zabbix / zabbix-docker

Official Zabbix Dockerfiles
https://www.zabbix.com
GNU Affero General Public License v3.0

Web UI unavailable after migration from CentOS 7 to Rocky Linux 8 #1445

Closed Kris0x0000 closed 2 months ago

Kris0x0000 commented 2 months ago

I'm using dockerized Zabbix 5.0. It had worked fine until an in-place upgrade from CentOS 7 to Rocky Linux 8. Now it works only from inside the zabbix-web-apache-mysql container. From the Docker host it has no connection.

curl from the web container:

curl -vvv http://127.0.0.1:8080

<!DOCTYPE html>
<html>
        <head>
                <meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
                <meta charset="utf-8" />
                <meta name="viewport" content="width=device-width, initial-scale=1">
                <meta name="Author" content="Zabbix SIA" />
                <title>Composed installation: Zabbix</title>
                <link rel="icon" href="favicon.ico">

curl from the docker host:

 curl -vvv 127.0.0.1:8080
* Rebuilt URL to: 127.0.0.1:8080/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

lsof -Pi

lsof -Pi | grep "8080"
docker-pr 1152020   root    4u  IPv4 9603312      0t0  TCP localhost:8080 (LISTEN)

docker ps | grep zabbix

docker ps | grep zabbix
b312fa9d9fcb   zabbix/zabbix-agent:alpine-5.0.22                   "/sbin/tini -- /usr/…"   4 hours ago    Up 4 hours                                                             zabbix-docker-50_zabbix-agent_1
af75ba9a841a   zabbix/zabbix-web-apache-mysql:alpine-5.0.22        "docker-entrypoint.s…"   4 hours ago    Up 4 hours (healthy)   127.0.0.1:8080->8080/tcp, 8443/tcp              zabbix-docker-50_zabbix-web-apache-mysql_1
9fa9b3aea444   my/zabbix                                           "/sbin/tini -- /usr/…"   4 hours ago    Up 4 hours             0.0.0.0:10051->10051/tcp, :::10051->10051/tcp   zabbix-docker-50_zabbix-server_1
0ff85d1af06e   mysql:8.0                                           "docker-entrypoint.s…"   4 hours ago    Up 4 hours                                                             zabbix-docker-50_mysql-server_1

firewall-cmd --zone=docker --list-all

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: be17954e014c ... docker0 ...
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

docker-compose.yaml:

version: '3.5'
services:
 zabbix-server:
  #image: zabbix/zabbix-server-mysql:alpine-5.0-latest
  image: my/zabbix

  ports:
   - "10051:10051"
  volumes:
   - /etc/localtime:/etc/localtime:ro
   #- /etc/timezone:/etc/timezone:ro
   - ./zbx_env/usr/lib/zabbix/alertscripts:/usr/lib/zabbix/alertscripts:ro
   - ./zbx_env/usr/lib/zabbix/externalscripts:/usr/lib/zabbix/externalscripts:ro
   - ./zbx_env/var/lib/zabbix/export:/var/lib/zabbix/export:rw
   - ./zbx_env/var/lib/zabbix/modules:/var/lib/zabbix/modules:ro
   - ./zbx_env/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro
   - ./zbx_env/var/lib/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
   - ./zbx_env/var/lib/zabbix/mibs:/var/lib/zabbix/mibs:ro
   #- snmptraps:/var/lib/zabbix/snmptraps:rw
  links:
   - mysql-server:mysql-server
  # - zabbix-java-gateway:zabbix-java-gateway
  ulimits:
   nproc: 65535
   nofile:
    soft: 20000
    hard: 40000
  deploy:
   resources:
    limits:
      cpus: '0.50'
      memory: 1G
    reservations:
      cpus: '0.3'
      memory: 512M
  env_file:
   - .env_db_mysql
   - .env_srv
  secrets:
   - MYSQL_USER
   - MYSQL_PASSWORD
   - MYSQL_ROOT_PASSWORD
  depends_on:
   - mysql-server
  networks:
   zbx_net_backend:
     aliases:
      - zabbix-server
      - zabbix-server-mysql
      - zabbix-server-alpine-mysql
      - zabbix-server-mysql-alpine
   zbx_net_frontend:
  stop_grace_period: 30s
  sysctls:
   - net.ipv4.ip_local_port_range=1024 65000
   - net.ipv4.conf.all.accept_redirects=0
   - net.ipv4.conf.all.secure_redirects=0
   - net.ipv4.conf.all.send_redirects=0
  labels:
   com.zabbix.description: "Zabbix server with MySQL database support"
   com.zabbix.company: "Zabbix LLC"
   com.zabbix.component: "zabbix-server"
   com.zabbix.dbtype: "mysql"
   com.zabbix.os: "alpine"

 zabbix-web-apache-mysql:
  image: zabbix/zabbix-web-apache-mysql:alpine-5.0.22
  ports:
   - "127.0.0.1:8080:8080"
  links:
   - mysql-server:mysql-server
   - zabbix-server:zabbix-server
  volumes:
   - /etc/localtime:/etc/localtime:ro
   # - /etc/timezone:/etc/timezone:ro
   - ./zbx_env/etc/ssl/apache2:/etc/ssl/apache2:ro
   - ./zbx_env/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro
   - ./zbx_env/etc/zabbix/apache.conf:/etc/zabbix/apache.conf
  deploy:
   resources:
    limits:
      cpus: '0.50'
      memory: 512M
    reservations:
      cpus: '0.3'
      memory: 256M
  env_file:
   - .env_db_mysql
   - .env_web
  secrets:
   - MYSQL_USER
   - MYSQL_PASSWORD
  depends_on:
   - mysql-server
   - zabbix-server
  healthcheck:
   test: ["CMD", "curl", "-f", "http://localhost:8080/"]
   interval: 10s
   timeout: 5s
   retries: 3
   start_period: 30s
  networks:
   zbx_net_backend:
    aliases:
     - zabbix-web-apache-mysql
     - zabbix-web-apache-alpine-mysql
     - zabbix-web-apache-mysql-alpine
   zbx_net_frontend:
  stop_grace_period: 10s
  sysctls:
   - net.core.somaxconn=65535
  labels:
   com.zabbix.description: "Zabbix frontend on Apache web-server with MySQL database support"
   com.zabbix.company: "Zabbix LLC"
   com.zabbix.component: "zabbix-frontend"
   com.zabbix.webserver: "apache2"
   com.zabbix.dbtype: "mysql"
   com.zabbix.os: "alpine"

 zabbix-agent:
  image: zabbix/zabbix-agent:alpine-5.0.22
  ports:
   - "10050:10050"
  volumes:
   - /etc/localtime:/etc/localtime:ro
   - /etc/timezone:/etc/timezone:ro
   - ./zbx_env/etc/zabbix/zabbix_agentd.d:/etc/zabbix/zabbix_agentd.d:ro
   - ./zbx_env/var/lib/zabbix/modules:/var/lib/zabbix/modules:ro
   - ./zbx_env/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro
   - ./zbx_env/var/lib/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
  links:
   - zabbix-server:zabbix-server
  deploy:
   resources:
    limits:
      cpus: '0.2'
      memory: 128M
    reservations:
      cpus: '0.1'
      memory: 64M
   mode: global
  env_file:
   - .env_agent
  privileged: true
  pid: "host"
  networks:
   zbx_net_backend:
    aliases:
     - zabbix-agent
     - zabbix-agent-passive
     - zabbix-agent-alpine
  stop_grace_period: 5s
  labels:
   com.zabbix.description: "Zabbix agent"
   com.zabbix.company: "Zabbix LLC"
   com.zabbix.component: "zabbix-agentd"
   com.zabbix.os: "alpine"

 mysql-server:
  image: mysql:8.0
  command:
   - mysqld
   - --character-set-server=utf8
   - --collation-server=utf8_bin
   - --default-authentication-plugin=mysql_native_password
  volumes:
   - ./zbx_env/var/lib/mysql:/var/lib/mysql:rw
  env_file:
   - .env_db_mysql
  secrets:
   - MYSQL_USER
   - MYSQL_PASSWORD
   - MYSQL_ROOT_PASSWORD
  stop_grace_period: 1m
  networks:
   zbx_net_backend:
    aliases:
     - mysql-server
     - zabbix-database
     - mysql-database

 db_data_mysql:
  image: busybox
  volumes:
   - ./zbx_env/var/lib/mysql:/var/lib/mysql:rw

networks:
  zbx_net_frontend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    ipam:
      driver: default
      config:
      - subnet: 172.16.238.0/24
  zbx_net_backend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    internal: true
    ipam:
      driver: default
      config:
      - subnet: 172.16.239.0/24

secrets:
  MYSQL_USER:
    file: ./.MYSQL_USER
  MYSQL_PASSWORD:
    file: ./.MYSQL_PASSWORD
  MYSQL_ROOT_PASSWORD:
    file: ./.MYSQL_ROOT_PASSWORD

dotneft commented 2 months ago

What do you have in - ./zbx_env/etc/zabbix/apache.conf:/etc/zabbix/apache.conf?

Kris0x0000 commented 2 months ago

> What do you have in - ./zbx_env/etc/zabbix/apache.conf:/etc/zabbix/apache.conf?

./zbx_env/etc/zabbix/apache.conf :

<VirtualHost *:8080>
    DocumentRoot /usr/share/zabbix/
    ServerName zabbix
    DirectoryIndex index.php
    AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-httpd-php-source .phps

    <Directory "/usr/share/zabbix">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "/usr/share/zabbix/conf">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>

    <Directory "/usr/share/zabbix/app">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>

    <Directory "/usr/share/zabbix/include">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>

    <Directory "/usr/share/zabbix/local">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>

    <Directory "/usr/share/zabbix/locale">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>

    <Directory "/usr/share/zabbix/vendor">
        Require all denied
        <files *.php>
            Order deny,allow
            Deny from all
        </files>
    </Directory>
</VirtualHost>

dotneft commented 2 months ago

Looks like some network issue. Do you see your request in the http access log? Maybe it is better to use podman instead of docker on Rocky 8?

Kris0x0000 commented 2 months ago

Hi, finally I was able to resolve the issue. The resolution was to change the subnet for zbx_net_frontend to anything other than 172.16.238.0/24. It looks like there were some orphaned network interfaces in the system. Even though they were not listed by "docker network ls", they were still in the system ("ip a").

changed from this:

networks:
  zbx_net_frontend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    ipam:
      driver: default
      config:
      - subnet: 172.16.238.0/24
  zbx_net_backend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    internal: true
    ipam:
      driver: default
      config:
      - subnet: 172.16.239.0/24

to this:

networks:
  zbx_net_frontend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    ipam:
      driver: default
      config:
      - subnet: 172.16.233.0/24
  zbx_net_backend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    internal: true
    ipam:
      driver: default
      config:
      - subnet: 172.16.239.0/24

ip a | grep -C2 "172.16.238."

4: br-1ee8472c9885: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ff:54:35:92 brd ff:ff:ff:ff:ff:ff
    inet 172.16.238.1/24 brd 172.16.238.255 scope global br-1ee8472c9885
       valid_lft forever preferred_lft forever
5: br-24974ef4178c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
--
805: br-7d1c7e8f727f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:cf:fc:ea:16 brd ff:ff:ff:ff:ff:ff
    inet 172.16.238.1/24 brd 172.16.238.255 scope global br-7d1c7e8f727f
       valid_lft forever preferred_lft forever
    inet6 fe80::42:cfff:fefc:ea16/64 scope link

dotneft commented 2 months ago

Great! But strange that you are able to create multiple networks with the same IP ranges.
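The check done by hand with `ip a` in the resolution above, as an added example that is not part of the thread: it reports subnets held by more than one bridge interface and bridges with no matching Docker network. It assumes Docker's default bridge naming (`br-` plus the first 12 characters of the network ID); the function names and the sample data are constructed.

```sh
# Added example (not from the thread). Assumes Docker's default bridge naming:
# "br-" + first 12 characters of the network ID, as printed by `docker network ls -q`.

# stdin: `ip -o -4 addr show` output. Prints "<network>/<prefix> <ifname>" per br-* interface.
bridge_subnets() {
  awk '$2 ~ /^br-/ {
    split($4, a, "/"); split(a[1], o, ".")
    ip   = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    size = 2 ^ (32 - a[2])                 # addresses in the subnet
    net  = int(ip / size) * size           # clear the host bits
    printf "%d.%d.%d.%d/%d %s\n", int(net / 16777216) % 256,
           int(net / 65536) % 256, int(net / 256) % 256, net % 256, a[2], $2
  }'
}

# stdin: `ip -o -4 addr show` output. Prints "<subnet>: <if> <if> ..." for shared subnets.
duplicate_subnets() {
  bridge_subnets | sort | awk '
    { n[$1]++; ifs[$1] = ifs[$1] " " $2 }
    END { for (s in n) if (n[s] > 1) print s ":" ifs[s] }' | sort
}

# $1: whitespace-separated short network IDs; stdin: `ip -o -4 addr show` output.
# Prints "<ifname> <subnet>" for every bridge Docker does not list.
orphan_bridges() {
  known=$1
  bridge_subnets | while read -r subnet ifname; do
    printf '%s\n' $known | grep -qx "${ifname#br-}" || echo "$ifname $subnet"
  done
}

# Constructed sample: the two bridges from the thread's `ip a` output plus a
# made-up live network (br-0123456789ab) and docker0, in `ip -o` layout.
SAMPLE_IP='3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: br-1ee8472c9885    inet 172.16.238.1/24 brd 172.16.238.255 scope global br-1ee8472c9885
805: br-7d1c7e8f727f    inet 172.16.238.1/24 brd 172.16.238.255 scope global br-7d1c7e8f727f
900: br-0123456789ab    inet 172.16.233.1/24 brd 172.16.233.255 scope global br-0123456789ab'
SAMPLE_IDS='0123456789ab'   # constructed stand-in for `docker network ls -q`

echo "Subnets claimed by more than one bridge:"
printf '%s\n' "$SAMPLE_IP" | duplicate_subnets
echo "Bridges with no matching Docker network:"
printf '%s\n' "$SAMPLE_IP" | orphan_bridges "$SAMPLE_IDS"
# Live: ip -o -4 addr show | orphan_bridges "$(docker network ls -q)"
```

A stale bridge reported here can be removed with `ip link delete <ifname>` once no container is attached to it, which frees the subnet without renumbering the compose file.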