Zabbix Agent on Cloudronserver?
-
Hi,
first of all I'm very happy with Cloudron, the concept and way it works!
I use a Zabbix server (https://www.zabbix.com/) to "probe" my Linux servers. They have Zabbix-Agent installed (https://www.zabbix.com/zabbix_agent).
My question is:
- can I install this agent on a Cloudron-server with:
wget https://repo.zabbix.com/zabbix/4.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.2-1+bionic_all.deb
dpkg -i zabbix-release_4.2-1+bionic_all.deb
apt update
apt install zabbix-agent
service zabbix-agent start
- will it work and keep working regardless of Cloudron updates or whatever it will do?
- do I need to apt-get update / apt-get upgrade manually or is there already a Cloudron script doing this?
Kind regards,
Marcel.
btw: maybe an App with Zabbix server can be added for all users?
-
Hi,
I do not have any experience with Zabbix, but the agent looks like it would not interfere with system configs or updates, so it should be OK to use that. Cloudron itself will update packages where it makes sense through a Cloudron version update. However, security updates are applied automatically in the background (this is also the reason why your Cloudron will sometimes show a notification about a required reboot).
-
A "bit" necroing here, but since I use the Zabbix Agent on all my hosts, including multiple Cloudron instances, I can say that installing and running the Zabbix Agent is no problem.
But you need to make sure you allow the Zabbix Agent port in iptables.
Also, you need to install iptables-persistent as well to persist your manual changes.
iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
Why put the rule into the CLOUDRON table and in second place, you may ask?
Since the first table of iptables is
Chain INPUT (policy ACCEPT)
target prot opt source destination
CLOUDRON_RATELIMIT all -- anywhere anywhere
CLOUDRON all -- anywhere anywhere
This will first lookup the RATELIMIT table and then the CLOUDRON table:
Chain CLOUDRON (1 references)
target prot opt source destination
DROP all -- anywhere anywhere match-set cloudron_blocklist src
ACCEPT tcp -- anywhere anywhere tcp dpt:zabbix-agent
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh,smtp,http,at-nbp,https
ACCEPT tcp -- anywhere anywhere multiport dports 3478,5349
ACCEPT udp -- anywhere anywhere multiport dports 3478,5349
ACCEPT udp -- anywhere anywhere multiport dports 50000:51000
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT all -- 172.18.0.0/16 anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP all -- anywhere anywhere
The first rule is a DROP and the last one is a DROP, so we want the rule to be within the other ACCEPT rules.
(You can see the result of the command above; the rule for Zabbix is in second place.)
-
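The rule-position reasoning in the post above can be checked mechanically. This is an added example, not part of the original thread: it reads `iptables -S CLOUDRON` output and reports where the first ACCEPT rule for port 10050 sits relative to the blocklist DROP and the catch-all DROP, and whether it is limited to a source address. The function name, the verdict labels and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit the Zabbix agent rule in the
# CLOUDRON chain. Reads `iptables -S CLOUDRON` output on stdin and prints
# "pos=N source=S verdict=V" for the first ACCEPT rule on the given port.
check_zabbix_rule() {
  awk -v port="${1:-10050}" '
    $1 != "-A" { next }                     # skip the "-N CLOUDRON" line
    { n++ }                                 # rule number, as used by -I
    /cloudron_blocklist/ && $NF == "DROP" { blocklist = n }
    NF == 4 && $3 == "-j" && $4 == "DROP" && !final { final = n }  # catch-all
    !pos && $NF == "ACCEPT" {
      for (i = 3; i < NF; i++)
        if ($i == "--dport" && $(i + 1) == port) pos = n
      if (pos)
        for (i = 3; i < NF; i++)
          if ($i == "-s") src = $(i + 1)
    }
    END {
      if (!pos)                              v = "missing"
      else if (final && pos > final)         v = "shadowed"          # after catch-all DROP
      else if (blocklist && pos < blocklist) v = "before-blocklist"  # skips the blocklist
      else if (src == "")                    v = "open"              # any source address
      else                                   v = "ok"
      printf "pos=%d source=%s verdict=%s\n", pos, (src == "" ? "any" : src), v
    }'
}

# Constructed sample: the chain from the post above, in `iptables -S` form.
SAMPLE_CHAIN='-N CLOUDRON
-A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
-A CLOUDRON -p tcp -m tcp --dport 10050 -j ACCEPT
-A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT
-A CLOUDRON -j DROP'

printf '%s\n' "$SAMPLE_CHAIN" | check_zabbix_rule
# On a live host: iptables -S CLOUDRON | check_zabbix_rule
```

The sample reports `open` because the rule accepts port 10050 from any source; adding `-s` with the Zabbix server's address to the `iptables -I` command narrows it to that host.
-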
@BrutalBirdie said in Zabbix Agent on Cloudronserver?:
But you need to make sure you allow the Zabbix Agent Port in iptables.
Thanks for bringing up this old thread, as I obviously never explained how I solved it: simply by installing Zabbix Agent and using the Active mode. Then you don't need to open ports and it works perfectly!
Though I'm still curious how I can get insights into the Docker containers: I do get all the container items but no data because of a "[13] Permissions denied".
-
My thought process:
Zabbix Agent creates a user
Example from one of my Cloudrons with Zabbix.
zabbix:x:113:117::/var/lib/zabbix/:/usr/sbin/nologin
The Zabbix Agent Service file states:
~# cat /lib/systemd/system/zabbix-agent.service
[Unit]
Description=Zabbix Agent
After=syslog.target
After=network.target

[Service]
Environment="CONFFILE=/etc/zabbix/zabbix_agentd.conf"
EnvironmentFile=-/etc/default/zabbix-agent
Type=forking
Restart=on-failure
PIDFile=/run/zabbix/zabbix_agentd.pid
KillMode=control-group
ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE
ExecStop=/bin/kill -SIGTERM $MAINPID
RestartSec=10s
User=zabbix
Group=zabbix

[Install]
WantedBy=multi-user.target
Running as User:Group zabbix:zabbix and:
~# groups zabbix
zabbix : zabbix
Cloudron uses the user yellowtent, which has the docker group:
~# groups yellowtent
yellowtent : yellowtent adm systemd-journal docker
I would think that the zabbix user needs the docker group as well to get the information from docker and not get "[13] Permissions denied".
copy pasta:
usermod -aG docker zabbix
The other option would be to edit zabbix_agentd.conf and set AllowRoot (Zabbix agent with root permissions), which I would not prefer...
AllowRoot=1
edit:
Also, your solution works, but I prefer passive agents.