I had occasion to build a Zabbix environment and tried doing it with SELinux left enabled. I got stuck in several places, so these are my notes.
0. Environment
Host
- macOS Sierra
- VirtualBox 5.1.x
- Vagrant 2.0.x
Guest
$ vagrant box list
centos/7 (virtualbox, 1710.01)
[vagrant@localhost ~]$ cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
1. Installing the required packages
$ yes | sudo yum update
$ sudo rpm -ivh http://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/zabbix-release-3.4-2.el7.noarch.rpm
$ yes | sudo yum install zabbix-server-mysql zabbix-web-mysql zabbix-web-japanese
$ yes | sudo yum install mariadb mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl status mariadb
2. Creating the Zabbix database and user
This is only a test setup, so the password is deliberately weak.
For a real deployment I would set it properly.
$ mysql -u root
CREATE USER zabbix@localhost IDENTIFIED BY 'zabbix';
CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;
GRANT ALL PRIVILEGES ON zabbix.* TO zabbix@localhost;
FLUSH PRIVILEGES;
\q
$ zcat /usr/share/doc/zabbix-server-mysql-3.4.4/create.sql.gz | mysql -uzabbix -p zabbix
Add the database settings (password and so on) to the Zabbix configuration file.
$ sudo vi /etc/zabbix/zabbix_server.conf
3. Starting the services
$ sudo systemctl start httpd
$ sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
$ sudo systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
$ sudo systemctl start mariadb
$ sudo systemctl enable zabbix-server
Created symlink from /etc/systemd/system/multi-user.target.wants/zabbix-server.service to /usr/lib/systemd/system/zabbix-server.service.
$ sudo systemctl start zabbix-server
$ sudo systemctl status zabbix-server -l
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: resources) since Mon 2017-11-13 12:28:02 UTC; 2s ago
  Process: 2703 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
  Process: 2722 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 2702 (code=exited, status=1/FAILURE)
Nov 13 12:28:02 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing.
Nov 13 12:28:02 localhost.localdomain systemd[1]: Failed to start Zabbix Server.
Nov 13 12:28:02 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state.
Nov 13 12:28:02 localhost.localdomain systemd[1]: zabbix-server.service failed.
zabbix-server fails to start.
4. Trial and error with the SELinux policy
Because zabbix-server does not start, I set up SELinux policy following a Stack Overflow answer (see the reference links at the end).
$ yes | sudo yum install policycoreutils-python
$ sudo semanage permissive -a zabbix_agent_t
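Running semanage took a little while.
I tried starting zabbix-server again, but it still failed.
I also tried rebooting CentOS, and it still would not start.
So I kept going with more trial and error.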
$ getsebool -a|grep zabbix
httpd_can_connect_zabbix --> off
zabbix_can_network --> off
$ sudo setsebool -P httpd_can_connect_zabbix on
$ sudo setsebool -P zabbix_can_network on
Still does not start...
As a test I turned off SELinux enforcement and the server started, so the cause appears to be missing policy.
$ sudo setenforce 0
$ sudo systemctl status zabbix-server
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-11-13 12:43:54 UTC; 11s ago
  Process: 2264 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 2266 (zabbix_server)
   CGroup: /system.slice/zabbix-server.service
           ├─2266 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
           ├─2271 /usr/sbin/zabbix_server: configuration syncer [waiting 60 s...
           ├─2272 /usr/sbin/zabbix_server: alerter #1 started
           ├─2273 /usr/sbin/zabbix_server: alerter #2 started
           ├─2274 /usr/sbin/zabbix_server: alerter #3 started
           ├─2275 /usr/sbin/zabbix_server: housekeeper [startup idle for 30 m...
           ├─2276 /usr/sbin/zabbix_server: timer #1 [processed 0 triggers, 0 ...
           ├─2277 /usr/sbin/zabbix_server: http poller #1 [got 0 values in 0....
           ├─2278 /usr/sbin/zabbix_server: discoverer #1 [processed 0 rules i...
           ├─2279 /usr/sbin/zabbix_server: history syncer #1 [synced 0 items ...
           ├─2280 /usr/sbin/zabbix_server: history syncer #2 [synced 0 items ...
           ├─2281 /usr/sbin/zabbix_server: history syncer #3 [synced 0 items ...
           ├─2282 /usr/sbin/zabbix_server: history syncer #4 [synced 0 items ...
           ├─2283 /usr/sbin/zabbix_server: escalator #1 [processed 0 escalati...
           ├─2284 /usr/sbin/zabbix_server: proxy poller #1 [exchanged data wi...
           ├─2285 /usr/sbin/zabbix_server: self-monitoring [processed data in...
           ├─2286 /usr/sbin/zabbix_server: task manager [processed 0 task(s) ...
           ├─2287 /usr/sbin/zabbix_server: poller #1 [got 0 values in 0.00000...
           ├─2288 /usr/sbin/zabbix_server: poller #2 [got 0 values in 0.00000...
           ├─2289 /usr/sbin/zabbix_server: poller #3 [got 0 values in 0.00000...
           ├─2290 /usr/sbin/zabbix_server: poller #4 [got 0 values in 0.00000...
           ├─2291 /usr/sbin/zabbix_server: poller #5 [got 0 values in 0.00000...
           ├─2292 /usr/sbin/zabbix_server: unreachable poller #1 [got 0 value...
           ├─2293 /usr/sbin/zabbix_server: trapper #1 [processed data in 0.00...
           ├─2294 /usr/sbin/zabbix_server: trapper #2 [processed data in 0.00...
           ├─2295 /usr/sbin/zabbix_server: trapper #3 [processed data in 0.00...
           ├─2296 /usr/sbin/zabbix_server: trapper #4 [processed data in 0.00...
           ├─2297 /usr/sbin/zabbix_server: trapper #5 [processed data in 0.00...
           ├─2298 /usr/sbin/zabbix_server: icmp pinger #1 [got 0 values in 0....
           ├─2299 /usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0...
           ├─2300 /usr/sbin/zabbix_server: preprocessing manager #1 [queued 0...
           ├─2301 /usr/sbin/zabbix_server: preprocessing worker #1 started
           ├─2302 /usr/sbin/zabbix_server: preprocessing worker #2 started
           └─2303 /usr/sbin/zabbix_server: preprocessing worker #3 started
Nov 13 12:43:54 localhost.localdomain systemd[1]: zabbix-server.service holdo...
Nov 13 12:43:54 localhost.localdomain systemd[1]: Starting Zabbix Server...
Nov 13 12:43:54 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix...
Nov 13 12:43:54 localhost.localdomain systemd[1]: Started Zabbix Server.
Hint: Some lines were ellipsized, use -l to show in full.
Since it started in permissive mode, I check the audit log.
[vagrant@localhost ~]$ sudo less /var/log/messages
[vagrant@localhost ~]$ sudo sealert -l 8d624bbe-b4db-4211-a8d2-3c44d8eb9fea
(omitted)
# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
# semodule -i my-zabbixserver.pp
[vagrant@localhost ~]$ sudo ausearch -c 'zabbix_server' --raw | sudo audit2allow -M my-zabbixserver
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-zabbixserver.pp

[vagrant@localhost ~]$ sudo semodule -i my-zabbixserver.pp
After rebooting the OS, zabbix-server started even with SELinux enabled.
http://127.0.0.1:8080/zabbix/setup.php
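Added example, not part of the original post: `audit2allow -M` turns every matching denial into an allow rule, so it helps to see which access vectors are involved before loading the module. The function below summarises raw AVC records for one command name (the same filter as `ausearch -c`); the helper names `summarize_avc` and `sample_audit` and the sample records are constructed for illustration.

```shell
# summarize_avc COMM: read raw audit records on stdin and print
# "count source_type target_type class perms" for denials raised by COMM.
# Denials from other commands are ignored, like `ausearch -c COMM`.
summarize_avc() {
    awk -v want="$1" '
    /avc:[ ]+denied/ {
        comm = src = tgt = cls = perms = ""
        if (match($0, /[{][^}]*[}]/)) {            # "{ perm1 perm2 }"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm == want) seen[src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

# Constructed sample records (not taken from the post's audit log).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1510576082.101:201): avc:  denied  { setrlimit } for  pid=2702 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1510576092.101:215): avc:  denied  { setrlimit } for  pid=2722 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1510576093.300:216): avc:  denied  { create } for  pid=2722 comm="zabbix_server" name="example.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1510576095.000:220): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket
EOF
}

sample_audit | summarize_avc zabbix_server
```

On the guest, `sudo ausearch -c 'zabbix_server' --raw | summarize_avc zabbix_server` gives the same view of the real denials. The earlier `semanage permissive -a zabbix_agent_t` did not fix the startup failure and can be reverted with `sudo semanage permissive -d zabbix_agent_t`.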
5. Bonus
Japanese could not be selected in the language chooser of the Zabbix web page, so I fixed the locale configuration.
$ sudo localedef -f UTF-8 -i ja_JP ja_JP
$ sudo systemctl restart httpd
x. References
- https://www.zabbix.com/documentation/3.4/manual/installation
- https://knowledge.sakura.ad.jp/585/2/
- https://qiita.com/atanaka7/items/294a639effdb804cfdaa
- https://stackoverflow.com/questions/39919179/zabbix-agent-service-failed-pid-not-readable
- https://qiita.com/yunano/items/857ab36faa0d695573dd
- http://kakakakakku.hatenablog.com/entry/2013/12/05/165339
- https://www.zabbix.org/wiki/How_to/install_locale