  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-9380

Support zabbix-agent2 to drop privileges


    • Change Request
    • Resolution: Unresolved
    • Medium
    • None
    • 6.0.31
    • Agent2 plugin (N)
    • VyOS 1.5-rolling-202408010023

      Background:

      We integrated zabbix-agent2 into VyOS (based on Debian bookworm) with VRF support.

      So, the same is true for Debian.

      And we had issues if the systemd unit was started as the user `zabbix` under VRF:

      ```
      Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Scheduled restart job, restart counter is at 282.
      Jul 31 16:47:30 r4 systemd[1]: Stopped zabbix-agent2.service - Zabbix Agent 2.
      Jul 31 16:47:30 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
      Jul 31 16:47:30 r4 ip[9020]: mkdir failed for /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf: Permission denied
      Jul 31 16:47:30 r4 ip[9020]: Failed to setup vrf cgroup2 directory
      Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Main process exited, code=exited, status=255/EXCEPTION
      Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.
       ```

      Additional capabilities do not work: https://vyos.dev/T5657#196808

      ```
      +CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER
       ```
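
Review bot: CAP_SYS_ADMIN together with CAP_DAC_OVERRIDE and CAP_FOWNER, listed in both CapabilityBoundingSet= and AmbientCapabilities=, leaves the agent process close to root-equivalent even under a non-root User=, so this set would be little improvement over User=root even if the unit started with it. If the capability approach is revisited, trim the list to the capabilities the failing step in the log actually requires (the mkdir under /sys/fs/cgroup/system.slice/zabbix-agent2.service/) and note in the unit why each remaining one is needed.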

      We have to use the user "root" in the systemd unit to start the service correctly under VRF:

      ```
      User=root
      ```

      ```

      set vrf name mgmt table '123'
      set interfaces dummy dum123 vrf 'mgmt'

      set vrf bind-to-all
      set service monitoring zabbix-agent host-name 'r4'
      set service monitoring zabbix-agent server '192.0.2.5'
      set service monitoring zabbix-agent vrf 'mgmt'

      ```

      Status

      ```

      vyos@r4# sudo systemctl status zabbix-agent2
      ● zabbix-agent2.service - Zabbix Agent 2
           Loaded: loaded (/lib/systemd/system/zabbix-agent2.service; disabled; preset: enabled)
          Drop-In: /run/systemd/system/zabbix-agent2.service.d
                   └─10-override.conf
           Active: active (running) since Thu 2024-08-01 12:37:55 EEST; 1min 49s ago
             Docs: man:zabbix_agent2
         Main PID: 6230 (zabbix_agent2)
            Tasks: 9 (limit: 18718)
           Memory: 26.5M
              CPU: 392ms
           CGroup: /system.slice/zabbix-agent2.service
                   └─vrf
                     └─mgmt
                       └─6230 /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground

      Aug 01 12:37:55 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
      Aug 01 12:37:55 r4 ip[6230]: Starting Zabbix Agent 2 (6.0.14)
      Aug 01 12:37:55 r4 ip[6230]: Zabbix Agent2 hostname: [r4]
      Aug 01 12:37:55 r4 ip[6230]: Press Ctrl+C to exit.
      [edit]
      vyos@r4# 

      ```

      Dropping privileges would be an excellent option, as starting the unit as root is insecure.

       

            vjaceslavs Vjaceslavs Bogdanovs
            Sever Viacheslav

            Original Estimate: 26h
            Remaining Estimate: 26h
            Time Spent: Not Specified