Zabbix Agent on Cloudronserver?

imc67

Hi,

first of all I'm very happy with Cloudron, the concept and way it works!

I use a Zabbix server (https://www.zabbix.com/) to "probe" my Linux servers. They have Zabbix-Agent installed (https://www.zabbix.com/zabbix_agent).

My question is:

1. can I install this agent on a Cloudron-server with:

wget https://repo.zabbix.com/zabbix/4.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.2-1+bionic_all.deb
dpkg -i zabbix-release_4.2-1+bionic_all.deb
apt update
apt install zabbix-agent
service zabbix-agent start

2. will it work and keep working regardless Cloudron updates or whatever will do?

3. do I need to apt-get update / apt-get upgrade manually or is there already a Cloudron script doing this?

Kind regards,

Marcel.

btw: maybe an App with Zabbix server can be added for all users?

nebulon

Hi,

I do not have any experience with zabbix, but the agent looks like it would not interfere with system configs or updates, so it should be ok to use that. Cloudron itself will update packages where it makes sense through a Cloudron version update. However security updates are applied automatically in the background (this is also the reason why your Cloudron will sometimes show a notification about a required reboot)

BrutalBirdie

A "bit" necroing here but since I use the Zabbix Agent on all my hosts, including multible Cloudron instances, I can say that installing and running the Zabbix Agent is no Problem.

But you need to make sure you allow the Zabbix Agent Port in iptables.
Also you need to install iptables-persistent as well to persist your manual changes.

iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT

Why put the Rule into the CLOUDRON table and on second place? You may ask.

Since the first table of iptables is

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
CLOUDRON_RATELIMIT  all  --  anywhere             anywhere            
CLOUDRON            all  --  anywhere             anywhere 

This will first lookup the RATELIMIT table and then the CLOUDRON table:

Chain CLOUDRON (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  172.18.0.0/16        anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
DROP       all  --  anywhere             anywhere

First Rule is a DROP and last one is a DROP so we want the rule to be within the other ACCEPT rules.
(Can see above the result of the command, the rule for zabbix is on the second place)

imc67

@BrutalBirdie said in Zabbix Agent on Cloudronserver?:

But you need to make sure you allow the Zabbix Agent Port in iptables.

Thanks for bringing up this old thread as I obviously never explained how I solved it: simply by installing Zabbix Agent and use the Active mode. Then you don't need to open ports and works perfect!

Though I'm still curious how I can get insights of the Docker containers, I do get the all containers items but no data because of a "[13] Permissions denied".

BrutalBirdie

@imc67

My thought process:

Zabbix Agent creates a user

Example from one of my Cloudrons with Zabbix.

zabbix:x:113:117::/var/lib/zabbix/:/usr/sbin/nologin

The Zabbix Agent Service file states:

~# cat /lib/systemd/system/zabbix-agent.service
[Unit]
Description=Zabbix Agent
After=syslog.target
After=network.target

[Service]
Environment="CONFFILE=/etc/zabbix/zabbix_agentd.conf"
EnvironmentFile=-/etc/default/zabbix-agent
Type=forking
Restart=on-failure
PIDFile=/run/zabbix/zabbix_agentd.pid
KillMode=control-group
ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE
ExecStop=/bin/kill -SIGTERM $MAINPID
RestartSec=10s
User=zabbix
Group=zabbix

[Install]
WantedBy=multi-user.target

Running as User:Group zabbix:zabbix and:

~# groups zabbix
zabbix : zabbix

Cloudron uses the user yellowtent - which has the docker group

~# groups yellowtent 
yellowtent : yellowtent adm systemd-journal docker

I would think that the zabbix user needs the docker group as well to get the information from docker and not get "[13] Permissions denied".

copy pasta:

usermod -aG docker zabbix

Other option would be to edit zabbix_agentd.conf and set AllowRoot (Zabbix agent with root permissions): - Which I would not prefer...

AllowRoot=1

edit:
Also your solution works but I prefer passiv agents.

girish

In Cloudron 5.6, we added a way to whitelist additional incoming ports - https://docs.cloudron.io/networking/#whitelist-ports