[ZBX-15002] Agent Update Reverts tmpfiles.d config Back to Default
Created: 2018 Oct 13 | Updated: 2018 Dec 27 | Resolved: 2018 Dec 27 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G), Installation (I) |
Affects Version/s: | 3.4.14 |
Fix Version/s: | None |
Type: | Incident report | Priority: | Minor |
Reporter: | Frank Ucman | Assignee: | Unassigned |
Resolution: | Won't fix | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Red Hat Enterprise Linux Server release 7.5 (Maipo) |
Description |
Steps to reproduce:
1. Prior to update have zabbix-agent-3.4.12-1.el7.x86_64 installed, can see in the rpm verify settings tmpfiles.d/zabbix-agent.conf is not tagged as a config file
    $ rpm -V zabbix-agent
    S.5....T. c /etc/logrotate.d/zabbix-agent
    S.5....T. c /etc/zabbix/zabbix_agentd.conf
    ..5....T. /usr/lib/tmpfiles.d/zabbix-agent.conf
    .....UG.. /var/log/zabbix
    .M....... /var/run/zabbix
Contents of the tmpfiles.d/zabbix-agent.conf file has settings for /var/run/ to be 777 so service account can write to it after reboot.
    $ cat /usr/lib/tmpfiles.d/zabbix-agent.conf
    d /run/zabbix 0777 zabbix zabbix - -
2. run "yum update zabbix-agent"
Result: Contents of the tmpfiles.d/zabbix-agent.conf get set back to default.
    $ cat /usr/lib/tmpfiles.d/zabbix-agent.conf
    d /run/zabbix 0755 zabbix zabbix - -
and permissions on /var/run/zabbix changed to 0755
    $ ls -ld /var/run/zabbix
    drwxr-xr-x. 2 zabbix zabbix 40 Oct 12 18:11 /var/run/zabbix
so the service account being used can not write to /var/run/zabbix and agent fails to start.
Expected: The yum update of zabbix-agent would not overwrite the contents of /usr/lib/tmpfiles.d/zabbix-agent.conf. We need this as company policy won't allow us to use the default zabbix user, and after a yum update the service account can no longer start zabbix, without updating the tmpfiles.d config and permissions on /var/run/zabbix. Thanks |
Comments |
Comment by Frank Ucman [ 2018 Oct 23 ] |
Looks like this also affects RHEL 6 servers: when updating from 3.4.12 to 3.4.14, the ownership of /var/run/zabbix is changed to the default "zabbix" user. |
Comment by Aigars Kadikis [ 2018 Oct 23 ] |
Hello Frank, Thank you for making Zabbix a better product. Could you please give us some reference links regarding the conf tagging topic? Would you mind including some pointers on how we can actually prepare the package to suit this standard? Kind regards, |
Comment by Frank Ucman [ 2018 Oct 23 ] |
I was unable to find any reference of /usr/lib/tmpfiles.d/zabbix-agent.conf on the official Zabbix sites.
What I am seeing is after default install using agent version 3.4.12 the contents are:
    d /run/zabbix 0755 zabbix zabbix - -
To run as a different user need to change user here or open permissions so users other than zabbix can write to /var/run/zabbix. We changed to:
    d /run/zabbix 0777 zabbix zabbix - -
So that the service account we use for Zabbix would be able to write there. This worked fine until patching to version 3.4.14. After patching the contents went back to the original settings and our service account cannot write /var/log/zabbix without updating permissions on /var/run/zabbix and the contents of /usr/lib/tmpfiles.d/zabbix-agent.conf again.
This also appears to be happening in our RHEL 6 servers, just without the tmpfiles.d configuration file. After updating to version 3.4.14 the ownership and permissions on /var/run/zabbix are changed back to the default 0755 and zabbix user so other service accounts cannot start Zabbix. Thanks |
Comment by Aigars Kadikis [ 2018 Dec 27 ] |
Hello Frank, This is supposed to be like that. As a workaround, you can create your custom package including '/usr/lib/tmpfiles.d/zabbix-agent.conf' which will reset/set your custom permissions. I will close this issue as Won't fix. |
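
Added example, not part of the ticket or of the Zabbix packages: on RHEL 7, systemd-tmpfiles reads a same-named file in /etc/tmpfiles.d in preference to the packaged copy in /usr/lib/tmpfiles.d, and the RPM does not own that file. The sketch below flags the world-writable 0777 entry from the report and renders a drop-in that keeps 0755 but gives the directory to the service account. The account name svc_zabbix and both function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Constructed samples: the two variants quoted in the report.
EDITED='d /run/zabbix 0777 zabbix zabbix - -'
PACKAGED='d /run/zabbix 0755 zabbix zabbix - -'

# Read tmpfiles.d lines on stdin (type path mode user group age argument) and
# print the path of every directory entry that is world-writable without the
# sticky bit, i.e. any local user could create or replace files in it.
find_world_writable() {
    while read -r type path mode _rest; do
        case "$type" in d*|D*) ;; *) continue ;; esac   # directories only
        mode=${mode#[~:]}                               # drop mode prefixes
        case "$mode" in ''|*[!0-7]*) continue ;; esac   # "-" or not octal
        bits=$((0$mode))                                # parse as octal
        # 0002 = other-write bit, 01000 = sticky bit
        if [ $((bits & 0002)) -ne 0 ] && [ $((bits & 01000)) -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Render the drop-in line: same 0755 mode as the packaged default, but owned
# by the account the agent really runs as ($1 = user, $2 = group).
render_override() {
    printf 'd /run/zabbix 0755 %s %s - -\n' "$1" "$2"
}

echo "world-writable in edited file:   $(printf '%s\n' "$EDITED" | find_world_writable)"
echo "world-writable in packaged file: $(printf '%s\n' "$PACKAGED" | find_world_writable)"
echo "drop-in for /etc/tmpfiles.d/zabbix-agent.conf:"
render_override svc_zabbix svc_zabbix   # svc_zabbix is a hypothetical account
```

The rendered line would be saved as /etc/tmpfiles.d/zabbix-agent.conf; this does not apply to the RHEL 6 hosts mentioned in the thread, which have no tmpfiles.d.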