Open CompPhy opened 3 months ago
I have a related issue, when not specifying anything related to PSK, default configuration file includes the line (file doesn't exist):
TLSPSKFile=/etc/zabbix/tls_psk_auto.secret
And zabbix-agent fails to start:
zabbix_agent2 [107816]: ERROR: cannot use encryption configuration: TLSPSKFile configuration parameter set without PSK being used
Workaround is to set zabbix_agent_tlspskfile
to empty string when calling agent role.
Ubuntu 22 & collection 2.5.1
I have a related issue, when not specifying anything related to PSK, default configuration file includes the line (file doesn't exist):
TLSPSKFile=/etc/zabbix/tls_psk_auto.secret
And zabbix-agent fails to start:
zabbix_agent2 [107816]: ERROR: cannot use encryption configuration: TLSPSKFile configuration parameter set without PSK being used
Workaround is to set
zabbix_agent_tlspskfile
to empty string when calling agent role.Ubuntu 22 & collection 2.5.1
@sshmanko Would encourage you to check the latest release and see if you still have this problem. If you do, create a new ticket specific to your problem because while your issue is similar to the one originally posted here, it is completely different in what is/was causing the issue.
If you want Ansible to create this file then you need to provide the content of this file too in variable zabbix_proxy_tlspsk_secret
@BGmot I'm curious on your thoughts. Playing with the idea of adding the same auto-psk stuff we have in the agent role. Think its better to copy/past or to put it into a new role that deals with the PSK that can be called by both agent and proxy?
To be honest I don't like "auto-psk" functionality. That is a security stuff. Distribution of these files (along with certificates, keys, CA's certificate) must be (in my opinion) carefully designed/planned and deployed as an activity not tight to Zabbix components' deployment. Zabbix is just using these files. What do you think?
When it comes to the cert I completely agree. We should not be generating a cert. I'm less concerned about generating a pre-shared key (although I suppose that in this case at least, the difference between a cert and a psk is not huge)
If you feel like implementing it then sure, go ahead please. But anyway you'll need to read PSK file from every host to configure all the hosts in Zabbix (via zabbix_host module).
SUMMARY
If you specify
zabbix_proxy_tlspskfile
variable, there is nothing in the roles to actually create this file. There is a check to make sure the directory exists, but nothing to make sure the file itself exists. The role will complete and even restarts the service, but then the service will fail shortly after startup with the error below. I've specifically seen this on the Zabbix Proxy role, but would expect this can probably happen on any role that does PSK configuration.cannot open file "/var/lib/zabbix/zabbix.psk": [2] No such file or directory
The only work around I've found is to manually create this file before running the Zabbix role. The better solution would be to have the role create the file, if it doesn't already exist. Doing something like
openssl rand -hex 32
is sufficient for the content of this file.I'm currently using the 2.4.0 release of the collection, but looking at the relevant tasks on the current main branch and I don't see anything for this issue. I do have a work around in our usage currently, but it sure would be nice if the collection would fix this eventually.
ISSUE TYPE
COMPONENT NAME
Zabbix Proxy role, possibly others as well.
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT / Zabbix Version
We are currently targeting latest RedHat 8 and 9 releases, and the same issue appears in both.
STEPS TO REPRODUCE
EXPECTED RESULTS
If the file doesn't exist, the role should just create a reasonable default based on a random hash. In our case we set this variable to
/var/lib/zabbix/zabbix.psk
.ACTUAL RESULTS