[ZBX-10717] missing error message if zabbix daemon doesn't have required permission to conf file Created: 2016 Apr 27 Updated: 2019 Dec 10 |
|
| Status: | Open |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Agent (G), Proxy (P), Server (S) |
| Affects Version/s: | 3.0.2 |
| Fix Version/s: | None |
| Type: | Incident report | Priority: | Trivial |
| Reporter: | Oleksii Zagorskyi | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | configfile, exitcodes, permissions | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Description |
|
I believe it's related to any daemon, but here will consider only agent daemon. It's obvious that "zabbix" account should have READ permissions to conf file. For example if run NOT from root shell:
# sudo -u zabbix ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $?
zabbix_agentd3.0 [12004]: cannot open config file "/zab/bin/3.0/zabbix_agentd.conf": [13] Permission denied
1
the error is printed to STDERR and that's fine, but zabbix agent usually is not started in this way. But if try to run as root (as usually): # ./zabbix_agentd3.0 -c /zab/bin/3.0/zabbix_agentd.conf; echo $? 0 it looked like started successfully, but actually it does not. If in zabbix_agentd.conf logging is configured to native log file then we can see these lines: zabbix_agentd3.0 [12186]: cannot create IPC key for path '/zab/bin/3.0/etc/zabbix_agentd.conf', try to create for path '.': [13] Permission denied 12186:20160427:160845.337 Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788). 12186:20160427:160845.337 **** Enabled features **** 12186:20160427:160845.337 IPv6 support: YES 12186:20160427:160845.337 TLS support: NO 12186:20160427:160845.337 ************************** 12186:20160427:160845.337 using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf zabbix_agentd3.0 [12186]: cannot create IPC key for path [/zab/bin/3.0/etc/zabbix_agentd.conf] id [l]: [13] Permission denied 12186:20160427:160845.337 cannot create IPC key for collector if configured to syslog, then is syslog:
Apr 27 16:10:02 it0 zabbix_agentd[12246]: Starting Zabbix Agent [it0]. Zabbix 3.0.2rc1 (revision 58788).
Apr 27 16:10:02 it0 zabbix_agentd[12246]: **** Enabled features ****
Apr 27 16:10:02 it0 zabbix_agentd[12246]: IPv6 support: YES
Apr 27 16:10:02 it0 zabbix_agentd[12246]: TLS support: NO
Apr 27 16:10:02 it0 zabbix_agentd[12246]: **************************
Apr 27 16:10:02 it0 zabbix_agentd[12246]: using configuration file: /zab/bin/3.0/etc/zabbix_agentd.conf
Apr 27 16:10:02 it0 zabbix_agentd[12246]: cannot create IPC key for collector
Note the difference in logged lines in syslog and native log - that's also not very good because in syslog we don't have human "understandable" part like "Permission denied" Just in case, with LogType=console but without AllowRoot=1, as expected: # ./zabbix_agentd3.0 -c /zab/bin/3.0/etc/zabbix_agentd.conf -f zabbix_agentd3.0 [20082]: cannot run as root! So, because of double forking, zabbix agent was able to actually read the config file (to know where to write log to), but when it switched to "zabbix" account it could not work correctly and stopped. Such specific behavior is not very clear and I believe have to be improved to not mislead zabbix users. Ideally agent should print the error message to STDERR in any case and exit with error code 1 (that's very important for init scripts too). |
| Comments |
| Comment by Oleksii Zagorskyi [ 2016 Apr 27 ] |
|
not related, just a link here - |
| Comment by Aleksandrs Saveljevs [ 2016 Apr 27 ] |
|
Can this be considered a duplicate of ZBX-8893? zalex_ua well, I agree that they are very related and ZBX-8893 would improve (or even fix) current one too. |
