,6 +36,7 @@ RUN set -eux && \
 tini \
 bash \
 fping \
+ tzdata \
 iputils \
 libcurl \
 libldap \
diff --git a/server-mysql/centos/Dockerfile b/server-mysql/centos/Dockerfile
index ec931325a..5739c3968 100644
--- a/server-mysql/centos/Dockerfile
+++ b/server-mysql/centos/Dockerfile
@@ -36,6 +36,7 @@ RUN set -eux && \
 yum -y install --setopt=tsflags=nodocs https://repo.zabbix.com/non-supported/rhel/7/x86_64/iksemel-1.4-2.el7.centos.x86_64.rpm \
 https://repo.zabbix.com/non-supported/rhel/7/x86_64/fping-3.10-1.el7.x86_64.rpm && \
 yum -y install --setopt=tsflags=nodocs \
+ tzdata \
 iputils \
 traceroute \
 libcurl \
diff --git a/server-mysql/ubuntu/Dockerfile b/server-mysql/ubuntu/Dockerfile
index 8710ec7f4..ca0d1bc08 100644
--- a/server-mysql/ubuntu/Dockerfile
+++ b/server-mysql/ubuntu/Dockerfile
@@ -38,6 +38,7 @@ RUN set -eux && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
 curl \
+ tzdata \
 ca-certificates \
 gpg \
 dirmngr \
diff --git a/server-pgsql/alpine/Dockerfile b/server-pgsql/alpine/Dockerfile
index aaf8b991a..9d6c09577 100644
--- a/server-pgsql/alpine/Dockerfile
+++ b/server-pgsql/alpine/Dockerfile
@@ -36,6 +36,7 @@ RUN set -eux && \
 tini \
 bash \
 fping \
+ tzdata \
 iputils \
 libcurl \
 libldap \
diff --git a/server-pgsql/centos/Dockerfile b/server-pgsql/centos/Dockerfile
index f6253dff7..26f073de6 100644
--- a/server-pgsql/centos/Dockerfile
+++ b/server-pgsql/centos/Dockerfile
@@ -37,6 +37,7 @@ RUN set -eux && \
 https://repo.zabbix.com/non-supported/rhel/7/x86_64/fping-3.10-1.el7.x86_64.rpm && \
 yum -y install --setopt=tsflags=nodocs \
 iputils \
+ tzdata \
 traceroute \
 libcurl \
 libxml2 \
diff --git a/server-pgsql/ubuntu/Dockerfile b/server-pgsql/ubuntu/Dockerfile
index 04442a0b5..0985bac45 100644
--- a/server-pgsql/ubuntu/Dockerfile
+++ b/server-pgsql/ubuntu/Dockerfile
@@ -38,6 +38,7 @@ RUN set -eux && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
 curl \
+ tzdata \
 ca-certificates \
 gpg \
 dirmngr \
diff --git a/snmptraps/alpine/Dockerfile b/snmptraps/alpine/Dockerfile
index b39704b76..be2a959f0 100644
--- a/snmptraps/alpine/Dockerfile
+++ b/snmptraps/alpine/Dockerfile
@@ -30,6 +30,7 @@ RUN set -eux && \
 zabbix && \
 apk update && \
 apk add --clean-protected --no-cache \
+ tzdata \
 net-snmp \
 supervisor && \
 apk add --no-cache --virtual build-dependencies \
diff --git a/snmptraps/centos/Dockerfile b/snmptraps/centos/Dockerfile
index 7a85d2eb4..65b30a861 100644
--- a/snmptraps/centos/Dockerfile
+++ b/snmptraps/centos/Dockerfile
@@ -30,6 +30,7 @@ RUN set -eux && \
 yum --quiet makecache && \
 yum -y install epel-release && \
 yum -y install --setopt=tsflags=nodocs \
+ tzdata \
 net-snmp \
 supervisor && \
 yum -y install --setopt=tsflags=nodocs \
diff --git a/snmptraps/ubuntu/Dockerfile b/snmptraps/ubuntu/Dockerfile
index 26cfaab21..7d45c689f 100644
--- a/snmptraps/ubuntu/Dockerfile
+++ b/snmptraps/ubuntu/Dockerfile
@@ -32,6 +32,7 @@ RUN set -eux && \
 zabbix && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
+ tzdata \
 snmp-mibs-downloader \
 snmptrapd \
 supervisor && \