From 10dcfe98189a1b40aa45df9990fa0f56615e9bcf Mon Sep 17 00:00:00 2001 From: meaz Date: Mon, 7 Aug 2023 06:13:22 +0000 Subject: [PATCH] v6 update (#1) It updates vagrant, zabbix to v6, the different templates, etc. Tested on vagrant and proxmox machine. Co-authored-by: meaz Reviewed-on: https://git.disroot.org/Disroot-Ansible/zabbix/pulls/1 --- Playbooks/zabbix.yml | 2 - README.MD | 21 +- Vagrantfile | 2 +- defaults/main.yml | 122 ++---- handlers/main.yml | 5 + tasks/configure.yml | 32 +- tasks/install_agent.yml | 12 +- tasks/install_client.yml | 10 - tasks/install_proxy.yml | 22 +- tasks/install_server.yml | 21 +- tasks/main.yml | 3 + tasks/update.yml | 34 ++ templates/etc/zabbix/nginx.conf.j2 | 61 +++ templates/etc/zabbix/php-fpm.conf.j2 | 24 + templates/etc/zabbix/web/zabbix.conf.php.j2 | 58 +++ .../userparameter_container.conf.j2 | 0 .../{ => etc/zabbix}/zabbix_agentd.conf.j2 | 204 ++++++++- .../{ => etc/zabbix}/zabbix_proxy.conf.j2 | 394 +++++++++++++++-- .../{ => etc/zabbix}/zabbix_server.conf.j2 | 412 ++++++++++++++++-- templates/zabbix.conf.php.j2 | 19 - 20 files changed, 1227 insertions(+), 231 deletions(-) delete mode 100644 tasks/install_client.yml create mode 100644 tasks/update.yml create mode 100644 templates/etc/zabbix/nginx.conf.j2 create mode 100644 templates/etc/zabbix/php-fpm.conf.j2 create mode 100644 templates/etc/zabbix/web/zabbix.conf.php.j2 rename templates/{ => etc/zabbix}/zabbix_agent.d/userparameter_container.conf.j2 (100%) rename templates/{ => etc/zabbix}/zabbix_agentd.conf.j2 (56%) rename templates/{ => etc/zabbix}/zabbix_proxy.conf.j2 (54%) rename templates/{ => etc/zabbix}/zabbix_server.conf.j2 (54%) delete mode 100644 templates/zabbix.conf.php.j2 diff --git a/Playbooks/zabbix.yml b/Playbooks/zabbix.yml index 5ad62ef..144036f 100644 --- a/Playbooks/zabbix.yml +++ b/Playbooks/zabbix.yml @@ -3,8 +3,6 @@ - hosts: zabbix roles: - mariadb - # - nginx - #- php-fpm - zabbix vars_files: 
diff --git a/README.MD b/README.MD index 6299f4e..5216661 100644 --- a/README.MD +++ b/README.MD @@ -5,14 +5,24 @@ This role deploys, configures and updates Zabbix. You can deploy test instance u `vagrant up` `ansible-playbook -b Playbooks/zabbix.yml` -Then you can access Zabbix from your computer on http://192.168.33.27 +Then you can access Zabbix from your computer on http://192.168.33.27:8080 + The default login credentials for Zabbix are: -Username: Admin -Password: zabbix +* Username: Admin +* Password: zabbix + +⚠️ If mariadb is deployed on a different server than zabbix, then you have to do `mysql> set global log_bin_trust_function_creators = 1;` on your mariadb server, then deploy this role, and set it back to `mysql> set global log_bin_trust_function_creators = 0;` + + +## Zabbix-agent +* zabbix-agent service needs to be deployed to the container you want to monitor (set `zabbix_agent: 'true'` when you run the role) in order to be catched by zabbix-server. +* This role allows you to add your own scripts. See `#Zabbix Scripts` section in `defaults/main.yml`. + ## TODO - - obviously better Readme file - - Find better way that zabbix_installed: 'false' and zabbix_proxy_installed: 'false' + - Find better way than zabbix_proxy_installed: 'false' (01.08.23: it not needed anymore, but needs more tests) + - When a script needs for example psql for lufi script, then it won't work if the needed package (example postgresql-client) is not installed on the container that zabbix-agent runs on. We could add a task in `install_agent` that installs dependencies and have `zabbix_script_deps` var. + - It would be nice to have `userparameter_container.conf.j2` more vanilla as most of them won't work without the disroot scripts repo. ## CHANGELOG @@ -20,3 +30,4 @@ Password: zabbix - Create readme file - Create Playbook - Create Vagrantfile +- **01.08.23** - Fix role issues and update to v6.0 diff --git a/Vagrantfile b/Vagrantfile index e83c9e0..66e049c 100644 --- a/Vagrantfile 
+++ b/Vagrantfile @@ -8,7 +8,7 @@ Vagrant.configure("2") do |config| #config.ssh.insert_key = false config.vm.define "zabbix" do |zabbix| - zabbix.vm.box = "generic/debian10" + zabbix.vm.box = "generic/debian11" zabbix.vm.provider :libvirt do |libvirt| libvirt.memory = 256 end diff --git a/defaults/main.yml b/defaults/main.yml index d0da146..5ebc9b6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,37 +1,44 @@ --- -#zabbix_installed: 'false' -zabbix_proxy_installed: 'true' +zabbix_proxy_installed: 'false' # set to false the first time you deploy proxy, then to true once it is deployed. NOT NEEDED ANYMORE? #main -zabbix_version: '5.0' -zabbix_agent: 'true' -zabbix_server: 'true' -zabbix_proxy: 'false' +zabbix_version: '6.0' +zabbix_agent: 'true' # set to true if you want to deploy it. +zabbix_server: 'true' # set to true if you want to deploy it. +zabbix_proxy: 'false' # set to true if you want to deploy it. #Zabbix Server +zabbix_server_pkg: + - zabbix-server-mysql + - zabbix-frontend-php + - zabbix-nginx-conf + - zabbix-sql-scripts + - gzip + - python3-pymysql + zabbix_server_hostname: 'localhost' -zabbix_server_name: 'Monitoring Monitoring' +zabbix_server_name: 'Monitoring' zabbix_server_listen_port: '10051' zabbix_server_log_path: '/var/log/zabbix/zabbix_server.log' zabbix_server_log_size: '1' #in MB zabbix_debug_level: '3' -# 0 - basic information about starting and stopping of Zabbix processes -# 1 - critical information -# 2 - error information -# 3 - warnings -# 4 - for debugging (produces lots of information) -# 5 - extended debugging (produces even more information) +# 0 - basic information about starting and stopping of Zabbix processes +# 1 - critical information +# 2 - error information +# 3 - warnings +# 4 - for debugging (produces lots of information) +# 5 - extended debugging (produces even more information) zabbix_server_db_host: 'localhost' zabbix_server_db_plugin: 'mysql' zabbix_server_db_port: '0' zabbix_server_db_name: 'zabbix' zabbix_server_db_user: 'zabbixadmin' zabbix_server_db_passwd: 'changeme' -zabbix_server_pollers: '5' # Number of pre-forked instances of pollers. +zabbix_server_pollers: '5' # Number of pre-forked instances of pollers. 
zabbix_server_ipmi_pollers: '0' zabbix_server_timeout: '4' -zabbix_server_alert_scripts: '/usr/lib/zabbix/alertscripts/usr/lib/zabbix/alertscripts' +zabbix_server_alert_scripts: '/usr/lib/zabbix/alertscripts' zabbix_server_external_scripts: '/usr/lib/zabbix/externalscripts' zabbix_server_fping: '/usr/bin/fping' zabbix_server_fping6: '/usr/bin/fping6' @@ -39,8 +46,8 @@ zabbix_server_queries_slow: '3000' zabbix_cachesize: '8M' #Zabbix Client -zabbix_agent_params: - - name: "container" +zabbix_web_listen: '8080' +zabbix_web_servername: 'example.com' zabbix_agent_pid: '/var/run/zabbix/zabbix_agentd.pid' zabbix_agent_logfile: '/var/log/zabbix/zabbix_agentd.log' @@ -53,15 +60,19 @@ zabbix_agent_pkg: - gzip - zabbix-get - zabbix-sender -zabbix_client_pkg: - - zabbix-agent - - gzip #Zabbix Scripts +zabbix_agent_params: # this deploys userparameters + - name: "container" # this one is useful for LXC containers + zabbix_scripts_deploy: 'false' -zabbix_scripts_repo: 'https://git.disroot.org/Disroot/zabbix-scripts.git' +zabbix_scripts_repo: '' # add your script repo address here zabbix_scripts_dir: '/usr/local/bin/zabbix-scripts' -zabbix_scripts_version: 'master' +zabbix_scripts_version: 'main' +#zabbix_scripts_config_items: # Uncomment those if you want to add more config items from your scripts +# - key: '' +# value: '' + #Zabbix Proxy zabbix_proxy_pkg: - zabbix-proxy-mysql 
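Review bot: `zabbix_scripts_version: 'main'` in the Zabbix Scripts block makes the scripts checkout follow a moving branch, and the README describes those scripts as what the agent's userparameters call. Pinning the default to a tag or commit hash that has been reviewed keeps a later push to the repository from changing what runs on monitored hosts. A comment beside the variable such as `# pin to a reviewed tag or commit, not a branch` would make that expectation explicit. The checkout task is outside this hunk, so how the value is consumed is inferred from the variable names.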
@@ -78,71 +89,30 @@ zabbix_proxy_debug_level: '3' zabbix_proxy_db_host: 'localhost' zabbix_proxy_db_name: 'zabbix_proxy' zabbix_proxy_db_user: 'zabbixproxyadmin' -zabbix_proxy_db_passwd: 'dupa123' +zabbix_proxy_db_passwd: 'changeme' zabbix_proxy_local_buffer: '0' zabbix_proxy_offline_buffer: '1' -zabbix_proxy_heartbeat_freq: '60' zabbix_proxy_config_freq: '3600' zabbix_proxy_data_sernder_freq: '1' zabbix_proxy_start_pollers: '5' zabbix_proxy_ipmi_pollers: '0' -#PHP Vars -php_version: '8.0' -php_etc_path: '/etc/php' -install_php: 'true' -pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock' +# PHP +zabbix_pm: 'dynamic' +zabbix_pm_max_children: '50' +zabbix_pm_start_servers: '5' +zabbix_pm_min_spare_servers: '5' +zabbix_pm_max_spare_servers: '35' +zabbix_pm_max_requests: '200' -php_pkgs: - - php{{ php_version }}-fpm - - php{{ php_version }}-bz2 - - php{{ php_version }}-cgi - - php{{ php_version }}-cli - - php{{ php_version }}-common - - php{{ php_version }}-curl - - php{{ php_version }}-dev - - php{{ php_version }}-enchant - - php{{ php_version }}-gd - - php{{ php_version }}-gmp - - php{{ php_version }}-igbinary - - php{{ php_version }}-interbase - - php{{ php_version }}-intl - - php{{ php_version }}-mbstring # frontend - - php{{ php_version }}-msgpack - - php{{ php_version }}-pspell - - php{{ php_version }}-readline - - php{{ php_version }}-zip - - php{{ php_version }}-gd # frontend - - php{{ php_version }}-bcmath # frontend - - php{{ php_version }}-xml # frontend - - php{{ php_version }}-ldap # frontend - - -#nginx -nginx_default_vhost: 'zabbix' -nginx_default_vhost_ssl: 'zabbix' -#nginx_www_dir: '/var/www/' -nginx_vhosts: - -- name: 'zabbix' - template: 'zabbix' - proto: 'http' - listen: '80' - root: '/usr/share/zabbix' - use_access_log: 'true' - use_error_log: 'true' - nginx_error_log_level: 'warn' - state: 'enable' - letsencrypt: 'false' - -# MARIADB CONFIG +#MariaDB mariadb_databases: - name: '{{ zabbix_server_db_name }}' - collation: 'utf8_general_ci' # 
should it be utf8_bin? - encoding: 'utf8' + collation: 'utf8mb4_bin' + encoding: 'utf8mb4' - name: '{{ zabbix_proxy_db_name }}' - collation: 'utf8_general_ci' - encoding: 'utf8' + collation: 'utf8mb4_bin' + encoding: 'utf8mb4' mariadb_users: - name: '{{ zabbix_server_db_user }}' diff --git a/handlers/main.yml b/handlers/main.yml index 53ecdfa..af872a7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,3 +14,8 @@ systemd: name: zabbix-proxy state: restarted + +- name: restart nginx + systemd: + name: nginx + state: restarted \ No newline at end of file diff --git a/tasks/configure.yml b/tasks/configure.yml index 89c4367..3df2818 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -2,7 +2,7 @@ - name: '[Configure] - Configure Zabbix Server' template: - src: 'templates/zabbix_server.conf.j2' + src: 'templates/etc/zabbix/zabbix_server.conf.j2' dest: '/etc/zabbix/zabbix_server.conf' owner: 'root' group: 'root' @@ -10,14 +10,9 @@ when: zabbix_server == 'true' notify: restart zabbix_server -- name: '[Configure] - Create Zabbix frontend Dir' - file: - path: '/etc/zabbix/web' - state: 'directory' - - name: '[Configure] - Configure Zabbix Proxy' template: - src: 'templates/zabbix_proxy.conf.j2' + src: 'templates/etc/zabbix/zabbix_proxy.conf.j2' dest: '/etc/zabbix/zabbix_proxy.conf' owner: 'root' group: 'root' 
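Review bot: `zabbix_proxy_db_passwd: 'changeme'` swaps one guessable default for another, so a deployment that forgets to override it still ends up with a known database password; `zabbix_server_db_passwd` in the first hunk of this file has the same value. Consider leaving both variables out of the defaults, or adding an early `assert` task that fails while either still equals `'changeme'`. A one-line comment such as `# override from an Ansible Vault file before deploying` would document where the real value belongs.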
@@ -27,17 +22,36 @@ - name: '[Configure] - Configure Zabbix frontend' template: - src: 'templates/zabbix.conf.php.j2' + src: 'templates/etc/zabbix/web/zabbix.conf.php.j2' dest: '/etc/zabbix/web/zabbix.conf.php' owner: 'www-data' group: 'www-data' + when: zabbix_server == 'true' + notify: restart zabbix_server + +- name: '[Configure] - Configure nginx' + template: + src: 'templates/etc/zabbix/nginx.conf.j2' + dest: '/etc/zabbix/nginx.conf' + owner: 'root' + group: 'root' + mode: '0644' + when: zabbix_server == 'true' + notify: restart zabbix_server + +- name: '[Configure] - Configure Zabbix php' + template: + src: 'templates/etc/zabbix/php-fpm.conf.j2' + dest: '/etc/zabbix/php-fpm.conf' + owner: 'root' + group: 'root' mode: '0644' when: zabbix_server == 'true' notify: restart zabbix_server - name: '[Configure] - Configure Zabbix Agent' template: - src: 'templates/zabbix_agentd.conf.j2' + src: 'templates/etc/zabbix/zabbix_agentd.conf.j2' dest: '/etc/zabbix/zabbix_agentd.conf' owner: 'root' group: 'root' diff --git a/tasks/install_agent.yml b/tasks/install_agent.yml index ab48d5f..979f473 100644 --- a/tasks/install_agent.yml +++ b/tasks/install_agent.yml @@ -10,14 +10,9 @@ notify: - restart zabbix_agent -- name: "[Agent] - Make sure the service is enabled" - systemd: - name: zabbix-agent - enabled: yes - - name: "[Agent] - Deploy Zabbix custom userparameters" template: - src: 'zabbix_agent.d/userparameter_container.conf.j2' + src: 'templates/etc/zabbix/zabbix_agent.d/userparameter_container.conf.j2' dest: '/etc/zabbix/zabbix_agentd.d/userparameter_container.conf' notify: - restart zabbix_agent @@ -41,3 +36,8 @@ src: 'zabbix-scripts.cfg.j2' dest: '/var/local/container-scripts/zabbix-scripts.cfg' when: zabbix_scripts_deploy == 'true' + +- name: "[Agent] - Make sure the service is enabled" + systemd: + name: zabbix-agent + enabled: yes \ No newline at end of file 
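Review bot: After this hunk the '[Configure] - Configure Zabbix frontend' task has no `mode:` at all, because the existing `mode: '0644'` context line now closes the new php-fpm task; `zabbix.conf.php` holds the database credentials in a standard Zabbix install, so its permissions are left to the remote umask. Add `mode: '0640'` to that task, since owner and group are already `www-data`. The nginx and php-fpm template tasks both notify `restart zabbix_server`, so changes to `/etc/zabbix/nginx.conf` or `/etc/zabbix/php-fpm.conf` do not take effect until something else restarts those services; `notify: restart nginx` (the handler added in this commit) fits the nginx task, and php-fpm needs a handler of its own.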
diff --git a/tasks/install_client.yml b/tasks/install_client.yml deleted file mode 100644 index 2b2c40e..0000000 --- a/tasks/install_client.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: "[APT] - Install Zabbix from repository" - apt: - name: "{{ zabbix_client_pkg }}" - state: latest - update_cache: yes - install_recommends: no - notify: - - restart zabbix_agent diff --git a/tasks/install_proxy.yml b/tasks/install_proxy.yml index 50101d1..f421179 100644 --- a/tasks/install_proxy.yml +++ b/tasks/install_proxy.yml @@ -10,16 +10,17 @@ notify: - restart zabbix_proxy -- name: "[Agent] - Make sure the service is enabled" - systemd: - name: zabbix-proxy - enabled: yes - - name: '[Proxy] - Remove apache2' apt: name: "{{ zabbix_apache }}" state: absent +- name: "[Proxy] - Check if Zabbix proxy is already installed" + shell: + cmd: "{{ zabbix_server_db_plugin }} -h {{ zabbix_proxy_db_host }} -u {{ zabbix_proxy_db_user }} -p{{ zabbix_proxy_db_passwd }} {{ zabbix_proxy_db_name }} -se 'SELECT * from dbversion;'" + register: zabbixproxy_installed + ignore_errors: true + - name: '[Proxy] - Importing Zabbix Proxy schema. Onetime only shot' mysql_db: login_host: "{{ zabbix_proxy_db_host }}" @@ -27,7 +28,14 @@ login_user: '{{ zabbix_proxy_db_user }}' name: "{{ zabbix_proxy_db_name }}" state: import - target: /usr/share/doc/zabbix-proxy-mysql/schema.sql.gz - when: zabbix_proxy_installed == 'false' + target: /usr/share/zabbix-sql-scripts/mysql/proxy.sql + when: "'ERROR' in zabbixproxy_installed.stderr" + # ERROR 1146 means the table doesn't exist + # when: zabbix_proxy_installed == 'false' NOT NEEDED ANYMORE? notify: - restart zabbix_server + +- name: "[Proxy] - Make sure the service is enabled" + systemd: + name: zabbix-proxy + enabled: yes \ No newline at end of file diff --git a/tasks/install_server.yml b/tasks/install_server.yml index 7ead633..96e690b 100644 --- a/tasks/install_server.yml +++ b/tasks/install_server.yml 
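Review bot: The new '[Proxy] - Check if Zabbix proxy is already installed' task puts `-p{{ zabbix_proxy_db_passwd }}` on a shell command line, so the database password is visible in the process list while the client runs and is written to Ansible's task output and any callback logs. Add `no_log: true` and pass the credential out of band, for example through `environment: { MYSQL_PWD: "{{ zabbix_proxy_db_passwd }}" }` or a root-only `--defaults-extra-file`; the other interpolated values would be safer with the `quote` filter. `changed_when: false` would stop this read-only probe from reporting a change on every run. The server check in tasks/install_server.yml uses the same command pattern.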
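Review bot: `when: "'ERROR' in zabbixproxy_installed.stderr"` starts the schema import on any client error, including a refused connection or a rejected password, not only on a missing table. Match the specific code the comment below it already names, `when: "'ERROR 1146' in zabbixproxy_installed.stderr"`, as the server task does, so an unrelated failure stops at the check instead of importing into a database in an unknown state. The import also notifies `restart zabbix_server`, where `restart zabbix_proxy` looks like the intended handler for a proxy schema load.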
@@ -2,11 +2,7 @@ - name: '[Server] - Install Zabbix from repository' apt: - pkg: - - zabbix-server-mysql - - zabbix-frontend-php - - gzip - - python3-pymysql + pkg: "{{ zabbix_server_pkg }}" state: latest update_cache: yes install_recommends: no @@ -14,17 +10,12 @@ notify: - restart zabbix_server -- name: "[Agent] - Make sure the service is enabled" - systemd: - name: zabbix-server - enabled: yes - - name: '[Server] - Remove apache2' apt: name: "{{ zabbix_apache }}" state: absent -- name: "[Check] - Zabbix is already installed?" +- name: "[Server] - Check if Zabbix is already installed" shell: cmd: "{{ zabbix_server_db_plugin }} -h {{ zabbix_server_db_host }} -u {{ zabbix_server_db_user }} -p{{ zabbix_server_db_passwd }} {{ zabbix_server_db_name }} -se 'SELECT instanceid from config;'" register: zabbix_installed @@ -37,8 +28,14 @@ login_user: '{{ zabbix_server_db_user }}' name: "{{ zabbix_server_db_name }}" state: import - target: /usr/share/doc/zabbix-server-mysql/create.sql.gz + target: /usr/share/zabbix-sql-scripts/mysql/server.sql.gz when: "'ERROR 1146' in zabbix_installed.stderr" # ERROR 1146 means the table doesn't exist notify: - restart zabbix_server + - restart nginx + +- name: "[Server] - Make sure the service is enabled" + systemd: + name: zabbix-server + enabled: yes \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 282acfa..a6a056b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,8 @@ --- +- name: Update + include: update.yml + - name: Manage apt apt_repository include: apt.yml diff --git a/tasks/update.yml b/tasks/update.yml new file mode 100644 index 0000000..8e1065b --- /dev/null +++ b/tasks/update.yml 
@@ -0,0 +1,34 @@
+---
+
+- name: "[Update] - Check installed version"
+ shell:
+ cmd: "apt-cache policy zabbix-server-mysql | grep Installed | cut -f 3 -d':' | cut -f1,2 -d'.'"
+ register: installed_version
+
+- name: "[Update] - Make sure the server is stopped"
+ systemd:
+ name: zabbix-server
+ state: stopped
+ when: installed_version.stdout != zabbix_version
+ ignore_errors: true # needed otherwise there is an error on first installation as it doesn't exist
+
+- name: "[Update] - Make sure the agent is stopped"
+ systemd:
+ name: zabbix-agent
+ state: stopped
+ when: installed_version != zabbix_version
+ ignore_errors: true # needed otherwise there is an error on first installation as it doesn't exist
+
+- name: "[Update] - Make sure the proxy is stopped"
+ systemd:
+ name: zabbix-proxy
+ state: stopped
+ when: installed_version != zabbix_version
+ ignore_errors: true # needed otherwise there is an error on first installation as it doesn't exist
+
+- name: '[Update] - Remove current repository'
+ file:
+ path: '/etc/apt/sources.list.d/zabbix.list'
+ state: 'absent'
+ when: installed_version != zabbix_version
+
diff --git a/templates/etc/zabbix/nginx.conf.j2 b/templates/etc/zabbix/nginx.conf.j2
new file mode 100644
index 0000000..ee1c13e
--- /dev/null
+++ b/templates/etc/zabbix/nginx.conf.j2
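Review bot: Three of the four conditions compare the registered result itself, `when: installed_version != zabbix_version`, which is true on every run, so the agent and proxy are stopped and `/etc/apt/sources.list.d/zabbix.list` is removed even when the installed version already matches. Use `when: installed_version.stdout != zabbix_version`, as the server task does. The probe is read-only, so `changed_when: false` belongs on it. Because it inspects only `zabbix-server-mysql`, hosts that run just the agent or proxy will always look outdated and lose monitoring for the duration of each play.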
@@ -0,0 +1,61 @@
+server {
+ listen {{ zabbix_web_listen }};
+ server_name {{ zabbix_web_servername }};
+
+ root /usr/share/zabbix;
+
+ index index.php;
+
+ location = /favicon.ico {
+ log_not_found off;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location /assets {
+ access_log off;
+ expires 10d;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location ~ /(api\/|conf[^\.]|include|locale) {
+ deny all;
+ return 404;
+ }
+
+ location /vendor {
+ deny all;
+ return 404;
+ }
+
+ location ~ [^/]\.php(/|$) {
+ fastcgi_pass unix:/var/run/php/zabbix.sock;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+
+ fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
+ fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
+ fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
+
+ include fastcgi_params;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_intercept_errors on;
+ fastcgi_ignore_client_abort off;
+ fastcgi_connect_timeout 60;
+ fastcgi_send_timeout 180;
+ fastcgi_read_timeout 180;
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+ fastcgi_temp_file_write_size 256k;
+ }
+}
\ No newline at end of file
diff --git a/templates/etc/zabbix/php-fpm.conf.j2 b/templates/etc/zabbix/php-fpm.conf.j2
new file mode 100644
index 0000000..b4b8d56
--- /dev/null
+++ b/templates/etc/zabbix/php-fpm.conf.j2
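Review bot: The server block listens on `{{ zabbix_web_listen }}` (default `8080` in defaults/main.yml) with no TLS, so the frontend login and its session cookie cross the network in cleartext; the README in this commit documents the initial credentials as `Admin` / `zabbix`. Either terminate TLS in this block, `listen {{ zabbix_web_listen }} ssl;` together with the certificate directives, or bind the listener to loopback and state in the README that a TLS reverse proxy is expected in front of it. A short comment at the top of the template saying which of the two the role assumes would prevent it from being exposed as-is.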
@@ -0,0 +1,24 @@ +[zabbix] +user = www-data +group = www-data + +listen = /var/run/php/zabbix.sock +listen.owner = www-data +listen.allowed_clients = 127.0.0.1 + +pm = {{ zabbix_pm }} +pm.max_children = {{ zabbix_pm_max_children }} +pm.start_servers = {{ zabbix_pm_start_servers }} +pm.min_spare_servers = {{ zabbix_pm_min_spare_servers }} +pm.max_spare_servers = {{ zabbix_pm_max_spare_servers }} +pm.max_requests = {{ zabbix_pm_max_requests }} + +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/sessions/ + +php_value[max_execution_time] = 300 +php_value[memory_limit] = 128M +php_value[post_max_size] = 16M +php_value[upload_max_filesize] = 2M +php_value[max_input_time] = 300 +php_value[max_input_vars] = 10000 \ No newline at end of file diff --git a/templates/etc/zabbix/web/zabbix.conf.php.j2 b/templates/etc/zabbix/web/zabbix.conf.php.j2 new file mode 100644 index 0000000..ce94391 --- /dev/null +++ b/templates/etc/zabbix/web/zabbix.conf.php.j2 @@ -0,0 +1,58 @@ + 'http://localhost:9200', +// 'text' => 'http://localhost:9200' +//]; +// Value types stored in Elasticsearch. +//$HISTORY['types'] = ['uint', 'text']; + +// Used for SAML authentication. +// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. +//$SSO['SP_KEY'] = 'conf/certs/sp.key'; +//$SSO['SP_CERT'] = 'conf/certs/sp.crt'; +//$SSO['IDP_CERT'] = 'conf/certs/idp.crt'; +//$SSO['SETTINGS'] = []; \ No newline at end of file diff --git a/templates/zabbix_agent.d/userparameter_container.conf.j2 b/templates/etc/zabbix/zabbix_agent.d/userparameter_container.conf.j2 similarity index 100% rename from templates/zabbix_agent.d/userparameter_container.conf.j2 rename to templates/etc/zabbix/zabbix_agent.d/userparameter_container.conf.j2 
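Review bot: `listen.allowed_clients = 127.0.0.1` has no effect in this pool, because PHP-FPM applies that setting only to TCP listeners and the pool listens on the unix socket `/var/run/php/zabbix.sock`. Access to the socket is decided by its ownership and mode, so state them explicitly with `listen.group = www-data` and `listen.mode = 0660` next to `listen.owner`. Dropping the `allowed_clients` line keeps the file from suggesting a restriction that is not enforced.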
diff --git a/templates/zabbix_agentd.conf.j2 b/templates/etc/zabbix/zabbix_agentd.conf.j2 similarity index 56% rename from templates/zabbix_agentd.conf.j2 rename to templates/etc/zabbix/zabbix_agentd.conf.j2 index aa7ce19..2745846 100644 --- a/templates/zabbix_agentd.conf.j2 +++ b/templates/etc/zabbix/zabbix_agentd.conf.j2 @@ -25,7 +25,7 @@ PidFile={{ zabbix_agent_pid }} ### Option: LogFile # Log file name for LogType 'file' parameter. # -# Mandatory: no +# Mandatory: yes, if LogType is set to file, otherwise no # Default: # LogFile= 
@@ -63,14 +63,33 @@ DebugLevel={{ zabbix_agent_debug_level }} # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. 
@@ -84,11 +103,14 @@ DebugLevel={{ zabbix_agent_debug_level }} ##### Passive checks related ### Option: Server -# List of comma delimited IP addresses (or hostnames) of Zabbix servers. +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. # Incoming connections will be accepted only from the hosts listed here. -# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com # -# Mandatory: no +# Mandatory: yes, if StartAgents is not explicitly set to 0 # Default: # Server= 
@@ -122,12 +144,25 @@ ListenPort={{ zabbix_agent_listen_port }} ##### Active checks related ### Option: ServerActive -# List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks. +# Zabbix server/proxy address or cluster configuration to get active checks from. +# Server/proxy address is IP address or DNS name and optional port separated by colon. +# Cluster configuration is one or more server addresses separated by semicolon. +# Multiple Zabbix servers/clusters and Zabbix proxies can be specified, separated by comma. +# More than one Zabbix proxy should not be specified from each Zabbix server/cluster. +# If Zabbix proxy is specified then Zabbix server/cluster for that proxy should not be specified. +# Multiple comma-delimited addresses can be provided to use several independent Zabbix servers in parallel. Spaces are allowed. # If port is not specified, default port is used. # IPv6 addresses must be enclosed in square brackets if port for that host is specified. # If port is not specified, square brackets for IPv6 addresses are optional. # If this parameter is not specified, active checks are disabled. -# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for Zabbix proxy: +# ServerActive=127.0.0.1:10051 +# Example for multiple servers: +# ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] +# Example for high availability: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051;zabbix.cluster.node3 +# Example for high availability with two clusters and one server: +# ServerActive=zabbix.cluster.node1;zabbix.cluster.node2:20051,zabbix.cluster2.node1;zabbix.cluster2.node2,zabbix.domain # # Mandatory: no # Default: 
@@ -136,8 +171,8 @@ ListenPort={{ zabbix_agent_listen_port }} ServerActive={{ zabbix_agent_server_address }} ### Option: Hostname -# Unique, case sensitive hostname. -# Required for active checks and must match hostname as configured on the server. +# List of comma delimited unique, case sensitive hostnames. +# Required for active checks and must match hostnames as configured on the server. # Value is acquired from HostnameItem if undefined. # # Mandatory: no @@ -157,11 +192,11 @@ Hostname={{ inventory_hostname }} ### Option: HostMetadata # Optional parameter that defines host metadata. # Host metadata is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. +# An agent will issue an error and not start if the value is over limit of 2034 bytes. # If not defined, value will be acquired from HostMetadataItem. # # Mandatory: no -# Range: 0-255 characters +# Range: 0-2034 bytes # Default: # HostMetadata= 
@@ -169,20 +204,42 @@ Hostname={{ inventory_hostname }} # Optional parameter that defines an item used for getting host metadata. # Host metadata is used at host auto-registration process. # During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. +# the value returned by specified item is over limit of 65535 characters. # This option is only used when HostMetadata is not defined. # # Mandatory: no # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # # Mandatory: no -# Range: 60-3600 +# Range: 1-86400 # Default: -# RefreshActiveChecks=120 +# RefreshActiveChecks=5 ### Option: BufferSend # Do not keep data longer than N seconds in buffer. 
@@ -212,6 +269,16 @@ Hostname={{ inventory_hostname }} # Default: # MaxLinesPerSecond=20 +### Option: HeartbeatFrequency +# Frequency of heartbeat messages in seconds. +# Used for monitoring availability of active checks. +# 0 - heartbeat messages disabled. +# +# Mandatory: no +# Range: 0-3600 +# Default: 60 +# HeartbeatFrequency= + ############ ADVANCED PARAMETERS ################# ### Option: Alias @@ -292,11 +359,22 @@ Include=/etc/zabbix/zabbix_agentd.d/*.conf # Default: # UserParameter= +### Option: UserParameterDir +# Directory to execute UserParameter commands from. Only one entry is allowed. +# When executing UserParameter commands the agent will change the working directory to the one +# specified in the UserParameterDir option. +# This way UserParameter commands can be specified using the relative ./ prefix. +# +# Mandatory: no +# Default: +# UserParameterDir= + ####### LOADABLE MODULES ####### ### Option: LoadModulePath # Full path to location of agent modules. # Default depends on compilation options. +# To see the default path run command "zabbix_agentd --help". # # Mandatory: no # Default: @@ -304,8 +382,12 @@ Include=/etc/zabbix/zabbix_agentd.d/*.conf ### Option: LoadModule # Module to load at agent startup. Modules are used to extend functionality of the agent. -# Format: LoadModule= -# The modules must be located in directory specified by LoadModulePath. +# Formats: +# LoadModule= +# LoadModule= +# LoadModule= +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. # It is allowed to include multiple LoadModule parameters. # # Mandatory: no 
@@ -352,14 +434,14 @@ Include=/etc/zabbix/zabbix_agentd.d/*.conf # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: 
@@ -392,3 +474,81 @@ Include=/etc/zabbix/zabbix_agentd.d/*.conf # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= + diff --git a/templates/zabbix_proxy.conf.j2 b/templates/etc/zabbix/zabbix_proxy.conf.j2 similarity index 54% rename from templates/zabbix_proxy.conf.j2 rename to templates/etc/zabbix/zabbix_proxy.conf.j2 index 9a31ea3..1230aeb 100644 --- a/templates/zabbix_proxy.conf.j2 +++ b/templates/etc/zabbix/zabbix_proxy.conf.j2 
@@ -13,24 +13,24 @@ ProxyMode={{ zabbix_proxy_mode }} ### Option: Server -# IP address (or hostname) of Zabbix server. -# Active proxy will get configuration data from the server. -# For a proxy in the passive mode this parameter will be ignored. +# If ProxyMode is set to active mode: +# IP address or DNS name (address:port) or cluster (address:port;address2:port) of Zabbix server to get configuration data from and send data to. +# If port is not specified, default port is used. +# Cluster nodes need to be separated by semicolon. +# If ProxyMode is set to passive mode: +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix server. +# Incoming connections will be accepted only from the addresses listed here. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com # -# Mandatory: yes (if ProxyMode is set to 0) +# Mandatory: yes # Default: # Server= Server={{ zabbix_proxy_master_server }} -### Option: ServerPort -# Port of Zabbix trapper on Zabbix server. -# For a proxy in the passive mode this parameter will be ignored. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# ServerPort=10051 ### Option: Hostname # Unique, case sensitive Proxy name. Make sure the Proxy name is known to the server! @@ -77,7 +77,7 @@ ListenPort={{ zabbix_proxy_listen_port }} ### Option: LogFile # Log file name for LogType 'file' parameter. # -# Mandatory: no +# Mandatory: yes, if LogType is set to file, otherwise no # Default: # LogFile= 
@@ -108,6 +108,24 @@ LogFileSize={{ zabbix_proxy_file_size }} # Default: DebugLevel={{ zabbix_proxy_debug_level }} +### Option: EnableRemoteCommands +# Whether remote commands from Zabbix server are allowed. +# 0 - not allowed +# 1 - allowed +# +# Mandatory: no +# Default: +# EnableRemoteCommands=0 + +### Option: LogRemoteCommands +# Enable logging of executed shell commands as warnings. +# 0 - disabled +# 1 - enabled +# +# Mandatory: no +# Default: +# LogRemoteCommands=0 + ### Option: PidFile # Name of PID file. # @@ -117,10 +135,22 @@ DebugLevel={{ zabbix_proxy_debug_level }} PidFile=/var/run/zabbix/zabbix_proxy.pid +### Option: SocketDir +# IPC socket directory. +# Directory to store IPC sockets used by internal Zabbix services. +# +# Mandatory: no +# Default: +# SocketDir=/tmp + +### NOTE: Support for Oracle DB is deprecated since Zabbix 7.0 and will be removed in future versions. + ### Option: DBHost # Database host name. # If set to localhost, socket is used for MySQL. # If set to empty string, socket is used for PostgreSQL. +# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see +# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located. # # Mandatory: no # Default: @@ -129,6 +159,9 @@ DBHost={{ zabbix_proxy_db_host }} ### Option: DBName # Database name. # For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored. +# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from +# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to +# empty string. # Warning: do not attempt to use the same database Zabbix server is using. # # Mandatory: yes 
@@ -136,7 +169,7 @@ DBHost={{ zabbix_proxy_db_host }} DBName={{ zabbix_proxy_db_name }} ### Option: DBSchema -# Schema name. Used for IBM DB2 and PostgreSQL. +# Schema name. Used for PostgreSQL. # # Mandatory: no # Default: @@ -161,14 +194,25 @@ DBPassword={{ zabbix_proxy_db_passwd }} # # Mandatory: no # Default: -# DBSocket=/tmp/mysql.sock +# DBSocket= # Option: DBPort # Database port when not using local socket. Ignored for SQLite. +# If the Net Service Name connection method is used to connect to Oracle database, the port number from the +# tnsnames.ora file will be used. The port number set here will be ignored. # # Mandatory: no -# Default (for MySQL): -# DBPort=3306 +# Default: +# DBPort= + +### Option: AllowUnsupportedDBVersions +# Allow proxy to work with unsupported database versions. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowUnsupportedDBVersions=0 ######### PROXY SPECIFIC PARAMETERS ############# 
@@ -190,25 +234,49 @@ ProxyLocalBuffer={{ zabbix_proxy_local_buffer }} # Default: ProxyOfflineBuffer={{ zabbix_proxy_offline_buffer }} -### Option: HeartbeatFrequency -# Frequency of heartbeat messages in seconds. -# Used for monitoring availability of Proxy on server side. -# 0 - heartbeat messages disabled. -# For a proxy in the passive mode this parameter will be ignored. +### Option: ProxyBufferMode +# Specifies history, discovery and auto registration data storage mechanism: +# disk - data are stored in database and uploaded from database +# memory - data are stored in memory and uploaded from memory. +# If buffer runs out of memory the old data will be discarded. +# On shutdown the buffer is discarded. +# hybrid - the proxy buffer normally works like in memory mode until it runs out of memory or +# the oldest record exceeds the configured age. If that happens the buffer is flushed +# to database and it works like in disk mode until all data have been uploaded and +# it starts working with memory again. On shutdown the memory buffer is flushed +# to database. # # Mandatory: no -# Range: 0-3600 +# Values: disk, memory, hybrid # Default: -HeartbeatFrequency={{ zabbix_proxy_heartbeat_freq }} +# ProxyBufferMode=disk -### Option: ConfigFrequency +ProxyMemoryBufferSize=16M + +### Option: ProxyMemoryBufferAge +# Maximum age of data in proxy memory buffer, in seconds. +# When enabled (not zero) and records in proxy memory buffer are older, then it forces proxy buffer +# to switch to database mode until all records are uploaded to server. +# This parameter must be less or equal to ProxyOfflineBuffer parameter. +# +# Mandatory: no +# Range: 0,600-864000 +# Default: +# ProxyMemoryBufferAge=0 + +### Option: ConfigFrequency - Deprecated, use ProxyConfigFrequency +# How often proxy retrieves configuration data from Zabbix Server in seconds. +# For a proxy in the passive mode this parameter will be ignored. 
+# Mandatory: no + +### Option: ProxyConfigFrequency # How often proxy retrieves configuration data from Zabbix Server in seconds. # For a proxy in the passive mode this parameter will be ignored. # # Mandatory: no # Range: 1-3600*24*7 # Default: -ConfigFrequency={{ zabbix_proxy_config_freq }} +ProxyConfigFrequency={{ zabbix_proxy_config_freq }} ### Option: DataSenderFrequency # Proxy will send collected data to the Server every N seconds. @@ -229,14 +297,47 @@ DataSenderFrequency={{ zabbix_proxy_data_sernder_freq }} # Default: StartPollers={{ zabbix_proxy_start_pollers }} +### Option: StartAgentPollers +# Number of pre-forked instances of asynchronous Zabbix agent pollers. Also see MaxConcurrentChecksPerPoller. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartAgentPollers=1 + +### Option: StartHTTPAgentPollers +# Number of pre-forked instances of asynchronous HTTP agent pollers. Also see MaxConcurrentChecksPerPoller. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHTTPAgentPollers=1 + +### Option: MaxConcurrentChecksPerPoller +# Maximum number of asynchronous checks that can be executed at once by each HTTP agent poller or agent poller. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# MaxConcurrentChecksPerPoller=1000 + ### Option: StartIPMIPollers # Number of pre-forked instances of IPMI pollers. +# The IPMI manager process is automatically started when at least one IPMI poller is started. # # Mandatory: no # Range: 0-1000 # Default: StartIPMIPollers={{ zabbix_proxy_ipmi_pollers }} +### Option: StartPreprocessors +# Number of pre-started instances of preprocessing workers. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartPreprocessors=3 + ### Option: StartPollersUnreachable # Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). # At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers 
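Review bot: Two active lines in hunk @@ -190,25 +234,49 @@ look newer than the "v6" this commit targets: `ProxyMemoryBufferSize=16M` and `ProxyConfigFrequency={{ zabbix_proxy_config_freq }}`. As far as I know, `ProxyConfigFrequency` arrived in Zabbix 6.4 and the `ProxyBufferMode`/`ProxyMemoryBuffer*` options in 7.0; the "deprecated since Zabbix 7.0" note elsewhere in this template points the same way. Zabbix daemons refuse to start on an unknown parameter, so a 6.0 proxy would probably fail with this file; the installed version is set outside this hunk and should be checked. `ProxyMemoryBufferSize=16M` also has no `### Option:` header and is hard-coded while `ProxyBufferMode` stays commented. I would comment it out as `# ProxyMemoryBufferSize=16M` and, for 6.0 targets, keep `ConfigFrequency={{ zabbix_proxy_config_freq }}`.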
@@ -265,12 +366,12 @@ StartIPMIPollers={{ zabbix_proxy_ipmi_pollers }} # StartPingers=1 ### Option: StartDiscoverers -# Number of pre-forked instances of discoverers. +# Number of pre-started instances of discovery workers. # # Mandatory: no -# Range: 0-250 +# Range: 0-1000 # Default: -# StartDiscoverers=1 +# StartDiscoverers=5 ### Option: StartHTTPPollers # Number of pre-forked instances of HTTP pollers. @@ -390,7 +491,7 @@ StartIPMIPollers={{ zabbix_proxy_ipmi_pollers }} # Shared memory size, for storing hosts and items data. # # Mandatory: no -# Range: 128K-8G +# Range: 128K-64G # Default: # CacheSize=8M @@ -462,9 +563,18 @@ Timeout=4 # Default: # UnreachableDelay=15 +## Option: StartODBCPollers +# Number of pre-forked ODBC poller instances. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartODBCPollers=1 + ### Option: ExternalScripts # Full path to location of external scripts. # Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". # # Mandatory: no # Default: @@ -553,6 +663,8 @@ LogSlowQueries=3000 ### Option: SSLCertLocation # Location of SSL client certificates. # This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". # # Mandatory: no # Default: @@ -561,6 +673,8 @@ LogSlowQueries=3000 ### Option: SSLKeyLocation # Location of private keys for SSL client certificates. # This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". # # Mandatory: no # Default: 
@@ -569,7 +683,7 @@ LogSlowQueries=3000 ### Option: SSLCALocation # Location of certificate authority (CA) files for SSL server certificate verification. # If not set, system-wide directory will be used. -# This parameter is used only in web monitoring. +# This parameter is used in web monitoring, HTTP agent items and for communication with Vault. # # Mandatory: no # Default: @@ -580,6 +694,7 @@ LogSlowQueries=3000 ### Option: LoadModulePath # Full path to location of proxy modules. # Default depends on compilation options. +# To see the default path run command "zabbix_proxy --help". # # Mandatory: no # Default: @@ -587,14 +702,32 @@ LogSlowQueries=3000 ### Option: LoadModule # Module to load at proxy startup. Modules are used to extend functionality of the proxy. -# Format: LoadModule= -# The modules must be located in directory specified by LoadModulePath. +# Formats: +# LoadModule= +# LoadModule= +# LoadModule= +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. # It is allowed to include multiple LoadModule parameters. # # Mandatory: no # Default: # LoadModule= +### Option: StatsAllowedIP +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances. +# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests +# will be accepted. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: no +# Default: +# StatsAllowedIP= +#StatsAllowedIP=127.0.0.1 + ####### TLS-RELATED PARAMETERS ####### ### Option: TLSConnect 
@@ -635,14 +768,14 @@ LogSlowQueries=3000 # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: 
@@ -675,3 +808,194 @@ LogSlowQueries=3000 # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +### Option: DBTLSConnect +# Setting this option enforces to use TLS connection to database. +# required - connect using TLS +# verify_ca - connect using TLS and verify certificate +# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost +# matches its certificate +# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and +# "verify_full". +# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported. +# Default is not to set any option and behavior depends on database configuration +# +# Mandatory: no +# Default: +# DBTLSConnect= + +### Option: DBTLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# (yes, if DBTLSConnect set to one of: verify_ca, verify_full) +# Default: +# DBTLSCAFile= + +### Option: DBTLSCertFile +# Full pathname of file containing Zabbix proxy certificate for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSCertFile= + +### Option: DBTLSKeyFile +# Full pathname of file containing the private key for authenticating to database. 
+# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSKeyFile= + +### Option: DBTLSCipher +# The list of encryption ciphers that Zabbix proxy permits for TLS protocols up through TLSv1.2 +# Supported only for MySQL +# +# Mandatory no +# Default: +# DBTLSCipher= + +### Option: DBTLSCipher13 +# The list of encryption ciphersuites that Zabbix proxy permits for TLSv1.3 protocol +# Supported only for MySQL, starting from version 8.0.16 +# +# Mandatory no +# Default: +# DBTLSCipher13= + +### Option: Vault +# Specifies vault: +# HashiCorp - HashiCorp KV Secrets Engine - Version 2 +# CyberArk - CyberArk Central Credential Provider +# +# Mandatory: no +# Default: +# Vault=HashiCorp + +### Option: VaultToken +# Vault authentication token that should have been generated exclusively for Zabbix proxy with read only permission to path +# specified in optional VaultDBPath configuration parameter. +# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time. +# +# Mandatory: no +# (yes, if Vault is explicitly set to HashiCorp) +# Default: +# VaultToken= + +### Option: VaultURL +# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. +# +# Mandatory: no +# Default: +# VaultURL=https://127.0.0.1:8200 + +### Option: VaultDBPath +# Vault path or query depending on the Vault from where credentials for database will be retrieved by keys. +# Keys used for HashiCorp are 'password' and 'username'. +# Example path: +# secret/zabbix/database +# Keys used for CyberArk are 'Content' and 'UserName'. +# Example query: +# AppID=zabbix_server&Query=Safe=passwordSafe;Object=zabbix_proxy_database +# This option can only be used if DBUser and DBPassword are not specified. +# +# Mandatory: no +# Default: +# VaultDBPath= + +### Option: VaultTLSCertFile +# Name of the SSL certificate file used for client authentication. The certificate file must be in PEM1 format. 
+# If the certificate file contains also the private key, leave the SSL key file field empty. The directory +# containing this file is specified by configuration parameter SSLCertLocation. +# +# Mandatory: no +# Default: +# VaultTLSCertFile= + +### Option: VaultTLSKeyFile +# Name of the SSL private key file used for client authentication. The private key file must be in PEM1 format. +# The directory containing this file is specified by configuration parameter SSLKeyLocation. +# +# Mandatory: no +# Default: +# VaultTLSKeyFile= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= + diff --git a/templates/zabbix_server.conf.j2 b/templates/etc/zabbix/zabbix_server.conf.j2 similarity index 54% rename from templates/zabbix_server.conf.j2 rename to templates/etc/zabbix/zabbix_server.conf.j2 index 3af0819..2ecc1ab 100644 --- a/templates/zabbix_server.conf.j2 +++ b/templates/etc/zabbix/zabbix_server.conf.j2 @@ -31,7 +31,7 @@ ListenPort={{ zabbix_server_listen_port }} ### Option: LogFile # Log file name for LogType 'file' parameter. # -# Mandatory: no +# Mandatory: yes, if LogType is set to file, otherwise no # Default: # LogFile= 
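Review bot: `DBTLSConnect` and `DBTLSCAFile` are added to the proxy template only as commented defaults (hunk @@ -675,3 +808,194 @@), so the role cannot require TLS towards the database even though `DBHost` and `DBPassword` are templated and may point at a remote server. As the added comment says, behaviour then depends on the database configuration, so the database credentials can cross the network without encryption or certificate verification. I would render the option from a variable, for example `{% if zabbix_proxy_db_tls_connect is defined %}DBTLSConnect={{ zabbix_proxy_db_tls_connect }}{% endif %}`, with a matching `DBTLSCAFile` line. That variable name is only a suggestion and would need an entry in defaults/main.yml. For a remote database, `verify_full` is the value to document as recommended where the database supports it.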
@@ -71,10 +71,22 @@ DebugLevel={{ zabbix_debug_level }} PidFile=/var/run/zabbix/zabbix_server.pid +### Option: SocketDir +# IPC socket directory. +# Directory to store IPC sockets used by internal Zabbix services. +# +# Mandatory: no +# Default: +# SocketDir=/tmp + +SocketDir=/run/zabbix + ### Option: DBHost # Database host name. # If set to localhost, socket is used for MySQL. # If set to empty string, socket is used for PostgreSQL. +# If set to empty string, the Net Service Name connection method is used to connect to Oracle database; also see +# the TNS_ADMIN environment variable to specify the directory where the tnsnames.ora file is located. # # Mandatory: no # Default: @@ -82,7 +94,9 @@ DBHost={{ zabbix_server_db_host }} ### Option: DBName # Database name. -# For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored. +# If the Net Service Name connection method is used to connect to Oracle database, specify the service name from +# the tnsnames.ora file or set to empty string; also see the TWO_TASK environment variable if DBName is set to +# empty string. # # Mandatory: yes # Default: @@ -91,14 +105,14 @@ DBHost={{ zabbix_server_db_host }} DBName={{ zabbix_server_db_name }} ### Option: DBSchema -# Schema name. Used for IBM DB2 and PostgreSQL. +# Schema name. Used for PostgreSQL. # # Mandatory: no # Default: # DBSchema= ### Option: DBUser -# Database user. Ignored for SQLite. +# Database user. # # Mandatory: no # Default: @@ -107,7 +121,7 @@ DBName={{ zabbix_server_db_name }} DBUser={{ zabbix_server_db_user }} ### Option: DBPassword -# Database password. Ignored for SQLite. +# Database password. # Comment this line if no password is used. # # Mandatory: no 
@@ -119,15 +133,75 @@ DBPassword={{ zabbix_server_db_passwd }} # # Mandatory: no # Default: -# DBSocket=/tmp/mysql.sock +# DBSocket= ### Option: DBPort -# Database port when not using local socket. Ignored for SQLite. +# Database port when not using local socket. +# If the Net Service Name connection method is used to connect to Oracle database, the port number from the +# tnsnames.ora file will be used. The port number set here will be ignored. # # Mandatory: no # Range: 1024-65535 -# Default (for MySQL): -# DBPort=3306 +# Default: +# DBPort= + +### Option: AllowUnsupportedDBVersions +# Allow server to work with unsupported database versions. +# 0 - do not allow +# 1 - allow +# +# Mandatory: no +# Default: +# AllowUnsupportedDBVersions=0 + +### Option: HistoryStorageURL +# History storage HTTP[S] URL. +# +# Mandatory: no +# Default: +# HistoryStorageURL= + +### Option: HistoryStorageTypes +# Comma separated list of value types to be sent to the history storage. +# +# Mandatory: no +# Default: +# HistoryStorageTypes=uint,dbl,str,log,text + +### Option: HistoryStorageDateIndex +# Enable preprocessing of history values in history storage to store values in different indices based on date. +# 0 - disable +# 1 - enable +# +# Mandatory: no +# Default: +# HistoryStorageDateIndex=0 + +### Option: ExportDir +# Directory for real time export of events, history and trends in newline delimited JSON format. +# If set, enables real time export. +# +# Mandatory: no +# Default: +# ExportDir= + +### Option: ExportFileSize +# Maximum size per export file in bytes. +# Only used for rotation if ExportDir is set. +# +# Mandatory: no +# Range: 1M-1G +# Default: +# ExportFileSize=1G + +### Option: ExportType +# List of comma delimited types of real time export - allows to control export entities by their +# type (events, history, trends) individually. +# Valid only if ExportDir is set. 
+# +# Mandatory: no +# Default: +# ExportType=events,history,trends ############ ADVANCED PARAMETERS ################ @@ -141,12 +215,22 @@ StartPollers={{ zabbix_server_pollers }} ### Option: StartIPMIPollers # Number of pre-forked instances of IPMI pollers. +# The IPMI manager process is automatically started when at least one IPMI poller is started. # # Mandatory: no # Range: 0-1000 # Default: # StartIPMIPollers={{ zabbix_server_ipmi_pollers }} +### Option: StartPreprocessors +# Number of pre-forked instances of preprocessing workers. +# The preprocessing manager process is automatically started when preprocessor worker is started. +# +# Mandatory: no +# Range: 1-1000 +# Default: +# StartPreprocessors=3 + ### Option: StartPollersUnreachable # Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). # At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers @@ -157,6 +241,16 @@ StartPollers={{ zabbix_server_pollers }} # Default: # StartPollersUnreachable=1 +### Option: StartHistoryPollers +# Number of pre-forked instances of history pollers. +# Only required for calculated and internal checks. +# A database connection is required for each history poller instance. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartHistoryPollers=5 + ### Option: StartTrappers # Number of pre-forked instances of trappers. # Trappers accept incoming connections from Zabbix sender, active agents and active proxies. @@ -194,8 +288,9 @@ StartPollers={{ zabbix_server_pollers }} ### Option: StartTimers # Number of pre-forked instances of timers. -# Timers process time-based trigger functions and maintenance periods. -# Only the first timer process handles the maintenance periods. +# Timers process maintenance periods. +# Only the first timer process handles host maintenance updates. Problem suppression updates are shared +# between all timers. # # Mandatory: no # Range: 1-1000 
@@ -206,10 +301,19 @@ StartPollers={{ zabbix_server_pollers }} # Number of pre-forked instances of escalators. # # Mandatory: no -# Range: 0-100 +# Range: 1-100 # Default: # StartEscalators=1 +### Option: StartAlerters +# Number of pre-forked instances of alerters. +# Alerters send the notifications created by action operations. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartAlerters=3 + ### Option: JavaGateway # IP address (or hostname) of Zabbix Java gateway. # Only required if Java pollers are started. @@ -284,6 +388,8 @@ StartPollers={{ zabbix_server_pollers }} # Default: # SNMPTrapperFile=/tmp/zabbix_traps.tmp +SNMPTrapperFile=/var/log/snmptrap/snmptrap.log + ### Option: StartSNMPTrapper # If 1, SNMP trapper process is started. # @@ -298,8 +404,6 @@ StartPollers={{ zabbix_server_pollers }} # # Mandatory: no # Default: -# ListenIP=0.0.0.0 - ListenIP=0.0.0.0 ### Option: HousekeepingFrequency @@ -322,7 +426,6 @@ ListenIP=0.0.0.0 # [housekeeperid], [tablename], [field], [value]. # No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value]) # will be deleted per one task in one housekeeping cycle. -# SQLite3 does not use this parameter, deletes all corresponding rows without a limit. # If set to 0 then no limit is used at all. In this case you must know what you are doing! # # Mandatory: no @@ -330,20 +433,12 @@ ListenIP=0.0.0.0 # Default: # MaxHousekeeperDelete=5000 -### Option: SenderFrequency -# How often Zabbix will try to send unsent alerts (in seconds). -# -# Mandatory: no -# Range: 5-3600 -# Default: -# SenderFrequency=30 - ### Option: CacheSize # Size of configuration cache, in bytes. # Shared memory size for storing host, item and trigger data. # # Mandatory: no -# Range: 128K-8G +# Range: 128K-64G # Default: CacheSize={{ zabbix_cachesize }} 
@@ -382,7 +477,7 @@ CacheSize={{ zabbix_cachesize }} # HistoryIndexCacheSize=4M ### Option: TrendCacheSize -# Size of trend cache, in bytes. +# Size of trend write cache, in bytes. # Shared memory size for storing trends data. # # Mandatory: no @@ -390,6 +485,15 @@ CacheSize={{ zabbix_cachesize }} # Default: # TrendCacheSize=4M +### Option: TrendFunctionCacheSize +# Size of trend function cache, in bytes. +# Shared memory size for caching calculated trend function data. +# +# Mandatory: no +# Range: 128K-2G +# Default: +# TrendFunctionCacheSize=4M + ### Option: ValueCacheSize # Size of history value cache, in bytes. # Shared memory size for caching item history data requests. @@ -445,6 +549,7 @@ Timeout={{ zabbix_server_timeout }} ### Option: AlertScriptsPath # Full path to location of custom alert scripts. # Default depends on compilation options. +# To see the default path run command "zabbix_server --help". # # Mandatory: no # Default: @@ -455,6 +560,7 @@ AlertScriptsPath={{ zabbix_server_alert_scripts }} ### Option: ExternalScripts # Full path to location of external scripts. # Default depends on compilation options. +# To see the default path run command "zabbix_server --help". # # Mandatory: no # Default: @@ -535,6 +641,14 @@ LogSlowQueries={{ zabbix_server_queries_slow }} # Default: # ProxyDataFrequency=1 +### Option: StartLLDProcessors +# Number of pre-forked instances of low level discovery processors. +# +# Mandatory: no +# Range: 1-100 +# Default: +# StartLLDProcessors=2 + ### Option: AllowRoot # Allow the server to run as 'root'. If disabled and the server is started by 'root', the server # will try to switch to the user specified by the User configuration option instead. 
@@ -569,6 +683,8 @@ LogSlowQueries={{ zabbix_server_queries_slow }} ### Option: SSLCertLocation # Location of SSL client certificates. # This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". # # Mandatory: no # Default: @@ -577,6 +693,8 @@ LogSlowQueries={{ zabbix_server_queries_slow }} ### Option: SSLKeyLocation # Location of private keys for SSL client certificates. # This parameter is used only in web monitoring. +# Default depends on compilation options. +# To see the default path run command "zabbix_server --help". # # Mandatory: no # Default: @@ -591,11 +709,25 @@ LogSlowQueries={{ zabbix_server_queries_slow }} # Default: # SSLCALocation= +### Option: StatsAllowedIP +# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances. +# Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests +# will be accepted. +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally +# and '::/0' will allow any IPv4 or IPv6 address. +# '0.0.0.0/0' can be used to allow any IPv4 address. +# Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com +# +# Mandatory: no +# Default: +# StatsAllowedIP=127.0.0.1 + ####### LOADABLE MODULES ####### ### Option: LoadModulePath # Full path to location of server modules. # Default depends on compilation options. +# To see the default path run command "zabbix_server --help". # # Mandatory: no # Default: 
@@ -603,8 +735,12 @@ LogSlowQueries={{ zabbix_server_queries_slow }} ### Option: LoadModule # Module to load at server startup. Modules are used to extend functionality of the server. -# Format: LoadModule= -# The modules must be located in directory specified by LoadModulePath. +# Formats: +# LoadModule= +# LoadModule= +# LoadModule= +# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. +# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. # It is allowed to include multiple LoadModule parameters. # # Mandatory: no 
@@ -641,3 +777,225 @@ LogSlowQueries={{ zabbix_server_queries_slow }} # Mandatory: no # Default: # TLSKeyFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +### Option: DBTLSConnect +# Setting this option enforces to use TLS connection to database. +# required - connect using TLS +# verify_ca - connect using TLS and verify certificate +# verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost +# matches its certificate +# On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and +# "verify_full". +# On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported. +# Default is not to set any option and behavior depends on database configuration +# +# Mandatory: no +# Default: +# DBTLSConnect= + +### Option: DBTLSCAFile +# Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# (yes, if DBTLSConnect set to one of: verify_ca, verify_full) +# Default: +# DBTLSCAFile= + +### Option: DBTLSCertFile +# Full pathname of file containing Zabbix server certificate for authenticating to database. +# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSCertFile= + +### Option: DBTLSKeyFile +# Full pathname of file containing the private key for authenticating to database. 
+# Supported only for MySQL and PostgreSQL +# +# Mandatory: no +# Default: +# DBTLSKeyFile= + +### Option: DBTLSCipher +# The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2 +# Supported only for MySQL +# +# Mandatory no +# Default: +# DBTLSCipher= + +### Option: DBTLSCipher13 +# The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol +# Supported only for MySQL, starting from version 8.0.16 +# +# Mandatory no +# Default: +# DBTLSCipher13= + +### Option: VaultToken +# Vault authentication token that should have been generated exclusively for Zabbix server with read only permission +# to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath +# configuration parameter. +# It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time. +# +# Mandatory: no +# Default: +# VaultToken= + +### Option: VaultURL +# Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. +# +# Mandatory: no +# Default: +# VaultURL=https://127.0.0.1:8200 + +### Option: VaultDBPath +# Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. +# Example: secret/zabbix/database +# This option can only be used if DBUser and DBPassword are not specified. +# +# Mandatory: no +# Default: +# VaultDBPath= + +### Option: StartReportWriters +# Number of pre-forked report writer instances. +# +# Mandatory: no +# Range: 0-100 +# Default: +# StartReportWriters=0 + +### Option: WebServiceURL +# URL to Zabbix web service, used to perform web related tasks. +# Example: http://localhost:10053/report +# +# Mandatory: no +# Default: +# WebServiceURL= + +### Option: ServiceManagerSyncFrequency +# How often Zabbix will synchronize configuration of a service manager (in seconds). 
+# +# Mandatory: no +# Range: 1-3600 +# Default: +# ServiceManagerSyncFrequency=60 + +### Option: ProblemHousekeepingFrequency +# How often Zabbix will delete problems for deleted triggers (in seconds). +# +# Mandatory: no +# Range: 1-3600 +# Default: +# ProblemHousekeepingFrequency=60 + +## Option: StartODBCPollers +# Number of pre-forked ODBC poller instances. +# +# Mandatory: no +# Range: 0-1000 +# Default: +# StartODBCPollers=1 + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= + + +####### High availability cluster parameters ####### + +## Option: HANodeName +# The high availability cluster node name. +# When empty, server is working in standalone mode; a node with empty name is registered with address for the frontend to connect to. +# +# Mandatory: no +# Default: +# HANodeName= + +## Option: NodeAddress +# IP or hostname with optional port to specify how frontend should connect to the server. +# Format:
[:] +# +# If IP or hostname is not set, then ListenIP value will be used. In case ListenIP is not set, localhost will be used. +# If port is not set, then ListenPort value will be used. In case ListenPort is not set, 10051 will be used. +# This option can be overridden by address specified in frontend configuration. +# +# Mandatory: no +# Default: +# NodeAddress=localhost:10051 diff --git a/templates/zabbix.conf.php.j2 b/templates/zabbix.conf.php.j2 deleted file mode 100644 index a14ae5e..0000000 --- a/templates/zabbix.conf.php.j2 +++ /dev/null @@ -1,19 +0,0 @@ -
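Review bot: `DBTLSConnect`, `DBTLSCAFile` and the other `DBTLS*` options arrive in this hunk only as commented-out upstream defaults, so the role offers no way to enable TLS on the database connection short of editing the template. The README in this same commit describes running MariaDB on a different server than Zabbix, and in that layout the database credentials and monitoring data cross the network with whatever the database configuration happens to allow (the option text says the unset default "depends on database configuration"). I would template these the way `CacheSize` and `Timeout` already are, for example `{% if zabbix_server_dbtlsconnect is defined %}DBTLSConnect={{ zabbix_server_dbtlsconnect }}{% endif %}` with a matching `DBTLSCAFile` line; the variable names are only a suggestion and would need entries in `defaults/main.yml`. Per the option text, MariaDB accepts `required` and `verify_full`, and `verify_full` needs the CA file set.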