Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Zabbix Agent on Cloudronserver?

Zabbix Agent on Cloudronserver?

Scheduled Pinned Locked Moved Solved Support
monitoringzabbix
6 Posts 4 Posters 1.2k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • imc67I Offline
      imc67I Offline
      imc67
      translator
      wrote on last edited by imc67
      #1

      Hi,

      first of all I'm very happy with Cloudron, the concept and way it works!

      I use a Zabbix server (https://www.zabbix.com/) to "probe" my Linux servers. They have Zabbix-Agent installed (https://www.zabbix.com/zabbix_agent).

      My question is:

      1. can I install this agent on a Cloudron-server with:

      wget https://repo.zabbix.com/zabbix/4.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.2-1+bionic_all.deb
      dpkg -i zabbix-release_4.2-1+bionic_all.deb
      apt update
      apt install zabbix-agent
      service zabbix-agent start

      1. will it work and keep working regardless Cloudron updates or whatever will do?

      2. do I need to apt-get update / apt-get upgrade manually or is there already a Cloudron script doing this?

      Kind regards,

      Marcel.

      btw: maybe an App with Zabbix server can be added for all users?

      1 Reply Last reply
      0
      • nebulonN Offline
        nebulonN Offline
        nebulon
        Staff
        wrote on last edited by
        #2

        Hi,

        I do not have any experience with zabbix, but the agent looks like it would not interfere with system configs or updates, so it should be ok to use that. Cloudron itself will update packages where it makes sense through a Cloudron version update. However security updates are applied automatically in the background (this is also the reason why your Cloudron will sometimes show a notification about a required reboot)

        1 Reply Last reply
        0
        • BrutalBirdieB Offline
          BrutalBirdieB Offline
          BrutalBirdie
          Partner
          wrote on last edited by BrutalBirdie
          #3

          A "bit" necroing here but since I use the Zabbix Agent on all my hosts, including multible Cloudron instances, I can say that installing and running the Zabbix Agent is no Problem.

          But you need to make sure you allow the Zabbix Agent Port in iptables.
          Also you need to install iptables-persistent as well to persist your manual changes.

          iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
          

          Why put the Rule into the CLOUDRON table and on second place? You may ask.

          Since the first table of iptables is

          Chain INPUT (policy ACCEPT)
          target     prot opt source               destination         
          CLOUDRON_RATELIMIT  all  --  anywhere             anywhere            
          CLOUDRON            all  --  anywhere             anywhere 
          

          This will first lookup the RATELIMIT table and then the CLOUDRON table:

          Chain CLOUDRON (1 references)
          target     prot opt source               destination         
          DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
          ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
          ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
          ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
          ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
          ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
          ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
          ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
          ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
          ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
          ACCEPT     all  --  172.18.0.0/16        anywhere            
          ACCEPT     all  --  anywhere             anywhere            
          LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
          DROP       all  --  anywhere             anywhere
          

          First Rule is a DROP and last one is a DROP so we want the rule to be within the other ACCEPT rules.
          (Can see above the result of the command, the rule for zabbix is on the second place)

          Like my work? Consider donating a drink. Cheers!

          imc67I 1 Reply Last reply
          0
          • BrutalBirdieB BrutalBirdie

            A "bit" necroing here but since I use the Zabbix Agent on all my hosts, including multible Cloudron instances, I can say that installing and running the Zabbix Agent is no Problem.

            But you need to make sure you allow the Zabbix Agent Port in iptables.
            Also you need to install iptables-persistent as well to persist your manual changes.

            iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
            

            Why put the Rule into the CLOUDRON table and on second place? You may ask.

            Since the first table of iptables is

            Chain INPUT (policy ACCEPT)
            target     prot opt source               destination         
            CLOUDRON_RATELIMIT  all  --  anywhere             anywhere            
            CLOUDRON            all  --  anywhere             anywhere 
            

            This will first lookup the RATELIMIT table and then the CLOUDRON table:

            Chain CLOUDRON (1 references)
            target     prot opt source               destination         
            DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
            ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
            ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
            ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
            ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
            ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
            ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
            ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
            ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
            ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
            ACCEPT     all  --  172.18.0.0/16        anywhere            
            ACCEPT     all  --  anywhere             anywhere            
            LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
            DROP       all  --  anywhere             anywhere
            

            First Rule is a DROP and last one is a DROP so we want the rule to be within the other ACCEPT rules.
            (Can see above the result of the command, the rule for zabbix is on the second place)

            imc67I Offline
            imc67I Offline
            imc67
            translator
            wrote on last edited by
            #4

            @BrutalBirdie said in Zabbix Agent on Cloudronserver?:

            But you need to make sure you allow the Zabbix Agent Port in iptables.

            Thanks for bringing up this old thread as I obviously never explained how I solved it: simply by installing Zabbix Agent and use the Active mode. Then you don't need to open ports and works perfect!

            Though I'm still curious how I can get insights of the Docker containers, I do get the all containers items but no data because of a "[13] Permissions denied".

            BrutalBirdieB 1 Reply Last reply
            0
            • imc67I imc67

              @BrutalBirdie said in Zabbix Agent on Cloudronserver?:

              But you need to make sure you allow the Zabbix Agent Port in iptables.

              Thanks for bringing up this old thread as I obviously never explained how I solved it: simply by installing Zabbix Agent and use the Active mode. Then you don't need to open ports and works perfect!

              Though I'm still curious how I can get insights of the Docker containers, I do get the all containers items but no data because of a "[13] Permissions denied".

              BrutalBirdieB Offline
              BrutalBirdieB Offline
              BrutalBirdie
              Partner
              wrote on last edited by BrutalBirdie
              #5

              @imc67

              My thought process:

              Zabbix Agent creates a user

              Example from one of my Cloudrons with Zabbix.

              zabbix:x:113:117::/var/lib/zabbix/:/usr/sbin/nologin
              

              The Zabbix Agent Service file states:

              ~# cat /lib/systemd/system/zabbix-agent.service
              [Unit]
              Description=Zabbix Agent
              After=syslog.target
              After=network.target
              
              [Service]
              Environment="CONFFILE=/etc/zabbix/zabbix_agentd.conf"
              EnvironmentFile=-/etc/default/zabbix-agent
              Type=forking
              Restart=on-failure
              PIDFile=/run/zabbix/zabbix_agentd.pid
              KillMode=control-group
              ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE
              ExecStop=/bin/kill -SIGTERM $MAINPID
              RestartSec=10s
              User=zabbix
              Group=zabbix
              
              [Install]
              WantedBy=multi-user.target
              

              Running as User:Group zabbix:zabbix and:

              ~# groups zabbix
              zabbix : zabbix
              

              Cloudron uses the user yellowtent - which has the docker group

              ~# groups yellowtent 
              yellowtent : yellowtent adm systemd-journal docker
              

              I would think that the zabbix user needs the docker group as well to get the information from docker and not get "[13] Permissions denied".

              copy pasta:

              usermod -aG docker zabbix
              

              Other option would be to edit zabbix_agentd.conf and set AllowRoot (Zabbix agent with root permissions): - Which I would not prefer...

              AllowRoot=1
              

              edit:
              Also your solution works but I prefer passiv agents.

              Like my work? Consider donating a drink. Cheers!

              1 Reply Last reply
              0
              • girishG Offline
                girishG Offline
                girish
                Staff
                wrote on last edited by
                #6

                In Cloudron 5.6, we added a way to whitelist additional incoming ports - https://docs.cloudron.io/networking/#whitelist-ports

                1 Reply Last reply
                1
                Reply
                • Reply as topic
                Log in to reply
                • Oldest to Newest
                • Newest to Oldest
                • Most Votes


                  • Login

                  • Don't have an account? Register

                  • Login or register to search.
                  • First post
                    Last post
                  0
                  • Categories
                  • Recent
                  • Tags
                  • Popular
                  • Bookmarks
                  • Search