

SOLVED Zabbix Agent on Cloudronserver?



  • Hi,

    first of all I'm very happy with Cloudron, the concept and way it works!

    I use a Zabbix server (https://www.zabbix.com/) to "probe" my Linux servers. They have Zabbix-Agent installed (https://www.zabbix.com/zabbix_agent).

    My question is:

    1. can I install this agent on a Cloudron-server with:

    wget https://repo.zabbix.com/zabbix/4.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.2-1+bionic_all.deb
    dpkg -i zabbix-release_4.2-1+bionic_all.deb
    apt update
    apt install zabbix-agent
    service zabbix-agent start

    2. will it work and keep working regardless of Cloudron updates or whatever it will do?

    3. do I need to apt-get update / apt-get upgrade manually or is there already a Cloudron script doing this?

    Kind regards,

    Marcel.

    btw: maybe an App with Zabbix server can be added for all users?


  • Staff

    Hi,

    I do not have any experience with Zabbix, but the agent looks like it would not interfere with system configs or updates, so it should be OK to use that. Cloudron itself will update packages where it makes sense through a Cloudron version update. However, security updates are applied automatically in the background (this is also the reason why your Cloudron will sometimes show a notification about a required reboot).


  • App Dev

    A "bit" necroing here, but since I use the Zabbix Agent on all my hosts, including multiple Cloudron instances, I can say that installing and running the Zabbix Agent is no problem.

    But you need to make sure you allow the Zabbix Agent Port in iptables.
    Also you need to install iptables-persistent as well to persist your manual changes.

    iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
    

    Why put the rule into the CLOUDRON table and in second place, you may ask?

    Since the first table of iptables is

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    CLOUDRON_RATELIMIT  all  --  anywhere             anywhere            
    CLOUDRON            all  --  anywhere             anywhere 
    

    This will first lookup the RATELIMIT table and then the CLOUDRON table:

    Chain CLOUDRON (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
    ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
    ACCEPT     all  --  172.18.0.0/16        anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
    DROP       all  --  anywhere             anywhere
    

    The first rule is a DROP and the last one is a DROP, so we want the rule to be within the other ACCEPT rules.
    (You can see the result of the command above: the rule for Zabbix is in second place.)
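
The placement reasoning in the post above can be checked mechanically. The following is an added example, not code from the thread or from Cloudron: it reads an `iptables -L CLOUDRON` listing and reports where the agent rule sits relative to the blocklist DROP and the final DROP, plus the rule's source column so you can see whether it is open to any address. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Zabbix agent rule's position.
# Input: `iptables -L CLOUDRON` output on stdin, same format as the listing above.
# Output: "<verdict> pos=<rule number> source=<source column>".

check_zabbix_rule() {
    awk '
        BEGIN { any = "^(anywhere|0\\.0\\.0\\.0/0)$" }         # with or without -n
        $1 == "Chain" || $1 == "target" || NF == 0 { next }   # skip headers and blank lines
        {
            n++   # rule number, as counted by `iptables -I CHAIN <n>`
            # the blocklist DROP that has to stay ahead of any ACCEPT
            if (!blk && $0 ~ /match-set cloudron_blocklist/) blk = n
            # first ACCEPT for the agent port (service name or numeric form)
            if (!zbx && $1 == "ACCEPT" && $0 ~ /dpt:(zabbix-agent|10050)( |$)/) { zbx = n; src = $4 }
            # first unconditional DROP: nothing after it is ever evaluated
            if (!fin && $1 == "DROP" && NF == 5 && $4 ~ any && $5 ~ any) fin = n
        }
        END {
            if (!zbx) { print "missing pos=0 source=-"; exit }
            v = "ok"
            if (blk && zbx < blk) v = "before-blocklist"
            if (fin && zbx > fin) v = "after-final-drop"
            printf "%s pos=%d source=%s\n", v, zbx, src
        }'
}

# Constructed sample, abbreviated from the chain listing in the post.
sample_chain() {
    cat <<'EOF'
Chain CLOUDRON (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,https
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug
DROP       all  --  anywhere             anywhere
EOF
}

sample_chain | check_zabbix_rule
```

On a host, pipe the live listing into the function with `iptables -L CLOUDRON | check_zabbix_rule`. A verdict of `before-blocklist` means blocklisted addresses reach the agent port, and `after-final-drop` means the rule is never evaluated.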



  • @BrutalBirdie said in Zabbix Agent on Cloudronserver?:

    But you need to make sure you allow the Zabbix Agent Port in iptables.

    Thanks for bringing up this old thread, as I obviously never explained how I solved it: simply by installing Zabbix Agent and using the Active mode. Then you don't need to open ports and it works perfectly!

    Though I'm still curious how I can get insights into the Docker containers: I do get all the container items but no data because of a "[13] Permissions denied".


  • App Dev

    @imc67

    My thought process:

    Zabbix Agent creates a user

    Example from one of my Cloudrons with Zabbix.

    zabbix:x:113:117::/var/lib/zabbix/:/usr/sbin/nologin
    

    The Zabbix Agent Service file states:

    ~# cat /lib/systemd/system/zabbix-agent.service
    [Unit]
    Description=Zabbix Agent
    After=syslog.target
    After=network.target
    
    [Service]
    Environment="CONFFILE=/etc/zabbix/zabbix_agentd.conf"
    EnvironmentFile=-/etc/default/zabbix-agent
    Type=forking
    Restart=on-failure
    PIDFile=/run/zabbix/zabbix_agentd.pid
    KillMode=control-group
    ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE
    ExecStop=/bin/kill -SIGTERM $MAINPID
    RestartSec=10s
    User=zabbix
    Group=zabbix
    
    [Install]
    WantedBy=multi-user.target
    

    Running as User:Group zabbix:zabbix and:

    ~# groups zabbix
    zabbix : zabbix
    

    Cloudron uses the user yellowtent - which has the docker group

    ~# groups yellowtent 
    yellowtent : yellowtent adm systemd-journal docker
    

    I would think that the zabbix user needs the docker group as well to get the information from docker and not get "[13] Permissions denied".

    copy pasta:

    usermod -aG docker zabbix
    

    Another option would be to edit zabbix_agentd.conf and set AllowRoot (Zabbix agent with root permissions), which I would not prefer...

    AllowRoot=1
    

    edit:
    Also, your solution works, but I prefer passive agents.


  • Staff

    In Cloudron 5.6, we added a way to whitelist additional incoming ports - https://docs.cloudron.io/networking/#whitelist-ports

