rvalitov / zabbix-php-fpm

PHP-FPM status monitoring template for Zabbix with auto discovery (LLD), support for multiple pools and ISPConfig
GNU General Public License v3.0

sudo for status script #32

Closed juanpebalsa closed 4 years ago

juanpebalsa commented 4 years ago

Everything is very well explained (in fact the best I have seen in terms of Zabbix templates), so I leave you with the problems that have come up for me and how I have solved them, in case you want to add them:

I had to add the two scripts to visudo in order for it to work properly:

    zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh
    zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_status.sh

The discovery script gave me an error in the grep (/bin/grep: write errors), so I had to modify line 216 to fix it:

    mapfile -t PS_LIST < <($S_PS ax | $S_GREP -F "php-fpm: pool " | $S_GREP -F -v "grep" 2>/dev/null)

rvalitov commented 4 years ago

Thank you very much for your contribution!

  1. About the sudo: Why do you run both scripts with sudo? Only the discovery script requires sudo as written in the Wiki. What is the reason to run the status script with sudo? As far as I understand your idea, you think we should add the status script (the discovery script is already there) to the Wiki to make it work properly?

  2. About grep: Can you please tell the name and version of your OS? And the version of grep, for example:

    user@server:/# grep -V
    grep (GNU grep) 2.27

Thank you!

juanpebalsa commented 4 years ago
  1. In my case, launching it without sudo does not return any value. Putting it as sudo works correctly.

  2. I use CentOS 7, updated today. Grep has version 2.20.

rvalitov commented 4 years ago

I installed a clean version of CentOS 7 to test your case. My system info:

    # rpm -q centos-release
    centos-release-7-8.2003.0.el7.centos.x86_64

    # bash --version
    GNU bash, version 4.2.46(2)-release (x86_64-redhat-linux-gnu)

    # grep -V
    grep (GNU grep) 2.20

    # zabbix_get -V
    zabbix_get (Zabbix) 4.0.20
    Revision 3b651d1b0b 27 April 2020, compilation time: Apr 27 2020 13:05:34

Unfortunately I couldn't reproduce any of the issues you reported.

  1. I followed the standard installation guide and it was enough for me to specify only one script, /etc/zabbix/zabbix_php_fpm_discovery.sh, via visudo. The only problem I had was SELinux, which I had to disable (Wiki updated). Otherwise the visudo was ignored completely. But I still don't understand why you need to specify the second script, /etc/zabbix/zabbix_php_fpm_status.sh, there. The latter does not require any sudo. Maybe the reason is that you added sudo to it by mistake in /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf? Can you please check that?

  2. For the grep issue, can you please check your bash version and provide the debug output of the zabbix discovery script? More info here: https://github.com/rvalitov/zabbix-php-fpm/wiki/Testing-and-Troubleshooting#1-discover-php-fpm-pools

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

rieschl commented 4 years ago

I just installed the template and also had to add sudo to the status script. I'm no UNIX socket expert, but I think the problem is that the socket file cannot be read by anyone other than root and www-data: `srw-rw---- 1 www-data www-data 0 Jun 18 16:49 php7.3-fpm-prod.sock`. Adding the status script to the sudoers as well and inserting sudo in the userparam obviously fixes that. I think it would also be possible to change the listen.mode in the pool config, but to me it seems more secure to just allow zabbix (via sudo) to access the socket.

rvalitov commented 4 years ago

I couldn't reproduce this issue 🤦‍♂️ In my case only the discovery script required sudo or root. The script to retrieve data works fine without that. I will try to investigate this again and I hope I will succeed in reproducing this problem. I like your comment about listen.mode. Could it be that we have different default values here? In my tests I usually use ISPConfig, which could override some parameters of the default PHP config provided by its package. What value of listen.mode do you have?

rieschl commented 4 years ago

There is no value set explicitly, but the default is 0660. As you can see in my previous post, that seems to be right: srw-rw---- 1 www-data www-data 0 Jun 18 16:49 php7.3-fpm-prod.sock

Also, the config says

    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions.
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0660

So maybe in CentOS the permissions aren't respected?

rvalitov commented 4 years ago

sudo is required if the PHP pool uses sockets. sudo is not required if the PHP pool operates via IP and port. That's the reason why sometimes the script worked without sudo. Bug confirmed and fixed in the latest PR.
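
The socket permission check discussed in this thread, as an added example that is not part of the issue or of the project's scripts: on Linux, connecting to a UNIX socket needs write permission on the socket file, so a `0660 www-data:www-data` socket rejects the `zabbix` user while a pool listening on IP and port does not. The function names `socket_access` and `check_live` are hypothetical, and the socket path passed to `check_live` is whatever your pool's `listen` value is.

```shell
#!/bin/sh
# Added example (not from the project): decide whether USER may connect() to a
# UNIX socket on Linux, which requires write permission on the socket file.
# Directory search permissions on the path are not checked here.

# socket_access MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is octal as printed by `stat -c %a` (660) or as written in listen.mode (0660).
socket_access() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5

    # root bypasses file permission checks (this is what sudo buys)
    if [ "$user" = "root" ]; then echo allowed; return 0; fi

    # Normalise to four octal digits, then drop the setuid/setgid/sticky digit
    perms=$(printf '%04o' "0$mode")
    perms=${perms#?}
    o_bits=${perms%??}                   # owner digit
    g_bits=${perms#?}; g_bits=${g_bits%?} # group digit
    t_bits=${perms##??}                  # other digit

    # The kernel picks exactly one class: owner, else group, else other
    if [ "$user" = "$owner" ]; then
        bits=$o_bits
    else
        case " $user_groups " in
            *" $group "*) bits=$g_bits ;;
            *)            bits=$t_bits ;;
        esac
    fi

    # Write bit (value 2) is what connect() needs
    if [ $(( bits & 2 )) -ne 0 ]; then echo allowed; return 0; fi
    echo denied; return 1
}

# check_live SOCKET_PATH USER: same decision using the real file and account
# (GNU stat and id; run it on the monitored host).
check_live() {
    sock=$1; user=$2
    set -- $(stat -c '%a %U %G' "$sock")
    socket_access "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}
```

A `denied` result for `zabbix` means the status script needs either the sudoers entry from this thread or access through the socket's group or mode.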