nmtysh.log

I write about tech topics and my day-to-day musings.

Running Zabbix on CentOS 7 with SELinux left enabled

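I had occasion to build a Zabbix environment, and when I tried to build it with SELinux left enabled I got stuck in various ways, so this is a memo of what happened.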

0. Environment

Host

Guest

$ vagrant box list
centos/7 (virtualbox, 1710.01)
[vagrant@localhost ~]$ cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)

1. Installing the required packages

$ yes | sudo yum update
$ sudo rpm -ivh http://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm
$ yes | sudo yum install zabbix-server-mysql zabbix-web-mysql zabbix-web-japanese
$ yes | sudo yum install mariadb mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl status mariadb

2. Creating the database and user for Zabbix in the DB

Since this is only a test, the password setup is sloppy.
When building it for real, I will configure it properly.

$ mysql -u root
CREATE USER zabbix@localhost IDENTIFIED BY 'zabbix';
CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;
GRANT ALL PRIVILEGES ON zabbix.* TO zabbix@localhost;
FLUSH PRIVILEGES;
\q
$ zcat /usr/share/doc/zabbix-server-mysql-3.4.4/create.sql.gz | mysql -uzabbix -p zabbix

Add the DB-related settings (password and so on) to the Zabbix configuration file.

$ sudo vi /etc/zabbix/zabbix_server.conf

3. Starting the services

$ sudo systemctl start httpd
$ sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
$ sudo systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
$ sudo systemctl start mariadb
$ sudo systemctl enable zabbix-server
Created symlink from /etc/systemd/system/multi-user.target.wants/zabbix-server.service to /usr/lib/systemd/system/zabbix-server.service.
$ sudo systemctl start zabbix-server
$ sudo systemctl status zabbix-server -l
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: resources) since Mon 2017-11-13 12:28:02 UTC; 2s ago
  Process: 2703 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
  Process: 2722 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 2702 (code=exited, status=1/FAILURE)

Nov 13 12:28:02 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing.
Nov 13 12:28:02 localhost.localdomain systemd[1]: Failed to start Zabbix Server.
Nov 13 12:28:02 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state.
Nov 13 12:28:02 localhost.localdomain systemd[1]: zabbix-server.service failed.

zabbix-server failed to start.

4. Trial and error with the SELinux policy settings

Because zabbix-server does not start, I set the SELinux policy with reference to Stack Overflow (see the end of the post for the reference links).

$ yes | sudo yum install policycoreutils-python
$ sudo semanage permissive -a zabbix_agent_t

Running semanage took a little while.

I tried starting zabbix-server again, but got an error.
I also tried rebooting CentOS, but it still does not start.
I go on to try other things.

$ getsebool -a|grep zabbix
httpd_can_connect_zabbix --> off
zabbix_can_network --> off
$ sudo setsebool -P httpd_can_connect_zabbix on
$ sudo setsebool -P zabbix_can_network on

It still does not start...

When I tried disabling SELinux, it started, so the cause appears to be that the policy is insufficient.

$ sudo setenforce 0

$ sudo systemctl status zabbix-server
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-11-13 12:43:54 UTC; 11s ago
  Process: 2264 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 2266 (zabbix_server)
   CGroup: /system.slice/zabbix-server.service
           ├─2266 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
           ├─2271 /usr/sbin/zabbix_server: configuration syncer [waiting 60 s...
           ├─2272 /usr/sbin/zabbix_server: alerter #1 started
           ├─2273 /usr/sbin/zabbix_server: alerter #2 started
           ├─2274 /usr/sbin/zabbix_server: alerter #3 started
           ├─2275 /usr/sbin/zabbix_server: housekeeper [startup idle for 30 m...
           ├─2276 /usr/sbin/zabbix_server: timer #1 [processed 0 triggers, 0 ...
           ├─2277 /usr/sbin/zabbix_server: http poller #1 [got 0 values in 0....
           ├─2278 /usr/sbin/zabbix_server: discoverer #1 [processed 0 rules i...
           ├─2279 /usr/sbin/zabbix_server: history syncer #1 [synced 0 items ...
           ├─2280 /usr/sbin/zabbix_server: history syncer #2 [synced 0 items ...
           ├─2281 /usr/sbin/zabbix_server: history syncer #3 [synced 0 items ...
           ├─2282 /usr/sbin/zabbix_server: history syncer #4 [synced 0 items ...
           ├─2283 /usr/sbin/zabbix_server: escalator #1 [processed 0 escalati...
           ├─2284 /usr/sbin/zabbix_server: proxy poller #1 [exchanged data wi...
           ├─2285 /usr/sbin/zabbix_server: self-monitoring [processed data in...
           ├─2286 /usr/sbin/zabbix_server: task manager [processed 0 task(s) ...
           ├─2287 /usr/sbin/zabbix_server: poller #1 [got 0 values in 0.00000...
           ├─2288 /usr/sbin/zabbix_server: poller #2 [got 0 values in 0.00000...
           ├─2289 /usr/sbin/zabbix_server: poller #3 [got 0 values in 0.00000...
           ├─2290 /usr/sbin/zabbix_server: poller #4 [got 0 values in 0.00000...
           ├─2291 /usr/sbin/zabbix_server: poller #5 [got 0 values in 0.00000...
           ├─2292 /usr/sbin/zabbix_server: unreachable poller #1 [got 0 value...
           ├─2293 /usr/sbin/zabbix_server: trapper #1 [processed data in 0.00...
           ├─2294 /usr/sbin/zabbix_server: trapper #2 [processed data in 0.00...
           ├─2295 /usr/sbin/zabbix_server: trapper #3 [processed data in 0.00...
           ├─2296 /usr/sbin/zabbix_server: trapper #4 [processed data in 0.00...
           ├─2297 /usr/sbin/zabbix_server: trapper #5 [processed data in 0.00...
           ├─2298 /usr/sbin/zabbix_server: icmp pinger #1 [got 0 values in 0....
           ├─2299 /usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0...
           ├─2300 /usr/sbin/zabbix_server: preprocessing manager #1 [queued 0...
           ├─2301 /usr/sbin/zabbix_server: preprocessing worker #1 started
           ├─2302 /usr/sbin/zabbix_server: preprocessing worker #2 started
           └─2303 /usr/sbin/zabbix_server: preprocessing worker #3 started

Nov 13 12:43:54 localhost.localdomain systemd[1]: zabbix-server.service holdo...
Nov 13 12:43:54 localhost.localdomain systemd[1]: Starting Zabbix Server...
Nov 13 12:43:54 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix...
Nov 13 12:43:54 localhost.localdomain systemd[1]: Started Zabbix Server.
Hint: Some lines were ellipsized, use -l to show in full.

It started in permissive mode, so I check the audit log.

[vagrant@localhost ~]$ sudo less /var/log/messages
[vagrant@localhost ~]$ sudo sealert -l 8d624bbe-b4db-4211-a8d2-3c44d8eb9fea
(omitted)

# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
# semodule -i my-zabbixserver.pp

[vagrant@localhost ~]$ sudo ausearch -c 'zabbix_server' --raw | sudo audit2allow -M my-zabbixserver
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-zabbixserver.pp

[vagrant@localhost ~]$ sudo semodule -i my-zabbixserver.pp

After rebooting the OS, it started even with SELinux enabled.

http://127.0.0.1:8080/zabbix/setup.php
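
Added example (not part of the original post): before installing a module generated by audit2allow, it helps to see which permissions the collected denials would turn into allow rules. The script below summarizes AVC records per source type, target type and class; the sample records, the function names and the list of target types treated as expected for zabbix_t are assumptions made for illustration.

```shell
# Constructed sample in the format of `ausearch -c 'zabbix_server' --raw`
# (not taken from the original host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1510576082.101:201): avc:  denied  { create } for  pid=2702 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1510576082.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="zabbix_server" exe="/usr/sbin/zabbix_server"
type=AVC msg=audit(1510576082.140:202): avc:  denied  { setrlimit } for  pid=2702 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1510576112.310:230): avc:  denied  { create } for  pid=2722 comm="zabbix_server" name="zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1510576112.355:231): avc:  denied  { unlink } for  pid=2722 comm="zabbix_server" name="zabbix_server_alerter.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
EOF
}

# Reads raw audit records on stdin and prints one line per
# (source type, target type, class) with the union of denied permissions
# and the number of denials: "src tgt class { perms } count".
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # The denied permissions sit between "{" and "}".
      perms = $0; sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      key = src " " tgt " " cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; set[key] = set[key] " " p[j] }
      count[key]++
    }
    END { for (k in count) printf "%s {%s } %d\n", k, set[k], count[k] }
  ' | sort
}

# Prints summary lines that go beyond zabbix_t touching its own runtime
# files or itself (assumed allowlist); these deserve a manual look.
unexpected_rules() {
  summarize_avc | awk '$1 != "zabbix_t" || ($2 != "zabbix_var_run_t" && $2 != "zabbix_t")'
}

sample_avc | summarize_avc
```

On a real host, pipe `sudo ausearch -c 'zabbix_server' --raw` into `summarize_avc` and compare the result with the generated `my-zabbixserver.te` before running `semodule -i`.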

5. Bonus

Japanese could not be selected in the language selection on the Zabbix web page, so I fixed the locale settings.

$ sudo localedef -f UTF-8 -i ja_JP ja_JP
$ sudo systemctl restart httpd

x. References