zabbix_proxy_tlspskfile fails silently if the file does not exist. #1292

Open
CompPhy opened this issue Jun 13, 2024 · 7 comments
Labels
bug Something isn't working role The issue or pull request is related to Zabbix role

Comments

@CompPhy
Contributor

CompPhy commented Jun 13, 2024

SUMMARY

If you specify zabbix_proxy_tlspskfile variable, there is nothing in the roles to actually create this file. There is a check to make sure the directory exists, but nothing to make sure the file itself exists. The role will complete and even restarts the service, but then the service will fail shortly after startup with the error below. I've specifically seen this on the Zabbix Proxy role, but would expect this can probably happen on any role that does PSK configuration.

cannot open file "/var/lib/zabbix/zabbix.psk": [2] No such file or directory

The only workaround I've found is to manually create this file before running the Zabbix role. The better solution would be to have the role create the file if it doesn't already exist. Doing something like openssl rand -hex 32 is sufficient for the content of this file.

I'm currently using the 2.4.0 release of the collection, but looking at the relevant tasks on the current main branch, I don't see anything for this issue. I do have a workaround in our usage currently, but it sure would be nice if the collection would fix this eventually.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

Zabbix Proxy role, possibly others as well.

ANSIBLE VERSION
ansible [core 2.15.12]
  config file = /home/kshutt/projects/iaas/ansible.cfg
  configured module search path = ['/home/kshutt/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/kshutt/venv39/lib64/python3.9/site-packages/ansible
  ansible collection location = /home/kshutt/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/kshutt/venv39/bin/ansible
  python version = 3.9.19 (main, May 16 2024, 11:40:09) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/home/kshutt/venv39/bin/python3.9)
  jinja version = 3.1.4
  libyaml = True
CONFIGURATION
ANSIBLE_PIPELINING(/home/kshutt/projects/iaas/ansible.cfg) = True
CALLBACKS_ENABLED(/home/kshutt/projects/iaas/ansible.cfg) = ['profile_tasks', 'profile_roles']
CONFIG_FILE() = /home/kshutt/projects/iaas/ansible.cfg
DEFAULT_HASH_BEHAVIOUR(/home/kshutt/projects/iaas/ansible.cfg) = merge
DEFAULT_HOST_LIST(/home/kshutt/projects/iaas/ansible.cfg) = ['/home/kshutt/projects/iaas/inventory']
DEFAULT_JINJA2_EXTENSIONS(/home/kshutt/projects/iaas/ansible.cfg) = jinja2.ext.loopcontrols
DEFAULT_TIMEOUT(/home/kshutt/projects/iaas/ansible.cfg) = 120
DEFAULT_VAULT_PASSWORD_FILE(/home/kshutt/projects/iaas/ansible.cfg) = /home/kshutt/projects/iaas/tools/vault.txt
GALAXY_SERVER_LIST(/home/kshutt/projects/iaas/ansible.cfg) = ['automation_hub', 'release_galaxy']
HOST_KEY_CHECKING(/home/kshutt/projects/iaas/ansible.cfg) = False
INTERPRETER_PYTHON(/home/kshutt/projects/iaas/ansible.cfg) = auto
SHOW_CUSTOM_STATS(/home/kshutt/projects/iaas/ansible.cfg) = True
OS / ENVIRONMENT / Zabbix Version

We are currently targeting latest RedHat 8 and 9 releases, and the same issue appears in both.

STEPS TO REPRODUCE
Just set `zabbix_proxy_tlspskfile` to a file name, but don't create the file ahead of time.
EXPECTED RESULTS

If the file doesn't exist, the role should just create a reasonable default based on a random hash. In our case we set this variable to /var/lib/zabbix/zabbix.psk.

ACTUAL RESULTS
The community.zabbix.zabbix_proxy role will run to successful completion, but then the zabbix proxy service will fail after startup with error:

cannot open file "/var/lib/zabbix/zabbix.psk": [2] No such file or directory
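A pre-flight check for the situation this report describes, added here as an example and not code from the community.zabbix collection: it refuses to proceed when the TLSPSKFile is missing, validates the content against Zabbix's PSK constraints (an even number of hex digits, 32 to 512 of them), warns when the file is readable by group or other, and only creates a fresh key when no file exists. The function names check_zabbix_psk and ensure_zabbix_psk are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a Zabbix TLSPSKFile before (re)starting zabbix_proxy.
# Function names are assumed; this is not part of the community.zabbix roles.

# check_zabbix_psk PATH: returns 0 if PATH holds a usable PSK, 1 otherwise,
# printing the reason on stderr so a playbook or CI job can surface it.
check_zabbix_psk() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2          # the failure mode in this report
        return 1
    fi
    psk=$(head -n 1 "$path" | tr -d '\r\n')
    case "$psk" in
        *[!0-9A-Fa-f]*|'')
            echo "not hex: $path" >&2
            return 1 ;;
    esac
    len=${#psk}
    # Zabbix accepts 128-bit to 2048-bit PSKs given as an even count of hex digits.
    if [ "$len" -lt 32 ] || [ "$len" -gt 512 ] || [ $((len % 2)) -ne 0 ]; then
        echo "bad length ($len hex digits): $path" >&2
        return 1
    fi
    # The daemon reads the file as the zabbix user; wider than 0600 leaks the key.
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    case "$mode" in
        *[1-7]?|*?[1-7]) echo "warning: $path readable by group/other (mode $mode)" >&2 ;;
    esac
    return 0
}

# ensure_zabbix_psk PATH: creates PATH with a fresh 256-bit PSK only when it
# does not exist yet (never overwrites a deployed key), then validates it.
ensure_zabbix_psk() {
    path=$1
    [ -f "$path" ] && return 0
    ( umask 077 && openssl rand -hex 32 > "$path" ) || return 1
    check_zabbix_psk "$path"
}
```

Run check_zabbix_psk against the value of zabbix_proxy_tlspskfile before the service restart handler fires; ensure_zabbix_psk is the "create if missing" behaviour the report asks for.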
@pyrodie18 pyrodie18 added bug Something isn't working role The issue or pull request is related to Zabbix role labels Jun 13, 2024
@sshmanko

I have a related issue, when not specifying anything related to PSK, default configuration file includes the line (file doesn't exist):

TLSPSKFile=/etc/zabbix/tls_psk_auto.secret

And zabbix-agent fails to start:

zabbix_agent2 [107816]: ERROR: cannot use encryption configuration: TLSPSKFile configuration parameter set without PSK being used

Workaround is to set zabbix_agent_tlspskfile to empty string when calling agent role.

Ubuntu 22 & collection 2.5.1

@pyrodie18
Collaborator

pyrodie18 commented Jul 14, 2024

I have a related issue, when not specifying anything related to PSK, default configuration file includes the line (file doesn't exist):

TLSPSKFile=/etc/zabbix/tls_psk_auto.secret

And zabbix-agent fails to start:

zabbix_agent2 [107816]: ERROR: cannot use encryption configuration: TLSPSKFile configuration parameter set without PSK being used

Workaround is to set zabbix_agent_tlspskfile to empty string when calling agent role.

Ubuntu 22 & collection 2.5.1

@sshmanko Would encourage you to check the latest release and see if you still have this problem. If you do, create a new ticket specific to your problem because while your issue is similar to the one originally posted here, it is completely different in what is/was causing the issue.

@BGmot
Collaborator

BGmot commented Jul 14, 2024

If you want Ansible to create this file then you need to provide the content of this file too, in the variable zabbix_proxy_tlspsk_secret.

@pyrodie18
Collaborator

@BGmot I'm curious on your thoughts. Playing with the idea of adding the same auto-psk stuff we have in the agent role. Think it's better to copy/paste, or to put it into a new role that deals with the PSK that can be called by both agent and proxy?

@BGmot
Collaborator

BGmot commented Jul 14, 2024

To be honest I don't like "auto-psk" functionality. That is security stuff. Distribution of these files (along with certificates, keys, CA's certificate) must be (in my opinion) carefully designed/planned and deployed as an activity not tied to Zabbix components' deployment. Zabbix is just using these files.
What do you think?

@pyrodie18
Collaborator

When it comes to the cert I completely agree. We should not be generating a cert. I'm less concerned about generating a pre-shared key (although I suppose that in this case at least, the difference between a cert and a PSK is not huge).

@BGmot
Collaborator

BGmot commented Jul 14, 2024

If you feel like implementing it then sure, go ahead please. But anyway you'll need to read the PSK file from every host to configure all the hosts in Zabbix (via the zabbix_host module).
