community.zabbix
Auto encryption broke zabbix-agent docker installation
SUMMARY
Not possible to run docker container with auto encryption
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.zabbix.zabbix_agent
community.zabbix 2.1.0
ANSIBLE VERSION
ansible [core 2.15.4]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/.local/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /root/.local/bin/ansible
python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/inventory.d']
DEFAULT_LOAD_CALLBACK_PLUGINS(/etc/ansible/ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
OS / ENVIRONMENT / Zabbix Version
OS=linux ( problem present on all distro )
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION_CODENAME=bullseye
ID=debian
KERNEL=5.10.0-23-amd64
ENVIRONMENT=docker
Docker version 24.0.5, build ced0996
DESCRIPTION
In a zabbix-agent Docker installation with auto encryption, the directory /etc/zabbix/ and the user zabbix are missing. Tested and verified with the agent2 version.
STEPS TO REPRODUCE
With a clean installation, set
zabbix_agent2_tlspsk_auto: true and zabbix_agent_docker: true
Our playbook
---
- name: "Install & configure zabbix-agent playbook"
  hosts: "{{ variable_host|default('all') }}"
  roles:
    - role: community.zabbix.zabbix_agent
  vars:
    zabbix_agent2: true
    zabbix_agent2_tlspsk_auto: true
    zabbix_api_create_hostgroup: true
    #zabbix_api_server_host: WRITTEN IN GROUP VARS
    #zabbix_api_server_port: 80 DEFAULT
    ansible_zabbix_url_path: "api_jsonrpc.php"
    zabbix_api_login_pass: XXXXXXXXX
    #zabbix_api_login_user: Admin DEFAULT
    zabbix_api_create_hosts: true
    zabbix_agent_hostgroups_state: present
    zabbix_agent_host_state: present
    zabbix_agent_inventory_mode: automatic
    zabbix_useuip: 0
    zabbix_agent_interfaces:
      - type: 1
        main: 1
        useip: "{{ zabbix_useuip }}"
        ip: "{{ zabbix_agent_ip }}"
        dns: "{{ zabbix_agent2_hostname }}"
        port: "{{ zabbix_agent_listenport }}"
Our group file inventory
---
zabbix_host_groups:
  - Linux Servers
  - Container agent
ansible_user: "root"
zabbix_agent_link_templates:
  - Linux_base
zabbix_api_server_host: v3-re-docker.example.it
zabbix_agent_docker: true
zabbix_agent_docker_name: "zabbix-agent"
zabbix_agent_docker_hostname: "{{ ansible_hostname }}_zabbix-agent"
zabbix_agent_docker_user_uid: 1997
zabbix_agent_docker_user_gid: 1995
zabbix_agent_docker_privileged: true
zabbix_agent_docker_network_mode: bridge
zabbix_agent_docker_ports: [10050:10050]
zabbix_agent_docker_volumes: ["{{ zabbix_agent2_tlspskfile }}:{{ zabbix_agent2_tlspskfile }}"]
zabbix_agent_docker_env:
  ZBX_HOSTNAME: "{{ inventory_hostname }}"
  ZBX_SERVER_HOST: "{{ zabbix_api_server_host }}"
  ZBX_TLSPSKIDENTITY: "{{ zabbix_agent2_tlspskidentity }}"
  ZBX_TLSPSKFILE: "{{ zabbix_agent2_tlspskfile }}"
  ZBX_TLSCONNECT: "{{ zabbix_agent2_tlsconnect }}"
  ZBX_TLSACCEPT: "{{ zabbix_agent2_tlsaccept }}"
ACTUAL RESULTS
The role skips the repo & package installation (file main.yaml, line 38):
- name: "Install the correct repository"
  include_tasks: "{{ ansible_os_family }}.yml"
  when:
    - not (zabbix_agent_docker | bool)
So the next encryption section starts, file main.yaml line 51 (agent2 version):
- name: "Encrypt with TLS PSK auto management"
  include_tasks: tlspsk_auto_agent2.yml
  when:
    - zabbix_agent2 | bool
    - zabbix_agent2_tlspsk_auto | bool
    - (zabbix_agent2_tlspskfile is undefined) or (zabbix_agent2_tlspskfile | length == '0')
    - (zabbix_agent2_tlspsk_secret is undefined) or (zabbix_agent2_tlspsk_secret | length == '0')
The error says that the directory /etc/zabbix/ is missing, which is correct because no package has been installed:
TASK [community.zabbix.zabbix_agent : AutoPSK | Template TLS PSK identity in file (Linux)] ***********************************************************************************************************************************************************************************************
fatal: [v3-re-docker-test.lab.example.it]: FAILED! => changed=false
checksum: 4eecc85eed64ec0c9466b690ab8521dbe7320071
msg: Destination directory /etc/zabbix does not exist
PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************************
v3-re-docker-test.lab.example.it : ok=13 changed=0 unreachable=0 failed=1 skipped=8 rescued=0 ignored=0
FIX
Added these tasks at the start of the file tlspsk_auto_agent2_linux.yml:
---
- name: "[ DOCKER ] | Create directory /etc/zabbix/ if not exist"
  file:
    path: "/etc/zabbix/"
    mode: 0755
    state: directory
  become: true
  when:
    - zabbix_agent_docker | bool
  tags:
    - config

- name: "[ DOCKER ] | Adding zabbix group if not exist"
  group:
    name: zabbix
    state: present
    gid: "{{ zabbix_agent_docker_user_gid | default(omit) }}"
  become: true
  when:
    - zabbix_agent_docker | bool
  tags:
    - config

- name: "[ DOCKER ] | Adding zabbix user if not exist"
  user:
    name: zabbix
    group: zabbix
    state: present
    create_home: false
    home: /etc/zabbix
    uid: "{{ zabbix_agent_docker_user_uid | default(omit) }}"
    system: true
  become: true
  when:
    - zabbix_agent_docker | bool
  tags:
    - config
So the directory and user are correctly created (only if zabbix_agent_docker: true) and the role works correctly.
NOTE
Tested only for agent2 version, not agent1 version
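
An added verification step, not part of the original report or of the role's own code: after the auto-PSK tasks have run, these tasks check that the host-side PSK file bind-mounted into the container is owned by the uid/gid the container runs as, is not readable by other users, and holds a PSK within Zabbix's accepted size (32 to 512 hexadecimal digits). It assumes `zabbix_agent2_tlspskfile`, `zabbix_agent_docker_user_uid` and `zabbix_agent_docker_user_gid` are defined as in the inventory above, and that the role leaves the file owned by the zabbix user; the task names and the registered variables `psk_stat` and `psk_raw` are made up for this example.

```yaml
---
# Added example: pre-flight checks on the PSK file that is mounted into
# the zabbix-agent container. Variable names come from the report above;
# psk_stat and psk_raw are hypothetical register names.
- name: "[ DOCKER ] | Stat the host-side PSK file"
  ansible.builtin.stat:
    path: "{{ zabbix_agent2_tlspskfile }}"
  register: psk_stat
  become: true
  when:
    - zabbix_agent_docker | bool

- name: "[ DOCKER ] | Read the PSK for a format check (kept out of the logs)"
  ansible.builtin.slurp:
    src: "{{ zabbix_agent2_tlspskfile }}"
  register: psk_raw
  become: true
  no_log: true
  when:
    - zabbix_agent_docker | bool
    - psk_stat.stat.exists

- name: "[ DOCKER ] | Assert the PSK file is usable by the container user only"
  ansible.builtin.assert:
    that:
      # Conditions are evaluated in order; the first failure stops the check.
      - psk_stat.stat.exists
      - psk_stat.stat.isreg
      # Ownership must match the uid/gid used for the container user.
      - psk_stat.stat.uid == (zabbix_agent_docker_user_uid | int)
      - psk_stat.stat.gid == (zabbix_agent_docker_user_gid | int)
      # Owner read (optionally write), group read at most, nothing for others.
      - psk_stat.stat.mode is match('^0[46][04]0$')
      # Zabbix accepts PSKs of 128 to 2048 bits, written as hex digits.
      - (psk_raw.content | b64decode | trim) is match('^[0-9a-fA-F]{32,512}$')
    fail_msg: >-
      PSK file {{ zabbix_agent2_tlspskfile }} is missing, has the wrong
      owner or mode, or does not contain 32-512 hexadecimal digits.
    quiet: true
  when:
    - zabbix_agent_docker | bool
```

On failure the assert reports the failing expression rather than the decoded key, so the PSK itself does not end up in the play output.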