Hi all,
I am a newbie with Zabbix and I am trying to deploy it using Docker, with a docker-compose file to be exact.
Little by little I want to tweak every parameter and element that needs it, so I decided to use the official docker-compose files as a baseline: zabbix/zabbix-docker: Official Zabbix Dockerfiles (github.com)
I have a VM with CentOS 8 and a service stack as follows:
1. Ubuntu 6.2 image for Zabbix Server
2. Ubuntu 6.2 image for mysql database
3. Ubuntu 6.2 image for zabbix agent
These are key components.
I decided to start with self-signed certificates, using OpenSSL and a bash script to generate them.
Code:
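#!/usr/bin/env bash
#
# Build a small private PKI for the Zabbix <-> MySQL TLS link:
#   1. a self-signed root CA             (ca-key.pem / ca-cert.pem)
#   2. a server certificate for MySQL    (CN=mysql-server)
#   3. a client certificate for Zabbix   (CN=zabbix)
# and copy the results to the locations the docker-compose file reads.
#
# Changes compared with the version originally posted:
#   * stop on the first failing command instead of copying half-built files
#   * the CA private key is written owner-only (a shell redirect honours the
#     umask and typically leaves it world-readable)
#   * server and client certificates get different serial numbers; two
#     certificates from one CA with the same serial are ambiguous to anything
#     that identifies a certificate by issuer + serial (revocation, some TLS
#     stacks)
#   * "-days" is dropped from the CSR steps, where openssl ignores it
#   * "yes | cp -rf" becomes "cp -f": -f already suppresses prompts, and the
#     "yes" pipeline fails under "set -o pipefail"
#   * "mkdir env_vars" becomes "mkdir -p" so the script can be re-run
set -euo pipefail

# Certificate lifetime in days. The default is the value from the original
# post (roughly 1000 years): such certificates never expire in practice, so a
# leaked key stays valid until the CA itself is replaced. Override with e.g.
# CERT_DAYS=397 for anything that is not a throw-away lab.
CERT_DAYS="${CERT_DAYS:-365000}"

mkdir -p ~/newcerts
mkdir -p ~/zbx_env/var/lib/zabbix/ssl/certs
mkdir -p ~/zbx_env/var/lib/zabbix/ssl/ssl_ca
mkdir -p ~/zbx_env/var/lib/zabbix/ssl/keys
mkdir -p ~/zbx_env/var/lib/zabbix/enc
chmod 0750 ~/newcerts
cd ~/newcerts

# NOTE: the e-mail address in each subject was redacted on the page this
# script came from; "admin@example.invalid" is a placeholder, replace it.

# CA key
# The CA key can sign certificates for any name, and no container needs it:
# it is never copied out of ~/newcerts and is kept owner-only.
openssl genrsa -out ca-key.pem 2048
chmod 0600 ca-key.pem
openssl req -new -x509 -nodes -days "$CERT_DAYS" -key ca-key.pem -out ca-cert.pem \
    -subj "/C=XX/ST=XX/L=XX/O=XX/OU=IT/CN=root-ca/emailAddress=admin@example.invalid"

# server key
# CN must match the name clients use to reach the database ("mysql-server").
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
    -subj "/C=XX/ST=DOL/L=XX/O=XX/OU=IT/CN=mysql-server/emailAddress=admin@example.invalid"
openssl x509 -req -days "$CERT_DAYS" -set_serial 01 \
    -in server-req.pem \
    -out server-cert.pem \
    -CA ca-cert.pem \
    -CAkey ca-key.pem

# client key
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem \
    -subj "/C=XX/ST=XX/L=XX/O=XX/OU=IT/CN=zabbix/emailAddress=admin@example.invalid"
openssl x509 -req -days "$CERT_DAYS" -set_serial 02 \
    -in client-req.pem \
    -out client-cert.pem \
    -CA ca-cert.pem \
    -CAkey ca-key.pem

# check key ok (with "set -e" a failed verification stops the script here,
# before anything is copied)
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

# ls key
ls ~/newcerts

# Distribute the material. Every copy of a private key is one more file to
# protect. The copies keep whatever mode openssl gave the source file; the
# user a container runs as must still be able to read the files mounted into
# it, so check ownership and mode of the key copies after running this.
mkdir -p ~/env_vars

# files referenced by the compose "secrets:" section
cp -f ~/newcerts/ca-cert.pem     ~/env_vars/.ZBX_DB_CA_FILE
cp -f ~/newcerts/client-key.pem  ~/env_vars/.ZBX_DB_KEY_FILE
cp -f ~/newcerts/client-cert.pem ~/env_vars/.ZBX_DB_CERT_FILE
cp -f ~/newcerts/server-cert.pem ~/env_vars/.DB_CERT_FILE
cp -f ~/newcerts/server-key.pem  ~/env_vars/.DB_KEY_FILE

# same files under their plain names
cp -f ~/newcerts/ca-cert.pem     ~/env_vars/root-ca.pem
cp -f ~/newcerts/client-key.pem  ~/env_vars/client-key.pem
cp -f ~/newcerts/client-cert.pem ~/env_vars/client-cert.pem
cp -f ~/newcerts/server-cert.pem ~/env_vars/server-cert.pem
cp -f ~/newcerts/server-key.pem  ~/env_vars/server-key.pem

# Zabbix ssl/ tree
cp -f ~/newcerts/ca-cert.pem     ~/zbx_env/var/lib/zabbix/ssl/ssl_ca/root-ca.pem
cp -f ~/newcerts/client-key.pem  ~/zbx_env/var/lib/zabbix/ssl/keys/client-key.pem
cp -f ~/newcerts/client-cert.pem ~/zbx_env/var/lib/zabbix/ssl/certs/client-cert.pem
cp -f ~/newcerts/server-key.pem  ~/zbx_env/var/lib/zabbix/ssl/keys/server-key.pem
cp -f ~/newcerts/server-cert.pem ~/zbx_env/var/lib/zabbix/ssl/certs/server-cert.pem

# Zabbix enc/ directory (client side only; the server key is not copied here)
cp -f ~/newcerts/ca-cert.pem     ~/zbx_env/var/lib/zabbix/enc/root-ca.pem
cp -f ~/newcerts/client-key.pem  ~/zbx_env/var/lib/zabbix/enc/client-key.pem
cp -f ~/newcerts/client-cert.pem ~/zbx_env/var/lib/zabbix/enc/client-cert.pem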
Code:
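version: '3.5'
# Zabbix 6.2 stack: server, Apache frontend, agent, SNMP trap receiver and a
# MySQL 8.0 database that only accepts TLS connections.
#
# Review notes that apply to the whole file:
#   * Image tags ("-latest", "8.0-oracle", untagged busybox) float, so two
#     deployments of this file can run different code. Pin a version tag or
#     a digest once the setup works.
#   * The "secrets:" entries at the bottom are plain files under ./env_vars.
#     When this file is run with docker-compose (not Swarm) they are
#     bind-mounted into /run/secrets, so the host file's owner and mode decide
#     who can read them. Keep ./env_vars out of version control.
services:
  zabbix-server:
    image: zabbix/zabbix-server-mysql:ubuntu-6.2-latest
    ports:
      - "10051:10051"
    hostname: zabbix-server
    environment:
      - DB_SERVER_PORT=3306
    volumes:
      - ./env_vars/root-ca.pem:/usr/share/ca-certificates/root-ca.crt:ro
      - /etc/localtime:/etc/localtime:ro
      - ./zbx_env/usr/lib/zabbix/alertscripts:/usr/lib/zabbix/alertscripts:ro
      - ./zbx_env/usr/lib/zabbix/externalscripts:/usr/lib/zabbix/externalscripts:ro
      - ./zbx_env/var/lib/zabbix/export:/var/lib/zabbix/export:rw
      - ./zbx_env/var/lib/zabbix/modules:/var/lib/zabbix/modules:ro
      # enc/ holds a second copy of the DB client key that is also delivered
      # through the client-key.pem secret below; one delivery path is enough.
      - ./zbx_env/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro
      - ./zbx_env/var/lib/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
      - ./zbx_env/var/lib/zabbix/mibs:/var/lib/zabbix/mibs:ro
      - snmptraps:/var/lib/zabbix/snmptraps:rw
    ulimits:
      nproc: 65535
      nofile:
        soft: 20000
        hard: 40000
    deploy:
      resources:
        limits:
          cpus: '0.70'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 512M
    env_file:
      - ./env_vars/.env_db_mysql
      - ./env_vars/.env_srv
    secrets:
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_ROOT_USER
      - MYSQL_ROOT_PASSWORD
      - client-key.pem
      - client-cert.pem
      - root-ca.pem
    depends_on:
      - mysql-server
    networks:
      zbx_net_backend:
        aliases:
          - zabbix-server
          - zabbix-server-mysql
          - zabbix-server-ubuntu-mysql
          - zabbix-server-mysql-ubuntu
      zbx_net_frontend: {}
    # devices:
    #   - "/dev/ttyUSB0:/dev/ttyUSB0"
    stop_grace_period: 30s
    sysctls:
      - "net.ipv4.ip_local_port_range=1024 65000"
      - net.ipv4.conf.all.accept_redirects=0
      - net.ipv4.conf.all.secure_redirects=0
      - net.ipv4.conf.all.send_redirects=0
    labels:
      com.zabbix.description: "Zabbix server with MySQL database support"
      com.zabbix.company: "Zabbix LLC"
      com.zabbix.component: "zabbix-server"
      com.zabbix.dbtype: "mysql"
      com.zabbix.os: "ubuntu"

  zabbix-web-apache-mysql:
    image: zabbix/zabbix-web-apache-mysql:ubuntu-6.2-latest
    ports:
      # 8081 publishes the frontend over plain HTTP next to HTTPS on 8443, so
      # logins sent to 8081 cross the network unencrypted. The healthcheck
      # below talks to localhost:8080 inside the container and does not need
      # this host mapping.
      - "8081:8080"
      - "8443:8443"
    hostname: zabbix-web-apache-mysql
    volumes:
      # NOTE(review): the certificate script on this page does not create
      # ./env_vars/cert.pem. If the host path is missing, Docker creates a
      # directory with that name and mounts it instead - confirm the file
      # exists, or point this at root-ca.pem if that is what was intended.
      - ./env_vars/cert.pem:/usr/share/ca-certificates/mozilla/zabbix-cert.crt:ro
      - /etc/localtime:/etc/localtime:ro
      - ./zbx_env/etc/ssl/apache2:/etc/ssl/apache2:ro
      - ./zbx_env/usr/share/zabbix/modules/:/usr/share/zabbix/modules/:ro
    deploy:
      resources:
        limits:
          cpus: '0.70'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M
    env_file:
      - ./env_vars/.env_db_mysql
      - ./env_vars/.env_web
    secrets:
      - MYSQL_USER
      - MYSQL_PASSWORD
      - client-key.pem
      - client-cert.pem
      - root-ca.pem
    depends_on:
      - mysql-server
      - zabbix-server
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 30s
    networks:
      zbx_net_backend:
        aliases:
          - zabbix-web-apache-mysql
          - zabbix-web-apache-ubuntu-mysql
          - zabbix-web-apache-mysql-ubuntu
      zbx_net_frontend: {}
    stop_grace_period: 10s
    sysctls:
      - net.core.somaxconn=65535
    labels:
      com.zabbix.description: "Zabbix frontend on Apache web-server with MySQL database support"
      com.zabbix.company: "Zabbix LLC"
      com.zabbix.component: "zabbix-frontend"
      com.zabbix.webserver: "apache2"
      com.zabbix.dbtype: "mysql"
      com.zabbix.os: "ubuntu"

  zabbix-agent:
    image: zabbix/zabbix-agent:ubuntu-6.2-latest
    ports:
      - "10050:10050"
    hostname: zabbix-agent
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./zbx_env/etc/zabbix/zabbix_agentd.d:/etc/zabbix/zabbix_agentd.d:ro
      - ./zbx_env/var/lib/zabbix/modules:/var/lib/zabbix/modules:ro
      # The certificate script on this page copies the database client key
      # into enc/. The agent does not talk to the database, so this mount
      # hands it a credential it has no use for; give the agent its own
      # directory with only the agent's TLS/PSK material.
      - ./zbx_env/var/lib/zabbix/enc:/var/lib/zabbix/enc:ro
      - ./zbx_env/var/lib/zabbix/ssh_keys:/var/lib/zabbix/ssh_keys:ro
    deploy:
      resources:
        limits:
          cpus: '0.2'
          memory: 128M
        reservations:
          cpus: '0.1'
          memory: 64M
      mode: global
    env_file:
      - ./env_vars/.env_agent
    # privileged + host PID namespace removes most of the isolation between
    # this container and the host: a compromise of the agent is effectively a
    # compromise of the host. Keep these only if host-level metrics require
    # them, and restrict who may reach port 10050.
    privileged: true
    pid: "host"
    networks:
      zbx_net_backend:
        aliases:
          - zabbix-agent
          - zabbix-agent-passive
          - zabbix-agent-ubuntu
    stop_grace_period: 5s
    labels:
      com.zabbix.description: "Zabbix agent"
      com.zabbix.company: "Zabbix LLC"
      com.zabbix.component: "zabbix-agentd"
      com.zabbix.os: "ubuntu"

  zabbix-snmptraps:
    image: zabbix/zabbix-snmptraps:ubuntu-6.2-latest
    ports:
      - "162:1162/udp"
    hostname: zabbix-snmptraps
    volumes:
      - snmptraps:/var/lib/zabbix/snmptraps:rw
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.25'
          memory: 128M
    networks:
      zbx_net_frontend:
        aliases:
          - zabbix-snmptraps
      zbx_net_backend: {}
    stop_grace_period: 5s
    labels:
      com.zabbix.description: "Zabbix snmptraps"
      com.zabbix.company: "Zabbix LLC"
      com.zabbix.component: "snmptraps"
      com.zabbix.os: "ubuntu"

  mysql-server:
    image: mysql:8.0-oracle
    hostname: mysql-server
    command:
      - mysqld
      - --character-set-server=utf8mb4
      - --collation-server=utf8mb4_bin
      # - --authentication-policy='caching_sha2_password,sha256_password'
      # NOTE(review): mysql_native_password stores SHA-1 based password
      # hashes, and the server log on this page reports this option as
      # deprecated in favour of authentication_policy. With TLS already
      # required, caching_sha2_password (the 8.0 default) is the stronger
      # choice; existing accounts keep their plugin until altered.
      - --default-authentication-plugin=mysql_native_password
      # Refuse any client connection that is not encrypted.
      - --require-secure-transport
      - --ssl-ca=/run/secrets/root-ca.pem
      - --ssl-cert=/run/secrets/server-cert.pem
      - --ssl-key=/run/secrets/server-key.pem
    volumes:
      # Mounted read-only (was rw): this path is the container's CA trust
      # bundle and the database only needs to read it, so a compromised
      # container should not be able to rewrite it on the host.
      # NOTE(review): the certificate script on this page does not create
      # ./env_vars/cert.pem - confirm the file exists before starting.
      - ./env_vars/cert.pem:/etc/pki/tls/cert.pem:ro
      - ./zbx_env/var/lib/mysql:/var/lib/mysql:rw
    env_file:
      - ./env_vars/.env_db_mysql
    secrets:
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_ROOT_PASSWORD
      - server-key.pem
      - server-cert.pem
      - root-ca.pem
    stop_grace_period: 1m
    networks:
      zbx_net_backend:
        aliases:
          - mysql-server
          - zabbix-database
          - mysql-database

  db_data_mysql:
    image: busybox
    volumes:
      - ./zbx_env/var/lib/mysql:/var/lib/mysql:rw

networks:
  zbx_net_frontend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false"
    ipam:
      driver: default
      config:
        - subnet: 172.16.238.0/24
  # internal: true keeps the database network off the host's outbound path.
  zbx_net_backend:
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false"
    internal: true
    ipam:
      driver: default
      config:
        - subnet: 172.16.239.0/24

volumes:
  snmptraps: {}

secrets:
  MYSQL_USER:
    file: ./env_vars/.MYSQL_USER
  MYSQL_PASSWORD:
    file: ./env_vars/.MYSQL_PASSWORD
  MYSQL_ROOT_USER:
    file: ./env_vars/.MYSQL_ROOT_USER
  MYSQL_ROOT_PASSWORD:
    file: ./env_vars/.MYSQL_ROOT_PASSWORD
  # TLS material produced by the certificate script: the client pair is for
  # Zabbix server/frontend, the server pair for mysqld.
  client-key.pem:
    file: ./env_vars/.ZBX_DB_KEY_FILE
  client-cert.pem:
    file: ./env_vars/.ZBX_DB_CERT_FILE
  root-ca.pem:
    file: ./env_vars/.ZBX_DB_CA_FILE
  server-cert.pem:
    file: ./env_vars/.DB_CERT_FILE
  server-key.pem:
    file: ./env_vars/.DB_KEY_FILE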
These are my logs for the DB:
Code:
Error response from daemon: Multiple IDs found with provided prefix: 5
[zabbixuser@ZabbixSrv ~]$ docker logs 5f38
2022-07-29 13:53:13+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.30-1.el8 started.
2022-07-29 13:53:14+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2022-07-29 13:53:14+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.30-1.el8 started.
'/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
2022-07-29T13:53:14.355785Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
2022-07-29T13:53:14.357815Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
2022-07-29T13:53:14.357839Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.30) starting as process 1
2022-07-29T13:53:14.364997Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2022-07-29T13:53:14.787783Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2022-07-29T13:53:15.204651Z 0 [Warning] [MY-010068] [Server] CA certificate /run/secrets/root-ca.pem is self signed.
2022-07-29T13:53:15.204693Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2022-07-29T13:53:15.215510Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2022-07-29T13:53:15.233901Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2022-07-29T13:53:15.233916Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.30' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
And these are the logs from Zabbix Server:
Code:
224:20220729:133008.089 [Z3005] query failed: [2013] Lost connection to MySQL server during query [insert into history (itemid,clock,ns,value) values (42247,1659101407,721217705,0.125198); 224:20220729:133008.090 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 224:20220729:133008.090 database is down: reconnecting in 10 seconds 228:20220729:133008.348 [Z3005] query failed: [1053] Server shutdown in progress [select escalationid,actionid,triggerid,eventid,r_eventid,nextcheck,esc_step,status,itemid,acknowledgeid,servicealarmid,serviceid from escalations where triggerid is not null and nextcheck<=1659101411 order by actionid,triggerid,itemid,escalationid] 228:20220729:133008.349 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 228:20220729:133008.349 database is down: reconnecting in 10 seconds 250:20220729:133008.396 [Z3005] query failed: [2013] Lost connection to MySQL server during query [select a.alertid,a.mediatypeid,a.sendto,a.subject,a.message,a.status,a.retries,e.source,e.object,e.objectid,a.parameters,a.eventid,a.p_eventid from alerts a left join events e on a.eventid=e.eventid where alerttype=0 and a.status=3 order by a.alertid] 250:20220729:133008.397 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 250:20220729:133008.397 database is down: reconnecting in 10 seconds 227:20220729:133009.098 [Z3005] query failed: [2013] Lost connection to MySQL server during query [insert into history (itemid,clock,ns,value) values (42248,1659101408,722826669,0); 227:20220729:133009.099 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 227:20220729:133009.099 database is down: reconnecting in 10 seconds 206:20220729:133010.041 [Z3005] query failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 
[begin;] 226:20220729:133010.099 [Z3005] query failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) [begin;] 226:20220729:133010.099 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 226:20220729:133010.099 database is down: reconnecting in 10 seconds 237:20220729:133010.129 [Z3005] query failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) [select taskid,type,clock,ttl from task where status in (1,2) order by taskid] 237:20220729:133010.129 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 237:20220729:133010.130 database is down: reconnecting in 10 seconds 206:20220729:133011.042 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 206:20220729:133012.064 [Z3001] connection to database 'zabbix' failed: [2005] Unknown MySQL server host 'mysql-server' (-2) 206:20220729:133013.063 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 225:20220729:133013.147 [Z3005] query failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) [begin;] 225:20220729:133013.148 [Z3001] connection to database 'zabbix' failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) 225:20220729:133013.148 database is down: reconnecting in 10 seconds 222:20220729:133013.403 [Z3005] query failed: [2003] Can't connect to MySQL server on 'mysql-server:3306' (111) [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1659101412 and mod(t.httptestid,1)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or 
h.maintenance_type=0)]