ZBX-10717 (ZABBIX BUGS AND ISSUES)

missing error message if zabbix daemon doesn't have required permission to conf file

      Description

      I believe this applies to any daemon, but here I will consider only the agent daemon.

      It's obvious that the "zabbix" account should have READ permission on the conf file.
      But when that requirement is not satisfied, it's not very clear what happens if you try to run the zabbix agent from a root shell (which is exactly how it usually happens).

      For example, if run NOT from a root shell:

      # sudo -u zabbix ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $?
      zabbix_agentd3.0 [12004]: cannot open config file "/zab/bin/3.0/zabbix_agentd.conf": [13] Permission denied
      1
      

      The error is printed to STDERR and that's fine, but the zabbix agent is usually not started this way.

      But if you try to run it as root (as usual):

      # ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $?
      0
      

      It looks like it started successfully, but actually it did not.

      If logging in zabbix_agentd.conf is configured to the native log file, then we can see these lines:

      zabbix_agentd3.0 [12186]: cannot create IPC key for path '/zab/bin/3.0/etc/zabbix_agentd.conf', try to create for path '.': [13] Permission denied
       12186:20160427:160845.337 Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788).
       12186:20160427:160845.337 **** Enabled features ****
       12186:20160427:160845.337 IPv6 support:          YES
       12186:20160427:160845.337 TLS support:            NO
       12186:20160427:160845.337 **************************
       12186:20160427:160845.337 using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf
      zabbix_agentd3.0 [12186]: cannot create IPC key for path [/zab/bin/3.0/etc/zabbix_agentd.conf] id [l]: [13] Permission denied
       12186:20160427:160845.337 cannot create IPC key for collector
      

      If it is configured to syslog, then in syslog:

       
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788).
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: **** Enabled features ****
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: IPv6 support:          YES
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: TLS support:            NO
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: **************************
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf
      Apr 27 16:10:02 it0 zabbix_agentd[12246]: cannot create IPC key for collector
      

      Note the difference between the lines logged in syslog and in the native log. That's also not very good, because in syslog we don't have the human "understandable" part like "Permission denied".

      Just in case, with LogType=console but without AllowRoot=1, as expected:

      # ./zabbix_agentd3.0 -c /zab/bin/3.0/etc/zabbix_agentd.conf -f
      zabbix_agentd3.0 [20082]: cannot run as root!
      

      So, because of double forking, the zabbix agent was actually able to read the config file (to know where to write the log to), but when it switched to the "zabbix" account it could not work correctly and stopped.

      Such specific behavior is not very clear, and I believe it has to be improved so as not to mislead zabbix users.

      Ideally the agent should print the error message to STDERR in any case and exit with error code 1 (that's very important for init scripts too).

      Assignee: Unassigned
      Reporter: zalex_ua Oleksii Zagorskyi