monitoringartist / dockbix-agent-xxl

:whale: Dockerized Zabbix agent with Docker metrics and host metrics support for CoreOS, RHEL, CentOS, Ubuntu, Debian, Fedora, Boot2docker, Photon OS, Amazon Linux, ...
https://hub.docker.com/r/monitoringartist/dockbix-agent-xxl-limited/

Dockbix agent XXL - enable TLS configuration #45

Open chrismcna opened 5 years ago

chrismcna commented 5 years ago

Hi,

I want to enable TLSConnect=psk and TLSAccept=psk, so I have tried setting environment variables ZA_TLSConnect=psk, ZA_TLSAccept=psk, ZA_TLSPSKIdentity and ZA_TLSPSKFile, but this has no effect. The agent log contains a message saying "failed to accept an incoming connection: from ...: TLS connections are not allowed"

I used the above environment variables as "https://hub.docker.com/r/monitoringartist/dockbix-agent-xxl-limited/" states "You can use almost any agent config parameter, just add prefix ZA_ " with a link to agent configuration page.

jangaraj commented 5 years ago

How did you mount files from "ZA_TLSPSKIdentity and ZA_TLSPSKFile"?

chrismcna commented 5 years ago

ZA_TLSPSKIdentity isn't a file path, it's the value; please see the documentation: https://www.zabbix.com/documentation/3.2/manual/appendix/config/zabbix_agentd

ZA_TLSPSKFile is the path to the file containing the TLS PSK. I tried a few ways: 1: I used a volume to mount the file in the container. 2: I also tried the "docker cp" command, copying the file to the docker container.

I have a Windows agent that I have set up with TLS and it is working fine, so I understand how the TLS settings work in the conf file.

From what I can tell, the environment variables are not passed to/picked up by the Zabbix agent. If you can help explain how these environment variables are passed to/picked up by the agent, I can attempt to debug it myself.

chrismcna commented 5 years ago

I am using docker-compose v2. When I say I mount the file to the container, I used the volumes section, e.g. volumes:

file location on docker host /data/docker/stacks/zabbix/zabbix-agentd.psk,

then used environment section environment to set the environment variables e.g. environment:

jangaraj commented 5 years ago

Please follow https://github.com/monitoringartist/dockbix-agent-xxl#support and provide all logs. Agent doesn't have TLS support compiled, so I'm curious why it is not failing.

chrismcna commented 5 years ago

The agent does have TLS support, see the screenshot of the log from the agent.

chrismcna commented 5 years ago

I will enable debug and get you that information soon.

chrismcna commented 5 years ago

here is the log log.txt

jangaraj commented 5 years ago

There is no problem on the Zabbix agent side. There is "wrapper" code, which prepares the environment for Zabbix, and it ignores any variables with the prefix ZA_TLS. There were problems with TLS, so it was safe to just ignore these settings.

Currently, you can't configure any TLS settings for this docker image. You need to use another image or agent with docker module in the host OS.

Let me keep this issue open for now as my own reminder.
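A check for the failure mode described above, where ZA_TLS* variables are dropped before the agent configuration is written, so the agent silently runs without encryption. This is an added example, not the project's wrapper code: the function names and sample values are constructed, and the ZA_<Param> to <Param> mapping is assumed from the image documentation quoted in the thread.

```shell
#!/bin/sh
# missing_settings ENV_FILE CONF_FILE
# Prints every ZA_<Param>=<value> line of ENV_FILE whose <Param>=<value>
# does not appear as an active (non-comment) line in CONF_FILE.
missing_settings() {
    grep '^ZA_' "$1" | while IFS= read -r line; do
        setting=${line#ZA_}
        if ! grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$setting"; then
            printf '%s\n' "$line"
        fi
    done
}

# tls_dropped ENV_FILE CONF_FILE
# Succeeds when at least one dropped setting is a TLS parameter.
tls_dropped() {
    missing_settings "$1" "$2" | grep -q '^ZA_TLS'
}

# write_sample DIR: constructed inputs (container `env` output and the
# effective agent config with the TLS lines absent).
write_sample() {
    cat > "$1/env" <<'EOF'
PATH=/usr/bin:/bin
ZA_Server=zabbix.example.test
ZA_TLSConnect=psk
ZA_TLSAccept=psk
ZA_TLSPSKIdentity=agent-01
ZA_TLSPSKFile=/etc/zabbix/zabbix-agentd.psk
EOF
    cat > "$1/conf" <<'EOF'
# generated by wrapper (constructed sample)
Server=zabbix.example.test
LogType=console
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample "$dir"
    missing_settings "$dir/env" "$dir/conf"
    rm -rf "$dir"
}

demo
```

Against a real container, feed it the output of `env` from inside the container and the configuration file the agent was actually started with; that file's path is image-specific.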

chrismcna commented 5 years ago

Thanks for the help, it answers my question. I saw the TLS support enabled in the agent log and hoped I could get it to work.

By the way, thanks for this project and all your/your team's hard work, this project is great.

chrismcna commented 5 years ago

Just a quick question: I have an Ubuntu Zabbix Agent 3.4.0, I have used a precompiled Ubuntu 16 zabbix_module_docker.so and loaded it in with the Zabbix agent configuration. The agent log states it has loaded the module, but I'm not getting any Docker data in my Zabbix server. The agent is connected to the server.

Any ideas?

Docker compose snippet:

```yaml
zabbix-agent-new:
  image: zabbix/zabbix-agent:ubuntu-3.4.0
  privileged: true
  environment:
```

Zabbix Agent Log


jangaraj commented 5 years ago

The module doesn't read metrics from /rootfs; it is not designed to run in the container. You will need to modify the module source code for that.

chrismcna commented 5 years ago

Solved it now using. So I've taken the zabbix_module_docker.so from your docker image, as I noticed your version in the image is 0.6.8 and your prebuilt is 0.6.7.

I then used the docker compose below. I've had to mount over configuration files I can't change from the zabbix/zabbix-agent docker image.

/etc/zabbix/zabbix_agentd.conf is mounted over as I cannot specify AllowRoot via zabbix/zabbix-agent image environment variables.

/etc/supervisor/conf.d/supervisord_zabbix.conf is mounted over as I cannot change the Zabbix agent user to run as root any other way.

Now I have the zabbix/zabbix-agent image, loading in your module, working with Docker and using encryption.

```yaml
version: "2"
services:
  zabbix-server:
    image: zabbix/zabbix-appliance:latest
    volumes:
```

ProteanCode commented 5 years ago

isn't there any shortcut as for now?

My first idea is to use nginx reverse proxy that redirects a url into local container, so it would end with proxying https://dockbix-agent.node-234.examle.com to container IP (like 172.10.0.5:10050)

I will try to do this using nginx-proxy container, this would encrypt all data between nginx reverse proxy and zabbix server (which is also running under HTTPS)

As for swarm, I have very limited knowledge how its load balancer would handle it but a wildcard certificate should do the work

jangaraj commented 5 years ago

No, there is no shortcut for that. But https://github.com/monitoringartist/dockbix-xxl/ uses nginx, so you can create a custom nginx config and use it instead of the default nginx configuration.