-
Incident report
-
Resolution: Unresolved
-
Trivial
-
None
-
3.0.2
I believe it's related to any daemon, but here will consider only agent daemon.
It's obvious that "zabbix" account should have READ permissions to conf file.
But when the requirement is not satisfied, it's not very clear what happens if try to run zabbix agent from root shell (exactly how it usually happens).
For example if run NOT from root shell:
# sudo -u zabbix ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $?
zabbix_agentd3.0 [12004]: cannot open config file "/zab/bin/3.0/zabbix_agentd.conf": [13] Permission denied
1
the error is printed to STDERR and that's fine, but zabbix agent usually is not started in this way.
But if try to run as root (as usually):
# ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $? 0
it looked like started successfully, but actually it does not.
If in zabbix_agentd.conf logging is configured to native log file then we can see these lines:
zabbix_agentd3.0 [12186]: cannot create IPC key for path '/zab/bin/3.0/etc/zabbix_agentd.conf', try to create for path '.': [13] Permission denied 12186:20160427:160845.337 Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788). 12186:20160427:160845.337 **** Enabled features **** 12186:20160427:160845.337 IPv6 support: YES 12186:20160427:160845.337 TLS support: NO 12186:20160427:160845.337 ************************** 12186:20160427:160845.337 using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf zabbix_agentd3.0 [12186]: cannot create IPC key for path [/zab/bin/3.0/etc/zabbix_agentd.conf] id [l]: [13] Permission denied 12186:20160427:160845.337 cannot create IPC key for collector
if configured to syslog, then is syslog:
Apr 27 16:10:02 it0 zabbix_agentd[12246]: Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788).
Apr 27 16:10:02 it0 zabbix_agentd[12246]: **** Enabled features ****
Apr 27 16:10:02 it0 zabbix_agentd[12246]: IPv6 support: YES
Apr 27 16:10:02 it0 zabbix_agentd[12246]: TLS support: NO
Apr 27 16:10:02 it0 zabbix_agentd[12246]: **************************
Apr 27 16:10:02 it0 zabbix_agentd[12246]: using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf
Apr 27 16:10:02 it0 zabbix_agentd[12246]: cannot create IPC key for collector
Note the difference in logged lines in syslog and native log - that's also not very good because in syslog we don't have human "understandable" part like "Permission denied"
Just in case, with LogType=console but without AllowRoot=1, as expected:
# ./zabbix_agentd3.0 -c /zab/bin/3.0/etc/zabbix_agentd.conf -f zabbix_agentd3.0 [20082]: cannot run as root!
So, because of double forking, zabbix agent was able to actually read the config file (to know where to write log to), but when it switched to "zabbix" account it could not work correctly and stopped.
Such specific behavior is not very clear and I believe have to be improved to not mislead zabbix users.
Ideally agent should print the error message to STDERR in any case and exit with error code 1 (that's very important for init scripts too).