zabbix是基于WEB界面提供分布式系统监视以及网络监视功能的企业级开源解决方案,能监视各种网络参数,保证服务器系统的安全运营;并提供灵活的通知机制以让系统管理员快速定位/解决存在的各种问题。 做为开源用户的支持者,我们大部分环境用的软件包含监控软件、数据库、继承应用、操作系统等都是用开源的,例如centos、PG、zabbix、openshift等,但是开源的在成熟度上是不错,但是安装软件有时比较麻烦,例如centos的安全开关,默认情况下会导致我们在安装openshift、zabbix等导致失败,而错误日志提示往往与实际十万三千里,但是有经验的在安装完系统后会有意识性的去修改配置,避免不必要的问题, 如下问题: 在安装配置好zabbix后无法正常启动,原因是SELINUX设置问题导致启动失败, 故障分析: [root@localhost zabbix]# systemctl start zabbix-server.service Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details. [root@localhost zabbix]# journalctl -xe -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit zabbix-server.service has begun starting up. 1月 07 15:21:17 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start. 1月 07 15:21:17 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing. 1月 07 15:21:17 localhost.localdomain systemd[1]: Failed to start Zabbix Server. -- Subject: Unit zabbix-server.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit zabbix-server.service has failed. -- -- The result is failed. 1月 07 15:21:17 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state. 1月 07 15:21:17 localhost.localdomain systemd[1]: zabbix-server.service failed. 1月 07 15:21:17 localhost.localdomain polkitd[804]: Unregistered Authentication Agent for unix-process:6787:8831344 (system bus name 1月 07 15:21:24 localhost.localdomain polkitd[804]: Registered Authentication Agent for unix-process:6797:8832061 (system bus name : 1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service holdoff time over, scheduling restart. 1月 07 15:21:27 localhost.localdomain systemd[1]: Starting Zabbix Server... -- Subject: Unit zabbix-server.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit zabbix-server.service has begun starting up. 1月 07 15:21:27 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start. 1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing. 1月 07 15:21:27 localhost.localdomain systemd[1]: Failed to start Zabbix Server. -- Subject: Unit zabbix-server.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit zabbix-server.service has failed. -- -- The result is failed. 1月 07 15:21:27 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state. 1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service failed. 1月 07 15:21:27 localhost.localdomain polkitd[804]: Unregistered Authentication Agent for unix-process:6797:8832061 (system bus name lines 1907-1944/1944 (END) Last login: Tue Jan 7 23:24:43 2020 from 10.100.81.67
查看 zabbix 日志分析: 发现日志提示权限问题:
5966:20200107:145500.376 using configuration file: /etc/zabbix/zabbix_server.conf 5966:20200107:145500.376 cannot set resource limit: [13] Permission denied 5966:20200107:145500.376 cannot disable core dump, exiting... 5976:20200107:145506.314 Starting Zabbix Server. Zabbix 4.4.4 (revision 3131fdac04
问题根源分析:
[root@localhost logs]# getenforce Enforcing------这时发现selinux的配置是Enforcing [root@localhost logs]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 [root@localhost logs]# cd /etc/selinux [root@localhost selinux]# ls config final semanage.conf targeted tmp
直接把selinux 关掉如下: [root@localhost selinux]# vi config
This file controls the state of SELinux on the system. SELINUX= can take one of these three values: enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - No SELinux policy is loaded. SELINUX=disabled SELINUXTYPE= can take one of three two values: targeted - Targeted processes are protected, minimum - Modification of targeted policy. Only selected processes are protected. mls - Multi Level Security protection. SELINUXTYPE=targeted
**优化修改SELINUX=disabled ** [root@localhost selinux]# vi config
#This file controls the state of SELinux on the system. #SELINUX= can take one of these three values: #enforcing - SELinux security policy is enforced. #permissive - SELinux prints warnings instead of enforcing. #disabled - No SELinux policy is loaded. SELINUX=disabled #SELINUXTYPE= can take one of three two values: #targeted - Targeted processes are protected, #minimum - Modification of targeted policy. Only selected #processes are protected. #mls - Multi Level Security protection. SELINUXTYPE=targeted
重新启动:
[root@localhost ~]# systemctl start zabbix-server.service [root@localhost ~]# systemctl status zabbix-server.service ● zabbix-server.service - Zabbix Server Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled) Active: active (running) since 二 2020-01-07 15:26:56 CST; 6s ago Process: 1529 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS) Main PID: 1531 (zabbix_server) CGroup: /system.slice/zabbix-server.service └─1531 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
1月 07 15:26:56 localhost.localdomain systemd[1]: Starting Zabbix Server... 1月 07 15:26:56 localhost.localdomain systemd[1]: zabbix-server.service: Supervising process 1531 which is not our child. ...exits. 1月 07 15:26:56 localhost.localdomain systemd[1]: Started Zabbix Server. Hint: Some lines were ellipsized, use -l to show in full. [root@localhost ~]#
因此,一般在安装一些开源软件,如MYSQL、POSTGRES、zabbix、openshift等,在安装前先检查下系统对应版本是否与需安装的软件兼容性、在检查下下,防火墙、安全等是否开启,如下: 1、iptables开启和关闭 2、SELinux开启和关闭 3、CentOS 6和CentOS 7 firewalld防火墙的开与关等
