[ZBXNEXT-3497] auto-registration with TLS (PSK) Created: 2016 Oct 14  Updated: 2024 Apr 10  Resolved: 2019 Oct 28

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent (G), Frontend (F), Server (S)
Affects Version/s: 3.2.1
Fix Version/s: 4.4.0alpha3, 4.4 (plan)

Type: New Feature Request Priority: Major
Reporter: Isaac Puch Rojo Assignee: Andris Mednis
Resolution: Fixed Votes: 35
Labels: actions, autoregistration, encryption, tls
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

Tried on Ubuntu 16.04, but it is not relevant


Attachments: File 020-agent-sends-clear.patch    
Issue Links:
Duplicate
is duplicated by ZBXNEXT-3711 Zabbix agent Auto-registration with s... Closed
is duplicated by ZBXNEXT-3561 Allow auto registration when using en... Closed
Sub-task
part of ZBX-18134 PSK key visible after autoregistration Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
ZBXNEXT-5291 | auto-registration with TLS (PSK or ce... | Specification change (Sub-task) | Closed | Alexander Vladishev
Team: Team A
Sprint: Sprint 56 (Sep 2019), Sprint 55 (Aug 2019), Sprint 54 (Jul 2019)
Story Points: 8

Description

It would be great if you could define a PSK for auto-registration.



Comments
Comment by Andris Mednis [ 2016 Oct 21 ]

Today on IRC a user described a workaround for setting encryption after auto-registration (slightly edited version):

<fayazabdul> hi, I need to run a custom script on the Zabbix master as part of auto-registration. In general auto-registration works fine, but I want to invoke the script to add and do some other actions; the script itself is not being called.

<ccooke> fayazabdul: The easiest way to do that right now is to create a special media type for each distinct thing you need to do, then create an automation user to hang them from.
Then in your registration actions you can "send a message" to that media type, triggering the script you wrote. I'm currently doing that to set the correct encryption options on hosts, for instance.

<AmiralThrawn> ccooke: can you share that custom script for auto-registration and encryption setting ?

<ccooke> This one? https://gist.github.com/ccooke/4091eea6db0acdcfcefadd631c0e9397

<AmiralThrawn> ccooke: thanks .. so using the api on itself to set encryption. nice

<ccooke> yeah. That bit of the API is actually semi-undocumented (or was, when I wrote this), but a bit of poking found the right stuff.
Basically, that's set as a media type and I have an admin-script user that has a media object defined of that type.
The auto-registration action then sends a message to the media type, with the hostname as subject. Not too complicated.

Comment by Marco Agostani [ 2016 Dec 13 ]

Permits a TLS-configured agent to send auto-registration in clear.

Comment by Marco Agostani [ 2016 Dec 13 ]

If someone is interested: I made a small patch that permits an encrypted agent to send the 1st packet, the one containing metadata, in clear.
Basically this permits the Zabbix server to trigger an action and create a host with TLS encryption.

Comment by Glebs Ivanovskis (Inactive) [ 2017 Feb 17 ]

Duplicate ZBXNEXT-3711 has a patch too.

Comment by Marco Agostani [ 2017 Feb 20 ]

This is not entirely the same case.
In Andris' case I think you have to manually reconfigure the agent to let encryption begin, otherwise encryption will work only in the direction server -> client.
Andris' patch should be an extension of my case, because it involves a needed step, reconfiguration of the server part.
The difference is that in my case you don't need to reconfigure the client, because it automatically starts to send encrypted data, but you can eventually reconfigure the server in order to update active checks through a secure channel.

Comment by Naruto [ 2017 Apr 11 ]

This should be done natively by the Zabbix protocols.

What would be the most elegant solution to this problem?

Comment by Sebastian Treu [ 2017 Apr 11 ]

It's a weird decision to make an auto-registration feature where you then need to modify the agent in order to have a secured/encrypted connection. I guess that Zabbix lacks a way, at least for the community edition, to autoregister the Zabbix agent seamlessly. Any idea on this feature?

Comment by Marco Agostani [ 2017 Apr 12 ]

Having the possibility to encrypt the autoregistration packet as well would be a good security feature, and I suggest implementing it.
It's something that could be needed in the providers/carriers world.

Anyway, we have started using our solution (with the patched agent) on more than 900 sites around the world and we're satisfied with it.

Comment by Sebastian Treu [ 2017 Apr 12 ]

@Marco, I've read your patch and it's an interesting solution. I think the hardest part is creating the whole toolchain to build and compile the agent for every platform. Nice workaround!

Comment by Steen Schütt [ 2017 Nov 08 ]

Wouldn't it make sense to simply use TLS with the Zabbix server's certificate when sending the initial auto registration message, and then enable the agent to generate a PSK and share it with the server over this TLS connection to permanently enable encryption?

Comment by Marco Agostani [ 2018 Dec 11 ]

@Steen, right now autoregistration goes to the server (or proxy) ports and is accepted only in the Zabbix protocol without encryption.

Using the API through TLS could be another solution, but you have to create your own autoconfiguration script that creates the host and keys via the API, and of course that means having an API user and password stored on your remote systems.

Cheers

Marco
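Marco's two points, that his patch lets the metadata packet go out in clear and that autoregistration is accepted only in the unencrypted Zabbix protocol, both come down to what that first packet contains. The block below is an added example, not code from the page, the patch or the project: it frames the "active checks" request an active agent sends first (host name plus HostMetadata) in the Zabbix protocol and parses it back, which is exactly what an on-path observer, or an impostor, gets to read or write when that packet is unauthenticated. The host name and metadata values are constructed:

```python
"""Zabbix protocol framing of the packet auto-registration rides on.

Added example, not project code.  Frame layout: b"ZBXD", one flag byte (0x01
for the plain protocol), an 8-byte little-endian payload length (4.0+ splits
this into 4-byte length + 4 reserved bytes, identical on the wire for sizes
below 4 GiB), then the JSON payload.
"""
import json
import struct

HEADER = b"ZBXD"
FLAG_ZABBIX = 0x01
MAX_LEN = 128 * 1024 * 1024  # refuse absurd lengths before allocating


def pack(payload):
    """Serialise a dict as one Zabbix protocol frame."""
    data = json.dumps(payload, separators=(",", ":")).encode()
    return HEADER + bytes([FLAG_ZABBIX]) + struct.pack("<Q", len(data)) + data


def unpack(frame):
    """Inverse of pack(); validates header, flag and the declared length."""
    if len(frame) < 13 or frame[:4] != HEADER:
        raise ValueError("not a Zabbix protocol frame")
    if frame[4] != FLAG_ZABBIX:
        raise ValueError("unsupported protocol flags 0x%02x" % frame[4])
    (length,) = struct.unpack("<Q", frame[5:13])
    if length > MAX_LEN or len(frame) != 13 + length:
        raise ValueError("declared length %d does not match frame" % length)
    return json.loads(frame[13:13 + length].decode())


def active_checks_request(host, host_metadata=None):
    """First message an active agent sends.  If no host with this name exists,
    the server treats it as an auto-registration event."""
    req = {"request": "active checks", "host": host}
    if host_metadata is not None:
        req["host_metadata"] = host_metadata
    return req


def registration_fields(frame):
    """What the server (or anyone on the path) learns from a clear frame;
    None for frames that are not active-check requests."""
    msg = unpack(frame)
    if msg.get("request") != "active checks":
        return None
    return {"host": msg.get("host"), "host_metadata": msg.get("host_metadata", "")}


if __name__ == "__main__":
    # Constructed sample: a freshly deployed agent announcing itself.
    frame = pack(active_checks_request("web-01.example.com", "Linux prod web"))
    print(frame[:13].hex(), registration_fields(frame))
```

Nothing in the frame authenticates the sender, so an action keyed on host name or metadata is trusting a value any client of the server port can supply; that is what the PSK-protected autoregistration resolved in this ticket adds.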

Comment by James Howe [ 2019 Jan 11 ]

A secure solution would be to set a PSK/cert for a host group/template/globally on the Zabbix server; you could then trust any agent able to authenticate to autoregister itself.

Comment by Andy Booth [ 2019 Mar 24 ]

A "trivial" ticket priority seems odd here, as this feature is required for bulk auto-registration and bulk discovery in environments where host <> server comms must be encrypted.

Auto-registration and discovery are there to remove the need for manually adding hosts, but the lack of any kind of template- or group-based encryption feature means that all hosts requiring encrypted comms must be visited in Zabbix. Compare that with a script-based deployment/update of Zabbix agents to machines in a group via GPO on Windows, or an Ansible playbook on Linux.

Please can the priority of this ticket be raised?

Comment by Andris Mednis [ 2019 Aug 02 ]

Available in development branch feature/ZBXNEXT-3497-4.3.

Pull request [ZBXNEXT-3497] added support of PSK-based encryption in autoregistration
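With PSK-based autoregistration in place, the server holds one autoregistration identity and PSK and every agent must present that pair before it is ever known to the server, so the secret has to reach the agent through provisioning. The helper below is an added example, not Zabbix's own tooling: it creates the PSK file the way the agent expects (TLSPSKFile contains only the hex PSK), refuses to create it world- or group-readable, and renders the matching zabbix_agentd.conf parameters with no unencrypted fallback. The server name, identity and metadata are constructed; the TLSConnect, TLSAccept, TLSPSKIdentity and TLSPSKFile parameters are the agent's own encryption settings since 3.0:

```python
"""Agent-side provisioning for PSK auto-registration (added example).

The PSK is created once by the operator (generate_psk) and entered on the
server's autoregistration settings; provision() installs the same value on
each agent.  Keeping the file 0600 is the point of the linked ZBX-18134.
"""
import os
import re
import secrets
import stat
import tempfile

PSK_RE = re.compile(r"^[0-9a-f]{32,}$")


def generate_psk(nbytes=32):
    """Random PSK as lowercase hex; Zabbix accepts 16..256 bytes (32..512 hex)."""
    if not 16 <= nbytes <= 256:
        raise ValueError("PSK must be 16..256 bytes")
    return secrets.token_hex(nbytes)


def write_psk_file(path, psk):
    """Create the PSK file with mode 0600 atomically (no create-then-chmod race)."""
    if not PSK_RE.match(psk) or len(psk) % 2:
        raise ValueError("PSK must be lowercase hex, >= 32 digits, even length")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(psk + "\n")


def psk_file_is_private(path):
    """True only when no group/other permission bits are set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def render_agent_conf(server, hostname, psk_identity, psk_file, metadata):
    """zabbix_agentd.conf parameters: PSK in both directions, nothing in clear."""
    lines = [
        "Server=%s" % server,
        "ServerActive=%s" % server,
        "Hostname=%s" % hostname,
        "HostMetadata=%s" % metadata,
        "TLSConnect=psk",
        "TLSAccept=psk",
        "TLSPSKIdentity=%s" % psk_identity,
        "TLSPSKFile=%s" % psk_file,
    ]
    return "\n".join(lines) + "\n"


def provision(directory, server, hostname, psk_identity, metadata, psk):
    """Install PSK file and conf fragment; returns (conf_path, psk_path)."""
    psk_path = os.path.join(directory, "zabbix_agentd.psk")
    write_psk_file(psk_path, psk)
    if not psk_file_is_private(psk_path):
        raise RuntimeError("PSK file is readable by others")
    conf_path = os.path.join(directory, "zabbix_agentd.conf")
    with open(conf_path, "w") as f:
        f.write(render_agent_conf(server, hostname, psk_identity, psk_path, metadata))
    return conf_path, psk_path


def provision_into_tempdir(server, hostname, psk_identity, metadata, psk):
    """Same as provision() but into a fresh temporary directory (for trying it out)."""
    return provision(tempfile.mkdtemp(), server, hostname, psk_identity, metadata, psk)


if __name__ == "__main__":
    # Constructed values; the PSK would normally come from the secrets store.
    print(provision_into_tempdir("zabbix.example.com", "web-01.example.com",
                                 "autoreg-2019", "Linux prod web", generate_psk()))
```

Because every agent shares the autoregistration PSK, the server only learns that the sender was provisioned, not which host it is; treat the created host's name and metadata accordingly, and rotate the shared PSK when an agent is decommissioned or compromised.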

Comment by Andris Mednis [ 2019 Oct 14 ]

Fixed in:

Comment by Alexander Vladishev [ 2019 Oct 28 ]

Updated documentation:

Generated at Fri Apr 19 18:50:45 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.