[ZBXNEXT-9380] Support zabbix-agent2 to drop privileges Created: 2024 Aug 01  Updated: 2024 Aug 01

Status: Open
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent2 plugin (G)
Affects Version/s: 6.0.31
Fix Version/s: None

Type: Change Request Priority: Medium
Reporter: Viacheslav Assignee: Vjaceslavs Bogdanovs
Resolution: Unresolved Votes: 0
Labels: vyos
Remaining Estimate: 26h
Time Spent: Not Specified
Original Estimate: 26h
Environment:

VyOS 1.5-rolling-202408010023



Description

Background:

We integrated zabbix-agent2 with VRF support into VyOS (based on Debian bookworm).

So, the same is true for Debian.

And had issues if the systemd unit was started as the user `zabbix` under a VRF:

```
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Scheduled restart job, restart counter is at 282.
Jul 31 16:47:30 r4 systemd[1]: Stopped zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 ip[9020]: mkdir failed for /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf: Permission denied
Jul 31 16:47:30 r4 ip[9020]: Failed to setup vrf cgroup2 directory
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Main process exited, code=exited, status=255/EXCEPTION
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.
```

Additional capabilities do not work either (https://vyos.dev/T5657#196808):

```
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER
```
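Review bot: the two added directives have been run together into one line here; `+CapabilityBoundingSet=...` and `+AmbientCapabilities=...` are separate lines of the drop-in and should be quoted as such. On substance, CapabilityBoundingSet= only limits what the service may ever hold, while AmbientCapabilities= is what actually hands the listed capabilities to the non-root `zabbix` user, and that list includes CAP_SYS_ADMIN and CAP_DAC_OVERRIDE, which together are close to full root. So even where this variant starts, it is not a meaningful privilege reduction compared with User=root, which is a further argument for the agent dropping privileges itself after the VRF setup rather than being granted capabilities up front.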

We have to use the user "root" in the systemd unit to start the service correctly under a VRF:

User=root

```

set vrf name mgmt table '123'
set interfaces dummy dum123 vrf 'mgmt'

set vrf bind-to-all
set service monitoring zabbix-agent host-name 'r4'
set service monitoring zabbix-agent server '192.0.2.5'
set service monitoring zabbix-agent vrf 'mgmt'

```

Status

```

vyos@r4# sudo systemctl status zabbix-agent2
● zabbix-agent2.service - Zabbix Agent 2
     Loaded: loaded (/lib/systemd/system/zabbix-agent2.service; disabled; preset: enabled)
    Drop-In: /run/systemd/system/zabbix-agent2.service.d
             └─10-override.conf
     Active: active (running) since Thu 2024-08-01 12:37:55 EEST; 1min 49s ago
       Docs: man:zabbix_agent2
   Main PID: 6230 (zabbix_agent2)
      Tasks: 9 (limit: 18718)
     Memory: 26.5M
        CPU: 392ms
     CGroup: /system.slice/zabbix-agent2.service
             └─vrf
               └─mgmt
                 └─6230 /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground

Aug 01 12:37:55 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
Aug 01 12:37:55 r4 ip[6230]: Starting Zabbix Agent 2 (6.0.14)
Aug 01 12:37:55 r4 ip[6230]: Zabbix Agent2 hostname: [r4]
Aug 01 12:37:55 r4 ip[6230]: Press Ctrl+C to exit.
[edit]
vyos@r4# 

```

Dropping privileges would be an excellent option, as starting the unit as root is insecure.
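As an added example that is not part of the ticket, nor of the VyOS or Zabbix projects, the following shell script shows one way to get most of what the reporter asks for with the agent as shipped: keep root only for `ip vrf exec`, which has to create the cgroup under /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf/, and hand the agent itself to the zabbix user with util-linux `setpriv` before it is exec'd. The process stays in the VRF cgroup, so the cgroup/BPF-based VRF binding survives the uid change while the capabilities do not. The script also carries the check a practitioner would run afterwards: the main PID must sit in the vrf/<name> cgroup with a non-root effective uid and an all-zero CapEff. The unit name, the VRF name `mgmt`, the config path and the user `zabbix` are taken from the ticket; the drop-in file name, the setpriv path and flags, and the sample /proc contents used in the check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ticket, VyOS or Zabbix. Part 1 renders a systemd
# drop-in that keeps root only for 'ip vrf exec' (which must create the cgroup
# /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf/<name>) and hands the
# agent to the zabbix user with util-linux setpriv before exec. Part 2 checks a
# running agent: VRF cgroup, non-root euid, no effective capabilities.
# Unit, VRF name, user and config path come from the ticket; drop-in file name,
# setpriv path and flags are assumptions.
set -u

# render_dropin VRF USER: print the drop-in for
# /etc/systemd/system/zabbix-agent2.service.d/ (file name is an assumption).
render_dropin() {
  vrf=$1; user=$2
  cat <<EOF
[Service]
# Clear the packaged ExecStart= before overriding it.
ExecStart=
# Root is needed only for the cgroup/BPF setup that 'ip vrf exec' performs.
User=root
# setpriv runs inside the vrf cgroup: it switches to ${user}, empties the bounding
# and inheritable capability sets, sets no_new_privs and execs the agent, which
# keeps the VRF binding (cgroup membership) but not the privileges.
ExecStart=/usr/sbin/ip vrf exec ${vrf} /usr/bin/setpriv --reuid=${user} --regid=${user} --init-groups --bounding-set=-all --inh-caps=-all --no-new-privs /usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
EOF
}

# vrf_of_cgroup /proc/PID/cgroup: VRF name from the cgroup2 path (.../vrf/<name>),
# empty output if the process is not in a vrf cgroup.
vrf_of_cgroup() {
  sed -n 's#^0::.*/vrf/\([^/]*\).*#\1#p' "$1"
}

# euid_of_status /proc/PID/status: effective uid (third field of the "Uid:" line).
euid_of_status() {
  awk '/^Uid:/ { print $3 }' "$1"
}

# capeff_of_status /proc/PID/status: effective capability mask as the kernel prints it.
capeff_of_status() {
  awk '/^CapEff:/ { print $2 }' "$1"
}

# check_agent PROCDIR VRF: returns 0 if the process in PROCDIR (e.g. /proc/6230)
# is in the VRF cgroup, has a non-root euid and no effective capabilities;
# returns 1 and explains on stderr otherwise.
check_agent() {
  procdir=$1; want_vrf=$2
  vrf=$(vrf_of_cgroup "$procdir/cgroup")
  euid=$(euid_of_status "$procdir/status")
  caps=$(capeff_of_status "$procdir/status")
  if [ "$vrf" != "$want_vrf" ]; then
    echo "not in vrf cgroup '$want_vrf' (got '${vrf:-none}')" >&2; return 1
  fi
  if [ -z "$euid" ] || [ "$euid" -eq 0 ]; then
    echo "agent still runs as root (euid ${euid:-?})" >&2; return 1
  fi
  # CapEff is 16 hex digits; anything other than all zeros means caps survived.
  case "$caps" in
    0000000000000000) ;;
    *) echo "agent kept capabilities: CapEff=$caps" >&2; return 1 ;;
  esac
  echo "ok: vrf=$vrf euid=$euid CapEff=$caps"
}

# Live use on the router, with the unit running:  sh this_script.sh --live mgmt
if [ "${1:-}" = "--live" ]; then
  pid=$(systemctl show -p MainPID --value zabbix-agent2)
  check_agent "/proc/$pid" "${2:-mgmt}"
fi
```

Install the rendered text as a drop-in (for instance `render_dropin mgmt zabbix > /etc/systemd/system/zabbix-agent2.service.d/20-setpriv.conf`, then `systemctl daemon-reload && systemctl restart zabbix-agent2`) and run the script with `--live mgmt`. Two caveats: the runtime directory, PID file and log location must be writable by zabbix once the agent no longer runs as root, and any item or plugin that silently relied on root will now fail, which is exactly what the check is meant to surface.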



Generated at Sat Aug 02 09:02:34 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.