Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T5657: start zabbix-agent under user zabbix for VRF #3976

Closed
wants to merge 1 commit into from
Closed

T5657: start zabbix-agent under user zabbix for VRF #3976

wants to merge 1 commit into from

Conversation

sever-sever
Copy link
Member

Change Summary

Add user zabbix to sudoers.d and allow to start zabbix-agent2 service under VRF
Remove the user root from the systemd unit override, as we want to start the service from the user zabbix

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe): Start zabbix-agent under user zabbix

Related Task(s)

Related PR(s)

Component(s) name

zabbix-agent

Proposed changes

How to test

set service monitoring zabbix-agent host-name 'r4'
set service monitoring zabbix-agent server '192.0.2.5'
set service monitoring zabbix-agent vrf 'mgmt'

check status

vyos@r4# sudo systemctl status zabbix-agent2
● zabbix-agent2.service - Zabbix Agent 2
     Loaded: loaded (/lib/systemd/system/zabbix-agent2.service; disabled; preset: enabled)
    Drop-In: /run/systemd/system/zabbix-agent2.service.d
             └─10-override.conf
     Active: active (running) since Tue 2024-08-13 11:32:40 EEST; 7min ago
       Docs: man:zabbix_agent2
   Main PID: 9587 (sudo)
      Tasks: 8 (limit: 18718)
     Memory: 16.5M
        CPU: 78ms
     CGroup: /system.slice/zabbix-agent2.service
             ├─9587 sudo ip vrf exec mgmt /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
             └─vrf
               └─mgmt
                 └─9588 /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground

Aug 13 11:32:40 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
Aug 13 11:32:40 r4 sudo[9587]:   zabbix : PWD=/run/zabbix ; USER=root ; COMMAND=/bin/ip vrf exec mgmt /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --for>
Aug 13 11:32:40 r4 sudo[9587]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=101)
Aug 13 11:32:40 r4 sudo[9588]: Starting Zabbix Agent 2 (6.0.14)
Aug 13 11:32:40 r4 sudo[9588]: Zabbix Agent2 hostname: [r4]
Aug 13 11:32:40 r4 sudo[9588]: Press Ctrl+C to exit.
[edit]
vyos@r4#

Smoketest result

vyos@r4:~$ /usr/libexec/vyos/tests/smoke/cli/test_service_monitoring_zabbix-agent.py
test_01_zabbix_agent (__main__.TestZabbixAgent.test_01_zabbix_agent) ... ok

----------------------------------------------------------------------
Ran 1 test in 13.926s

OK
vyos@r4:~$

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@sever-sever sever-sever requested a review from a team as a code owner August 13, 2024 08:42
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 13, 2024
edited
Loading

👍
No issues in PR Title / Commit Title

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 13, 2024
edited
Loading

✅ No issues found in unused-imports check.. Please refer the workflow run

@sever-sever sever-sever marked this pull request as draft August 13, 2024 08:50
@sever-sever
Copy link
Member Author

Only one bug with this solution when stop the service

Aug 13 14:15:30 r4 systemd[1]: Stopping zabbix-agent2.service - Zabbix Agent 2...
Aug 13 14:15:30 r4 systemd[1]: zabbix-agent2.service: Couldn't add UID/GID reference to unit, proceeding without: Device or resource busy
Aug 13 14:15:30 r4 sh[5010]: --: line 1: kill: (4883) - Operation not permitted
Aug 13 14:15:30 r4 systemd[1]: zabbix-agent2.service: Control process exited, code=exited, status=1/FAILURE
Aug 13 14:15:30 r4 ip[4884]: Zabbix Agent 2 stopped. (6.0.14)
Aug 13 14:15:30 r4 sudo[4883]: pam_unix(sudo:session): session closed for user zabbix
Aug 13 14:15:30 r4 systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.
Aug 13 14:15:30 r4 systemd[1]: Stopped zabbix-agent2.service - Zabbix Agent 2.
Aug 13 14:15:30 r4 sudo[4970]: pam_unix(sudo:session): session closed for user root
Aug 13 14:15:30 r4 systemd[1]: opt-vyatta-config-tmp-new_config_4611.mount: Deactivated successfully.

c-po
c-po reviewed Aug 15, 2024
View reviewed changes
data/templates/zabbix-agent/10-override.conf.j2
ExecStart=
ExecStart={{ zabbix_command }}/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
ExecStart={{ zabbix_command }}sudo -E -n -u zabbix /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is sudo required?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For VRF

Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Scheduled restart job, restart counter is at 282.
Jul 31 16:47:30 r4 systemd[1]: Stopped zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 ip[9020]: mkdir failed for /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf: Permission denied
Jul 31 16:47:30 r4 ip[9020]: Failed to setup vrf cgroup2 directory
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Main process exited, code=exited, status=255/EXCEPTION
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.

@c-po
Copy link
Member

c-po commented Sep 18, 2024

What about ip vrf exec red runuser -u zabbix /usr/bin/zabbix? Can you try it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c-po c-po c-po left review comments

@dmbaturin dmbaturin Awaiting requested review from dmbaturin dmbaturin is a code owner automatically assigned from vyos/reviewers

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro is a code owner automatically assigned from vyos/reviewers

@nicolas-fort nicolas-fort Awaiting requested review from nicolas-fort nicolas-fort is a code owner automatically assigned from vyos/reviewers

Assignees

@sever-sever sever-sever

Labels
current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sever-sever @c-po