Configuration_of_scripts-1.png
Configuration_of_scripts.png
Team A
[ZBX-17916] agent2 frontendscripts error in allow parameter Created: 2020 Jun 16 Updated: 2024 Apr 10 Resolved: 2020 Oct 09 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Agent (G) |
| Affects Version/s: | 5.0.1 |
| Fix Version/s: | 5.0.5rc1, 5.2.0beta2, 5.2 (plan) |
| Type: | Problem report | Priority: | Trivial |
| Reporter: | Patrik Uytterhoeven | Assignee: | Andris Mednis |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | agent, agent2, scripts | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
ubuntu 18 |
||
| Attachments: |
Configuration_of_scripts-1.png
Configuration_of_scripts.png
|
| Team: | Team A |
| Sprint: | Sprint 68 (Sep 2020), Sprint 69 (Oct 2020) |
| Story Points: | 0.5 |
| Description |
|
zabbix server has a frontend script that executes sudo /sbin/reboot
agent 2 has a config : AllowKey=system.run[sudo /sbin/reboot]
the agent will fail to reboot solution AllowKey=system.run[sudo /sbin/reboot,wait]
so the agent2 is expecting the 2nd parameter instead of using the default value 2020/06/16 12:31:10.109972 [1] registering new client |
| Comments |
| Comment by Kristians Pavars [ 2020 Jun 18 ] |
|
Hi patrik
Thanks for reaching out to public bug tracker. Have you tried to execute the key with zabbix_get command? config: AllowKey=system.run[/sbin/reboot] DenyKey=system.run[*] command:
zabbix_get -s 127.0.0.1 -p 10040 -k "system.run[/sbin/reboot]"
What is your frontend script configuration?
Thanks, |
| Comment by Patrik Uytterhoeven [ 2020 Jun 19 ] |
|
|
| Comment by Kristians Pavars [ 2020 Jun 19 ] |
|
Hi patrik,
Confirmed this behavior on both agent and agent 2, though the error message is different. Seems that in both cases the frontend script automatically adds 'wait' parameter but is not executed due to it not being explicitly allowed in AllowKey Allowed Keys in agents:
AllowKey=system.run[echo test]
AllowKey=system.run[echo 'test with wait',wait]
DenyKey=system.run[*]
From logs: Zabbix Agent 2: 2020/06/19 14:50:28.830465 received passive check request: 'system.run[echo test,wait]' from '127.0.0.1' 2020/06/19 14:50:28.830560 [1] processing update request (1 requests) 2020/06/19 14:50:28.830589 [1] cannot monitor metric "system.run[echo test,wait]": Unknown metric system.run 2020/06/19 14:50:28.830616 sending passive check response: ZBX_NOTSUPPORTED: 'Unknown metric system.run' to '127.0.0.1' [..] 2020/06/19 14:50:31.856237 received passive check request: 'system.run[echo 'test with wait',wait]' from '127.0.0.1' 2020/06/19 14:50:31.856422 [1] processing update request (1 requests) 2020/06/19 14:50:31.856464 [1] adding new request for key: 'system.run[echo 'test with wait',wait]' 2020/06/19 14:50:31.856485 [1] created direct exporter task for plugin 'SystemRun' itemid:0 key 'system.run[echo 'test with wait',wait]' 2020/06/19 14:50:31.856498 [1] created configurator task for plugin SystemRun 2020/06/19 14:50:31.856540 plugin SystemRun: executing configurator task 2020/06/19 14:50:31.858327 executing direct exporter task for key 'system.run[echo 'test with wait',wait]' 2020/06/19 14:50:31.858372 [SystemRun] Executing command:'echo 'test with wait'' 2020/06/19 14:50:31.866550 [SystemRun] command:'echo 'test with wait'' length:14 output:'test with wait' 2020/06/19 14:50:31.866857 executed direct exporter task for key 'system.run[echo 'test with wait',wait]' 2020/06/19 14:50:31.867626 sending passive check response: 'test with wait' to '127.0.0.1' Zabbix Agent: 1330:20200619:145913.202 Requested [system.run[echo test,wait]] 1330:20200619:145913.202 Key access denied: "system.run[echo test,wait]" 1330:20200619:145913.202 Sending back [ZBX_NOTSUPPORTED: Unsupported item key.] [..] 1332:20200619:145921.460 Requested [system.run[echo 'test with wait',wait]] 1332:20200619:145921.460 Executing command 'echo 'test with wait'' 1332:20200619:145921.460 In zbx_popen() command:'echo 'test with wait'' 1332:20200619:145921.461 End of zbx_popen():7 1416:20200619:145921.461 zbx_popen(): executing script 1332:20200619:145921.462 In zbx_waitpid() 1332:20200619:145921.462 zbx_waitpid() exited, status:0 1332:20200619:145921.462 End of zbx_waitpid():1416 1332:20200619:145921.462 EXECUTE_STR() command:'echo 'test with wait'' len:14 cmd_result:'test with wait' 1332:20200619:145921.463 Sending back [test with wait]
Thanks, |
| Comment by Andris Mednis [ 2020 Sep 26 ] |
|
It is more complicated than previously thought. Zabbix server adds "wait" or nowait" to system.run[] for a reason. Let's take as an example a shell command "ls -l /vmlinuz". Zabbix server can send "ls -l /vmlinuz" to agent via system.run[]:
The agent checks AllowKey/DenyKey. Specifying only It was decided to stop adding "wait" in Zabbix server - it is a default. |
| Comment by Andris Mednis [ 2020 Sep 28 ] |
|
(1) [D] improve documentation about agent and agent2 AllowKey parameter: martins-v, can you take a look? I propose to modify only https://www.zabbix.com/documentation/current/manual/config/items/restrict_checks by adding a new section system.run and AllowKeyLet's take a hypothetical script 'myscript.sh'. It can be executed on a host via Zabbix agent in several ways:
If we set AllowKey like AllowKey=system.run[myscript.sh] then system.run[myscript.sh] will be allowed but system.run[myscript.sh,wait] and system.run[myscript.sh,nowait] will not be allowed - the script will not be run if invoked as a step of Action. To allow all described variants you can put AllowKey=system.run[myscript.sh,*] DenyKey=system.run[*] into zabbix_agentd and zabbix_agent2 configuration. martins-v Thanks, RESOLVED andris: Thanks! I forgot about active checks. Can you modify As an item key in a passive check, for example: to As an item key in a passive or active check, for example: ? martins-v RESOLVED andris: CLOSED |
| Comment by Patrik Uytterhoeven [ 2020 Sep 28 ] |
|
thx Vladislavs and Kristiāns |
| Comment by Andris Mednis [ 2020 Sep 30 ] |
|
Available in versions:
Updated documentation: |
