From 892e59371d2caffb9935f0de01fdc42444f5000f Mon Sep 17 00:00:00 2001 From: DEFERME Bert Date: Thu, 28 Jul 2022 13:23:49 +0200 Subject: [PATCH 01/26] Add sensitive support --- manifests/database.pp | 34 +- manifests/database/mysql.pp | 37 ++- manifests/database/postgresql.pp | 28 +- manifests/init.pp | 4 +- manifests/params.pp | 8 +- manifests/proxy.pp | 100 +++++- manifests/resources/web.pp | 8 +- manifests/server.pp | 107 +++++- manifests/web.pp | 123 ++++--- templates/api.conf.epp | 8 +- templates/web/zabbix.conf.php.epp | 83 +++++ templates/web/zabbix.conf.php.erb | 64 ---- ...x_proxy.conf.erb => zabbix_proxy.conf.epp} | 307 ++++++++++++------ ...server.conf.erb => zabbix_server.conf.epp} | 304 +++++++++++------ 14 files changed, 830 insertions(+), 385 deletions(-) create mode 100644 templates/web/zabbix.conf.php.epp delete mode 100644 templates/web/zabbix.conf.php.erb rename templates/{zabbix_proxy.conf.erb => zabbix_proxy.conf.epp} (58%) rename templates/{zabbix_server.conf.erb => zabbix_server.conf.epp} (57%) diff --git a/manifests/database.pp b/manifests/database.pp index cfa124094..4e1f49c79 100644 --- a/manifests/database.pp +++ b/manifests/database.pp 
@@ -64,23 +64,23 @@ # the zabbix_server and zabbix_web parameter. # @author Werner Dijkerman ikben@werner-dijkerman.nl class zabbix::database ( - $zabbix_type = 'server', - $zabbix_web = $zabbix::params::zabbix_web, - $zabbix_web_ip = $zabbix::params::zabbix_web_ip, - $zabbix_server = $zabbix::params::zabbix_server, - $zabbix_server_ip = $zabbix::params::zabbix_server_ip, - $zabbix_proxy = $zabbix::params::zabbix_proxy, - $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip, - $manage_database = $zabbix::params::manage_database, - Zabbix::Databases $database_type = $zabbix::params::database_type, - $database_schema_path = $zabbix::params::database_schema_path, - $database_name = $zabbix::params::server_database_name, - $database_user = $zabbix::params::server_database_user, - $database_password = $zabbix::params::server_database_password, - $database_host = $zabbix::params::server_database_host, - $database_host_ip = $zabbix::params::server_database_host_ip, - $database_charset = $zabbix::params::server_database_charset, - $database_collate = $zabbix::params::server_database_collate, + $zabbix_type = 'server', + $zabbix_web = $zabbix::params::zabbix_web, + $zabbix_web_ip = $zabbix::params::zabbix_web_ip, + $zabbix_server = $zabbix::params::zabbix_server, + $zabbix_server_ip = $zabbix::params::zabbix_server_ip, + $zabbix_proxy = $zabbix::params::zabbix_proxy, + $zabbix_proxy_ip = $zabbix::params::zabbix_proxy_ip, + $manage_database = $zabbix::params::manage_database, + Zabbix::Databases $database_type = $zabbix::params::database_type, + $database_schema_path = $zabbix::params::database_schema_path, + $database_name = $zabbix::params::server_database_name, + $database_user = $zabbix::params::server_database_user, + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password, + $database_host = $zabbix::params::server_database_host, + $database_host_ip = $zabbix::params::server_database_host_ip, + $database_charset 
= $zabbix::params::server_database_charset, + $database_collate = $zabbix::params::server_database_collate, Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace, ) inherits zabbix::params { # So lets create the databases and load all files. This can only be diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp index bf6a923dc..75c6d2412 100644 --- a/manifests/database/mysql.pp +++ b/manifests/database/mysql.pp @@ -11,18 +11,24 @@ # @param database_path Path to the database executable # @author Werner Dijkerman class zabbix::database::mysql ( - $zabbix_type = '', - $zabbix_version = $zabbix::params::zabbix_version, - $database_schema_path = '', - $database_name = '', - $database_user = '', - $database_password = '', - $database_host = '', - Optional[Stdlib::Port::Unprivileged] $database_port = undef, - $database_path = $zabbix::params::database_path, + $zabbix_type = '', + $zabbix_version = $zabbix::params::zabbix_version, + $database_schema_path = '', + $database_name = '', + $database_user = '', + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = '', + $database_host = '', + Optional[Stdlib::Port::Unprivileged] $database_port = undef, + $database_path = $zabbix::params::database_path, ) inherits zabbix::params { assert_private() + $database_password_unsensitive = if $database_password =~ Sensitive[String] { + $database_password.unwrap + } else { + $database_password + } + if ($database_schema_path == false) or ($database_schema_path == '') { if versioncmp($zabbix_version, '6.0') >= 0 { $schema_path = '/usr/share/zabbix-sql-scripts/mysql/' 
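Review bot: The new type on `$database_password` in `zabbix::database::mysql` rejects its own default: `''` is an empty string, which matches neither `String[1]` nor `Undef`, so declaring the class without a password should fail the parameter type check. `zabbix::database::postgresql` uses `undef` for the same parameter in this patch, and the same default fits here: `Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef,`. The class body continues outside the hunk, so how an undef password then reaches the `mysql` command line still needs checking.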
@@ -45,14 +51,14 @@ case $zabbix_type { 'proxy': { $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? { - true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done", - false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done" + true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done", + false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done" } } default: { $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? 
{ - true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done", - false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done" + true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done", + false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done" } $zabbix_server_images_sql = 'touch /etc/zabbix/.images.done' $zabbix_server_data_sql = 'touch /etc/zabbix/.data.done' @@ -60,6 +66,7 @@ } # Loading the sql files. + $_mysql_env = [ "database_password=${database_password_unsensitive}" ] case $zabbix_type { 'proxy' : { exec { 'zabbix_proxy_create.sql': @@ -67,6 +74,7 @@ path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", unless => 'test -f /etc/zabbix/.schema.done', provider => 'shell', + environment => $_mysql_env, } } 'server' : { 
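Review bot: The four rewritten command strings still hand the password to the client as an argument: `-p\"\${database_password}\"` is expanded by the shell, so the cleartext value lands in the `mysql` process's argument list, which is typically visible in process listings for at least part of the schema import. Moving the value into the exec environment keeps it out of the Puppet-side command string, but not out of argv. The client can read it from the environment itself: drop the `-p...` token from the commands and define `$_mysql_env = ["MYSQL_PWD=${database_password_unsensitive}"]` in the later hunk. `MYSQL_PWD` is deprecated in recent MySQL releases, so a root-only option file passed with `--defaults-extra-file` is the longer-lived alternative.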
@@ -75,18 +83,21 @@ path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", unless => 'test -f /etc/zabbix/.schema.done', provider => 'shell', + environment => $_mysql_env, } -> exec { 'zabbix_server_images.sql': command => $zabbix_server_images_sql, path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", unless => 'test -f /etc/zabbix/.images.done', provider => 'shell', + environment => $_mysql_env, } -> exec { 'zabbix_server_data.sql': command => $zabbix_server_data_sql, path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", unless => 'test -f /etc/zabbix/.data.done', provider => 'shell', + environment => $_mysql_env, } } default : { diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp index eb73c6588..cbeed173f 100644 --- a/manifests/database/postgresql.pp +++ b/manifests/database/postgresql.pp 
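Review bot: `environment => $_mysql_env` is also added to `zabbix_server_images.sql` and `zabbix_server_data.sql`, whose commands in the visible default branch are plain `touch /etc/zabbix/.images.done` and `touch /etc/zabbix/.data.done`. Those two execs never start a database client, so the unwrapped password is placed in their environment, and in two more resources of the compiled catalog, for no benefit. Keep the attribute only on the first exec of the `'server'` branch (its title is outside the hunk) and on the proxy exec, with a comment such as `# password is passed via the environment so it never appears in the command string`.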
@@ -11,18 +11,24 @@ # @param database_path Path to the database executable # @author Werner Dijkerman class zabbix::database::postgresql ( - $zabbix_type = '', - $zabbix_version = $zabbix::params::zabbix_version, - $database_schema_path = '', - $database_name = '', - $database_user = '', - $database_password = '', - $database_host = '', - Stdlib::Port::Unprivileged $database_port = 5432, - $database_path = $zabbix::params::database_path, + $zabbix_type = '', + $zabbix_version = $zabbix::params::zabbix_version, + $database_schema_path = '', + $database_name = '', + $database_user = '', + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef, + $database_host = '', + Stdlib::Port::Unprivileged $database_port = 5432, + $database_path = $zabbix::params::database_path, ) inherits zabbix::params { assert_private() + $database_password_unsensitive = if $database_password =~ Sensitive[String] { + $database_password.unwrap + } else { + $database_password + } + if ($database_schema_path == false) or ($database_schema_path == '') { if member(['CentOS', 'RedHat', 'OracleLinux', 'VirtuozzoLinux'], $facts['os']['name']) { if versioncmp($zabbix_version, '6.0') >= 0 { @@ -63,9 +69,9 @@ } exec { 'update_pgpass': - command => "echo ${database_host}:${database_port}:${database_name}:${database_user}:${database_password} >> /root/.pgpass", + command => "echo ${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive} >> /root/.pgpass", path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => "grep \"${database_host}:${database_port}:${database_name}:${database_user}:${database_password}\" /root/.pgpass", + unless => "grep \"${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive}\" /root/.pgpass", require => File['/root/.pgpass'], } diff --git a/manifests/init.pp b/manifests/init.pp index 7a23864c2..66ba45a7e 100644 --- a/manifests/init.pp 
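Review bot: In `update_pgpass` the password is unwrapped and interpolated straight into the `command` and `unless` strings, so the `Sensitive` wrapper gives no protection here: the cleartext is part of the exec's command in the catalog, of any log line that prints the command, and of `grep`'s argument list. It is also unquoted in the `echo`, so a password containing spaces or shell metacharacters is split or interpreted by the shell, and `grep` treats it as a regular expression rather than a literal. Passing the line through the environment, as `mysql.pp` does in this patch, addresses all three (assuming the `unless` check runs with the same environment): `environment => ["PGPASS_LINE=${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive}"],`, `command => 'echo "$PGPASS_LINE" >> /root/.pgpass',` and `unless => 'grep -qxF "$PGPASS_LINE" /root/.pgpass',`.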
+++ b/manifests/init.pp @@ -249,7 +249,7 @@ Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey, Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert, $zabbix_api_user = $zabbix::params::server_api_user, - $zabbix_api_pass = $zabbix::params::server_api_pass, + Optional[Variant[String[1], Sensitive[String[1]]]] $zabbix_api_pass = $zabbix::params::server_api_pass, $listenport = $zabbix::params::server_listenport, $sourceip = $zabbix::params::server_sourceip, Enum['console', 'file', 'system'] $logtype = $zabbix::params::server_logtype, @@ -262,7 +262,7 @@ $database_schema = $zabbix::params::server_database_schema, Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754, $database_user = $zabbix::params::server_database_user, - $database_password = $zabbix::params::server_database_password, + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password, $database_socket = $zabbix::params::server_database_socket, $database_port = $zabbix::params::server_database_port, $database_charset = $zabbix::params::server_database_charset, diff --git a/manifests/params.pp b/manifests/params.pp index 07470e85e..38639257f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -182,7 +182,7 @@ $ldap_clientcert = undef $ldap_clientkey = undef $ldap_reqcert = undef - $server_api_pass = 'zabbix' + $server_api_pass = Sensitive('zabbix') $server_api_user = 'Admin' $server_database_double_ieee754 = false $saml_sp_key = undef @@ -203,7 +203,7 @@ $server_database_host = 'localhost' $server_database_host_ip = '127.0.0.1' $server_database_name = 'zabbix_server' - $server_database_password = 'zabbix_server' + $server_database_password = Sensitive('zabbix_server') $server_database_port = undef $server_database_schema = undef $server_database_socket = undef 
@@ -240,6 +240,7 @@ $server_snmptrapperfile = '/tmp/zabbix_traps.tmp' $server_sourceip = undef $server_sshkeylocation = undef + $server_sslcalocation = undef $server_sslcertlocation = '/usr/lib/zabbix/ssl/certs' $server_sslkeylocation = '/usr/lib/zabbix/ssl/keys' $server_startdbsyncers = '4' @@ -288,6 +289,7 @@ $server_vaulturl = 'https://127.0.0.1:8200' $server_vmwarecachesize = '8M' $server_vmwarefrequency = '60' + $server_vmwareperffrequency = undef $server_vmwaretimeout = undef $server_socketdir = undef @@ -369,7 +371,7 @@ $proxy_configfrequency = '3600' $proxy_database_host = 'localhost' $proxy_database_name = 'zabbix_proxy' - $proxy_database_password = 'zabbix-proxy' + $proxy_database_password = Sensitive('zabbix-proxy') $proxy_database_port = undef $proxy_database_schema = undef $proxy_database_socket = undef diff --git a/manifests/proxy.pp b/manifests/proxy.pp index 741dbf8e6..0b8b3ab54 100644 --- a/manifests/proxy.pp +++ b/manifests/proxy.pp @@ -219,7 +219,7 @@ $database_name = $zabbix::params::proxy_database_name, $database_schema = $zabbix::params::proxy_database_schema, $database_user = $zabbix::params::proxy_database_user, - $database_password = $zabbix::params::proxy_database_password, + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::proxy_database_password, $database_socket = $zabbix::params::proxy_database_socket, $database_port = $zabbix::params::proxy_database_port, $database_charset = $zabbix::params::server_database_charset, 
@@ -507,7 +507,103 @@ mode => '0644', require => Package["zabbix-proxy-${db}"], replace => true, - content => template('zabbix/zabbix_proxy.conf.erb'), + content => Sensitive(epp('zabbix/zabbix_proxy.conf.epp', { + 'allowroot' => $allowroot, + 'cachesize' => $cachesize, + 'configfrequency' => $configfrequency, + 'database_host' => $database_host, + 'database_name' => $database_name, + 'database_password' => $database_password, + 'database_port' => $database_port, + 'database_schema' => $database_schema, + 'database_socket' => $database_socket, + 'database_tlscafile' => $database_tlscafile, + 'database_tlscertfile' => $database_tlscertfile, + 'database_tlscipher' => $database_tlscipher, + 'database_tlscipher13' => $database_tlscipher13, + 'database_tlsconnect' => $database_tlsconnect, + 'database_tlskeyfile' => $database_tlskeyfile, + 'database_user' => $database_user, + 'datasenderfrequency' => $datasenderfrequency, + 'debuglevel' => $debuglevel, + 'enableremotecommands' => $enableremotecommands, + 'externalscripts' => $externalscripts, + 'fping6location' => $fping6location, + 'fpinglocation' => $fpinglocation, + 'heartbeatfrequency' => $heartbeatfrequency, + 'historycachesize' => $historycachesize, + 'historyindexcachesize' => $historyindexcachesize, + 'hostname' => $hostname, + 'housekeepingfrequency' => $housekeepingfrequency, + 'include_dir' => $include_dir, + 'javagateway' => $javagateway, + 'javagatewayport' => $javagatewayport, + 'listenip' => $listenip, + 'listenport' => $listenport, + 'loadmodule' => $loadmodule, + 'loadmodulepath' => $loadmodulepath, + 'localbuffer' => $localbuffer, + 'logfile' => $logfile, + 'logfilesize' => $logfilesize, + 'logremotecommands' => $logremotecommands, + 'logslowqueries' => $logslowqueries, + 'logtype' => $logtype, + 'mode' => $mode, + 'offlinebuffer' => $offlinebuffer, + 'pidfile' => $pidfile, + 'snmptrapper' => $snmptrapper, + 'snmptrapperfile' => $snmptrapperfile, + 'socketdir' => $socketdir, + 'sourceip' => $sourceip, + 
'sshkeylocation' => $sshkeylocation, + 'sslcalocation_dir' => $sslcalocation_dir, + 'sslcertlocation_dir' => $sslcertlocation_dir, + 'sslkeylocation_dir' => $sslkeylocation_dir, + 'startdbsyncers' => $startdbsyncers, + 'startdiscoverers' => $startdiscoverers, + 'starthttppollers' => $starthttppollers, + 'startipmipollers' => $startipmipollers, + 'startjavapollers' => $startjavapollers, + 'startpingers' => $startpingers, + 'startpollers' => $startpollers, + 'startpollersunreachable' => $startpollersunreachable, + 'startpreprocessors' => $startpreprocessors, + 'starttrappers' => $starttrappers, + 'startvmwarecollectors' => $startvmwarecollectors, + 'timeout' => $timeout, + 'tlsaccept' => $tlsaccept, + 'tlscafile' => $tlscafile, + 'tlscertfile' => $tlscertfile, + 'tlscipherall' => $tlscipherall, + 'tlscipherall13' => $tlscipherall13, + 'tlsciphercert' => $tlsciphercert, + 'tlsciphercert13' => $tlsciphercert13, + 'tlscipherpsk' => $tlscipherpsk, + 'tlscipherpsk13' => $tlscipherpsk13, + 'tlsconnect' => $tlsconnect, + 'tlscrlfile' => $tlscrlfile, + 'tlskeyfile' => $tlskeyfile, + 'tlspskfile' => $tlspskfile, + 'tlspskidentity' => $tlspskidentity, + 'tlsservercertissuer' => $tlsservercertissuer, + 'tlsservercertsubject' => $tlsservercertsubject, + 'tmpdir' => $tmpdir, + 'trappertimeout' => $trappertimeout, + 'unavaliabledelay' => $unavaliabledelay, + 'unreachabedelay' => $unreachabedelay, + 'unreachableperiod' => $unreachableperiod, + 'vaultdbpath' => $vaultdbpath, + 'vaulttoken' => $vaulttoken, + 'vaulturl' => $vaulturl, + 'vmwarecachesize' => $vmwarecachesize, + 'vmwarefrequency' => $vmwarefrequency, + 'vmwareperffrequency' => $vmwareperffrequency, + 'vmwaretimeout' => $vmwaretimeout, + 'zabbix_server_host' => $zabbix_server_host, + 'zabbix_server_port' => $zabbix_server_port, + 'zabbix_user' => $zabbix::params::server_zabbix_user, + 'zabbix_version' => $zabbix_version, + })), } # Include dir for specific zabbix-proxy checks. 
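Review bot: The context line above the new `content` still sets `mode => '0644'`, so the rendered proxy config, which carries `database_password` and `vaulttoken`, stays readable by every local user even though the content is now wrapped in `Sensitive(...)` to keep it out of logs and reports. `manifests/server.pp` uses `mode => '0640'` for the equivalent file in this patch, and the proxy resource should match: `mode => '0640',`. The resource's owner and group lines are outside the hunk, so confirm the group is the one the proxy daemon runs under before tightening.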
diff --git a/manifests/resources/web.pp b/manifests/resources/web.pp index 8de4c2c97..9c55fcf66 100644 --- a/manifests/resources/web.pp +++ b/manifests/resources/web.pp @@ -4,10 +4,10 @@ # @param zabbix_pass API password. # @param apache_use_ssl Whether to use ssl or not. class zabbix::resources::web ( - String[1] $zabbix_url, - String[1] $zabbix_user, - String[1] $zabbix_pass, - Boolean $apache_use_ssl, + String[1] $zabbix_url, + String[1] $zabbix_user, + Variant[String[1], Sensitive[String[1]]] $zabbix_pass, + Boolean $apache_use_ssl, ) { file { '/etc/zabbix/api.conf': ensure => file, diff --git a/manifests/server.pp b/manifests/server.pp index 41d8f73b0..8eeb63ffc 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -66,6 +66,9 @@ # @param startreportwriters Number of pre-forked report writer instances. # @param webserviceurl URL to Zabbix web service, used to perform web related tasks. # @param vmwarefrequency How often zabbix will connect to vmware service to obtain a new datan. +# @param vmwareperffrequency +# Delay in seconds between performance counter statistics retrieval from a single VMware service. +# This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters. # @param vaultdbpath Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. # @param vaulttoken # Vault authentication token that should have been generated exclusively for Zabbix proxy with read-only 
@@ -132,6 +135,7 @@ # @param include_dir You may include individual files or all files in a directory in the configuration file. # @param loadmodulepath Full path to location of server modules. # @param loadmodule Module to load at server startup. +# @param sslcalocation_dir Location of certificate authority (CA) files for SSL server certificate verification. # @param sslcertlocation_dir Location of SSL client certificate files for client authentication. # @param sslkeylocation_dir Location of SSL private key files for client authentication. # @param manage_selinux Whether we should manage SELinux rules. @@ -191,7 +195,7 @@ $database_name = $zabbix::params::server_database_name, $database_schema = $zabbix::params::server_database_schema, $database_user = $zabbix::params::server_database_user, - $database_password = $zabbix::params::server_database_password, + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password, $database_socket = $zabbix::params::server_database_socket, Optional[Stdlib::Port::Unprivileged] $database_port = $zabbix::params::server_database_port, Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect, @@ -221,6 +225,7 @@ Optional[String[1]] $vaulttoken = $zabbix::params::server_vaulttoken, Stdlib::HTTPSUrl $vaulturl = $zabbix::params::server_vaulturl, $vmwarefrequency = $zabbix::params::server_vmwarefrequency, + $vmwareperffrequency = $zabbix::params::server_vmwareperffrequency, $vmwarecachesize = $zabbix::params::server_vmwarecachesize, $vmwaretimeout = $zabbix::params::server_vmwaretimeout, $snmptrapperfile = $zabbix::params::server_snmptrapperfile, 
@@ -264,8 +269,9 @@ $include_dir = $zabbix::params::server_include, $loadmodulepath = $zabbix::params::server_loadmodulepath, $loadmodule = $zabbix::params::server_loadmodule, - $sslcertlocation_dir = $zabbix::params::server_sslcertlocation, - $sslkeylocation_dir = $zabbix::params::server_sslkeylocation, + Optional[Stdlib::Absolutepath] $sslcalocation_dir = $zabbix::params::server_sslcalocation, + Optional[Stdlib::Absolutepath] $sslcertlocation_dir = $zabbix::params::server_sslcertlocation, + Optional[Stdlib::Absolutepath] $sslkeylocation_dir = $zabbix::params::server_sslkeylocation, Boolean $manage_selinux = $zabbix::params::manage_selinux, String $additional_service_params = $zabbix::params::additional_service_params, Optional[String[1]] $zabbix_user = $zabbix::params::server_zabbix_user, 
@@ -446,7 +452,100 @@ mode => '0640', require => Package["zabbix-server-${db}"], replace => true, - content => template('zabbix/zabbix_server.conf.erb'), + content => Sensitive(epp('zabbix/zabbix_server.conf.epp', { + 'alertscriptspath' => $alertscriptspath, + 'allowroot' => $allowroot, + 'cachesize' => $cachesize, + 'cacheupdatefrequency' => $cacheupdatefrequency, + 'database_host' => $database_host, + 'database_name' => $database_name, + 'database_password' => $database_password, + 'database_port' => $database_port, + 'database_schema' => $database_schema, + 'database_socket' => $database_socket, + 'database_tlscafile' => $database_tlscafile, + 'database_tlscertfile' => $database_tlscertfile, + 'database_tlscipher' => $database_tlscipher, + 'database_tlscipher13' => $database_tlscipher13, + 'database_tlsconnect' => $database_tlsconnect, + 'database_tlskeyfile' => $database_tlskeyfile, + 'database_user' => $database_user, + 'debuglevel' => $debuglevel, + 'externalscripts' => $externalscripts, + 'fping6location' => $fping6location, + 'fpinglocation' => $fpinglocation, + 'historycachesize' => $historycachesize, + 'historyindexcachesize' => $historyindexcachesize, + 'housekeepingfrequency' => $housekeepingfrequency, + 'include_dir' => $include_dir, + 'javagateway' => $javagateway, + 'javagatewayport' => $javagatewayport, + 'listenip' => $listenip, + 'listenport' => $listenport, + 'loadmodule' => $loadmodule, + 'loadmodulepath' => $loadmodulepath, + 'logfile' => $logfile, + 'logfilesize' => $logfilesize, + 'logslowqueries' => $logslowqueries, + 'logtype' => $logtype, + 'maxhousekeeperdelete' => $maxhousekeeperdelete, + 'pidfile' => $pidfile, + 'proxyconfigfrequency' => $proxyconfigfrequency, + 'proxydatafrequency' => $proxydatafrequency, + 'snmptrapperfile' => $snmptrapperfile, + 'socketdir' => $socketdir, + 'sourceip' => $sourceip, + 'sshkeylocation' => $sshkeylocation, + 'sslcalocation_dir' => $sslcalocation_dir, + 'sslcertlocation_dir' => $sslcertlocation_dir, + 
'sslkeylocation_dir' => $sslkeylocation_dir, + 'startalerters' => $startalerters, + 'startdbsyncers' => $startdbsyncers, + 'startdiscoverers' => $startdiscoverers, + 'startescalators' => $startescalators, + 'starthttppollers' => $starthttppollers, + 'startipmipollers' => $startipmipollers, + 'startjavapollers' => $startjavapollers, + 'startlldprocessors' => $startlldprocessors, + 'startpingers' => $startpingers, + 'startpollers' => $startpollers, + 'startpollersunreachable' => $startpollersunreachable, + 'startpreprocessors' => $startpreprocessors, + 'startproxypollers' => $startproxypollers, + 'startreportwriters' => $startreportwriters, + 'startsnmptrapper' => $startsnmptrapper, + 'starttimers' => $starttimers, + 'starttrappers' => $starttrappers, + 'startvmwarecollectors' => $startvmwarecollectors, + 'timeout' => $timeout, + 'tlscafile' => $tlscafile, + 'tlscertfile' => $tlscertfile, + 'tlscipherall' => $tlscipherall, + 'tlscipherall13' => $tlscipherall13, + 'tlsciphercert' => $tlsciphercert, + 'tlsciphercert13' => $tlsciphercert13, + 'tlscipherpsk' => $tlscipherpsk, + 'tlscipherpsk13' => $tlscipherpsk13, + 'tlscrlfile' => $tlscrlfile, + 'tlskeyfile' => $tlskeyfile, + 'tmpdir' => $tmpdir, + 'trappertimeout' => $trappertimeout, + 'trendcachesize' => $trendcachesize, + 'unavailabledelay' => $unavailabledelay, + 'unreachabledelay' => $unreachabledelay, + 'unreachableperiod' => $unreachableperiod, + 'valuecachesize' => $valuecachesize, + 'vaultdbpath' => $vaultdbpath, + 'vaulttoken' => $vaulttoken, + 'vaulturl' => $vaulturl, + 'vmwarecachesize' => $vmwarecachesize, + 'vmwarefrequency' => $vmwarefrequency, + 'vmwareperffrequency' => $vmwareperffrequency, + 'vmwaretimeout' => $vmwaretimeout, + 'webserviceurl' => $webserviceurl, + 'zabbix_user' => $zabbix::params::server_zabbix_user, + 'zabbix_version' => $zabbix_version, + })), } # Include dir for specific zabbix-server checks. diff --git a/manifests/web.pp b/manifests/web.pp index 665ef4489..fc9a6620d 100644 
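Review bot: `'zabbix_user' => $zabbix::params::server_zabbix_user` passes the module default to the template instead of the class's own `$zabbix_user` parameter, which is declared in the parameter list earlier in this file, so an overridden user would presumably never reach `zabbix_server.conf`. If the removed ERB template read `@zabbix_user`, this is a behaviour change, and the line should likely be `'zabbix_user' => $zabbix_user,`. The proxy hunk contains the same line, but whether `zabbix::proxy` has a `$zabbix_user` parameter is not visible here.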
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -92,56 +92,56 @@ # } # @author Werner Dijkerman class zabbix::web ( - $zabbix_url = $zabbix::params::zabbix_url, - $database_type = $zabbix::params::database_type, - $manage_repo = $zabbix::params::manage_repo, - $zabbix_version = $zabbix::params::zabbix_version, - $zabbix_timezone = $zabbix::params::zabbix_timezone, - $zabbix_package_state = $zabbix::params::zabbix_package_state, - $zabbix_template_dir = $zabbix::params::zabbix_template_dir, - $web_config_owner = $zabbix::params::web_config_owner, - $web_config_group = $zabbix::params::web_config_group, - $manage_vhost = $zabbix::params::manage_vhost, - $default_vhost = $zabbix::params::default_vhost, - $manage_resources = $zabbix::params::manage_resources, - $apache_use_ssl = $zabbix::params::apache_use_ssl, - $apache_ssl_cert = $zabbix::params::apache_ssl_cert, - $apache_ssl_key = $zabbix::params::apache_ssl_key, - $apache_ssl_cipher = $zabbix::params::apache_ssl_cipher, - $apache_ssl_chain = $zabbix::params::apache_ssl_chain, - $apache_listen_ip = $zabbix::params::apache_listen_ip, - Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport, - Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl, - $zabbix_api_user = $zabbix::params::server_api_user, - $zabbix_api_pass = $zabbix::params::server_api_pass, - $database_host = $zabbix::params::server_database_host, - $database_name = $zabbix::params::server_database_name, - $database_schema = $zabbix::params::server_database_schema, - Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754, - $database_user = $zabbix::params::server_database_user, - $database_password = $zabbix::params::server_database_password, - $database_socket = $zabbix::params::server_database_socket, - $database_port = $zabbix::params::server_database_port, - $zabbix_server = $zabbix::params::zabbix_server, - Optional[String] $zabbix_server_name = 
$zabbix::params::zabbix_server, - $zabbix_listenport = $zabbix::params::server_listenport, - $apache_php_max_execution_time = $zabbix::params::apache_php_max_execution_time, - $apache_php_memory_limit = $zabbix::params::apache_php_memory_limit, - $apache_php_post_max_size = $zabbix::params::apache_php_post_max_size, - $apache_php_upload_max_filesize = $zabbix::params::apache_php_upload_max_filesize, - $apache_php_max_input_time = $zabbix::params::apache_php_max_input_time, - $apache_php_always_populate_raw_post_data = $zabbix::params::apache_php_always_populate_raw_post_data, - $apache_php_max_input_vars = $zabbix::params::apache_php_max_input_vars, - Optional[Stdlib::Absolutepath] $ldap_cacert = $zabbix::params::ldap_cacert, - Optional[Stdlib::Absolutepath] $ldap_clientcert = $zabbix::params::ldap_clientcert, - Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey, - Optional[Enum['never','allow','try','demand','hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert, - Optional[Stdlib::Absolutepath] $saml_sp_key = $zabbix::params::saml_sp_key, - Optional[Stdlib::Absolutepath] $saml_sp_cert = $zabbix::params::saml_sp_cert, - Optional[Stdlib::Absolutepath] $saml_idp_cert = $zabbix::params::saml_idp_cert, - Hash[String[1], Variant[ScalarData, Hash]] $saml_settings = $zabbix::params::saml_settings, - $puppetgem = $zabbix::params::puppetgem, - Boolean $manage_selinux = $zabbix::params::manage_selinux, + $zabbix_url = $zabbix::params::zabbix_url, + $database_type = $zabbix::params::database_type, + $manage_repo = $zabbix::params::manage_repo, + $zabbix_version = $zabbix::params::zabbix_version, + $zabbix_timezone = $zabbix::params::zabbix_timezone, + $zabbix_package_state = $zabbix::params::zabbix_package_state, + $zabbix_template_dir = $zabbix::params::zabbix_template_dir, + $web_config_owner = $zabbix::params::web_config_owner, + $web_config_group = $zabbix::params::web_config_group, + $manage_vhost = $zabbix::params::manage_vhost, + 
$default_vhost = $zabbix::params::default_vhost, + $manage_resources = $zabbix::params::manage_resources, + $apache_use_ssl = $zabbix::params::apache_use_ssl, + $apache_ssl_cert = $zabbix::params::apache_ssl_cert, + $apache_ssl_key = $zabbix::params::apache_ssl_key, + $apache_ssl_cipher = $zabbix::params::apache_ssl_cipher, + $apache_ssl_chain = $zabbix::params::apache_ssl_chain, + $apache_listen_ip = $zabbix::params::apache_listen_ip, + Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport, + Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl, + $zabbix_api_user = $zabbix::params::server_api_user, + $zabbix_api_pass = $zabbix::params::server_api_pass, + $database_host = $zabbix::params::server_database_host, + $database_name = $zabbix::params::server_database_name, + $database_schema = $zabbix::params::server_database_schema, + Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754, + $database_user = $zabbix::params::server_database_user, + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password, + $database_socket = $zabbix::params::server_database_socket, + $database_port = $zabbix::params::server_database_port, + $zabbix_server = $zabbix::params::zabbix_server, + Optional[String] $zabbix_server_name = $zabbix::params::zabbix_server, + $zabbix_listenport = $zabbix::params::server_listenport, + $apache_php_max_execution_time = $zabbix::params::apache_php_max_execution_time, + $apache_php_memory_limit = $zabbix::params::apache_php_memory_limit, + $apache_php_post_max_size = $zabbix::params::apache_php_post_max_size, + $apache_php_upload_max_filesize = $zabbix::params::apache_php_upload_max_filesize, + $apache_php_max_input_time = $zabbix::params::apache_php_max_input_time, + $apache_php_always_populate_raw_post_data = $zabbix::params::apache_php_always_populate_raw_post_data, + 
$apache_php_max_input_vars = $zabbix::params::apache_php_max_input_vars, + Optional[Stdlib::Absolutepath] $ldap_cacert = $zabbix::params::ldap_cacert, + Optional[Stdlib::Absolutepath] $ldap_clientcert = $zabbix::params::ldap_clientcert, + Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey, + Optional[Enum['never','allow','try','demand','hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert, + Optional[Stdlib::Absolutepath] $saml_sp_key = $zabbix::params::saml_sp_key, + Optional[Stdlib::Absolutepath] $saml_sp_cert = $zabbix::params::saml_sp_cert, + Optional[Stdlib::Absolutepath] $saml_idp_cert = $zabbix::params::saml_idp_cert, + Hash[String[1], Variant[ScalarData, Hash]] $saml_settings = $zabbix::params::saml_settings, + $puppetgem = $zabbix::params::puppetgem, + Boolean $manage_selinux = $zabbix::params::manage_selinux, ) inherits zabbix::params { # check osfamily, Arch is currently not supported for web if $facts['os']['family'] in ['Archlinux', 'Gentoo',] { 
@@ -289,7 +289,28 @@ group => $web_config_group, mode => '0640', replace => true, - content => template('zabbix/web/zabbix.conf.php.erb'), + content => Sensitive(epp('zabbix/web/zabbix.conf.php.epp', { + 'database_type' => $database_type, + 'database_host' => $database_host, + 'database_port' => $database_port, + 'db_port' => $db_port, + 'database_name' => $database_name, + 'database_user' => $database_user, + 'database_password' => $database_password, + 'database_schema' => $database_schema, + 'database_double_ieee754' => $database_double_ieee754, + 'zabbix_server' => $zabbix_server, + 'zabbix_listenport' => $zabbix_listenport, + 'zabbix_server_name' => $zabbix_server_name, + 'ldap_cacert' => $ldap_cacert, + 'ldap_clientcert' => $ldap_clientcert, + 'ldap_clientkey' => $ldap_clientkey, + 'ldap_reqcert' => $ldap_reqcert, + 'saml_sp_key' => $saml_sp_key, + 'saml_sp_cert' => $saml_sp_cert, + 'saml_idp_cert' => $saml_idp_cert, + 'saml_settings' => $saml_settings, + })), } # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder. diff --git a/templates/api.conf.epp b/templates/api.conf.epp index 32679f37b..b8f4955ac 100644 --- a/templates/api.conf.epp +++ b/templates/api.conf.epp @@ -1,7 +1,7 @@ -<%- | String[1] $zabbix_url, - String[1] $zabbix_user, - String[1] $zabbix_pass, - Boolean $apache_use_ssl, +<%- | String[1] $zabbix_url, + String[1] $zabbix_user, + Variant[String[1], Sensitive[String[1]]] $zabbix_pass, + Boolean $apache_use_ssl, | -%> # MANAGED BY PUPPET [default] diff --git a/templates/web/zabbix.conf.php.epp b/templates/web/zabbix.conf.php.epp new file mode 100644 index 000000000..b020ba826 --- /dev/null +++ b/templates/web/zabbix.conf.php.epp 
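Review bot: The values passed to `epp()` here are typed more loosely by the class than by the template that receives them. In the class signature (which starts above the visible part of the patch) `$database_password` is `Optional[...]` and `$zabbix_server_name` is `Optional[String]`, while the `zabbix.conf.php.epp` parameter block added in this patch requires a non-optional password and `Stdlib::Fqdn $zabbix_server_name`. A server name that is not a valid FQDN, or an undef password, would pass class validation and then fail only when the template is evaluated. Aligning the template side, for example `Optional[String[1]] $zabbix_server_name`, keeps the failure at the class boundary. A one-line comment above `content =>` noting that `Sensitive(...)` keeps the rendered password out of logged file diffs would stop a later cleanup from removing it.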
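Review bot: Only the parameter block of `api.conf.epp` changes in this hunk, so the place where the body renders `$zabbix_pass` is untouched by this commit; that body lies outside the hunk. If it interpolates the value directly and a caller now passes a `Sensitive`, the rendered file would presumably contain the redaction placeholder instead of the password. Either render it as `<%= $zabbix_pass.unwrap %>`, as `zabbix.conf.php.epp` does for the database password, or confirm that the caller unwraps before calling `epp()` and wraps the result in `Sensitive(...)`.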
@@ -0,0 +1,83 @@ +<%- | + String[1] $database_type, + String[1] $database_host, + Optional[String[1]] $database_port, + String[1] $db_port, + String[1] $database_name, + String[1] $database_user, + Variant[String[1], Sensitive[String[1]]] $database_password, + Optional[String[1]] $database_schema, + Boolean $database_double_ieee754, + Stdlib::Fqdn $zabbix_server, + String[1] $zabbix_listenport, + Stdlib::Fqdn $zabbix_server_name, + Optional[String[1]] $ldap_cacert, + Optional[String[1]] $ldap_clientcert, + Optional[String[1]] $ldap_clientkey, + Optional[String[1]] $ldap_reqcert, + Optional[String[1]] $saml_sp_key, + Optional[String[1]] $saml_sp_cert, + Optional[String[1]] $saml_idp_cert, + Hash[String[1],Variant[ScalarData, Hash]] $saml_settings, + | -%> + +'; +$DB['SERVER'] = '<%= $database_host %>'; +<% if $database_port { -%> +$DB['PORT'] = '<%= $database_port %>'; +<% } elsif $db_port { -%> +$DB['PORT'] = '<%= $db_port %>'; +<% } else { -%> +$DB['PORT'] = '0'; +<% } -%> +$DB['DATABASE'] = '<%= $database_name %>'; +$DB['USER'] = '<%= $database_user %>'; +$DB['PASSWORD'] = '<%= $database_password.unwrap %>'; + +// SCHEMA is relevant only for IBM_DB2 and PostgreSQL database +<% if $database_schema { -%> +$DB['SCHEMA'] = '<%= $database_schema %>'; +<% } else { -%> +$DB['SCHEMA'] = ''; +<% } -%> + +<% if $database_double_ieee754 { -%> +$DB['DOUBLE_IEEE754'] = 'true'; +<% } -%> + +$ZBX_SERVER = '<%= $zabbix_server %>'; +$ZBX_SERVER_PORT = '<%= $zabbix_listenport %>'; +$ZBX_SERVER_NAME = '<%= $zabbix_server_name %>'; + +$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; + +<% if $ldap_cacert { -%> +putenv("LDAPTLS_CACERT=<%= $ldap_cacert %>"); +<% } -%> +<% if $ldap_clientcert { -%> +putenv("LDAPTLS_CERT=<%= $ldap_clientcert %>"); +<% } -%> +<% if $ldap_clientkey { -%> +putenv("LDAPTLS_KEY=<%= $ldap_clientkey %>"); +<% } -%> +<% if $ldap_reqcert { -%> +putenv("TLS_REQCERT=<%= $ldap_reqcert %>"); +<% } -%> + +<% if $saml_sp_key { -%> +$SSO['SP_KEY'] = '<%= $saml_sp_key -%>'; 
+<% } -%> +<% if $saml_sp_cert { -%> +$SSO['SP_CERT'] = '<%= $saml_sp_cert -%>'; +<% } -%> +<% if $saml_idp_cert { -%> +$SSO['IDP_CERT'] = '<%= $saml_idp_cert -%>'; +<% } -%> +<% unless empty($saml_settings) { -%> +$SSO['SETTINGS'] = [ <%= String($saml_settings,'%[h') %>; +<% } -%> +?> diff --git a/templates/web/zabbix.conf.php.erb b/templates/web/zabbix.conf.php.erb deleted file mode 100644 index a2666fa9c..000000000 --- a/templates/web/zabbix.conf.php.erb +++ /dev/null 
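Review bot: `$DB['PASSWORD'] = '<%= $database_password.unwrap %>';` places the unwrapped secret inside a single-quoted PHP literal with no escaping, so a password containing `'` or ending in `\` produces a broken or different `zabbix.conf.php`. The same applies to `$database_user`, `$database_name` and the other values rendered between single quotes. Escape backslashes and single quotes in the value before interpolating it (a `regsubst` over the unwrapped value inside the template is enough), or state on the class parameter that these characters are not supported. Strong generated passwords often contain such characters, so this is worth handling rather than leaving implicit.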
@@ -1,64 +0,0 @@ -'; -$DB['SERVER'] = '<%= @database_host %>'; -<% if @database_port -%> -$DB['PORT'] = '<%= @database_port %>'; -<% elsif @db_port -%> -$DB['PORT'] = '<%= @db_port %>'; -<% else -%> -$DB['PORT'] = '0'; -<% end -%> -$DB['DATABASE'] = '<%= @database_name %>'; -$DB['USER'] = '<%= @database_user %>'; -$DB['PASSWORD'] = '<%= @database_password %>'; - -// SCHEMA is relevant only for IBM_DB2 and PostgreSQL database -<% if @database_schema -%> -$DB['SCHEMA'] = '<%= @database_schema %>'; -<% else -%> -$DB['SCHEMA'] = ''; -<% end -%> - -<% if @database_double_ieee754 -%> -$DB['DOUBLE_IEEE754'] = 'true'; -<% end -%> - -$ZBX_SERVER = '<%= @zabbix_server %>'; -$ZBX_SERVER_PORT = '<%= @zabbix_listenport %>'; -$ZBX_SERVER_NAME = '<%= @zabbix_server_name %>'; - -$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG; - -<% if @ldap_cacert %> -putenv("LDAPTLS_CACERT=<%= @ldap_cacert %>"); -<% end %> -<% if @ldap_clientcert %> -putenv("LDAPTLS_CERT=<%= @ldap_clientcert %>"); -<% end %> -<% if @ldap_clientkey %> -putenv("LDAPTLS_KEY=<%= @ldap_clientkey %>"); -<% end %> -<% if @ldap_reqcert %> -putenv("TLS_REQCERT=<%= @ldap_reqcert %>"); -<% end %> - -<% if @saml_sp_key %> -$SSO['SP_KEY'] = '<%= @saml_sp_key -%>'; -<% end %> -<% if @saml_sp_cert %> -$SSO['SP_CERT'] = '<%= @saml_sp_cert -%>'; -<% end %> -<% if @saml_idp_cert %> -$SSO['IDP_CERT'] = '<%= @saml_idp_cert -%>'; -<% end %> -<% if @saml_settings %> -$SSO['SETTINGS'] = [ <%= JSON.pretty_generate(@saml_settings, space_before: " ") - .sub("{", "") - .gsub(" : ", " => ") - .gsub("{", "[") - .gsub("}", "]") -%>; -<% end %> -?> diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.epp similarity index 58% rename from templates/zabbix_proxy.conf.erb rename to templates/zabbix_proxy.conf.epp index 97c46f365..6d1c2909a 100644 --- a/templates/zabbix_proxy.conf.erb +++ b/templates/zabbix_proxy.conf.epp 
@@ -1,3 +1,100 @@ +<%- | + String[1] $allowroot, + String[1] $cachesize, + String[1] $configfrequency, + String[1] $database_host, + String[1] $database_name, + Variant[String[1], Sensitive[String[8]]] $database_password, + Optional[String[1]] $database_port, + Optional[String[1]] $database_schema, + Optional[String[1]] $database_socket, + Optional[Stdlib::Absolutepath] $database_tlscafile, + Optional[Stdlib::Absolutepath] $database_tlscertfile, + Optional[String[1]] $database_tlscipher, + Optional[String[1]] $database_tlscipher13, + Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect, + Optional[Stdlib::Absolutepath] $database_tlskeyfile, + String[1] $database_user, + String[1] $datasenderfrequency, + String[1] $debuglevel, + Integer[0] $enableremotecommands, + String[1] $externalscripts, + String[1] $fping6location, + String[1] $fpinglocation, + String[1] $heartbeatfrequency, + String[1] $historycachesize, + Optional[String[1]] $historyindexcachesize, + Stdlib::Fqdn $hostname, + String[1] $housekeepingfrequency, + String[1] $include_dir, + Optional[String[1]] $javagateway, + String[1] $javagatewayport, + Optional[Stdlib::IP::Address] $listenip, + String[1] $listenport, + Optional[String[1]] $loadmodule, + String[1] $loadmodulepath, + String[1] $localbuffer, + Optional[Stdlib::Absolutepath] $logfile, + String[1] $logfilesize, + Integer[0] $logremotecommands, + Integer $logslowqueries, + Enum['console', 'file', 'system'] $logtype, + String[1] $mode, + String[1] $offlinebuffer, + String[1] $pidfile, + String[1] $snmptrapper, + String[1] $snmptrapperfile, + Optional[Stdlib::Absolutepath] $socketdir, + Optional[Stdlib::IP::Address] $sourceip, + Optional[String[1]] $sshkeylocation, + Optional[Stdlib::Absolutepath] $sslcalocation_dir, + Optional[Stdlib::Absolutepath] $sslcertlocation_dir, + Optional[Stdlib::Absolutepath] $sslkeylocation_dir, + Integer $startdbsyncers, + Integer $startdiscoverers, + Integer $starthttppollers, + Integer 
$startipmipollers, + Integer $startjavapollers, + Integer $startpingers, + Variant[Integer, String[1]] $startpollers, + Variant[Integer, String[1]] $startpollersunreachable, + Integer[1, 1000] $startpreprocessors, + Variant[Integer, String[1]] $starttrappers, + Variant[Integer, String[1]] $startvmwarecollectors, + Variant[Integer, String[1]] $timeout, + Optional[String[1]] $tlsaccept, + Optional[String[1]] $tlscafile, + Optional[String[1]] $tlscertfile, + Optional[String[1]] $tlscipherall, + Optional[String[1]] $tlscipherall13, + Optional[String[1]] $tlsciphercert, + Optional[String[1]] $tlsciphercert13, + Optional[String[1]] $tlscipherpsk, + Optional[String[1]] $tlscipherpsk13, + Optional[String[1]] $tlsconnect, + Optional[String[1]] $tlscrlfile, + Optional[String[1]] $tlskeyfile, + Optional[String[1]] $tlspskfile, + Optional[String[1]] $tlspskidentity, + Optional[String[1]] $tlsservercertissuer, + Optional[String[1]] $tlsservercertsubject, + String[1] $tmpdir, + Variant[Integer, String[1]] $trappertimeout, + String[1] $unavaliabledelay, + Optional[String[1]] $unreachabedelay, + String[1] $unreachableperiod, + Optional[String[1]] $vaultdbpath, + Optional[String[1]] $vaulttoken, + Optional[Stdlib::HTTPSUrl] $vaulturl, + String[1] $vmwarecachesize, + String[1] $vmwarefrequency, + Optional[String[1]] $vmwareperffrequency, + Optional[String[1]] $vmwaretimeout, + String[1] $zabbix_server_host, + String[1] $zabbix_server_port, + String[1] $zabbix_user, + String[1] $zabbix_version, + | -%> # This is a configuration file for Zabbix Proxy process # To get more information about Zabbix,_# visit http://www.zabbix.com 
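Review bot: `Variant[String[1], Sensitive[String[8]]] $database_password` accepts a plain password of any length but rejects a `Sensitive` one shorter than eight characters, whereas `database.pp` and `zabbix.conf.php.epp` in this patch use `Sensitive[String[1]]`. The same value could therefore be accepted or rejected at template evaluation depending only on whether it was wrapped; `proxy.pp` is not visible here, so its own type should be checked against this one. Use `Variant[String[1], Sensitive[String[1]]]` throughout, or enforce a minimum length at the class boundary for both variants. The identical declaration appears in the `zabbix_server.conf.epp` parameter block further down.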
@@ -8,26 +105,26 @@ # 0 - proxy in the active mode # 1 - proxy in the passive mode # -ProxyMode=<%= @mode %> +ProxyMode=<%= $mode %> ### Option: Server # IP address (or hostname) of Zabbix server. # Active proxy will get configuration data from the server. # For a proxy in the passive mode this parameter will be ignored. # -Server=<%= @zabbix_server_host %> +Server=<%= $zabbix_server_host %> ### Option: ServerPort # Port of Zabbix trapper on Zabbix server. # For a proxy in the passive mode this parameter will be ignored. # -ServerPort=<%= @zabbix_server_port %> +ServerPort=<%= $zabbix_server_port %> ### Option: Hostname # Unique, case sensitive Proxy name. Make sure the Proxy name is known to the server! # Value is acquired from HostnameItem if undefined. # -Hostname=<%= @hostname %> +Hostname=<%= $hostname %> ### Option: HostnameItem # Item used for generating Hostname if it is undefined. @@ -40,7 +137,7 @@ Hostname=<%= @hostname %> ### Option: ListenPort # Listen port for trapper. # -ListenPort=<%= @listenport %> +ListenPort=<%= $listenport %> ### Option: SourceIP # Source IP address for outgoing connections. @@ -48,7 +145,7 @@ ListenPort=<%= @listenport %> # Mandatory: no # Default: # SourceIP= -<% if @sourceip %>SourceIP=<%= @sourceip %><% end %> +<% if $sourceip { %>SourceIP=<%= $sourceip %><% } -%> ### Option: LogType # Specifies where log messages are written to: 
@@ -56,19 +153,19 @@ ListenPort=<%= @listenport %> # file - file specified with LogFile parameter # console - standard output # -<% if @logtype %>LogType=<%= @logtype %><% end %> +<% if $logtype { %>LogType=<%= $logtype %><% } -%> -<% if @logtype == 'file' -%> +<% if $logtype == 'file' { -%> ### Option: LogFile # Log file name for LogType 'file' parameter. # -LogFile=<%= @logfile %> +LogFile=<%= $logfile %> ### Option: LogFileSize # Maximum size of log file in MB. # 0 - disable automatic log rotation. # -LogFileSize=<%= @logfilesize %><% end -%> +LogFileSize=<%= $logfilesize %><% } -%> ### Option: DebugLevel # Specifies debug level @@ -78,14 +175,14 @@ LogFileSize=<%= @logfilesize %><% end -%> # 3 - warnings # 4 - for debugging (produces lots of information) # 5 - extended debugging (produces even more information) -DebugLevel=<%= @debuglevel %> +DebugLevel=<%= $debuglevel %> ### Option: PidFile # Name of PID file. # -PidFile=<%= @pidfile %> +PidFile=<%= $pidfile %> -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: SocketDir # IPC socket directory. # Directory to store IPC sockets used by internal Zabbix services. 
@@ -93,62 +190,62 @@ PidFile=<%= @pidfile %> # Mandatory: no # Default: -<% if @socketdir %>SocketDir=<%= @socketdir %><% end %> -<% end %> +<% if $socketdir { %>SocketDir=<%= $socketdir %><% } -%> +<% } %> ### Option: DBHost # Database host name. # If set to localhost, socket is used for MySQL. # If set to empty string, socket is used for PostgreSQL. # -DBHost=<%= @database_host %> +DBHost=<%= $database_host %> ### Option: DBName # Database name. # For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored. # Warning: do not attempt to use the same database Zabbix server is using. # -DBName=<%= @database_name %> +DBName=<%= $database_name %> ### Option: DBSchema # Schema name. Used for IBM DB2 and PostgreSQL. # -<% if @database_schema %>DBSchema=<%= @database_schema %><% end %> +<% if $database_schema { %>DBSchema=<%= $database_schema %><% } -%> ### Option: DBUser # Database user. Ignored for SQLite. # -DBUser=<%= @database_user %> +DBUser=<%= $database_user %> ### Option: DBPassword # Database password. Ignored for SQLite. # Comment this line if no password is used. # -DBPassword=<%= @database_password %> +DBPassword=<%= $database_password %> ### Option: DBSocket # Path to MySQL socket. # -<% if @database_socket %>DBSocket=<%= @database_socket %><% end %> +<% if $database_socket { %>DBSocket=<%= $database_socket %><% } -%> # Option: DBPort # Database port when not using local socket. Ignored for SQLite. # -<% if @database_port %>DBPort=<%= @database_port %><% end %> +<% if $database_port { %>DBPort=<%= $database_port %><% } -%> ### Option: EnableRemoteCommands # Whether remote commands from Zabbix server are allowed. # 0 - not allowed # 1 - allowed # -EnableRemoteCommands=<%= @enableremotecommands %> +EnableRemoteCommands=<%= $enableremotecommands %> ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. 
# 0 - disabled # 1 - enabled # -LogRemoteCommands=<%= @logremotecommands %> +LogRemoteCommands=<%= $logremotecommands %> ######### PROXY SPECIFIC PARAMETERS ############# @@ -156,13 +253,13 @@ LogRemoteCommands=<%= @logremotecommands %> # Proxy will keep data locally for N hours, even if the data have already been synced with the server. # This parameter may be used if local data will be used by third party applications. # -ProxyLocalBuffer=<%= @localbuffer %> +ProxyLocalBuffer=<%= $localbuffer %> ### Option: ProxyOfflineBuffer # Proxy will keep data for N hours in case if no connectivity with Zabbix Server. # Older data will be lost. # -ProxyOfflineBuffer=<%= @offlinebuffer %> +ProxyOfflineBuffer=<%= $offlinebuffer %> ### Option: HeartbeatFrequency # Frequency of heartbeat messages in seconds. 
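Review bot: `DBPassword=<%= $database_password %>` interpolates the parameter as-is, although the parameter block of this template allows it to be a `Sensitive`. Interpolating a `Sensitive` yields its redacted string form rather than the secret, so the proxy would be written with a wrong password unless `proxy.pp` (not visible here) unwraps the value first. `zabbix.conf.php.epp` in this patch calls `.unwrap` on the same kind of value; doing likewise here, `DBPassword=<%= $database_password.unwrap %>`, and wrapping the `epp()` result in `Sensitive(...)` at the call site keeps the two templates consistent and keeps the rendered secret out of logged diffs.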
@@ -170,38 +267,38 @@ ProxyOfflineBuffer=<%= @offlinebuffer %> # 0 - heartbeat messages disabled. # For a proxy in the passive mode this parameter will be ignored. # -HeartbeatFrequency=<%= @heartbeatfrequency %> +HeartbeatFrequency=<%= $heartbeatfrequency %> ### Option: ConfigFrequency # How often proxy retrieves configuration data from Zabbix Server in seconds. # For a proxy in the passive mode this parameter will be ignored. # -ConfigFrequency=<%= @configfrequency %> +ConfigFrequency=<%= $configfrequency %> ### Option: DataSenderFrequency # Proxy will send collected data to the Server every N seconds. # For a proxy in the passive mode this parameter will be ignored. # -DataSenderFrequency=<%= @datasenderfrequency %> +DataSenderFrequency=<%= $datasenderfrequency %> ############ ADVANCED PARAMETERS ################ ### Option: StartPollers # Number of pre-forked instances of pollers. # -StartPollers=<%= @startpollers %> +StartPollers=<%= $startpollers %> ### Option: StartIPMIPollers # Number of pre-forked instances of IPMI pollers. # -StartIPMIPollers=<%= @startipmipollers %> +StartIPMIPollers=<%= $startipmipollers %> ### Option: StartPollersUnreachable # Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). # At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers # are started. # -StartPollersUnreachable=<%= @startpollersunreachable %> +StartPollersUnreachable=<%= $startpollersunreachable %> ### Option: StartPreprocessors # Number of pre-forked instances of preprocessing workers. 
@@ -211,90 +308,90 @@ StartPollersUnreachable=<%= @startpollersunreachable %> # Range: 1-1000 # Default: # StartPreprocessors=3 -<% if @startpreprocessors %>StartPreprocessors=<%= @startpreprocessors -%><% end %> +<% if $startpreprocessors { %>StartPreprocessors=<%= $startpreprocessors -%><% } -%> ### Option: StartTrappers # Number of pre-forked instances of trappers. # Trappers accept incoming connections from Zabbix sender and active agents. # -StartTrappers=<%= @starttrappers %> +StartTrappers=<%= $starttrappers %> ### Option: StartPingers # Number of pre-forked instances of ICMP pingers. # -StartPingers=<%= @startpingers %> +StartPingers=<%= $startpingers %> ### Option: StartDiscoverers # Number of pre-forked instances of discoverers. # -StartDiscoverers=<%= @startdiscoverers %> +StartDiscoverers=<%= $startdiscoverers %> ### Option: StartHTTPPollers # Number of pre-forked instances of HTTP pollers. # -StartHTTPPollers=<%= @starthttppollers %> +StartHTTPPollers=<%= $starthttppollers %> ### Option: JavaGateway # IP address (or hostname) of Zabbix Java gateway. # Only required if Java pollers are started. # -<% if @javagateway and @javagateway != '' %> -JavaGateway=<%= @javagateway %> +<% if $javagateway and $javagateway != '' { -%> +JavaGateway=<%= $javagateway %> ### Option: JavaGatewayPort # Port that Zabbix Java gateway listens on. # -JavaGatewayPort=<%= @javagatewayport %> +JavaGatewayPort=<%= $javagatewayport %> ### Option: StartJavaPollers # Number of pre-forked instances of Java pollers. # -StartJavaPollers=<%= @startjavapollers %> -<% end %> +StartJavaPollers=<%= $startjavapollers %> +<% } -%> ### Option: StartVMwareCollectors # Number of pre-forked vmware collector instances. # -StartVMwareCollectors=<%= @startvmwarecollectors %> +StartVMwareCollectors=<%= $startvmwarecollectors %> ### Option: VMwareFrequency # How often Zabbix will connect to VMware service to obtain a new data. 
# -VMwareFrequency=<%= @vmwarefrequency %> +VMwareFrequency=<%= $vmwarefrequency %> ### Option: VMwarePerfFrequency # How often Zabbix will connect to VMware service to obtain performance data. # -<% if @vmwareperffrequency %>VMwarePerfFrequency=<%= @vmwareperffrequency %><% end %> +<% if $vmwareperffrequency { %>VMwarePerfFrequency=<%= $vmwareperffrequency %><% } -%> ### Option: VMwareCacheSize # Size of VMware cache, in bytes. # Shared memory size for storing VMware data. # Only used if VMware collectors are started. # -VMwareCacheSize=<%= @vmwarecachesize %> +VMwareCacheSize=<%= $vmwarecachesize %> ### Option: VMwareTimeout # Specifies how many seconds vmware collector waits for response from VMware service. # -<% if @vmwaretimeout %>VMwareTimeout=<%= @vmwaretimeout %><% end %> +<% if $vmwaretimeout { %>VMwareTimeout=<%= $vmwaretimeout %><% } -%> ### Option: SNMPTrapperFile # Temporary file used for passing data from SNMP trap daemon to the proxy. # Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. # -SNMPTrapperFile=<%= @snmptrapperfile %> +SNMPTrapperFile=<%= $snmptrapperfile %> ### Option: StartSNMPTrapper # If 1, SNMP trapper process is started. # -StartSNMPTrapper=<%= @snmptrapper %> +StartSNMPTrapper=<%= $snmptrapper %> ### Option: ListenIP # List of comma delimited IP addresses that the trapper should listen on. # Trapper will listen on all network interfaces if this parameter is missing. # -<% if @listenip %>ListenIP=<%= @listenip %><% end %> +<% if $listenip { %>ListenIP=<%= $listenip %><% } -%> ### Option: HousekeepingFrequency # How often Zabbix will perform housekeeping procedure (in hours). 
@@ -306,91 +403,91 @@ StartSNMPTrapper=<%= @snmptrapper %> # In this case the period of outdated information deleted in one housekeeping cycle is 4 times the # period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days. # -HousekeepingFrequency=<%= @housekeepingfrequency %> +HousekeepingFrequency=<%= $housekeepingfrequency %> ### Option: CacheSize # Size of configuration cache, in bytes. # Shared memory size, for storing hosts and items data. # -CacheSize=<%= @cachesize %> +CacheSize=<%= $cachesize %> ### Option: StartDBSyncers # Number of pre-forked instances of DB Syncers # -StartDBSyncers=<%= @startdbsyncers %> +StartDBSyncers=<%= $startdbsyncers %> ### Option: HistoryCacheSize # Size of history cache, in bytes. # Shared memory size for storing history data. # -HistoryCacheSize=<%= @historycachesize %> +HistoryCacheSize=<%= $historycachesize %> ### Option: HistoryIndexCacheSize # Size of history index cache, in bytes. # Shared memory size for indexing history cache. # -<% if @historyindexcachesize %>HistoryIndexCacheSize=<%= @historyindexcachesize %><% end %> +<% if $historyindexcachesize { %>HistoryIndexCacheSize=<%= $historyindexcachesize %><% } -%> ### Option: Timeout # Specifies how long we wait for agent, SNMP device or external check (in seconds). # -Timeout=<%= @timeout %> +Timeout=<%= $timeout %> ### Option: TrapperTimeout # Specifies how many seconds trapper may spend processing new data. # -TrapperTimeout=<%= @trappertimeout %> +TrapperTimeout=<%= $trappertimeout %> ### Option: UnreachablePeriod # After how many seconds of unreachability treat a host as unavailable. # -UnreachablePeriod=<%= @unreachableperiod %> +UnreachablePeriod=<%= $unreachableperiod %> ### Option: UnavailableDelay # How often host is checked for availability during the unavailability period, in seconds. 
# -UnavailableDelay=<%= @unavaliabledelay %> +UnavailableDelay=<%= $unavaliabledelay %> ### Option: UnreachableDelay # How often host is checked for availability during the unreachability period, in seconds. # -UnreachableDelay=<%= @unreachabedelay %> +UnreachableDelay=<%= $unreachabedelay %> ### Option: ExternalScripts # Full path to location of external scripts. # Default depends on compilation options. # -ExternalScripts=<%= @externalscripts %> +ExternalScripts=<%= $externalscripts %> ### Option: FpingLocation # Location of fping. # Make sure that fping binary has root ownership and SUID flag set. # -FpingLocation=<%= @fpinglocation %> +FpingLocation=<%= $fpinglocation %> ### Option: Fping6Location # Location of fping6. # Make sure that fping6 binary has root ownership and SUID flag set. # Make empty if your fping utility is capable to process IPv6 addresses. # -Fping6Location=<%= @fping6location %> +Fping6Location=<%= $fping6location %> ### Option: SSHKeyLocation # Location of public and private keys for SSH checks and actions. # -<% if @sshkeylocation %>SSHKeyLocation=<%= @sshkeylocation %><% end %> +<% if $sshkeylocation { %>SSHKeyLocation=<%= $sshkeylocation %><% } -%> ### Option: LogSlowQueries # How long a database query may take before being logged (in milliseconds). # Only works if DebugLevel set to 3 or 4. # 0 - don't log slow queries. # -LogSlowQueries=<%= @logslowqueries %> +LogSlowQueries=<%= $logslowqueries %> ### Option: TmpDir # Temporary directory. # -TmpDir=<%= @tmpdir %> +TmpDir=<%= $tmpdir %> ### Option: AllowRoot # Allow the proxy to run as 'root'. If disabled and the proxy is started by 'root', the proxy 
@@ -399,38 +496,38 @@ TmpDir=<%= @tmpdir %> # 0 - do not allow # 1 - allow # -AllowRoot=<%= @allowroot %> +AllowRoot=<%= $allowroot %> ### Option: User # Drop privileges to a specific, existing user on the system. # Only has effect if run as 'root' and AllowRoot is disabled. # -<% if @zabbix_user %>User=<%= @zabbix_user %><% end %> +<% if $zabbix_user { %>User=<%= $zabbix_user %><% } -%> ### Option: Include # You may include individual files or all files in a directory in the configuration file. # Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. # -Include=<%= @include_dir %> +Include=<%= $include_dir %> ### Option: SSLCertLocation # Location of SSL client certificates. # This parameter is used only in web monitoring. # -<% if @sslcertlocation_dir %>SSLCertLocation=<%= @sslcertlocation_dir %><% end %> +<% if $sslcertlocation_dir { %>SSLCertLocation=<%= $sslcertlocation_dir %><% } -%> ### Option: SSLKeyLocation # Location of private keys for SSL client certificates. # This parameter is used only in web monitoring. # -<% if @sslkeylocation_dir %>SSLKeyLocation=<%= @sslkeylocation_dir %><% end %> +<% if $sslkeylocation_dir { %>SSLKeyLocation=<%= $sslkeylocation_dir %><% } -%> ### Option: SSLCALocation # Location of certificate authority (CA) files for SSL server certificate verification. # If not set, system-wide directory will be used. # This parameter is used only in web monitoring. # -<% if @sslcalocation_dir %>SSLCALocation=<%= @sslcalocation_dir %><% end %> +<% if $sslcalocation_dir { %>SSLCALocation=<%= $sslcalocation_dir %><% } -%> ####### LOADABLE MODULES ####### @@ -438,7 +535,7 @@ Include=<%= @include_dir %> # Full path to location of proxy modules. # Default depends on compilation options. # -LoadModulePath=<%= @loadmodulepath %> +LoadModulePath=<%= $loadmodulepath %> ### Option: LoadModule # Module to load at proxy startup. Modules are used to extend functionality of the proxy. 
@@ -446,7 +543,7 @@ LoadModulePath=<%= @loadmodulepath %> # The modules must be located in directory specified by LoadModulePath. # It is allowed to include multiple LoadModule parameters. # -<% if @loadmodule %>LoadModule=<%= @loadmodule %><% end %> +<% if $loadmodule { %>LoadModule=<%= $loadmodule %><% } -%> ####### TLS-RELATED PARAMETERS ####### @@ -460,7 +557,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) # Default: # TLSConnect=unencrypted -<% if @tlsconnect %>TLSConnect=<%= @tlsconnect %><% end %> +<% if $tlsconnect { %>TLSConnect=<%= $tlsconnect %><% } -%> ### Option: TLSAccept # What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy. 
@@ -472,51 +569,51 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) # Default: # TLSAccept=unencrypted -<% if @tlsaccept %>TLSAccept=<%= @tlsaccept %><% end %> +<% if $tlsaccept { %>TLSAccept=<%= $tlsaccept %><% } -%> ### Option: TLSCAFile # Full pathname of a file containing the top-level CA(s) certificates for # peer certificate verification. # -<% if @tlscafile %>TLSCAFile=<%= @tlscafile %><% end %> +<% if $tlscafile { %>TLSCAFile=<%= $tlscafile %><% } -%> ### Option: TLSCRLFile # Full pathname of a file containing revoked certificates. # -<% if @tlscrlfile %>TLSCRLFile=<%= @tlscrlfile %><% end %> +<% if $tlscrlfile { %>TLSCRLFile=<%= $tlscrlfile %><% } -%> ### Option: TLSServerCertIssuer # Allowed server certificate issuer. # -<% if @tlsservercertissuer %>TLSServerCertIssuer=<%= @tlsservercertissuer %><% end %> +<% if $tlsservercertissuer { %>TLSServerCertIssuer=<%= $tlsservercertissuer %><% } -%> ### Option: TLSServerCertSubject # Allowed server certificate subject. # -<% if @tlsservercertsubject %>TLSServerCertSubject=<%= @tlsservercertsubject %><% end %> +<% if $tlsservercertsubject { %>TLSServerCertSubject=<%= $tlsservercertsubject %><% } -%> ### Option: TLSCertFile # Full pathname of a file containing the proxy certificate or certificate chain. # -<% if @tlscertfile %>TLSCertFile=<%= @tlscertfile %><% end %> +<% if $tlscertfile { %>TLSCertFile=<%= $tlscertfile %><% } -%> ### Option: TLSKeyFile # Full pathname of a file containing the proxy private key. # -<% if @tlskeyfile %>TLSKeyFile=<%= @tlskeyfile %><% end %> +<% if $tlskeyfile { %>TLSKeyFile=<%= $tlskeyfile %><% } -%> ### Option: TLSPSKIdentity # Unique, case sensitive string used to identify the pre-shared key. 
# -<% if @tlspskidentity %>TLSPSKIdentity=<%= @tlspskidentity %><% end %> +<% if $tlspskidentity { %>TLSPSKIdentity=<%= $tlspskidentity %><% } -%> ### Option: TLSPSKFile # Full pathname of a file containing the pre-shared key. # -<% if @tlspskfile %>TLSPSKFile=<%= @tlspskfile %><% end %> +<% if $tlspskfile { %>TLSPSKFile=<%= $tlspskfile %><% } -%> ####### For advanced users - TLS ciphersuite selection criteria ####### -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: DBTLSConnect # Setting this option enforces to use TLS connection to database. # required - connect using TLS @@ -530,7 +627,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlsconnect %>DBTLSConnect=<%= @database_tlsconnect %><% end %> +<% if $database_tlsconnect { %>DBTLSConnect=<%= $database_tlsconnect %><% } -%> ### Option: DBTLSCAFile # Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. @@ -539,7 +636,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # (yes, if DBTLSConnect set to one of: verify_ca, verify_full) # Default: -<% if @database_tlscafile %>DBTLSCAFile=<%= @database_tlscafile %><% end %> +<% if $database_tlscafile { %>DBTLSCAFile=<%= $database_tlscafile %><% } -%> ### Option: DBTLSCertFile # Full pathname of file containing Zabbix server certificate for authenticating to database. @@ -547,7 +644,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlscertfile %>DBTLSCertFile=<%= @database_tlscertfile %><% end %> +<% if $database_tlscertfile { %>DBTLSCertFile=<%= $database_tlscertfile %><% } -%> ### Option: DBTLSKeyFile # Full pathname of file containing the private key for authenticating to database. 
@@ -555,7 +652,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlskeyfile %>DBTLSKeyFile=<%= @database_tlskeyfile %><% end %> +<% if $database_tlskeyfile { %>DBTLSKeyFile=<%= $database_tlskeyfile %><% } -%> ### Option: DBTLSCipher # The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2 @@ -563,7 +660,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory no # Default: -<% if @database_tlscipher %>DBTLSCipher=<%= @database_tlscipher %><% end %> +<% if $database_tlscipher { %>DBTLSCipher=<%= $database_tlscipher %><% } -%> ### Option: DBTLSCipher13 # The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol @@ -571,10 +668,10 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory no # Default: -<% if @database_tlscipher13 %>DBTLSCipher13=<%= @database_tlscipher13 %><% end %> -<% end %> +<% if $database_tlscipher13 { %>DBTLSCipher13=<%= $database_tlscipher13 %><% } -%> +<% } -%> -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: TLSCipherCert13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. # Override the default ciphersuite selection criteria for certificate-based encryption. @@ -582,7 +679,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherCert13= -<% if @tlsciphercert13 %>TLSCipherCert13=<%= @tlsciphercert13 %><% end %> +<% if $tlsciphercert13 { %>TLSCipherCert13=<%= $tlsciphercert13 %><% } -%> ### Option: TLSCipherCert # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -595,7 +692,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherCert= -<% if @tlsciphercert %>TLSCipherCert=<%= @tlsciphercert %><% end %> +<% if $tlsciphercert { %>TLSCipherCert=<%= $tlsciphercert %><% } -%> ### Option: TLSCipherPSK13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. 
@@ -606,7 +703,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherPSK13= -<% if @tlscipherpsk13 %>TLSCipherPSK13=<%= @tlscipherpsk13 %><% end %> +<% if $tlscipherpsk13 { %>TLSCipherPSK13=<%= $tlscipherpsk13 %><% } -%> ### Option: TLSCipherPSK # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -619,7 +716,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherPSK= -<% if @tlscipherpsk %>TLSCipherPSK=<%= @tlscipherpsk %><% end %> +<% if $tlscipherpsk { %>TLSCipherPSK=<%= $tlscipherpsk %><% } -%> ### Option: TLSCipherAll13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. @@ -630,7 +727,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherAll13= -<% if @tlscipherall13 %>TLSCipherAll13=<%= @tlscipherall13 %><% end %> +<% if $tlscipherall13 { %>TLSCipherAll13=<%= $tlscipherall13 %><% } -%> ### Option: TLSCipherAll # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -643,10 +740,10 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherAll13= -<% if @tlscipherall %>TLSCipherAll=<%= @tlscipherall %><% end %> -<% end %> +<% if $tlscipherall { %>TLSCipherAll=<%= $tlscipherall %><% } -%> +<% } -%> -<% if @zabbix_version.to_f >= 5.2 %> +<% if versioncmp($zabbix_version,'6.2') >= 0 { -%> ### Option: VaultToken # Vault authentication token that should have been generated exclusively for Zabbix server with read only permission # to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath @@ -656,7 +753,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultToken= -<% if @vaulttoken %>VaultToken=<%= @vaulttoken -%><% end %> +<% if $vaulttoken { %>VaultToken=<%= $vaulttoken -%><% } -%> ### Option: VaultURL # Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. 
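Review bot: The guard around the Vault options changes from `@zabbix_version.to_f >= 5.2` to `versioncmp($zabbix_version,'6.2') >= 0`, which is a different threshold rather than a syntax conversion. Versions from 5.2 up to but not including 6.2 would silently stop getting `VaultToken`, `VaultURL` and `VaultDBPath` rendered, so a proxy that relies on Vault for its database credentials would lose them after this change. If the bump is unintended, keep the old bound: `<% if versioncmp($zabbix_version,'5.2') >= 0 { -%>`. Separately, `$vaulttoken` is declared `Optional[String[1]]` in this template's parameter block, so this secret is not covered by the Sensitive support the commit adds.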
@@ -664,7 +761,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultURL=https://127.0.0.1:8200 -<% if @vaulturl %>VaultURL=<%= @vaulturl -%><% end %> +<% if $vaulturl { %>VaultURL=<%= $vaulturl -%><% } -%> ### Option: VaultDBPath # Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. @@ -674,5 +771,5 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultDBPath= -<% if @vaultdbpath %>VaultDBPath=<%= @vaultdbpath -%><% end %> -<% end %> +<% if $vaultdbpath { %>VaultDBPath=<%= $vaultdbpath -%><% } -%> +<% } -%> diff --git a/templates/zabbix_server.conf.erb b/templates/zabbix_server.conf.epp similarity index 57% rename from templates/zabbix_server.conf.erb rename to templates/zabbix_server.conf.epp index 169076f69..ea3edfce2 100644 --- a/templates/zabbix_server.conf.erb +++ b/templates/zabbix_server.conf.epp 
@@ -1,3 +1,97 @@ +<%- | + String[1] $alertscriptspath, + String[1] $allowroot, + String[1] $cachesize, + String[1] $cacheupdatefrequency, + String[1] $database_host, + String[1] $database_name, + Variant[String[1], Sensitive[String[8]]] $database_password, + Optional[String[1]] $database_port, + Optional[String[1]] $database_schema, + Optional[String[1]] $database_socket, + Optional[Stdlib::Absolutepath] $database_tlscafile, + Optional[Stdlib::Absolutepath] $database_tlscertfile, + Optional[String[1]] $database_tlscipher, + Optional[String[1]] $database_tlscipher13, + Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect, + Optional[Stdlib::Absolutepath] $database_tlskeyfile, + String[1] $database_user, + String[1] $debuglevel, + String[1] $externalscripts, + String[1] $fping6location, + String[1] $fpinglocation, + String[1] $historycachesize, + Optional[String[1]] $historyindexcachesize, + String[1] $housekeepingfrequency, + String[1] $include_dir, + Optional[String[1]] $javagateway, + String[1] $javagatewayport, + Optional[Stdlib::IP::Address] $listenip, + String[1] $listenport, + Optional[String[1]] $loadmodule, + String[1] $loadmodulepath, + Optional[Stdlib::Absolutepath] $logfile, + String[1] $logfilesize, + Integer $logslowqueries, + Enum['console', 'file', 'system'] $logtype, + String[1] $maxhousekeeperdelete, + String[1] $pidfile, + String[1] $proxyconfigfrequency, + String[1] $proxydatafrequency, + String[1] $snmptrapperfile, + Optional[Stdlib::Absolutepath] $socketdir, + Optional[Stdlib::IP::Address] $sourceip, + Optional[String[1]] $sshkeylocation, + Optional[Stdlib::Absolutepath] $sslcalocation_dir, + Optional[Stdlib::Absolutepath] $sslcertlocation_dir, + Optional[Stdlib::Absolutepath] $sslkeylocation_dir, + Integer[1,100] $startalerters, + String[1] $startdbsyncers, + String[1] $startdiscoverers, + Integer[1,100] $startescalators, + String[1] $starthttppollers, + String[1] $startipmipollers, + String[1] $startjavapollers, + 
Integer[1,100] $startlldprocessors, + Integer $startpingers, + Variant[Integer, String[1]] $startpollers, + Variant[Integer, String[1]] $startpollersunreachable, + Integer[1, 1000] $startpreprocessors, + Variant[Integer, String[1]] $startproxypollers, + Optional[String[1]] $startreportwriters, + Variant[Integer, String[1]] $startsnmptrapper, + Variant[Integer, String[1]] $starttimers, + Variant[Integer, String[1]] $starttrappers, + Variant[Integer, String[1]] $startvmwarecollectors, + Variant[Integer, String[1]] $timeout, + Optional[String[1]] $tlscafile, + Optional[String[1]] $tlscertfile, + Optional[String[1]] $tlscipherall, + Optional[String[1]] $tlscipherall13, + Optional[String[1]] $tlsciphercert, + Optional[String[1]] $tlsciphercert13, + Optional[String[1]] $tlscipherpsk, + Optional[String[1]] $tlscipherpsk13, + Optional[String[1]] $tlscrlfile, + Optional[String[1]] $tlskeyfile, + String[1] $tmpdir, + Variant[Integer, String[1]] $trappertimeout, + String[1] $trendcachesize, + String[1] $unavailabledelay, + Optional[String[1]] $unreachabledelay, + String[1] $unreachableperiod, + String[1] $valuecachesize, + Optional[String[1]] $vaultdbpath, + Optional[String[1]] $vaulttoken, + Optional[Stdlib::HTTPSUrl] $vaulturl, + String[1] $vmwarecachesize, + String[1] $vmwarefrequency, + Optional[String[1]] $vmwareperffrequency, + Optional[String[1]] $vmwaretimeout, + Optional[Stdlib::HTTPUrl] $webserviceurl, + String[1] $zabbix_user, + String[1] $zabbix_version, + | -%> # this is a configuration file for zabbix server process # to get more information about zabbix, # visit http://www.zabbix.com @@ -11,7 +105,7 @@ # Range: 1024-32767 # Default: # ListenPort=10051 -ListenPort=<%= @listenport %> +ListenPort=<%= $listenport %> ### Option: SourceIP # Source IP address for outgoing connections. 
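Review bot: `$database_password` is declared as `Variant[String[1], Sensitive[String[8]]]`, so a wrapped password shorter than eight characters fails template validation while the same value passed as a plain string is accepted. The class-level parameter elsewhere in this patch uses `Sensitive[String[1]]`. Unless the eight-character minimum is intended for both forms, `Variant[String[1], Sensitive[String[1]]] $database_password,` keeps them consistent. `$vaulttoken` is also a credential but is typed `Optional[String[1]]`, so a Sensitive value is rejected; `Optional[Variant[String[1], Sensitive[String[1]]]] $vaulttoken,` would let callers protect it the same way.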
@@ -19,28 +113,28 @@ ListenPort=<%= @listenport %> # Mandatory: no # Default: # SourceIP= -<% if @sourceip %>SourceIP=<%= @sourceip %><% end %> +<% if $sourceip { %>SourceIP=<%= $sourceip %><% } -%> -<% if @logtype %> +<% if $logtype { %> ### Option: LogType # Specifies where log messages are written to: # system - syslog # file - file specified with LogFile parameter # console - standard output # -LogType=<%= @logtype %><% end %> +LogType=<%= $logtype %><% } -%> -<% if @logtype == 'file' -%> +<% if $logtype == 'file' { -%> ### Option: LogFile # Log file name for LogType 'file' parameter. # -LogFile=<%= @logfile %> +LogFile=<%= $logfile %> ### Option: LogFileSize # Maximum size of log file in MB. # 0 - disable automatic log rotation. # -LogFileSize=<%= @logfilesize %><% end -%> +LogFileSize=<%= $logfilesize %><% } -%> ### Option: DebugLevel # Specifies debug level: @@ -50,12 +144,12 @@ LogFileSize=<%= @logfilesize %><% end -%> # 3 - warnings # 4 - for debugging (produces lots of information) # 5 - extended debugging (produces even more information) -DebugLevel=<%= @debuglevel %> +DebugLevel=<%= $debuglevel %> ### Option: PidFile # Name of PID file. # -PidFile=<%= @pidfile %> +PidFile=<%= $pidfile %> ### Option: SocketDir # IPC socket directory. 
@@ -63,58 +157,58 @@ PidFile=<%= @pidfile %> # # Mandatory: no # Default: -<% if @socketdir %>SocketDir=<%= @socketdir %><% end %> +<% if $socketdir { %>SocketDir=<%= $socketdir %><% } -%> ### Option: DBHost # Database host name. # If set to localhost, socket is used for MySQL. # If set to empty string, socket is used for PostgreSQL. # -DBHost=<%= @database_host %> +DBHost=<%= $database_host %> ### Option: DBName # Database name. # For SQLite3 path to database file must be provided. DBUser and DBPassword are ignored. # -DBName=<%= @database_name %> +DBName=<%= $database_name %> ### Option: DBSchema # Schema name. Used for IBM DB2 and PostgreSQL. # -<% if @database_schema %>DBSchema=<%= @database_schema %><% end %> +<% if $database_schema { %>DBSchema=<%= $database_schema %><% } -%> ### Option: DBUser # Database user. Ignored for SQLite. # -DBUser=<%= @database_user %> +DBUser=<%= $database_user %> ### Option: DBPassword # Database password. Ignored for SQLite. # Comment this line if no password is used. # -DBPassword=<%= @database_password %> +DBPassword=<%= $database_password %> ### Option: DBSocket # Path to MySQL socket. # -<% if @database_socket %>DBSocket=<%= @database_socket %><% end %> +<% if $database_socket { %>DBSocket=<%= $database_socket %><% } -%> ### Option: DBPort # Database port when not using local socket. Ignored for SQLite. # -<% if @database_port %>DBPort=<%= @database_port %><% end %> +<% if $database_port { %>DBPort=<%= $database_port %><% } -%> ############ ADVANCED PARAMETERS ################ ### Option: StartPollers # Number of pre-forked instances of pollers. # -StartPollers=<%= @startpollers %> +StartPollers=<%= $startpollers %> ### Option: StartIPMIPollers # Number of pre-forked instances of IPMI pollers. # -StartIPMIPollers=<%= @startipmipollers %> +StartIPMIPollers=<%= $startipmipollers %> ### Option: StartPreprocessors # Number of pre-forked instances of preprocessing workers. 
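Review bot: `DBPassword=<%= $database_password %>` interpolates a value that may now be `Sensitive`, and whether it renders as the real password or as the redaction placeholder depends on how the running Puppet version handles Sensitive parameters in EPP. It would help to state the minimum supported Puppet version for this behaviour and to add a spec test that asserts the rendered line for a Sensitive input. It is also worth confirming that the file resource consuming this template (not visible in this hunk) keeps the content Sensitive, otherwise the password can appear in file diffs in reports.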
@@ -124,14 +218,14 @@ StartIPMIPollers=<%= @startipmipollers %> # Range: 1-1000 # Default: # StartPreprocessors=3 -<% if @startpreprocessors %>StartPreprocessors=<%= @startpreprocessors -%><% end %> +<% if $startpreprocessors { %>StartPreprocessors=<%= $startpreprocessors -%><% } -%> ### Option: StartPollersUnreachable # Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). # At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers # are started. # -StartPollersUnreachable=<%= @startpollersunreachable %> +StartPollersUnreachable=<%= $startpollersunreachable %> ### Option: StartTrappers # Number of pre-forked instances of trappers. 
@@ -139,34 +233,34 @@ StartPollersUnreachable=<%= @startpollersunreachable %> # At least one trapper process must be running to display server availability and view queue # in the frontend. # -StartTrappers=<%= @starttrappers %> +StartTrappers=<%= $starttrappers %> ### Option: StartPingers # Number of pre-forked instances of ICMP pingers. # -StartPingers=<%= @startpingers %> +StartPingers=<%= $startpingers %> ### Option: StartDiscoverers # Number of pre-forked instances of discoverers. # -StartDiscoverers=<%= @startdiscoverers %> +StartDiscoverers=<%= $startdiscoverers %> ### Option: StartHTTPPollers # Number of pre-forked instances of HTTP pollers. # -StartHTTPPollers=<%= @starthttppollers %> +StartHTTPPollers=<%= $starthttppollers %> ### Option: StartTimers # Number of pre-forked instances of timers. # Timers process time-based trigger functions and maintenance periods. # Only the first timer process handles the maintenance periods. # -StartTimers=<%= @starttimers %> +StartTimers=<%= $starttimers %> ### Option: StartEscalators # Number of pre-forked instances of escalators. # -<% if @startescalators %>StartEscalators=<%= @startescalators %><% end %> +<% if $startescalators { %>StartEscalators=<%= $startescalators %><% } -%> ### Option: StartAlerters # Number of pre-forked instances of alerters. 
@@ -176,69 +270,69 @@ StartTimers=<%= @starttimers %> # Range: 0-100 # Default: # StartAlerters=3 -<% if @startalerters %>StartAlerters=<%= @startalerters %><% end %> +<% if $startalerters { %>StartAlerters=<%= $startalerters %><% } -%> -<% if @javagateway %> +<% if $javagateway { -%> ### Option: JavaGateway # IP address (or hostname) of Zabbix Java gateway. # Only required if Java pollers are started. # -JavaGateway=<%= @javagateway %> +JavaGateway=<%= $javagateway %> ### Option: JavaGatewayPort # Port that Zabbix Java gateway listens on. # -JavaGatewayPort=<%= @javagatewayport %> +JavaGatewayPort=<%= $javagatewayport %> ### Option: StartJavaPollers # Number of pre-forked instances of Java pollers. # -StartJavaPollers=<%= @startjavapollers %> -<% end %> +StartJavaPollers=<%= $startjavapollers %> +<% } -%> ### Option: StartVMwareCollectors # Number of pre-forked vmware collector instances. # -StartVMwareCollectors=<%= @startvmwarecollectors %> +StartVMwareCollectors=<%= $startvmwarecollectors %> ### Option: VMwareFrequency # How often Zabbix will connect to VMware service to obtain a new data. # -VMwareFrequency=<%= @vmwarefrequency %> +VMwareFrequency=<%= $vmwarefrequency %> ### Option: VMwarePerfFrequency # How often Zabbix will connect to VMware service to obtain performance data. # -<% if @vmwareperffrequency %>VMwarePerfFrequency=<%= @vmwareperffrequency %><% end %> +<% if $vmwareperffrequency { %>VMwarePerfFrequency=<%= $vmwareperffrequency %><% } -%> ### Option: VMwareCacheSize # Size of VMware cache, in bytes. # Shared memory size for storing VMware data. # Only used if VMware collectors are started. # -VMwareCacheSize=<%= @vmwarecachesize %> +VMwareCacheSize=<%= $vmwarecachesize %> ### Option: VMwareTimeout # Specifies how many seconds vmware collector waits for response from VMware service. 
# -<% if @vmwaretimeout %>VMwareTimeout=<%= @vmwaretimeout %><% end %> +<% if $vmwaretimeout { %>VMwareTimeout=<%= $vmwaretimeout %><% } -%> ### Option: SNMPTrapperFile # Temporary file used for passing data from SNMP trap daemon to the server. # Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. # -SNMPTrapperFile=<%= @snmptrapperfile %> +SNMPTrapperFile=<%= $snmptrapperfile %> ### Option: StartSNMPTrapper # If 1, SNMP trapper process is started. # -StartSNMPTrapper=<%= @startsnmptrapper %> +StartSNMPTrapper=<%= $startsnmptrapper %> ### Option: ListenIP # List of comma delimited IP addresses that the trapper should listen on. # Trapper will listen on all network interfaces if this parameter is missing. # -<% if @listenip %>ListenIP=<%= @listenip %><% end %> +<% if $listenip { %>ListenIP=<%= $listenip %><% } -%> ### Option: HousekeepingFrequency # How often Zabbix will perform housekeeping procedure (in hours). @@ -247,7 +341,7 @@ StartSNMPTrapper=<%= @startsnmptrapper %> # hours of outdated information are deleted in one housekeeping cycle, for each item. # To lower load on server startup housekeeping is postponed for 30 minutes after server start. # -HousekeepingFrequency=<%= @housekeepingfrequency %> +HousekeepingFrequency=<%= $housekeepingfrequency %> ### Option: MaxHousekeeperDelete # The table "housekeeper" contains "tasks" for housekeeping procedure in the format: 
@@ -257,134 +351,134 @@ HousekeepingFrequency=<%= @housekeepingfrequency %> # SQLite3 does not use this parameter, deletes all corresponding rows without a limit. # If set to 0 then no limit is used at all. In this case you must know what you are doing! # -MaxHousekeeperDelete=<%= @maxhousekeeperdelete %> +MaxHousekeeperDelete=<%= $maxhousekeeperdelete %> ### Option: CacheSize # Size of configuration cache, in bytes. # Shared memory size for storing host, item and trigger data. # -CacheSize=<%= @cachesize %> +CacheSize=<%= $cachesize %> ### Option: CacheUpdateFrequency # How often Zabbix will perform update of configuration cache, in seconds. # -CacheUpdateFrequency=<%= @cacheupdatefrequency %> +CacheUpdateFrequency=<%= $cacheupdatefrequency %> ### Option: StartDBSyncers # Number of pre-forked instances of DB Syncers # -StartDBSyncers=<%= @startdbsyncers %> +StartDBSyncers=<%= $startdbsyncers %> ### Option: HistoryCacheSize # Size of history cache, in bytes. # Shared memory size for storing history data. # -HistoryCacheSize=<%= @historycachesize %> +HistoryCacheSize=<%= $historycachesize %> ### Option: HistoryIndexCacheSize # Size of history index cache, in bytes. # Shared memory size for indexing history cache. # -<% if @historyindexcachesize %>HistoryIndexCacheSize=<%= @historyindexcachesize %><% end %> +<% if $historyindexcachesize { %>HistoryIndexCacheSize=<%= $historyindexcachesize %><% } -%> ### Option: TrendCacheSize # Size of trend cache, in bytes. # Shared memory size for storing trends data. # -TrendCacheSize=<%= @trendcachesize %> +TrendCacheSize=<%= $trendcachesize %> ### Option: ValueCacheSize # Size of history value cache, in bytes. # Shared memory size for caching item history data requests. # Setting to 0 disables value cache. # -ValueCacheSize=<%= @valuecachesize %> +ValueCacheSize=<%= $valuecachesize %> ### Option: Timeout # Specifies how long we wait for agent, SNMP device or external check (in seconds). 
# -Timeout=<%= @timeout %> +Timeout=<%= $timeout %> ### Option: TrapperTimeout # Specifies how many seconds trapper may spend processing new data. # -TrapperTimeout=<%= @trappertimeout %> +TrapperTimeout=<%= $trappertimeout %> ### Option: UnreachablePeriod # After how many seconds of unreachability treat a host as unavailable. # -UnreachablePeriod=<%= @unreachableperiod %> +UnreachablePeriod=<%= $unreachableperiod %> ### Option: UnavailableDelay # How often host is checked for availability during the unavailability period, in seconds. # -UnavailableDelay=<%= @unavailabledelay %> +UnavailableDelay=<%= $unavailabledelay %> ### Option: UnreachableDelay # How often host is checked for availability during the unreachability period, in seconds. # -UnreachableDelay=<%= @unreachabledelay %> +UnreachableDelay=<%= $unreachabledelay %> ### Option: AlertScriptsPath # Full path to location of custom alert scripts. # Default depends on compilation options. # -AlertScriptsPath=<%= @alertscriptspath %> +AlertScriptsPath=<%= $alertscriptspath %> ### Option: ExternalScripts # Full path to location of external scripts. # Default depends on compilation options. # -ExternalScripts=<%= @externalscripts %> +ExternalScripts=<%= $externalscripts %> ### Option: FpingLocation # Location of fping. # Make sure that fping binary has root ownership and SUID flag set. # -FpingLocation=<%= @fpinglocation %> +FpingLocation=<%= $fpinglocation %> ### Option: Fping6Location # Location of fping6. # Make sure that fping6 binary has root ownership and SUID flag set. # Make empty if your fping utility is capable to process IPv6 addresses. # -Fping6Location=<%= @fping6location %> +Fping6Location=<%= $fping6location %> ### Option: SSHKeyLocation # Location of public and private keys for SSH checks and actions. 
# -<% if @sshkeylocation %>SSHKeyLocation=<%= @sshkeylocation %><% end %> +<% if $sshkeylocation { %>SSHKeyLocation=<%= $sshkeylocation %><% } -%> ### Option: LogSlowQueries # How long a database query may take before being logged (in milliseconds). # Only works if DebugLevel set to 3 or 4 or 5. # 0 - don't log slow queries. # -LogSlowQueries=<%= @logslowqueries %> +LogSlowQueries=<%= $logslowqueries %> ### Option: TmpDir # Temporary directory. # -TmpDir=<%= @tmpdir %> +TmpDir=<%= $tmpdir %> ### Option: StartProxyPollers # Number of pre-forked instances of pollers for passive proxies. # -StartProxyPollers=<%= @startproxypollers %> +StartProxyPollers=<%= $startproxypollers %> ### Option: ProxyConfigFrequency # How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds. # This parameter is used only for proxies in the passive mode. # -ProxyConfigFrequency=<%= @proxyconfigfrequency %> +ProxyConfigFrequency=<%= $proxyconfigfrequency %> ### Option: ProxyDataFrequency # How often Zabbix Server requests history data from a Zabbix Proxy in seconds. # This parameter is used only for proxies in the passive mode. # -ProxyDataFrequency=<%= @proxydatafrequency %> +ProxyDataFrequency=<%= $proxydatafrequency %> -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: StartLLDProcessors # Number of pre-forked instances of low level discovery processors. # @@ -392,8 +486,8 @@ ProxyDataFrequency=<%= @proxydatafrequency %> # Range: 1-100 # Default: # StartLLDProcessors=2 -<% if @startlldprocessors %>StartLLDProcessors=<%= @startlldprocessors -%><% end %> -<% end %> +<% if $startlldprocessors { %>StartLLDProcessors=<%= $startlldprocessors -%><% } -%> +<% } -%> ### Option: AllowRoot # Allow the server to run as 'root'. If disabled and the server is started by 'root', the server 
@@ -402,7 +496,7 @@ ProxyDataFrequency=<%= @proxydatafrequency %> # 0 - do not allow # 1 - allow # -AllowRoot=<%= @allowroot %> +AllowRoot=<%= $allowroot %> ### Option: User # Drop privileges to a specific, existing user on the system. @@ -411,32 +505,32 @@ AllowRoot=<%= @allowroot %> # Mandatory: no # Default: # User=zabbix -<% if @zabbix_user %>User=<%= @zabbix_user %><% end %> +<% if $zabbix_user { %>User=<%= $zabbix_user %><% } -%> ### Option: Include # You may include individual files or all files in a directory in the configuration file. # Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. # -Include=<%= @include_dir %> +Include=<%= $include_dir %> ### Option: SSLCertLocation # Location of SSL client certificates. # This parameter is used only in web monitoring. # -SSLCertLocation=<%= @sslcertlocation_dir %> +SSLCertLocation=<%= $sslcertlocation_dir %> ### Option: SSLKeyLocation # Location of private keys for SSL client certificates. # This parameter is used only in web monitoring. # -SSLKeyLocation=<%= @sslkeylocation_dir %> +SSLKeyLocation=<%= $sslkeylocation_dir %> ### Option: SSLCALocation # Override the location of certificate authority (CA) files for SSL server certificate verification. # If not set, system-wide directory will be used. # This parameter is used only in web monitoring. # -<% if @sslcalocation_dir %>SSLCALocation=<%= @sslcalocation_dir %><% end %> +<% if $sslcalocation_dir { %>SSLCALocation=<%= $sslcalocation_dir %><% } -%> ####### LOADABLE MODULES ####### @@ -444,7 +538,7 @@ SSLKeyLocation=<%= @sslkeylocation_dir %> # Full path to location of server modules. # Default depends on compilation options. # -LoadModulePath=<%= @loadmodulepath %> +LoadModulePath=<%= $loadmodulepath %> ### Option: LoadModule # Module to load at server startup. Modules are used to extend functionality of the server. 
@@ -452,7 +546,7 @@ LoadModulePath=<%= @loadmodulepath %> # The modules must be located in directory specified by LoadModulePath. # It is allowed to include multiple LoadModule parameters. # -<% if @loadmodule %>LoadModule = <%= @loadmodule %><% end %> +<% if $loadmodule { %>LoadModule = <%= $loadmodule %><% } -%> ####### TLS-RELATED PARAMETERS ####### @@ -463,7 +557,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCAFile= -<% if @tlscafile %>TLSCAFile=<%= @tlscafile %><% end %> +<% if $tlscafile { %>TLSCAFile=<%= $tlscafile %><% } -%> ### Option: TLSCRLFile # Full pathname of a file containing revoked certificates. @@ -471,7 +565,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCRLFile= -<% if @tlscrlfile %>TLSCRLFile=<%= @tlscrlfile %><% end %> +<% if $tlscrlfile { %>TLSCRLFile=<%= $tlscrlfile %><% } -%> ### Option: TLSCertFile # Full pathname of a file containing the server certificate or certificate chain. @@ -479,7 +573,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCertFile= -<% if @tlscertfile %>TLSCertFile=<%= @tlscertfile %><% end %> +<% if $tlscertfile { %>TLSCertFile=<%= $tlscertfile %><% } -%> ### Option: TLSKeyFile # Full pathname of a file containing the server private key. @@ -487,10 +581,10 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSKeyFile= -<% if @tlskeyfile %>TLSKeyFile=<%= @tlskeyfile %><% end %> +<% if $tlskeyfile { %>TLSKeyFile=<%= $tlskeyfile %><% } -%> ####### For advanced users - TLS ciphersuite selection criteria ####### -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: DBTLSConnect # Setting this option enforces to use TLS connection to database. # required - connect using TLS 
@@ -504,7 +598,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlsconnect %>DBTLSConnect=<%= @database_tlsconnect %><% end %> +<% if $database_tlsconnect { %>DBTLSConnect=<%= $database_tlsconnect %><% } -%> ### Option: DBTLSCAFile # Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. @@ -513,7 +607,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # (yes, if DBTLSConnect set to one of: verify_ca, verify_full) # Default: -<% if @database_tlscafile %>DBTLSCAFile=<%= @database_tlscafile %><% end %> +<% if $database_tlscafile { %>DBTLSCAFile=<%= $database_tlscafile %><% } -%> ### Option: DBTLSCertFile # Full pathname of file containing Zabbix server certificate for authenticating to database. @@ -521,7 +615,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlscertfile %>DBTLSCertFile=<%= @database_tlscertfile %><% end %> +<% if $database_tlscertfile { %>DBTLSCertFile=<%= $database_tlscertfile %><% } -%> ### Option: DBTLSKeyFile # Full pathname of file containing the private key for authenticating to database. @@ -529,7 +623,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory: no # Default: -<% if @database_tlskeyfile %>DBTLSKeyFile=<%= @database_tlskeyfile %><% end %> +<% if $database_tlskeyfile { %>DBTLSKeyFile=<%= $database_tlskeyfile %><% } -%> ### Option: DBTLSCipher # The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2 @@ -537,7 +631,7 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory no # Default: -<% if @database_tlscipher %>DBTLSCipher=<%= @database_tlscipher %><% end %> +<% if $database_tlscipher { %>DBTLSCipher=<%= $database_tlscipher %><% } -%> ### Option: DBTLSCipher13 # The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol 
@@ -545,10 +639,10 @@ LoadModulePath=<%= @loadmodulepath %> # # Mandatory no # Default: -<% if @database_tlscipher13 %>DBTLSCipher13=<%= @database_tlscipher13 %><% end %> -<% end %> +<% if $database_tlscipher13 { %>DBTLSCipher13=<%= $database_tlscipher13 %><% } -%> +<% } %> -<% if @zabbix_version.to_f >= 5.0 %> +<% if versioncmp($zabbix_version,'5') >= 0 { -%> ### Option: TLSCipherCert13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. # Override the default ciphersuite selection criteria for certificate-based encryption. @@ -556,7 +650,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherCert13= -<% if @tlsciphercert13 %>TLSCipherCert13=<%= @tlsciphercert13 %><% end %> +<% if $tlsciphercert13 { %>TLSCipherCert13=<%= $tlsciphercert13 %><% } -%> ### Option: TLSCipherCert # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -569,7 +663,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherCert= -<% if @tlsciphercert %>TLSCipherCert=<%= @tlsciphercert %><% end %> +<% if $tlsciphercert { %>TLSCipherCert=<%= $tlsciphercert %><% } -%> ### Option: TLSCipherPSK13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. @@ -580,7 +674,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherPSK13= -<% if @tlscipherpsk13 %>TLSCipherPSK13=<%= @tlscipherpsk13 %><% end %> +<% if $tlscipherpsk13 { %>TLSCipherPSK13=<%= $tlscipherpsk13 %><% } -%> ### Option: TLSCipherPSK # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -593,7 +687,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherPSK= -<% if @tlscipherpsk %>TLSCipherPSK=<%= @tlscipherpsk %><% end %> +<% if $tlscipherpsk { %>TLSCipherPSK=<%= $tlscipherpsk %><% } -%> ### Option: TLSCipherAll13 # Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. 
@@ -604,7 +698,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherAll13= -<% if @tlscipherall13 %>TLSCipherAll13=<%= @tlscipherall13 %><% end %> +<% if $tlscipherall13 { %>TLSCipherAll13=<%= $tlscipherall13 %><% } -%> ### Option: TLSCipherAll # GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. @@ -617,10 +711,10 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # TLSCipherAll13= -<% if @tlscipherall %>TLSCipherAll=<%= @tlscipherall %><% end %> -<% end %> +<% if $tlscipherall { %>TLSCipherAll=<%= $tlscipherall %><% } -%> +<% } -%> -<% if @zabbix_version.to_f >= 5.2 %> +<% if versioncmp($zabbix_version,'6.2') >= 0 { -%> ### Option: VaultToken # Vault authentication token that should have been generated exclusively for Zabbix server with read only permission # to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath @@ -630,7 +724,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultToken= -<% if @vaulttoken %>VaultToken=<%= @vaulttoken -%><% end %> +<% if $vaulttoken { %>VaultToken=<%= $vaulttoken -%><% } -%> ### Option: VaultURL # Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. @@ -638,7 +732,7 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultURL=https://127.0.0.1:8200 -<% if @vaulturl %>VaultURL=<%= @vaulturl -%><% end %> +<% if $vaulturl { %>VaultURL=<%= $vaulturl -%><% } -%> ### Option: VaultDBPath # Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. 
@@ -648,11 +742,11 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # VaultDBPath= -<% if @vaultdbpath %>VaultDBPath=<%= @vaultdbpath -%><% end %> -<% end %> +<% if $vaultdbpath { %>VaultDBPath=<%= $vaultdbpath -%><% } -%> +<% } -%> -<% if @zabbix_version.to_f >= 5.4 %> +<% if versioncmp($zabbix_version,'5.4') >= 0 { -%> ### Option: StartReportWriters # Number of pre-forked report writer instances. # @@ -660,7 +754,7 @@ LoadModulePath=<%= @loadmodulepath %> # Range: 0-100 # Default: # StartReportWriters=0 -<% if @startreportwriters %>StartReportWriters=<%= @startreportwriters -%><% end %> +<% if $startreportwriters { %>StartReportWriters=<%= $startreportwriters -%><% } -%> ### Option: WebServiceURL # URL to Zabbix web service, used to perform web related tasks. @@ -669,5 +763,5 @@ LoadModulePath=<%= @loadmodulepath %> # Mandatory: no # Default: # WebServiceURL= -<% if @webserviceurl %>WebServiceURL=<%= @webserviceurl -%><% end %> -<% end %> +<% if $webserviceurl { %>WebServiceURL=<%= $webserviceurl -%><% } -%> +<% } -%> From d975ad9097ebd9238c0a8321676f29762e32cf74 Mon Sep 17 00:00:00 2001 From: DEFERME Bert Date: Fri, 5 Aug 2022 17:00:22 +0200 Subject: [PATCH 02/26] Fix exposing password for debug mode --- manifests/database/postgresql.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp index cbeed173f..6c1a59e4e 100644 --- a/manifests/database/postgresql.pp +++ b/manifests/database/postgresql.pp 
@@ -69,9 +69,9 @@ } exec { 'update_pgpass': - command => "echo ${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive} >> /root/.pgpass", + command => Sensitive("echo ${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive} >> /root/.pgpass"), path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => "grep \"${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive}\" /root/.pgpass", + unless => Sensitive("grep \"${database_host}:${database_port}:${database_name}:${database_user}:${database_password_unsensitive}\" /root/.pgpass"), require => File['/root/.pgpass'], } From 31ac5d7967696691bacf6ed9b99a88be52921993 Mon Sep 17 00:00:00 2001 From: DEFERME Bert Date: Wed, 19 Oct 2022 09:25:29 +0200 Subject: [PATCH 03/26] Lint fixes --- manifests/database/mysql.pp | 34 +++---- manifests/proxy.pp | 190 ++++++++++++++++++------------------ manifests/web.pp | 40 ++++---- 3 files changed, 132 insertions(+), 132 deletions(-) diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp index 75c6d2412..f0891fa4a 100644 --- a/manifests/database/mysql.pp +++ b/manifests/database/mysql.pp 
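Review bot: Wrapping `command` and `unless` in `Sensitive()` hides the strings from Puppet's output, but the unwrapped password is still interpolated unquoted into a command line with a redirect and into a `grep` pattern. A password containing shell or regular-expression metacharacters, or the `:` and `\` that the .pgpass format requires to be escaped, would be interpreted rather than written literally. The value also sits in the process argument list while the exec runs. Consider having the existing `File['/root/.pgpass']` resource (defined outside this hunk) manage the entry as Sensitive content instead of appending through an exec. If the exec stays, at least use a fixed-string match such as `grep -qF --` with the line quoted.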
@@ -66,37 +66,37 @@ } # Loading the sql files. - $_mysql_env = [ "database_password=${database_password_unsensitive}" ] + $_mysql_env = ["database_password=${database_password_unsensitive}"] case $zabbix_type { 'proxy' : { exec { 'zabbix_proxy_create.sql': - command => $zabbix_proxy_create_sql, - path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => 'test -f /etc/zabbix/.schema.done', - provider => 'shell', + command => $zabbix_proxy_create_sql, + path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", + unless => 'test -f /etc/zabbix/.schema.done', + provider => 'shell', environment => $_mysql_env, } } 'server' : { exec { 'zabbix_server_create.sql': - command => $zabbix_server_create_sql, - path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => 'test -f /etc/zabbix/.schema.done', - provider => 'shell', + command => $zabbix_server_create_sql, + path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", + unless => 'test -f /etc/zabbix/.schema.done', + provider => 'shell', environment => $_mysql_env, } -> exec { 'zabbix_server_images.sql': - command => $zabbix_server_images_sql, - path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => 'test -f /etc/zabbix/.images.done', - provider => 'shell', + command => $zabbix_server_images_sql, + path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", + unless => 'test -f /etc/zabbix/.images.done', + provider => 'shell', environment => $_mysql_env, } -> exec { 'zabbix_server_data.sql': - command => $zabbix_server_data_sql, - path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", - unless => 'test -f /etc/zabbix/.data.done', - provider => 'shell', + command => $zabbix_server_data_sql, + path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}", + unless => 'test -f /etc/zabbix/.data.done', + provider => 'shell', environment => $_mysql_env, } } 
diff --git a/manifests/proxy.pp b/manifests/proxy.pp index 0b8b3ab54..558843cf1 100644 --- a/manifests/proxy.pp +++ b/manifests/proxy.pp 
@@ -508,101 +508,101 @@ require => Package["zabbix-proxy-${db}"], replace => true, content => Sensitive(epp('zabbix/zabbix_proxy.conf.epp', { - 'allowroot' => $allowroot, - 'cachesize' => $cachesize, - 'configfrequency' => $configfrequency, - 'database_host' => $database_host, - 'database_name' => $database_name, - 'database_password' => $database_password, - 'database_port' => $database_port, - 'database_schema' => $database_schema, - 'database_socket' => $database_socket, - 'database_tlscafile' => $database_tlscafile, - 'database_tlscertfile' => $database_tlscertfile, - 'database_tlscipher' => $database_tlscipher, - 'database_tlscipher13' => $database_tlscipher13, - 'database_tlsconnect' => $database_tlsconnect, - 'database_tlskeyfile' => $database_tlskeyfile, - 'database_user' => $database_user, - 'datasenderfrequency' => $datasenderfrequency, - 'debuglevel' => $debuglevel, - 'enableremotecommands' => $enableremotecommands, - 'externalscripts' => $externalscripts, - 'fping6location' => $fping6location, - 'fpinglocation' => $fpinglocation, - 'heartbeatfrequency' => $heartbeatfrequency, - 'historycachesize' => $historycachesize, - 'historyindexcachesize' => $historyindexcachesize, - 'hostname' => $hostname, - 'housekeepingfrequency' => $housekeepingfrequency, - 'include_dir' => $include_dir, - 'javagateway' => $javagateway, - 'javagatewayport' => $javagatewayport, - 'listenip' => $listenip, - 'listenport' => $listenport, - 'loadmodule' => $loadmodule, - 'loadmodulepath' => $loadmodulepath, - 'localbuffer' => $localbuffer, - 'logfile' => $logfile, - 'logfilesize' => $logfilesize, - 'logremotecommands' => $logremotecommands, - 'logslowqueries' => $logslowqueries, - 'logtype' => $logtype, - 'mode' => $mode, - 'offlinebuffer' => $offlinebuffer, - 'pidfile' => $pidfile, - 'snmptrapper' => $snmptrapper, - 'snmptrapperfile' => $snmptrapperfile, - 'socketdir' => $socketdir, - 'sourceip' => $sourceip, - 'sshkeylocation' => $sshkeylocation, - 'sslcalocation_dir' => 
$sslcalocation_dir, - 'sslcertlocation_dir' => $sslcertlocation_dir, - 'sslkeylocation_dir' => $sslkeylocation_dir, - 'startdbsyncers' => $startdbsyncers, - 'startdiscoverers' => $startdiscoverers, - 'starthttppollers' => $starthttppollers, - 'startipmipollers' => $startipmipollers, - 'startjavapollers' => $startjavapollers, - 'startpingers' => $startpingers, - 'startpollers' => $startpollers, - 'startpollersunreachable' => $startpollersunreachable, - 'startpreprocessors' => $startpreprocessors, - 'starttrappers' => $starttrappers, - 'startvmwarecollectors' => $startvmwarecollectors, - 'timeout' => $timeout, - 'tlsaccept' => $tlsaccept, - 'tlscafile' => $tlscafile, - 'tlscertfile' => $tlscertfile, - 'tlscipherall' => $tlscipherall, - 'tlscipherall13' => $tlscipherall13, - 'tlsciphercert' => $tlsciphercert, - 'tlsciphercert13' => $tlsciphercert13, - 'tlscipherpsk' => $tlscipherpsk, - 'tlscipherpsk13' => $tlscipherpsk13, - 'tlsconnect' => $tlsconnect, - 'tlscrlfile' => $tlscrlfile, - 'tlskeyfile' => $tlskeyfile, - 'tlspskfile' => $tlspskfile, - 'tlspskidentity' => $tlspskidentity, - 'tlsservercertissuer' => $tlsservercertissuer, - 'tlsservercertsubject' => $tlsservercertsubject, - 'tmpdir' => $tmpdir, - 'trappertimeout' => $trappertimeout, - 'unavaliabledelay' => $unavaliabledelay, - 'unreachabedelay' => $unreachabedelay, - 'unreachableperiod' => $unreachableperiod, - 'vaultdbpath' => $vaultdbpath, - 'vaulttoken' => $vaulttoken, - 'vaulturl' => $vaulturl, - 'vmwarecachesize' => $vmwarecachesize, - 'vmwarefrequency' => $vmwarefrequency, - 'vmwareperffrequency' => $vmwareperffrequency, - 'vmwaretimeout' => $vmwaretimeout, - 'zabbix_server_host' => $zabbix_server_host, - 'zabbix_server_port' => $zabbix_server_port, - 'zabbix_user' => $zabbix::params::server_zabbix_user, - 'zabbix_version' => $zabbix_version, + 'allowroot' => $allowroot, + 'cachesize' => $cachesize, + 'configfrequency' => $configfrequency, + 'database_host' => $database_host, + 'database_name' => 
$database_name, + 'database_password' => $database_password, + 'database_port' => $database_port, + 'database_schema' => $database_schema, + 'database_socket' => $database_socket, + 'database_tlscafile' => $database_tlscafile, + 'database_tlscertfile' => $database_tlscertfile, + 'database_tlscipher' => $database_tlscipher, + 'database_tlscipher13' => $database_tlscipher13, + 'database_tlsconnect' => $database_tlsconnect, + 'database_tlskeyfile' => $database_tlskeyfile, + 'database_user' => $database_user, + 'datasenderfrequency' => $datasenderfrequency, + 'debuglevel' => $debuglevel, + 'enableremotecommands' => $enableremotecommands, + 'externalscripts' => $externalscripts, + 'fping6location' => $fping6location, + 'fpinglocation' => $fpinglocation, + 'heartbeatfrequency' => $heartbeatfrequency, + 'historycachesize' => $historycachesize, + 'historyindexcachesize' => $historyindexcachesize, + 'hostname' => $hostname, + 'housekeepingfrequency' => $housekeepingfrequency, + 'include_dir' => $include_dir, + 'javagateway' => $javagateway, + 'javagatewayport' => $javagatewayport, + 'listenip' => $listenip, + 'listenport' => $listenport, + 'loadmodule' => $loadmodule, + 'loadmodulepath' => $loadmodulepath, + 'localbuffer' => $localbuffer, + 'logfile' => $logfile, + 'logfilesize' => $logfilesize, + 'logremotecommands' => $logremotecommands, + 'logslowqueries' => $logslowqueries, + 'logtype' => $logtype, + 'mode' => $mode, + 'offlinebuffer' => $offlinebuffer, + 'pidfile' => $pidfile, + 'snmptrapper' => $snmptrapper, + 'snmptrapperfile' => $snmptrapperfile, + 'socketdir' => $socketdir, + 'sourceip' => $sourceip, + 'sshkeylocation' => $sshkeylocation, + 'sslcalocation_dir' => $sslcalocation_dir, + 'sslcertlocation_dir' => $sslcertlocation_dir, + 'sslkeylocation_dir' => $sslkeylocation_dir, + 'startdbsyncers' => $startdbsyncers, + 'startdiscoverers' => $startdiscoverers, + 'starthttppollers' => $starthttppollers, + 'startipmipollers' => $startipmipollers, + 'startjavapollers' => 
$startjavapollers, + 'startpingers' => $startpingers, + 'startpollers' => $startpollers, + 'startpollersunreachable' => $startpollersunreachable, + 'startpreprocessors' => $startpreprocessors, + 'starttrappers' => $starttrappers, + 'startvmwarecollectors' => $startvmwarecollectors, + 'timeout' => $timeout, + 'tlsaccept' => $tlsaccept, + 'tlscafile' => $tlscafile, + 'tlscertfile' => $tlscertfile, + 'tlscipherall' => $tlscipherall, + 'tlscipherall13' => $tlscipherall13, + 'tlsciphercert' => $tlsciphercert, + 'tlsciphercert13' => $tlsciphercert13, + 'tlscipherpsk' => $tlscipherpsk, + 'tlscipherpsk13' => $tlscipherpsk13, + 'tlsconnect' => $tlsconnect, + 'tlscrlfile' => $tlscrlfile, + 'tlskeyfile' => $tlskeyfile, + 'tlspskfile' => $tlspskfile, + 'tlspskidentity' => $tlspskidentity, + 'tlsservercertissuer' => $tlsservercertissuer, + 'tlsservercertsubject' => $tlsservercertsubject, + 'tmpdir' => $tmpdir, + 'trappertimeout' => $trappertimeout, + 'unavaliabledelay' => $unavaliabledelay, + 'unreachabedelay' => $unreachabedelay, + 'unreachableperiod' => $unreachableperiod, + 'vaultdbpath' => $vaultdbpath, + 'vaulttoken' => $vaulttoken, + 'vaulturl' => $vaulturl, + 'vmwarecachesize' => $vmwarecachesize, + 'vmwarefrequency' => $vmwarefrequency, + 'vmwareperffrequency' => $vmwareperffrequency, + 'vmwaretimeout' => $vmwaretimeout, + 'zabbix_server_host' => $zabbix_server_host, + 'zabbix_server_port' => $zabbix_server_port, + 'zabbix_user' => $zabbix::params::server_zabbix_user, + 'zabbix_version' => $zabbix_version, })), } diff --git a/manifests/web.pp b/manifests/web.pp index fc9a6620d..04d29a7e2 100644 --- a/manifests/web.pp +++ b/manifests/web.pp 
@@ -290,26 +290,26 @@ mode => '0640', replace => true, content => Sensitive(epp('zabbix/web/zabbix.conf.php.epp', { - 'database_type' => $database_type, - 'database_host' => $database_host, - 'database_port' => $database_port, - 'db_port' => $db_port, - 'database_name' => $database_name, - 'database_user' => $database_user, - 'database_password' => $database_password, - 'database_schema' => $database_schema, - 'database_double_ieee754' => $database_double_ieee754, - 'zabbix_server' => $zabbix_server, - 'zabbix_listenport' => $zabbix_listenport, - 'zabbix_server_name' => $zabbix_server_name, - 'ldap_cacert' => $ldap_cacert, - 'ldap_clientcert' => $ldap_clientcert, - 'ldap_clientkey' => $ldap_clientkey, - 'ldap_reqcert' => $ldap_reqcert, - 'saml_sp_key' => $saml_sp_key, - 'saml_sp_cert' => $saml_sp_cert, - 'saml_idp_cert' => $saml_idp_cert, - 'saml_settings' => $saml_settings, + 'database_type' => $database_type, + 'database_host' => $database_host, + 'database_port' => $database_port, + 'db_port' => $db_port, + 'database_name' => $database_name, + 'database_user' => $database_user, + 'database_password' => $database_password, + 'database_schema' => $database_schema, + 'database_double_ieee754' => $database_double_ieee754, + 'zabbix_server' => $zabbix_server, + 'zabbix_listenport' => $zabbix_listenport, + 'zabbix_server_name' => $zabbix_server_name, + 'ldap_cacert' => $ldap_cacert, + 'ldap_clientcert' => $ldap_clientcert, + 'ldap_clientkey' => $ldap_clientkey, + 'ldap_reqcert' => $ldap_reqcert, + 'saml_sp_key' => $saml_sp_key, + 'saml_sp_cert' => $saml_sp_cert, + 'saml_idp_cert' => $saml_idp_cert, + 'saml_settings' => $saml_settings, })), } From 58ec2af641c02346338a6c62ed2f8dc32c38531d Mon Sep 17 00:00:00 2001 From: DEFERME Bert Date: Mon, 12 Dec 2022 11:43:48 +0100 Subject: [PATCH 04/26] Make mysql db password undef by default --- manifests/database/mysql.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp index f0891fa4a..704d6c3be 100644 --- a/manifests/database/mysql.pp +++ b/manifests/database/mysql.pp @@ -16,7 +16,7 @@ $database_schema_path = '', $database_name = '', $database_user = '', - Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = '', + Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef, $database_host = '', Optional[Stdlib::Port::Unprivileged] $database_port = undef, $database_path = $zabbix::params::database_path, From f34d8655f5a8f55b0e0edaa78e94a53029ba1ab2 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 09:46:56 -0500 Subject: [PATCH 05/26] test: fix mysql test for password as variable --- spec/classes/database_mysql_spec.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/spec/classes/database_mysql_spec.rb b/spec/classes/database_mysql_spec.rb index 7cddd91aa..836886ec8 100644 --- a/spec/classes/database_mysql_spec.rb +++ b/spec/classes/database_mysql_spec.rb 
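Review bot: With the default now `undef`, nothing in this hunk shows what happens when no password is supplied. The schema commands asserted in spec/classes/database_mysql_spec.rb pass `-p"${database_password}"`, which with an empty variable would presumably reach mysql as a bare `-p` and make it prompt. If a password is required, dropping `Optional` and the default makes a missing value fail at compile time, e.g. `Variant[String[1], Sensitive[String[1]]] $database_password,`. If passwordless use is intended, a comment on the parameter should say so. The class body is outside the hunk.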
@@ -58,7 +58,7 @@ it { is_expected.to contain_class('zabbix::database::mysql') } it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-server' -p'zabbix-server' -P 3306 -D 'zabbix-server' < #{sql_server} && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-server' -p\"${database_password}\" -P 3306 -D 'zabbix-server' < #{sql_server} && touch /etc/zabbix/.schema.done") } it { is_expected.to contain_exec('zabbix_server_images.sql').with_command('touch /etc/zabbix/.images.done') } it { is_expected.to contain_exec('zabbix_server_data.sql').with_command('touch /etc/zabbix/.data.done') } end @@ -77,7 +77,7 @@ it { is_expected.to contain_class('zabbix::database::mysql') } it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-server' -p'zabbix-server' -D 'zabbix-server' < #{sql_server} && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-server' -p\"${database_password}\" -D 'zabbix-server' < #{sql_server} && touch /etc/zabbix/.schema.done") } it { is_expected.to contain_exec('zabbix_server_images.sql').with_command('touch /etc/zabbix/.images.done') } it { is_expected.to contain_exec('zabbix_server_data.sql').with_command('touch /etc/zabbix/.data.done') } end 
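Review bot: The updated expectations only check that the command text references `${database_password}`; nothing asserts that the exec actually receives the password through `environment`, so a regression that drops it would still pass. Chaining `.with_environment(['database_password=zabbix-server'])` onto the `zabbix_server_create.sql` expectations here would pin that. The proxy expectations in the hunks at -101 and -123 need the equivalent. The value is assumed from the `-p'zabbix-server'` literal in the old expectation, since the `let :params` block is outside the hunk.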
@@ -101,9 +101,9 @@ it { is_expected.to compile.with_all_deps } if Puppet::Util::Package.versioncmp(zabbix_version, '6.0') < 0 - it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p'zabbix-proxy' -P 3306 -D 'zabbix-proxy' < schema.sql && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p\"${database_password}\" -P 3306 -D 'zabbix-proxy' < schema.sql && touch /etc/zabbix/.schema.done") } else - it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p'zabbix-proxy' -P 3306 -D 'zabbix-proxy' < proxy.sql && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p\"${database_password}\" -P 3306 -D 'zabbix-proxy' < proxy.sql && touch /etc/zabbix/.schema.done") } end end 
@@ -123,9 +123,9 @@ it { is_expected.to compile.with_all_deps } if Puppet::Util::Package.versioncmp(zabbix_version, '6.0') < 0 - it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p'zabbix-proxy' -D 'zabbix-proxy' < schema.sql && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p\"${database_password}\" -D 'zabbix-proxy' < schema.sql && touch /etc/zabbix/.schema.done") } else - it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p'zabbix-proxy' -D 'zabbix-proxy' < proxy.sql && touch /etc/zabbix/.schema.done") } + it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && mysql -h 'rspec.puppet.com' -u 'zabbix-proxy' -p\"${database_password}\" -D 'zabbix-proxy' < proxy.sql && touch /etc/zabbix/.schema.done") } end end end From fbb5a458769cacf77487e0906a1fc92987013695 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 10:19:26 -0500 Subject: [PATCH 06/26] test: fix postgresql sensitive /root/.pgpass content --- spec/classes/database_postgresql_spec.rb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/spec/classes/database_postgresql_spec.rb b/spec/classes/database_postgresql_spec.rb index 49603fed5..371da1e33 100644 --- a/spec/classes/database_postgresql_spec.rb +++ b/spec/classes/database_postgresql_spec.rb 
@@ -62,7 +62,7 @@ end it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass') } + it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:5432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass')) } it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && psql -h 'node01.example.com' -U 'zabbix-server' -p 5432 -d 'zabbix-server' -f #{sql_server} && touch /etc/zabbix/.schema.done") } it { is_expected.to contain_exec('zabbix_server_images.sql').with_command('touch /etc/zabbix/.images.done') } it { is_expected.to contain_exec('zabbix_server_data.sql').with_command('touch /etc/zabbix/.data.done') } @@ -83,7 +83,7 @@ end it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass') } + it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:5432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass')) } it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && psql -h 'node01.example.com' -U 'zabbix-server' -p 5432 -d 'zabbix-server' -f #{sql_server} && touch /etc/zabbix/.schema.done") } it { is_expected.to contain_exec('zabbix_server_images.sql').with_command('touch /etc/zabbix/.images.done') } it { is_expected.to contain_exec('zabbix_server_data.sql').with_command('touch /etc/zabbix/.data.done') } 
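Review bot: Only `command` is checked as sensitive; the `unless` parameter of `update_pgpass` carries the same password and was wrapped in the same manifest change, but no expectation covers it. Chaining `.with_unless(sensitive('grep "node01.example.com:5432:zabbix-server:zabbix-server:zabbix-server" /root/.pgpass'))` would catch a regression that exposes it again. The same applies to the hunks at -83, -105, -127 and -150, each with its own host, port and names.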
@@ -105,7 +105,7 @@ end it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:6432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass') } + it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:6432:zabbix-server:zabbix-server:zabbix-server >> /root/.pgpass')) } it { is_expected.to contain_exec('zabbix_server_create.sql').with_command("cd #{path} && if [ -f #{sql_server}.gz ]; then gunzip -f #{sql_server}.gz ; fi && psql -h 'node01.example.com' -U 'zabbix-server' -p 6432 -d 'zabbix-server' -f #{sql_server} && touch /etc/zabbix/.schema.done") } it { is_expected.to contain_exec('zabbix_server_images.sql').with_command('touch /etc/zabbix/.images.done') } it { is_expected.to contain_exec('zabbix_server_data.sql').with_command('touch /etc/zabbix/.data.done') } @@ -127,7 +127,7 @@ end it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass') } + it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass')) } if Puppet::Util::Package.versioncmp(zabbix_version, '6.0') < 0 it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && psql -h 'node01.example.com' -U 'zabbix-proxy' -p 5432 -d 'zabbix-proxy' -f schema.sql && touch /etc/zabbix/.schema.done") } 
@@ -150,7 +150,8 @@ end it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass') } + #it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass') } + it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass')) } if Puppet::Util::Package.versioncmp(zabbix_version, '6.0') < 0 it { is_expected.to contain_exec('zabbix_proxy_create.sql').with_command("cd #{path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && psql -h 'node01.example.com' -U 'zabbix-proxy' -p 5432 -d 'zabbix-proxy' -f schema.sql && touch /etc/zabbix/.schema.done") } From a4ad06477b888268a07d9cd47463bf269f94f3a5 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 12:21:53 -0500 Subject: [PATCH 07/26] fix: values are already masked when Sensitive type is used within epp --- manifests/proxy.pp | 4 ++-- manifests/server.pp | 4 ++-- manifests/web.pp | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/manifests/proxy.pp b/manifests/proxy.pp index 558843cf1..63470cdfe 100644 --- a/manifests/proxy.pp +++ b/manifests/proxy.pp @@ -507,7 +507,7 @@ mode => '0644', require => Package["zabbix-proxy-${db}"], replace => true, - content => Sensitive(epp('zabbix/zabbix_proxy.conf.epp', { + content => epp('zabbix/zabbix_proxy.conf.epp', { 'allowroot' => $allowroot, 'cachesize' => $cachesize, 'configfrequency' => $configfrequency, @@ -603,7 +603,7 @@ 'zabbix_server_port' => $zabbix_server_port, 'zabbix_user' => $zabbix::params::server_zabbix_user, 'zabbix_version' => $zabbix_version, - })), + }), } # Include dir for specific zabbix-proxy checks. diff --git a/manifests/server.pp b/manifests/server.pp index 8eeb63ffc..1395b6888 100644 
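Review bot: Dropping the `Sensitive()` wrapper in manifests/proxy.pp means the rendered file is redacted only when `$database_password` itself arrives as `Sensitive`. The parameter types in this series still accept a plain `String[1]`, and in that case the password line can show up in file diffs in agent logs and reports. Either keep the wrapper or add `show_diff => false,` to this `file` resource, and likewise in the manifests/server.pp and manifests/web.pp hunks of the same commit. This resource also keeps `mode => '0644'` for a file that holds the database password, where server.pp uses `'0640'`. The resource starts and ends outside the hunk.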
--- a/manifests/server.pp +++ b/manifests/server.pp @@ -452,7 +452,7 @@ mode => '0640', require => Package["zabbix-server-${db}"], replace => true, - content => Sensitive(epp('zabbix/zabbix_server.conf.epp', { + content => epp('zabbix/zabbix_server.conf.epp', { 'alertscriptspath' => $alertscriptspath, 'allowroot' => $allowroot, 'cachesize' => $cachesize, @@ -545,7 +545,7 @@ 'webserviceurl' => $webserviceurl, 'zabbix_user' => $zabbix::params::server_zabbix_user, 'zabbix_version' => $zabbix_version, - })), + }), } # Include dir for specific zabbix-server checks. diff --git a/manifests/web.pp b/manifests/web.pp index 04d29a7e2..107610f64 100644 --- a/manifests/web.pp +++ b/manifests/web.pp @@ -289,7 +289,7 @@ group => $web_config_group, mode => '0640', replace => true, - content => Sensitive(epp('zabbix/web/zabbix.conf.php.epp', { + content => epp('zabbix/web/zabbix.conf.php.epp', { 'database_type' => $database_type, 'database_host' => $database_host, 'database_port' => $database_port, @@ -310,7 +310,7 @@ 'saml_sp_cert' => $saml_sp_cert, 'saml_idp_cert' => $saml_idp_cert, 'saml_settings' => $saml_settings, - })), + }), } # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder. From 3ff1d950efc23014e48f791b1f26fbcc63e51f7e Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 12:25:55 -0500 Subject: [PATCH 08/26] fix: use known types (and what tests are using) in zabbix_server.conf.epp --- templates/zabbix_server.conf.epp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/zabbix_server.conf.epp b/templates/zabbix_server.conf.epp index ea3edfce2..761f62daa 100644 --- a/templates/zabbix_server.conf.epp +++ b/templates/zabbix_server.conf.epp 
@@ -6,7 +6,7 @@ String[1] $database_host, String[1] $database_name, Variant[String[1], Sensitive[String[8]]] $database_password, - Optional[String[1]] $database_port, + Optional[Stdlib::Port::Unprivileged] $database_port, Optional[String[1]] $database_schema, Optional[String[1]] $database_socket, Optional[Stdlib::Absolutepath] $database_tlscafile, @@ -32,7 +32,7 @@ String[1] $loadmodulepath, Optional[Stdlib::Absolutepath] $logfile, String[1] $logfilesize, - Integer $logslowqueries, + Variant[Integer,String[1]] $logslowqueries, Enum['console', 'file', 'system'] $logtype, String[1] $maxhousekeeperdelete, String[1] $pidfile, @@ -53,12 +53,12 @@ String[1] $startipmipollers, String[1] $startjavapollers, Integer[1,100] $startlldprocessors, - Integer $startpingers, + Variant[Integer, String[1]] $startpingers, Variant[Integer, String[1]] $startpollers, Variant[Integer, String[1]] $startpollersunreachable, Integer[1, 1000] $startpreprocessors, Variant[Integer, String[1]] $startproxypollers, - Optional[String[1]] $startreportwriters, + Optional[Integer] $startreportwriters, Variant[Integer, String[1]] $startsnmptrapper, Variant[Integer, String[1]] $starttimers, Variant[Integer, String[1]] $starttrappers, @@ -714,7 +714,7 @@ LoadModulePath=<%= $loadmodulepath %> <% if $tlscipherall { %>TLSCipherAll=<%= $tlscipherall %><% } -%> <% } -%> -<% if versioncmp($zabbix_version,'6.2') >= 0 { -%> +<% if versioncmp($zabbix_version,'5.2') >= 0 { -%> ### Option: VaultToken # Vault authentication token that should have been generated exclusively for Zabbix server with read only permission # to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath From 28198393b8492b1caa218c46768f243733ad3d57 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 12:27:59 -0500 Subject: [PATCH 09/26] test: cleartext password to not mask part of template --- spec/classes/server_spec.rb | 6 ++++++ 1 file changed, 6 insertions(+) 
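Review bot: The `$database_password` line just above the changed `$database_port` still reads `Variant[String[1], Sensitive[String[8]]]`, while manifests/database.pp and manifests/database/mysql.pp in this series declare `Sensitive[String[1]]`. If manifests/server.pp (not visible here) does the same, a Sensitive password shorter than eight characters passes class validation and then fails when the template is rendered. Since this commit aligns the template types with the classes, that line should become `Variant[String[1], Sensitive[String[1]]] $database_password,`, or the eight-character minimum should be enforced in both places. The parameter list continues outside the hunk.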
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 5da1b15e7..5a0e78986 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -347,6 +347,7 @@ context 'with zabbix_server.conf and version 5.0' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file socketdir: '/var/run/zabbix', zabbix_version: '5.0' } @@ -359,6 +360,7 @@ describe 'as system' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'system' } end @@ -371,6 +373,7 @@ describe 'as console' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'console' } end @@ -383,6 +386,7 @@ describe 'as file' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'file' } end @@ -398,6 +402,7 @@ describe 'with zabbix_version 5.2 and Vault parameters defined' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file zabbix_version: '5.2', vaultdbpath: 'secret/zabbix/database', vaulttoken: 'FKTYPEGL156DK', @@ -413,6 +418,7 @@ describe 'with zabbix_version 5.4 and report parameters defined' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file zabbix_version: '5.4', startreportwriters: 1, webserviceurl: 'http://localhost:10053/report', From e5ced74c8449efe9283e1ed5d14f7df02da0495b Mon Sep 17 00:00:00 2001 
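Review bot: Every context touched here now passes a cleartext `database_password` so the content matchers can read the file, which leaves the Sensitive path with no coverage as far as these hunks show. One additional context that passes `database_password: sensitive('notsecret')` and asserts that the `content` of the config file resource is sensitive would cover the case this series exists for. The repeated trailing comment could also be stated once above the first `let :params` instead of on six lines.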
From: Patrick Brideau Date: Mon, 12 Dec 2022 15:01:34 -0500 Subject: [PATCH 10/26] fix: define settings similar to what was in old erb --- templates/web/zabbix.conf.php.epp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/web/zabbix.conf.php.epp b/templates/web/zabbix.conf.php.epp index b020ba826..32645ffad 100644 --- a/templates/web/zabbix.conf.php.epp +++ b/templates/web/zabbix.conf.php.epp @@ -78,6 +78,10 @@ $SSO['SP_CERT'] = '<%= $saml_sp_cert -%>'; $SSO['IDP_CERT'] = '<%= $saml_idp_cert -%>'; <% } -%> <% unless empty($saml_settings) { -%> -$SSO['SETTINGS'] = [ <%= String($saml_settings,'%[h') %>; +$SSO['SETTINGS'] = [ <%= to_json_pretty($saml_settings, undef, {space_before => " "}) + .regsubst("{", "") + .regsubst(" : ", " => ",'G') + .regsubst("{", "[",'G') + .regsubst("}", "]",'G') -%>; <% } -%> ?> From b4729ac7ccea832ec70ad3ee9c1728f9181d083c Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 15:03:39 -0500 Subject: [PATCH 11/26] test: fix for the new template (erb to epp) --- spec/classes/web_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/classes/web_spec.rb b/spec/classes/web_spec.rb index 0b306c40b..5076ba491 100644 --- a/spec/classes/web_spec.rb +++ b/spec/classes/web_spec.rb 
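Review bot: The `regsubst` chain rewrites the whole JSON text, values included, so a `saml_settings` value containing `{`, `}` or ` : ` is altered. Because the values stay in double quotes, PHP will also expand any `$name` inside them. The first `regsubst("{", "")` additionally relies on `{` being taken literally as a pattern. If building the array from the data structure is out of scope, the restriction should at least be stated next to the expression, e.g. `<%# saml_settings values must not contain {, }, " : " or $: the JSON text is rewritten into a PHP array literal -%>`.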
@@ -233,7 +233,7 @@ it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['SP_KEY'\] = '/etc/zabbix/web/sp.key'}) } it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['SP_CERT'\] = '/etc/zabbix/web/sp.cert'}) } it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['IDP_CERT'\] = '/etc/zabbix/web/idp.cert'}) } - it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['SETTINGS'\] = \[ \n "strict" => true,\n "baseurl" => "http://example.com/sp/",\n "security" => \[\n "signatureAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",\n "digestAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#sha384",\n "singleLogoutService" => \[\n "responseUrl" => ""\n \]\n \]\n\];}) } + it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['SETTINGS'\] = \[ \n "strict" => true,\n "baseurl" => "http://example.com/sp/",\n "security" => \[\n "signatureAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",\n "digestAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#sha384",\n "singleLogoutService" => \[\n "responseUrl" => ""\n \]\n \]\n\]\n;}) } end end end From 2733015da4c28da06ee899d309adebaf57217fa8 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 15:04:25 -0500 Subject: [PATCH 12/26] test: cleartext password to not mask part of template --- spec/classes/web_spec.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/spec/classes/web_spec.rb b/spec/classes/web_spec.rb index 5076ba491..806c82946 100644 --- a/spec/classes/web_spec.rb +++ b/spec/classes/web_spec.rb 
@@ -116,9 +116,10 @@ describe 'when manage_resources is true' do let :params do - super().merge( - manage_resources: true - ) + super().merge( { + manage_resources: true, + zabbix_api_pass: 'zabbix' # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file + }) end it do From 02662c53b4388fc132d25077b403a4f44b6f2744 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 15:11:35 -0500 Subject: [PATCH 13/26] test: fix linter --- spec/classes/database_postgresql_spec.rb | 1 - spec/classes/web_spec.rb | 10 ++++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/spec/classes/database_postgresql_spec.rb b/spec/classes/database_postgresql_spec.rb index 371da1e33..76db83538 100644 --- a/spec/classes/database_postgresql_spec.rb +++ b/spec/classes/database_postgresql_spec.rb @@ -150,7 +150,6 @@ end it { is_expected.to compile.with_all_deps } - #it { is_expected.to contain_exec('update_pgpass').with_command('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass') } it { is_expected.to contain_exec('update_pgpass').with_command(sensitive('echo node01.example.com:5432:zabbix-proxy:zabbix-proxy:zabbix-proxy >> /root/.pgpass')) } if Puppet::Util::Package.versioncmp(zabbix_version, '6.0') < 0 diff --git a/spec/classes/web_spec.rb b/spec/classes/web_spec.rb index 806c82946..ad58a2a61 100644 --- a/spec/classes/web_spec.rb +++ b/spec/classes/web_spec.rb @@ -116,10 +116,12 @@ describe 'when manage_resources is true' do let :params do - super().merge( { - manage_resources: true, - zabbix_api_pass: 'zabbix' # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file - }) + super().merge( + { + manage_resources: true, + zabbix_api_pass: 'zabbix' # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file + } + ) end it do 
From e206bbd8c79f958ade69c7282c698289b871132e Mon Sep 17 00:00:00 2001
From: Patrick Brideau
Date: Mon, 12 Dec 2022 15:22:14 -0500
Subject: [PATCH 14/26] fix: linter
---
manifests/proxy.pp | 190 ++++++++++++++++++++++----------------------
manifests/server.pp | 184 +++++++++++++++++++++---------------------
manifests/web.pp | 40 +++++-----
3 files changed, 207 insertions(+), 207 deletions(-)
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 63470cdfe..a2ebdffe0 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -508,101 +508,101 @@ require => Package["zabbix-proxy-${db}"], replace => true, content => epp('zabbix/zabbix_proxy.conf.epp', { - 'allowroot' => $allowroot, - 'cachesize' => $cachesize, - 'configfrequency' => $configfrequency, - 'database_host' => $database_host, - 'database_name' => $database_name, - 'database_password' => $database_password, - 'database_port' => $database_port, - 'database_schema' => $database_schema, - 'database_socket' => $database_socket, - 'database_tlscafile' => $database_tlscafile, - 'database_tlscertfile' => $database_tlscertfile, - 'database_tlscipher' => $database_tlscipher, - 'database_tlscipher13' => $database_tlscipher13, - 'database_tlsconnect' => $database_tlsconnect, - 'database_tlskeyfile' => $database_tlskeyfile, - 'database_user' => $database_user, - 'datasenderfrequency' => $datasenderfrequency, - 'debuglevel' => $debuglevel, - 'enableremotecommands' => $enableremotecommands, - 'externalscripts' => $externalscripts, - 'fping6location' => $fping6location, - 'fpinglocation' => $fpinglocation, - 'heartbeatfrequency' => $heartbeatfrequency, - 'historycachesize' => $historycachesize, - 'historyindexcachesize' => $historyindexcachesize, - 'hostname' => $hostname, - 'housekeepingfrequency' => $housekeepingfrequency, - 'include_dir' => $include_dir, - 'javagateway' => $javagateway, - 'javagatewayport' => $javagatewayport, - 'listenip' => $listenip, - 'listenport' => $listenport, - 'loadmodule' => $loadmodule, - 'loadmodulepath' => $loadmodulepath, - 'localbuffer' => $localbuffer, - 'logfile' => $logfile, - 'logfilesize' => $logfilesize, - 'logremotecommands' => $logremotecommands, - 'logslowqueries' => $logslowqueries, - 'logtype' => $logtype, - 'mode' => $mode, - 'offlinebuffer' => $offlinebuffer, - 'pidfile' => $pidfile, - 'snmptrapper' => $snmptrapper, - 'snmptrapperfile' => $snmptrapperfile, - 'socketdir' => $socketdir, - 'sourceip' => $sourceip, - 'sshkeylocation' => $sshkeylocation, - 'sslcalocation_dir' => 
$sslcalocation_dir, - 'sslcertlocation_dir' => $sslcertlocation_dir, - 'sslkeylocation_dir' => $sslkeylocation_dir, - 'startdbsyncers' => $startdbsyncers, - 'startdiscoverers' => $startdiscoverers, - 'starthttppollers' => $starthttppollers, - 'startipmipollers' => $startipmipollers, - 'startjavapollers' => $startjavapollers, - 'startpingers' => $startpingers, - 'startpollers' => $startpollers, - 'startpollersunreachable' => $startpollersunreachable, - 'startpreprocessors' => $startpreprocessors, - 'starttrappers' => $starttrappers, - 'startvmwarecollectors' => $startvmwarecollectors, - 'timeout' => $timeout, - 'tlsaccept' => $tlsaccept, - 'tlscafile' => $tlscafile, - 'tlscertfile' => $tlscertfile, - 'tlscipherall' => $tlscipherall, - 'tlscipherall13' => $tlscipherall13, - 'tlsciphercert' => $tlsciphercert, - 'tlsciphercert13' => $tlsciphercert13, - 'tlscipherpsk' => $tlscipherpsk, - 'tlscipherpsk13' => $tlscipherpsk13, - 'tlsconnect' => $tlsconnect, - 'tlscrlfile' => $tlscrlfile, - 'tlskeyfile' => $tlskeyfile, - 'tlspskfile' => $tlspskfile, - 'tlspskidentity' => $tlspskidentity, - 'tlsservercertissuer' => $tlsservercertissuer, - 'tlsservercertsubject' => $tlsservercertsubject, - 'tmpdir' => $tmpdir, - 'trappertimeout' => $trappertimeout, - 'unavaliabledelay' => $unavaliabledelay, - 'unreachabedelay' => $unreachabedelay, - 'unreachableperiod' => $unreachableperiod, - 'vaultdbpath' => $vaultdbpath, - 'vaulttoken' => $vaulttoken, - 'vaulturl' => $vaulturl, - 'vmwarecachesize' => $vmwarecachesize, - 'vmwarefrequency' => $vmwarefrequency, - 'vmwareperffrequency' => $vmwareperffrequency, - 'vmwaretimeout' => $vmwaretimeout, - 'zabbix_server_host' => $zabbix_server_host, - 'zabbix_server_port' => $zabbix_server_port, - 'zabbix_user' => $zabbix::params::server_zabbix_user, - 'zabbix_version' => $zabbix_version, + 'allowroot' => $allowroot, + 'cachesize' => $cachesize, + 'configfrequency' => $configfrequency, + 'database_host' => $database_host, + 'database_name' => 
$database_name, + 'database_password' => $database_password, + 'database_port' => $database_port, + 'database_schema' => $database_schema, + 'database_socket' => $database_socket, + 'database_tlscafile' => $database_tlscafile, + 'database_tlscertfile' => $database_tlscertfile, + 'database_tlscipher' => $database_tlscipher, + 'database_tlscipher13' => $database_tlscipher13, + 'database_tlsconnect' => $database_tlsconnect, + 'database_tlskeyfile' => $database_tlskeyfile, + 'database_user' => $database_user, + 'datasenderfrequency' => $datasenderfrequency, + 'debuglevel' => $debuglevel, + 'enableremotecommands' => $enableremotecommands, + 'externalscripts' => $externalscripts, + 'fping6location' => $fping6location, + 'fpinglocation' => $fpinglocation, + 'heartbeatfrequency' => $heartbeatfrequency, + 'historycachesize' => $historycachesize, + 'historyindexcachesize' => $historyindexcachesize, + 'hostname' => $hostname, + 'housekeepingfrequency' => $housekeepingfrequency, + 'include_dir' => $include_dir, + 'javagateway' => $javagateway, + 'javagatewayport' => $javagatewayport, + 'listenip' => $listenip, + 'listenport' => $listenport, + 'loadmodule' => $loadmodule, + 'loadmodulepath' => $loadmodulepath, + 'localbuffer' => $localbuffer, + 'logfile' => $logfile, + 'logfilesize' => $logfilesize, + 'logremotecommands' => $logremotecommands, + 'logslowqueries' => $logslowqueries, + 'logtype' => $logtype, + 'mode' => $mode, + 'offlinebuffer' => $offlinebuffer, + 'pidfile' => $pidfile, + 'snmptrapper' => $snmptrapper, + 'snmptrapperfile' => $snmptrapperfile, + 'socketdir' => $socketdir, + 'sourceip' => $sourceip, + 'sshkeylocation' => $sshkeylocation, + 'sslcalocation_dir' => $sslcalocation_dir, + 'sslcertlocation_dir' => $sslcertlocation_dir, + 'sslkeylocation_dir' => $sslkeylocation_dir, + 'startdbsyncers' => $startdbsyncers, + 'startdiscoverers' => $startdiscoverers, + 'starthttppollers' => $starthttppollers, + 'startipmipollers' => $startipmipollers, + 'startjavapollers' => 
$startjavapollers, + 'startpingers' => $startpingers, + 'startpollers' => $startpollers, + 'startpollersunreachable' => $startpollersunreachable, + 'startpreprocessors' => $startpreprocessors, + 'starttrappers' => $starttrappers, + 'startvmwarecollectors' => $startvmwarecollectors, + 'timeout' => $timeout, + 'tlsaccept' => $tlsaccept, + 'tlscafile' => $tlscafile, + 'tlscertfile' => $tlscertfile, + 'tlscipherall' => $tlscipherall, + 'tlscipherall13' => $tlscipherall13, + 'tlsciphercert' => $tlsciphercert, + 'tlsciphercert13' => $tlsciphercert13, + 'tlscipherpsk' => $tlscipherpsk, + 'tlscipherpsk13' => $tlscipherpsk13, + 'tlsconnect' => $tlsconnect, + 'tlscrlfile' => $tlscrlfile, + 'tlskeyfile' => $tlskeyfile, + 'tlspskfile' => $tlspskfile, + 'tlspskidentity' => $tlspskidentity, + 'tlsservercertissuer' => $tlsservercertissuer, + 'tlsservercertsubject' => $tlsservercertsubject, + 'tmpdir' => $tmpdir, + 'trappertimeout' => $trappertimeout, + 'unavaliabledelay' => $unavaliabledelay, + 'unreachabedelay' => $unreachabedelay, + 'unreachableperiod' => $unreachableperiod, + 'vaultdbpath' => $vaultdbpath, + 'vaulttoken' => $vaulttoken, + 'vaulturl' => $vaulturl, + 'vmwarecachesize' => $vmwarecachesize, + 'vmwarefrequency' => $vmwarefrequency, + 'vmwareperffrequency' => $vmwareperffrequency, + 'vmwaretimeout' => $vmwaretimeout, + 'zabbix_server_host' => $zabbix_server_host, + 'zabbix_server_port' => $zabbix_server_port, + 'zabbix_user' => $zabbix::params::server_zabbix_user, + 'zabbix_version' => $zabbix_version, }), } diff --git a/manifests/server.pp b/manifests/server.pp index 1395b6888..02bf60a0c 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -453,98 +453,98 @@ require => Package["zabbix-server-${db}"], replace => true, content => epp('zabbix/zabbix_server.conf.epp', { - 'alertscriptspath' => $alertscriptspath, - 'allowroot' => $allowroot, - 'cachesize' => $cachesize, - 'cacheupdatefrequency' => $cacheupdatefrequency, - 'database_host' => $database_host, - 'database_name' => $database_name, - 'database_password' => $database_password, - 'database_port' => $database_port, - 'database_schema' => $database_schema, - 'database_socket' => $database_socket, - 'database_tlscafile' => $database_tlscafile, - 'database_tlscertfile' => $database_tlscertfile, - 'database_tlscipher' => $database_tlscipher, - 'database_tlscipher13' => $database_tlscipher13, - 'database_tlsconnect' => $database_tlsconnect, - 'database_tlskeyfile' => $database_tlskeyfile, - 'database_user' => $database_user, - 'debuglevel' => $debuglevel, - 'externalscripts' => $externalscripts, - 'fping6location' => $fping6location, - 'fpinglocation' => $fpinglocation, - 'historycachesize' => $historycachesize, - 'historyindexcachesize' => $historyindexcachesize, - 'housekeepingfrequency' => $housekeepingfrequency, - 'include_dir' => $include_dir, - 'javagateway' => $javagateway, - 'javagatewayport' => $javagatewayport, - 'listenip' => $listenip, - 'listenport' => $listenport, - 'loadmodule' => $loadmodule, - 'loadmodulepath' => $loadmodulepath, - 'logfile' => $logfile, - 'logfilesize' => $logfilesize, - 'logslowqueries' => $logslowqueries, - 'logtype' => $logtype, - 'maxhousekeeperdelete' => $maxhousekeeperdelete, - 'pidfile' => $pidfile, - 'proxyconfigfrequency' => $proxyconfigfrequency, - 'proxydatafrequency' => $proxydatafrequency, - 'snmptrapperfile' => $snmptrapperfile, - 'socketdir' => $socketdir, - 'sourceip' => $sourceip, - 'sshkeylocation' => $sshkeylocation, - 'sslcalocation_dir' => $sslcalocation_dir, - 'sslcertlocation_dir' => $sslcertlocation_dir, - 'sslkeylocation_dir' => $sslkeylocation_dir, - 'startalerters' => $startalerters, - 
'startdbsyncers' => $startdbsyncers, - 'startdiscoverers' => $startdiscoverers, - 'startescalators' => $startescalators, - 'starthttppollers' => $starthttppollers, - 'startipmipollers' => $startipmipollers, - 'startjavapollers' => $startjavapollers, - 'startlldprocessors' => $startlldprocessors, - 'startpingers' => $startpingers, - 'startpollers' => $startpollers, - 'startpollersunreachable' => $startpollersunreachable, - 'startpreprocessors' => $startpreprocessors, - 'startproxypollers' => $startproxypollers, - 'startreportwriters' => $startreportwriters, - 'startsnmptrapper' => $startsnmptrapper, - 'starttimers' => $starttimers, - 'starttrappers' => $starttrappers, - 'startvmwarecollectors' => $startvmwarecollectors, - 'timeout' => $timeout, - 'tlscafile' => $tlscafile, - 'tlscertfile' => $tlscertfile, - 'tlscipherall' => $tlscipherall, - 'tlscipherall13' => $tlscipherall13, - 'tlsciphercert' => $tlsciphercert, - 'tlsciphercert13' => $tlsciphercert13, - 'tlscipherpsk' => $tlscipherpsk, - 'tlscipherpsk13' => $tlscipherpsk13, - 'tlscrlfile' => $tlscrlfile, - 'tlskeyfile' => $tlskeyfile, - 'tmpdir' => $tmpdir, - 'trappertimeout' => $trappertimeout, - 'trendcachesize' => $trendcachesize, - 'unavailabledelay' => $unavailabledelay, - 'unreachabledelay' => $unreachabledelay, - 'unreachableperiod' => $unreachableperiod, - 'valuecachesize' => $valuecachesize, - 'vaultdbpath' => $vaultdbpath, - 'vaulttoken' => $vaulttoken, - 'vaulturl' => $vaulturl, - 'vmwarecachesize' => $vmwarecachesize, - 'vmwarefrequency' => $vmwarefrequency, - 'vmwareperffrequency' => $vmwareperffrequency, - 'vmwaretimeout' => $vmwaretimeout, - 'webserviceurl' => $webserviceurl, - 'zabbix_user' => $zabbix::params::server_zabbix_user, - 'zabbix_version' => $zabbix_version, + 'alertscriptspath' => $alertscriptspath, + 'allowroot' => $allowroot, + 'cachesize' => $cachesize, + 'cacheupdatefrequency' => $cacheupdatefrequency, + 'database_host' => $database_host, + 'database_name' => $database_name, + 
'database_password' => $database_password, + 'database_port' => $database_port, + 'database_schema' => $database_schema, + 'database_socket' => $database_socket, + 'database_tlscafile' => $database_tlscafile, + 'database_tlscertfile' => $database_tlscertfile, + 'database_tlscipher' => $database_tlscipher, + 'database_tlscipher13' => $database_tlscipher13, + 'database_tlsconnect' => $database_tlsconnect, + 'database_tlskeyfile' => $database_tlskeyfile, + 'database_user' => $database_user, + 'debuglevel' => $debuglevel, + 'externalscripts' => $externalscripts, + 'fping6location' => $fping6location, + 'fpinglocation' => $fpinglocation, + 'historycachesize' => $historycachesize, + 'historyindexcachesize' => $historyindexcachesize, + 'housekeepingfrequency' => $housekeepingfrequency, + 'include_dir' => $include_dir, + 'javagateway' => $javagateway, + 'javagatewayport' => $javagatewayport, + 'listenip' => $listenip, + 'listenport' => $listenport, + 'loadmodule' => $loadmodule, + 'loadmodulepath' => $loadmodulepath, + 'logfile' => $logfile, + 'logfilesize' => $logfilesize, + 'logslowqueries' => $logslowqueries, + 'logtype' => $logtype, + 'maxhousekeeperdelete' => $maxhousekeeperdelete, + 'pidfile' => $pidfile, + 'proxyconfigfrequency' => $proxyconfigfrequency, + 'proxydatafrequency' => $proxydatafrequency, + 'snmptrapperfile' => $snmptrapperfile, + 'socketdir' => $socketdir, + 'sourceip' => $sourceip, + 'sshkeylocation' => $sshkeylocation, + 'sslcalocation_dir' => $sslcalocation_dir, + 'sslcertlocation_dir' => $sslcertlocation_dir, + 'sslkeylocation_dir' => $sslkeylocation_dir, + 'startalerters' => $startalerters, + 'startdbsyncers' => $startdbsyncers, + 'startdiscoverers' => $startdiscoverers, + 'startescalators' => $startescalators, + 'starthttppollers' => $starthttppollers, + 'startipmipollers' => $startipmipollers, + 'startjavapollers' => $startjavapollers, + 'startlldprocessors' => $startlldprocessors, + 'startpingers' => $startpingers, + 'startpollers' => 
$startpollers, + 'startpollersunreachable' => $startpollersunreachable, + 'startpreprocessors' => $startpreprocessors, + 'startproxypollers' => $startproxypollers, + 'startreportwriters' => $startreportwriters, + 'startsnmptrapper' => $startsnmptrapper, + 'starttimers' => $starttimers, + 'starttrappers' => $starttrappers, + 'startvmwarecollectors' => $startvmwarecollectors, + 'timeout' => $timeout, + 'tlscafile' => $tlscafile, + 'tlscertfile' => $tlscertfile, + 'tlscipherall' => $tlscipherall, + 'tlscipherall13' => $tlscipherall13, + 'tlsciphercert' => $tlsciphercert, + 'tlsciphercert13' => $tlsciphercert13, + 'tlscipherpsk' => $tlscipherpsk, + 'tlscipherpsk13' => $tlscipherpsk13, + 'tlscrlfile' => $tlscrlfile, + 'tlskeyfile' => $tlskeyfile, + 'tmpdir' => $tmpdir, + 'trappertimeout' => $trappertimeout, + 'trendcachesize' => $trendcachesize, + 'unavailabledelay' => $unavailabledelay, + 'unreachabledelay' => $unreachabledelay, + 'unreachableperiod' => $unreachableperiod, + 'valuecachesize' => $valuecachesize, + 'vaultdbpath' => $vaultdbpath, + 'vaulttoken' => $vaulttoken, + 'vaulturl' => $vaulturl, + 'vmwarecachesize' => $vmwarecachesize, + 'vmwarefrequency' => $vmwarefrequency, + 'vmwareperffrequency' => $vmwareperffrequency, + 'vmwaretimeout' => $vmwaretimeout, + 'webserviceurl' => $webserviceurl, + 'zabbix_user' => $zabbix::params::server_zabbix_user, + 'zabbix_version' => $zabbix_version, }), } diff --git a/manifests/web.pp b/manifests/web.pp index 107610f64..74863ab40 100644 --- a/manifests/web.pp +++ b/manifests/web.pp 
@@ -290,26 +290,26 @@ mode => '0640', replace => true, content => epp('zabbix/web/zabbix.conf.php.epp', { - 'database_type' => $database_type, - 'database_host' => $database_host, - 'database_port' => $database_port, - 'db_port' => $db_port, - 'database_name' => $database_name, - 'database_user' => $database_user, - 'database_password' => $database_password, - 'database_schema' => $database_schema, - 'database_double_ieee754' => $database_double_ieee754, - 'zabbix_server' => $zabbix_server, - 'zabbix_listenport' => $zabbix_listenport, - 'zabbix_server_name' => $zabbix_server_name, - 'ldap_cacert' => $ldap_cacert, - 'ldap_clientcert' => $ldap_clientcert, - 'ldap_clientkey' => $ldap_clientkey, - 'ldap_reqcert' => $ldap_reqcert, - 'saml_sp_key' => $saml_sp_key, - 'saml_sp_cert' => $saml_sp_cert, - 'saml_idp_cert' => $saml_idp_cert, - 'saml_settings' => $saml_settings, + 'database_type' => $database_type, + 'database_host' => $database_host, + 'database_port' => $database_port, + 'db_port' => $db_port, + 'database_name' => $database_name, + 'database_user' => $database_user, + 'database_password' => $database_password, + 'database_schema' => $database_schema, + 'database_double_ieee754' => $database_double_ieee754, + 'zabbix_server' => $zabbix_server, + 'zabbix_listenport' => $zabbix_listenport, + 'zabbix_server_name' => $zabbix_server_name, + 'ldap_cacert' => $ldap_cacert, + 'ldap_clientcert' => $ldap_clientcert, + 'ldap_clientkey' => $ldap_clientkey, + 'ldap_reqcert' => $ldap_reqcert, + 'saml_sp_key' => $saml_sp_key, + 'saml_sp_cert' => $saml_sp_cert, + 'saml_idp_cert' => $saml_idp_cert, + 'saml_settings' => $saml_settings, }), } From 1032eee2797030aa4b8bccd46b49758f1bc24347 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 17:04:21 -0500 Subject: [PATCH 15/26] test: enable tests of proxy on CentOS --- spec/classes/proxy_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb index 36e2f9ad3..9deca75ef 100644 --- a/spec/classes/proxy_spec.rb +++ b/spec/classes/proxy_spec.rb @@ -20,7 +20,7 @@ context 'with all defaults' do it { is_expected.not_to compile } end - when 'RedHat' + when 'CentOS' let :pre_condition do "include 'postgresql::server' include 'mysql::server'" From ee0c75bc7bd1e171db5f363ae7344fb3d5c9b71e Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 17:05:55 -0500 Subject: [PATCH 16/26] fix: define settings similar to what was in old erb --- templates/zabbix_proxy.conf.epp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/templates/zabbix_proxy.conf.epp b/templates/zabbix_proxy.conf.epp index 6d1c2909a..51e79c925 100644 --- a/templates/zabbix_proxy.conf.epp +++ b/templates/zabbix_proxy.conf.epp @@ -37,7 +37,7 @@ Optional[Stdlib::Absolutepath] $logfile, String[1] $logfilesize, Integer[0] $logremotecommands, - Integer $logslowqueries, + Variant[Integer,String[1]] $logslowqueries, Enum['console', 'file', 'system'] $logtype, String[1] $mode, String[1] $offlinebuffer, @@ -50,12 +50,12 @@ Optional[Stdlib::Absolutepath] $sslcalocation_dir, Optional[Stdlib::Absolutepath] $sslcertlocation_dir, Optional[Stdlib::Absolutepath] $sslkeylocation_dir, - Integer $startdbsyncers, - Integer $startdiscoverers, - Integer $starthttppollers, - Integer $startipmipollers, - Integer $startjavapollers, - Integer $startpingers, + String[1] $startdbsyncers, + String[1] $startdiscoverers, + String[1] $starthttppollers, + String[1] $startipmipollers, + String[1] $startjavapollers, + String[1] $startpingers, Variant[Integer, String[1]] $startpollers, Variant[Integer, String[1]] $startpollersunreachable, Integer[1, 1000] $startpreprocessors, 
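Review bot: Changing `$startdbsyncers` through `$startpingers` from `Integer` to `String[1]` (and `$logslowqueries` in the `@@ -37,7` hunk to `Variant[Integer,String[1]]`) removes the only validation these values had: any non-empty string, including one that contains a newline, is now accepted. If the template writes them straight into zabbix_proxy.conf, as it does for `StartVMwareCollectors` elsewhere on this page, a malformed value could add or change directives in the daemon's configuration. String input can stay while still being constrained, e.g. `Variant[Integer[0], Pattern[/\A\d+\z/]] $startdbsyncers,` and the same for the other five counters and `$logslowqueries`. The template's parameter list starts and ends outside both hunks.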
@@ -90,7 +90,7 @@ String[1] $vmwarefrequency, Optional[String[1]] $vmwareperffrequency, Optional[String[1]] $vmwaretimeout, - String[1] $zabbix_server_host, + Optional[String[1]] $zabbix_server_host, String[1] $zabbix_server_port, String[1] $zabbix_user, String[1] $zabbix_version, @@ -743,7 +743,7 @@ LoadModulePath=<%= $loadmodulepath %> <% if $tlscipherall { %>TLSCipherAll=<%= $tlscipherall %><% } -%> <% } -%> -<% if versioncmp($zabbix_version,'6.2') >= 0 { -%> +<% if versioncmp($zabbix_version,'5.2') >= 0 { -%> ### Option: VaultToken # Vault authentication token that should have been generated exclusively for Zabbix server with read only permission # to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath From de0755cfac3528805d0f2dd8ffa83ed210e2903f Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 17:06:34 -0500 Subject: [PATCH 17/26] test: cleartext password to not mask part of template --- spec/classes/proxy_spec.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb index 9deca75ef..841daf654 100644 --- a/spec/classes/proxy_spec.rb +++ b/spec/classes/proxy_spec.rb @@ -112,6 +112,7 @@ context 'with zabbix::database::postgresql class' do let :params do { + database_password: 'zabbix-proxy', database_type: 'postgresql', manage_database: true } @@ -128,6 +129,7 @@ context 'with zabbix::database::mysql class' do let(:params) do { + database_password: 'zabbix-proxy', database_type: 'mysql', manage_database: true } @@ -149,6 +151,7 @@ context 'when manage_database is true' do let(:params) do { + database_password: 'zabbix-proxy', manage_database: true } end 
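Review bot: Lowering the guard to `versioncmp($zabbix_version,'5.2')` in the `@@ -743,7` hunk renders the Vault block for more versions, but the token it writes is still an ordinary string. The series declares it as `Optional[String[1]] $vaulttoken` in manifests/proxy.pp (visible as context in PATCH 21/26), while `database_password` received `Sensitive` support. In a Vault-backed setup there is presumably no Sensitive database password to make the rendered file sensitive, so the token could show up in catalogs, reports and file diffs; this is inferred from the test comments about the parser securing the file content. Accepting `Optional[Variant[String[1], Sensitive[String[1]]]] $vaulttoken` and treating it the way `database_password` is treated would close the gap. The template block that this guard opens continues outside the hunk.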
@@ -365,6 +368,7 @@ context 'with zabbix_proxy.conf and version 4.0' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file tlsaccept: 'cert', tlscafile: '/etc/zabbix/keys/zabbix-server.ca', tlscrlfile: '/etc/zabbix/keys/zabbix-server.crl', @@ -392,6 +396,7 @@ context 'with zabbix_proxy.conf and version 5.0' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file socketdir: '/var/run/zabbix', zabbix_version: '5.0' } @@ -404,6 +409,7 @@ describe 'as system' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'system' } end @@ -416,6 +422,7 @@ describe 'as console' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'console' } end @@ -428,6 +435,7 @@ describe 'as file' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file logtype: 'file' } end @@ -441,6 +449,7 @@ describe 'with zabbix_version 5.2 and Vault parameters defined' do let :params do { + database_password: 'notsecret', # cleartext password must be explicitly declared in this test, otherwise the parser will secure content of the file zabbix_version: '5.2', vaultdbpath: 'secret/zabbix/database', vaulttoken: 'FKTYPEGL156DK', From bdab8bfb0a6e6cc4058da27396127cbd1299e50b Mon Sep 17 00:00:00 2001 
From: Patrick Brideau Date: Mon, 12 Dec 2022 17:11:27 -0500 Subject: [PATCH 18/26] test: is_expected_to compile when sensitive password is passed --- spec/classes/proxy_spec.rb | 11 +++++++++++ spec/classes/server_spec.rb | 10 ++++++++++ spec/classes/web_spec.rb | 10 ++++++++++ 3 files changed, 31 insertions(+) diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb index 841daf654..0c1aa5ccd 100644 --- a/spec/classes/proxy_spec.rb +++ b/spec/classes/proxy_spec.rb @@ -365,6 +365,17 @@ it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^TLSCipherAll13=EECDH\+aRSA\+AES128:RSA\+aRSA\+AES128:kECDHEPSK\+AES128:kPSK\+AES128$} } end + context 'with zabbix_proxy.conf and sensitive database_password' do + let :params do + { + database_password: sensitive('secret') + } + end + + it { is_expected.to compile } + end + + context 'with zabbix_proxy.conf and version 4.0' do let :params do { diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 5a0e78986..c77c4914a 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -344,6 +344,16 @@ it { is_expected.to contain_file('/etc/zabbix/zabbix_server.conf').with_content %r{^TLSCipherAll13=EECDH\+aRSA\+AES128:RSA\+aRSA\+AES128:kECDHEPSK\+AES128:kPSK\+AES128$} } end + context 'with zabbix_server.conf and sensitive database_password' do + let :params do + { + database_password: sensitive('secret') + } + end + + it { is_expected.to compile } + end + context 'with zabbix_server.conf and version 5.0' do let :params do { diff --git a/spec/classes/web_spec.rb b/spec/classes/web_spec.rb index ad58a2a61..7dc3c06d7 100644 --- a/spec/classes/web_spec.rb +++ b/spec/classes/web_spec.rb 
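Review bot: The new context 'with zabbix_proxy.conf and sensitive database_password' asserts only `is_expected.to compile`, so it would still pass if the password were unwrapped too early and stored in the catalog in clear text. The same applies to the matching contexts this patch adds to server_spec.rb and web_spec.rb. Each should also check what the feature is for, namely that the `content` of the rendered config file is carried as a Sensitive value, for example with the `sensitive(...)` helper the suite already uses for `update_pgpass` in database_postgresql_spec.rb. Until that assertion exists, a comment such as `# compile alone does not prove the password stays redacted` above the example would flag the gap.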
@@ -197,6 +197,16 @@ it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$ZBX_SERVER_NAME = 'localhost'}) } end + context 'with sensitive database_password' do + let :params do + { + database_password: sensitive('secret') + } + end + + it { is_expected.to compile } + end + describe 'with LDAP settings defined' do let :params do super().merge( From 1081c1b82a98ea668011cd1a115fc72ce0a98d5b Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 12 Dec 2022 17:13:13 -0500 Subject: [PATCH 19/26] test: linter --- spec/classes/proxy_spec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb index 0c1aa5ccd..d04d60059 100644 --- a/spec/classes/proxy_spec.rb +++ b/spec/classes/proxy_spec.rb @@ -375,7 +375,6 @@ it { is_expected.to compile } end - context 'with zabbix_proxy.conf and version 4.0' do let :params do { From 1ac48692dacf54fe39b77f432a67e198430c4e6b Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Tue, 13 Dec 2022 10:38:01 -0500 Subject: [PATCH 20/26] fix: add sensitive type for api_pass in web.pp --- manifests/web.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/web.pp b/manifests/web.pp index 74863ab40..6f69d6249 100644 --- a/manifests/web.pp +++ b/manifests/web.pp @@ -113,7 +113,7 @@ Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport, Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl, $zabbix_api_user = $zabbix::params::server_api_user, - $zabbix_api_pass = $zabbix::params::server_api_pass, + Optional[Variant[String[1], Sensitive[String[1]]]] $zabbix_api_pass = $zabbix::params::server_api_pass, $database_host = $zabbix::params::server_database_host, $database_name = $zabbix::params::server_database_name, $database_schema = $zabbix::params::server_database_schema, From 90576c913f08021f4d125797fbe71dcb2fb738a0 Mon Sep 17 00:00:00 2001 
From: Patrick Brideau Date: Mon, 13 Feb 2023 10:20:05 -0500 Subject: [PATCH 21/26] refactor: Remove vmwareperffrequency parameter Should be in its own pull request --- manifests/params.pp | 2 -- manifests/proxy.pp | 3 --- manifests/server.pp | 5 ----- templates/zabbix_proxy.conf.epp | 6 ------ templates/zabbix_server.conf.epp | 6 ------ 5 files changed, 22 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 38639257f..1d3b2b3bd 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -289,7 +289,6 @@ $server_vaulturl = 'https://127.0.0.1:8200' $server_vmwarecachesize = '8M' $server_vmwarefrequency = '60' - $server_vmwareperffrequency = undef $server_vmwaretimeout = undef $server_socketdir = undef @@ -460,7 +459,6 @@ $proxy_vaulturl = 'https://127.0.0.1:8200' $proxy_vmwarecachesize = '8M' $proxy_vmwarefrequency = '60' - $proxy_vmwareperffrequency = undef $proxy_vmwaretimeout = undef $proxy_zabbix_server_host = undef $proxy_zabbix_server_port = '10051' diff --git a/manifests/proxy.pp b/manifests/proxy.pp index a2ebdffe0..0480e0ad9 100644 --- a/manifests/proxy.pp +++ b/manifests/proxy.pp @@ -73,7 +73,6 @@ # @param startjavapollers Number of pre-forked instances of java pollers. # @param startvmwarecollectors Number of pre-forked vmware collector instances. # @param vmwarefrequency How often zabbix will connect to vmware service to obtain a new datan. -# @param vmwareperffrequency # Delay in seconds between performance counter statistics retrieval from a single VMware service. # This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters. # @param vmwaretimeout The maximum number of seconds vmware collector will wait for a response from VMware service (vCenter or ESX hypervisor). 
@@ -251,7 +250,6 @@ Optional[String[1]] $vaulttoken = $zabbix::params::proxy_vaulttoken, Stdlib::HTTPSUrl $vaulturl = $zabbix::params::proxy_vaulturl, $vmwarefrequency = $zabbix::params::proxy_vmwarefrequency, - $vmwareperffrequency = $zabbix::params::proxy_vmwareperffrequency, $vmwarecachesize = $zabbix::params::proxy_vmwarecachesize, $vmwaretimeout = $zabbix::params::proxy_vmwaretimeout, $snmptrapperfile = $zabbix::params::proxy_snmptrapperfile, @@ -597,7 +595,6 @@ 'vaulturl' => $vaulturl, 'vmwarecachesize' => $vmwarecachesize, 'vmwarefrequency' => $vmwarefrequency, - 'vmwareperffrequency' => $vmwareperffrequency, 'vmwaretimeout' => $vmwaretimeout, 'zabbix_server_host' => $zabbix_server_host, 'zabbix_server_port' => $zabbix_server_port, diff --git a/manifests/server.pp b/manifests/server.pp index 02bf60a0c..ebcc6f45b 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -66,9 +66,6 @@ # @param startreportwriters Number of pre-forked report writer instances. # @param webserviceurl URL to Zabbix web service, used to perform web related tasks. # @param vmwarefrequency How often zabbix will connect to vmware service to obtain a new datan. -# @param vmwareperffrequency -# Delay in seconds between performance counter statistics retrieval from a single VMware service. -# This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters. # @param vaultdbpath Vault path from where credentials for database will be retrieved by keys 'password' and 'username'. # @param vaulttoken # Vault authentication token that should have been generated exclusively for Zabbix proxy with read-only 
@@ -225,7 +222,6 @@ Optional[String[1]] $vaulttoken = $zabbix::params::server_vaulttoken, Stdlib::HTTPSUrl $vaulturl = $zabbix::params::server_vaulturl, $vmwarefrequency = $zabbix::params::server_vmwarefrequency, - $vmwareperffrequency = $zabbix::params::server_vmwareperffrequency, $vmwarecachesize = $zabbix::params::server_vmwarecachesize, $vmwaretimeout = $zabbix::params::server_vmwaretimeout, $snmptrapperfile = $zabbix::params::server_snmptrapperfile, @@ -540,7 +536,6 @@ 'vaulturl' => $vaulturl, 'vmwarecachesize' => $vmwarecachesize, 'vmwarefrequency' => $vmwarefrequency, - 'vmwareperffrequency' => $vmwareperffrequency, 'vmwaretimeout' => $vmwaretimeout, 'webserviceurl' => $webserviceurl, 'zabbix_user' => $zabbix::params::server_zabbix_user, diff --git a/templates/zabbix_proxy.conf.epp b/templates/zabbix_proxy.conf.epp index 51e79c925..98597e569 100644 --- a/templates/zabbix_proxy.conf.epp +++ b/templates/zabbix_proxy.conf.epp @@ -88,7 +88,6 @@ Optional[Stdlib::HTTPSUrl] $vaulturl, String[1] $vmwarecachesize, String[1] $vmwarefrequency, - Optional[String[1]] $vmwareperffrequency, Optional[String[1]] $vmwaretimeout, Optional[String[1]] $zabbix_server_host, String[1] $zabbix_server_port, @@ -359,11 +358,6 @@ StartVMwareCollectors=<%= $startvmwarecollectors %> # VMwareFrequency=<%= $vmwarefrequency %> -### Option: VMwarePerfFrequency -# How often Zabbix will connect to VMware service to obtain performance data. -# -<% if $vmwareperffrequency { %>VMwarePerfFrequency=<%= $vmwareperffrequency %><% } -%> - ### Option: VMwareCacheSize # Size of VMware cache, in bytes. # Shared memory size for storing VMware data. diff --git a/templates/zabbix_server.conf.epp b/templates/zabbix_server.conf.epp index 761f62daa..48151672c 100644 --- a/templates/zabbix_server.conf.epp +++ b/templates/zabbix_server.conf.epp 
@@ -86,7 +86,6 @@ Optional[Stdlib::HTTPSUrl] $vaulturl, String[1] $vmwarecachesize, String[1] $vmwarefrequency, - Optional[String[1]] $vmwareperffrequency, Optional[String[1]] $vmwaretimeout, Optional[Stdlib::HTTPUrl] $webserviceurl, String[1] $zabbix_user, @@ -300,11 +299,6 @@ StartVMwareCollectors=<%= $startvmwarecollectors %> # VMwareFrequency=<%= $vmwarefrequency %> -### Option: VMwarePerfFrequency -# How often Zabbix will connect to VMware service to obtain performance data. -# -<% if $vmwareperffrequency { %>VMwarePerfFrequency=<%= $vmwareperffrequency %><% } -%> - ### Option: VMwareCacheSize # Size of VMware cache, in bytes. # Shared memory size for storing VMware data. From 8cf65573a66802d4b092bea4199434b6773ca569 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Mon, 13 Feb 2023 10:29:34 -0500 Subject: [PATCH 22/26] refactor: remove sslcalocation_dir parameter It should be in its own PR --- manifests/proxy.pp | 3 --- manifests/server.pp | 3 --- spec/classes/proxy_spec.rb | 2 -- templates/zabbix_proxy.conf.epp | 8 -------- templates/zabbix_server.conf.epp | 8 -------- 5 files changed, 24 deletions(-) diff --git a/manifests/proxy.pp b/manifests/proxy.pp index 0480e0ad9..30f97abad 100644 --- a/manifests/proxy.pp +++ b/manifests/proxy.pp @@ -128,7 +128,6 @@ # @param fpinglocation Location of fping. # @param fping6location Location of fping6. # @param sshkeylocation Location of public and private keys for ssh checks and actions. -# @param sslcalocation_dir Location of certificate authority (CA) files for SSL server certificate verification. # @param sslcertlocation_dir Location of SSL client certificate files for client authentication. # @param sslkeylocation_dir Location of SSL private key files for client authentication. # @param logslowqueries How long a database query may take before being logged (in milliseconds). 
@@ -290,7 +289,6 @@ $tmpdir = $zabbix::params::proxy_tmpdir, $allowroot = $zabbix::params::proxy_allowroot, $include_dir = $zabbix::params::proxy_include, - Optional[Stdlib::Absolutepath] $sslcalocation_dir = $zabbix::params::proxy_sslcalocation, Optional[Stdlib::Absolutepath] $sslcertlocation_dir = $zabbix::params::proxy_sslcertlocation, Optional[Stdlib::Absolutepath] $sslkeylocation_dir = $zabbix::params::proxy_sslkeylocation, $loadmodulepath = $zabbix::params::proxy_loadmodulepath, @@ -554,7 +552,6 @@ 'socketdir' => $socketdir, 'sourceip' => $sourceip, 'sshkeylocation' => $sshkeylocation, - 'sslcalocation_dir' => $sslcalocation_dir, 'sslcertlocation_dir' => $sslcertlocation_dir, 'sslkeylocation_dir' => $sslkeylocation_dir, 'startdbsyncers' => $startdbsyncers, diff --git a/manifests/server.pp b/manifests/server.pp index ebcc6f45b..c356107f2 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -132,7 +132,6 @@ # @param include_dir You may include individual files or all files in a directory in the configuration file. # @param loadmodulepath Full path to location of server modules. # @param loadmodule Module to load at server startup. -# @param sslcalocation_dir Location of certificate authority (CA) files for SSL server certificate verification. # @param sslcertlocation_dir Location of SSL client certificate files for client authentication. # @param sslkeylocation_dir Location of SSL private key files for client authentication. # @param manage_selinux Whether we should manage SELinux rules. 
@@ -265,7 +264,6 @@ $include_dir = $zabbix::params::server_include, $loadmodulepath = $zabbix::params::server_loadmodulepath, $loadmodule = $zabbix::params::server_loadmodule, - Optional[Stdlib::Absolutepath] $sslcalocation_dir = $zabbix::params::server_sslcalocation, Optional[Stdlib::Absolutepath] $sslcertlocation_dir = $zabbix::params::server_sslcertlocation, Optional[Stdlib::Absolutepath] $sslkeylocation_dir = $zabbix::params::server_sslkeylocation, Boolean $manage_selinux = $zabbix::params::manage_selinux, @@ -492,7 +490,6 @@ 'socketdir' => $socketdir, 'sourceip' => $sourceip, 'sshkeylocation' => $sshkeylocation, - 'sslcalocation_dir' => $sslcalocation_dir, 'sslcertlocation_dir' => $sslcertlocation_dir, 'sslkeylocation_dir' => $sslkeylocation_dir, 'startalerters' => $startalerters, diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb index d04d60059..0d73606f3 100644 --- a/spec/classes/proxy_spec.rb +++ b/spec/classes/proxy_spec.rb @@ -261,7 +261,6 @@ sshkeylocation: '/home/zabbix/.ssh/', sslcertlocation_dir: '/usr/lib/zabbix/ssl/certs', sslkeylocation_dir: '/usr/lib/zabbix/ssl/keys', - sslcalocation_dir: '/usr/lib/zabbix/ssl/certs', startdbsyncers: '4', startdiscoverers: '15', starthttppollers: '15', 
@@ -354,7 +353,6 @@ it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^Include=/etc/zabbix/zabbix_proxy.conf.d$} } it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^SSLCertLocation=/usr/lib/zabbix/ssl/certs} } it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^SSLKeyLocation=/usr/lib/zabbix/ssl/keys} } - it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^SSLCALocation=/usr/lib/zabbix/ssl/certs} } it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^LoadModulePath=\$\{libdir\}/modules$} } it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^LoadModule=pizza$} } it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^TLSCipherCert=EECDH\+aRSA\+AES128:RSA\+aRSA\+AES128$} } diff --git a/templates/zabbix_proxy.conf.epp b/templates/zabbix_proxy.conf.epp index 98597e569..b93429618 100644 --- a/templates/zabbix_proxy.conf.epp +++ b/templates/zabbix_proxy.conf.epp @@ -47,7 +47,6 @@ Optional[Stdlib::Absolutepath] $socketdir, Optional[Stdlib::IP::Address] $sourceip, Optional[String[1]] $sshkeylocation, - Optional[Stdlib::Absolutepath] $sslcalocation_dir, Optional[Stdlib::Absolutepath] $sslcertlocation_dir, Optional[Stdlib::Absolutepath] $sslkeylocation_dir, String[1] $startdbsyncers, @@ -516,13 +515,6 @@ Include=<%= $include_dir %> # <% if $sslkeylocation_dir { %>SSLKeyLocation=<%= $sslkeylocation_dir %><% } -%> -### Option: SSLCALocation -# Location of certificate authority (CA) files for SSL server certificate verification. -# If not set, system-wide directory will be used. -# This parameter is used only in web monitoring. -# -<% if $sslcalocation_dir { %>SSLCALocation=<%= $sslcalocation_dir %><% } -%> - ####### LOADABLE MODULES ####### ### Option: LoadModulePath 
diff --git a/templates/zabbix_server.conf.epp b/templates/zabbix_server.conf.epp index 48151672c..36696d267 100644 --- a/templates/zabbix_server.conf.epp +++ b/templates/zabbix_server.conf.epp @@ -42,7 +42,6 @@ Optional[Stdlib::Absolutepath] $socketdir, Optional[Stdlib::IP::Address] $sourceip, Optional[String[1]] $sshkeylocation, - Optional[Stdlib::Absolutepath] $sslcalocation_dir, Optional[Stdlib::Absolutepath] $sslcertlocation_dir, Optional[Stdlib::Absolutepath] $sslkeylocation_dir, Integer[1,100] $startalerters, @@ -519,13 +518,6 @@ SSLCertLocation=<%= $sslcertlocation_dir %> # SSLKeyLocation=<%= $sslkeylocation_dir %> -### Option: SSLCALocation -# Override the location of certificate authority (CA) files for SSL server certificate verification. -# If not set, system-wide directory will be used. -# This parameter is used only in web monitoring. -# -<% if $sslcalocation_dir { %>SSLCALocation=<%= $sslcalocation_dir %><% } -%> - ####### LOADABLE MODULES ####### ### Option: LoadModulePath From e0e2d079349cc1812a4bc43451cbb00b3cebc895 Mon Sep 17 00:00:00 2001 From: Patrick Brideau Date: Tue, 14 Feb 2023 09:05:49 -0500 Subject: [PATCH 23/26] fix: duplicate parameter after merge --- manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index eb00a0ce3..96522e1a8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -251,7 +251,6 @@ Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert, $zabbix_api_user = $zabbix::params::server_api_user, Optional[Variant[String[1], Sensitive[String[1]]]] $zabbix_api_pass = $zabbix::params::server_api_pass, - $zabbix_api_pass = $zabbix::params::server_api_pass, Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access, $listenport = $zabbix::params::server_listenport, $sourceip = $zabbix::params::server_sourceip, From fe65cd92e2312d2e4905de3c0d48640565cecbb6 Mon Sep 17 00:00:00 2001 
From: "Brideau, Patrick" Date: Wed, 3 Jul 2024 09:25:24 -0400 Subject: [PATCH 24/26] fix: update REFERENCE.md --- REFERENCE.md | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 92e260d75..5e9203b92 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user` ##### `zabbix_api_pass` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` Password of the user which connects to the api. Default: zabbix @@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` Database password. ignored for sqlite. @@ -2290,7 +2290,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` The password of the database_user. @@ -2898,7 +2898,7 @@ Default value: `$zabbix::params::proxy_database_user` ##### `database_password` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` Database password. ignored for sqlite. @@ -3860,7 +3860,7 @@ API username. ##### `zabbix_pass` -Data type: `String[1]` +Data type: `Variant[String[1], Sensitive[String[1]]]` API password. @@ -3996,6 +3996,7 @@ The following parameters are available in the `zabbix::server` class: * [`startreportwriters`](#-zabbix--server--startreportwriters) * [`webserviceurl`](#-zabbix--server--webserviceurl) * [`vmwarefrequency`](#-zabbix--server--vmwarefrequency) +* [`vmwareperffrequency`](#-zabbix--server--vmwareperffrequency) * [`vaultdbpath`](#-zabbix--server--vaultdbpath) * [`vaulttoken`](#-zabbix--server--vaulttoken) * [`vaulturl`](#-zabbix--server--vaulturl) 
@@ -4052,6 +4053,7 @@ The following parameters are available in the `zabbix::server` class: * [`socketdir`](#-zabbix--server--socketdir) * [`hanodename`](#-zabbix--server--hanodename) * [`nodeaddress`](#-zabbix--server--nodeaddress) +* [`sslcalocation_dir`](#-zabbix--server--sslcalocation_dir) ##### `database_type` @@ -4269,7 +4271,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` Database password. ignored for sqlite. @@ -4502,6 +4504,15 @@ How often zabbix will connect to vmware service to obtain a new datan. Default value: `$zabbix::params::server_vmwarefrequency` +##### `vmwareperffrequency` + +Data type: `Any` + +Delay in seconds between performance counter statistics retrieval from a single VMware service. +This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters. + +Default value: `$zabbix::params::server_vmwareperffrequency` + ##### `vaultdbpath` Data type: `Optional[String[1]]` @@ -4892,7 +4903,7 @@ Default value: `$zabbix::params::server_loadmodule` ##### `sslcertlocation_dir` -Data type: `Any` +Data type: `Optional[Stdlib::Absolutepath]` Location of SSL client certificate files for client authentication. @@ -4900,7 +4911,7 @@ Default value: `$zabbix::params::server_sslcertlocation` ##### `sslkeylocation_dir` -Data type: `Any` +Data type: `Optional[Stdlib::Absolutepath]` Location of SSL private key files for client authentication. @@ -4964,6 +4975,14 @@ Directory to store IPC sockets used by internal Zabbix services. Default value: `$zabbix::params::server_nodeaddress` +##### `sslcalocation_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + + + +Default value: `$zabbix::params::server_sslcalocation` + ### `zabbix::userparameter` This class can be used when you use hiera or The Foreman. With this tools you can't use and define. This make use of "create_resources". 
@@ -5312,7 +5331,7 @@ Default value: `$zabbix::params::server_database_user` ##### `database_password` -Data type: `Any` +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` Database password. ignored for sqlite. From 887219d8121d7c7d651b275167f06063cb166352 Mon Sep 17 00:00:00 2001 From: "Brideau, Patrick" Date: Wed, 3 Jul 2024 11:30:12 -0400 Subject: [PATCH 25/26] doc: sslcalocation_dir --- REFERENCE.md | 18 +++++++++--------- manifests/server.pp | 1 + 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5e9203b92..b6deddb1b 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -4044,6 +4044,7 @@ The following parameters are available in the `zabbix::server` class: * [`statsallowedip`](#-zabbix--server--statsallowedip) * [`loadmodulepath`](#-zabbix--server--loadmodulepath) * [`loadmodule`](#-zabbix--server--loadmodule) +* [`sslcalocation_dir`](#-zabbix--server--sslcalocation_dir) * [`sslcertlocation_dir`](#-zabbix--server--sslcertlocation_dir) * [`sslkeylocation_dir`](#-zabbix--server--sslkeylocation_dir) * [`manage_selinux`](#-zabbix--server--manage_selinux) @@ -4053,7 +4054,6 @@ The following parameters are available in the `zabbix::server` class: * [`socketdir`](#-zabbix--server--socketdir) * [`hanodename`](#-zabbix--server--hanodename) * [`nodeaddress`](#-zabbix--server--nodeaddress) -* [`sslcalocation_dir`](#-zabbix--server--sslcalocation_dir) ##### `database_type` @@ -4901,6 +4901,14 @@ Module to load at server startup. Default value: `$zabbix::params::server_loadmodule` +##### `sslcalocation_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Location of certificate authority (CA) files for SSL server certificate verification. + +Default value: `$zabbix::params::server_sslcalocation` + ##### `sslcertlocation_dir` Data type: `Optional[Stdlib::Absolutepath]` 
@@ -4975,14 +4983,6 @@ Directory to store IPC sockets used by internal Zabbix services. Default value: `$zabbix::params::server_nodeaddress` -##### `sslcalocation_dir` - -Data type: `Optional[Stdlib::Absolutepath]` - - - -Default value: `$zabbix::params::server_sslcalocation` - ### `zabbix::userparameter` This class can be used when you use hiera or The Foreman. With this tools you can't use and define. This make use of "create_resources". diff --git a/manifests/server.pp b/manifests/server.pp index 6bd2de092..08b73143e 100755 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -137,6 +137,7 @@ # @param statsallowedip list of allowed ipadresses that can access the internal stats of zabbix server over network # @param loadmodulepath Full path to location of server modules. # @param loadmodule Module to load at server startup. +# @param sslcalocation_dir Location of certificate authority (CA) files for SSL server certificate verification. # @param sslcertlocation_dir Location of SSL client certificate files for client authentication. # @param sslkeylocation_dir Location of SSL private key files for client authentication. # @param manage_selinux Whether we should manage SELinux rules. From 0a42efbe71934a148452dc8a6fe42ed9131796a3 Mon Sep 17 00:00:00 2001 From: "Brideau, Patrick" Date: Wed, 3 Jul 2024 11:58:41 -0400 Subject: [PATCH 26/26] fix: add back unsensitive password removed from upstream merge --- manifests/database/postgresql.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp index 2a9b8ea45..4dc2a34c9 100644 --- a/manifests/database/postgresql.pp +++ b/manifests/database/postgresql.pp 
@@ -23,6 +23,12 @@ ) inherits zabbix::params { assert_private() + $database_password_unsensitive = if $database_password =~ Sensitive[String] { + $database_password.unwrap + } else { + $database_password + } + if $database_schema_path != false and $database_schema_path != '' { $schema_path = $database_schema_path } elsif versioncmp($zabbix_version, '6.0') >= 0 { @@ -56,7 +62,7 @@ "PGHOST=${database_host}", "PGPORT=${database_port}", "PGUSER=${database_user}", - "PGPASSWORD=${database_password}", + "PGPASSWORD=${database_password_unsensitive}", "PGDATABASE=${database_name}", ]
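Review bot: The `"PGPASSWORD=${database_password_unsensitive}"` entry in the second hunk puts the unwrapped password into an ordinary string, so Puppet no longer treats it as Sensitive and it can appear in the compiled catalog, reports or debug output of whatever resource consumes this list. The unwrap in the first hunk is needed for the interpolation, but the finished list should be wrapped again before it is handed to a resource, for example as `Sensitive([ ..., "PGPASSWORD=${database_password_unsensitive}", ... ])`. To my knowledge only a top-level Sensitive parameter value is redacted, not one nested inside an array. The consuming resource lies outside these hunks, so confirm that its parameter accepts a Sensitive value on the Puppet versions the module supports. I would also add `# Unwrapped only to build PGPASSWORD; do not log, notify or reuse this value.` above the assignment; the match on `Sensitive[String]` is looser than the `Sensitive[String[1]]` declared for `database_password` elsewhere in this series, which is harmless but inconsistent.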