zabbix-tools / libzbxpgsql

Monitor PostgreSQL with Zabbix
http://cavaliercoder.com/libzbxpgsql/
Other
157 stars 64 forks source link

Where to place .pgpass file for module #110

Open trojanc opened 7 years ago

trojanc commented 7 years ago

Hi

I'm having a hard time getting this module to authenticate. I have a default zabbix agent install on Centos 7.4

30948:20171013:160007.183 Starting Zabbix Agent [myserver.mydomain]. Zabbix 3.4.2 (revision 72885).
 30948:20171013:160007.184 **** Enabled features ****
 30948:20171013:160007.184 IPv6 support:          YES
 30948:20171013:160007.184 TLS support:           YES
 30948:20171013:160007.184 **************************
 30948:20171013:160007.184 using configuration file: /etc/zabbix/zabbix_agentd.conf
 30948:20171013:160007.198 starting agent module libzbxpgsql 1.1.0
 30948:20171013:160007.198 using module configuration file: /etc/zabbix/libzbxpgsql.conf
 30948:20171013:160007.198 loaded modules: libzbxpgsql.so
 30948:20171013:160007.200 agent #0 started [main process]
 30949:20171013:160007.203 agent #1 started [collector]
 30950:20171013:160007.204 agent #2 started [listener #1]
 30952:20171013:160007.211 agent #4 started [listener #3]
 30953:20171013:160007.216 agent #5 started [active checks #1]
 30951:20171013:160007.223 agent #3 started [listener #2]
 30953:20171013:160007.420 PostgreSQL: fe_sendauth: no password supplied
 30953:20171013:160107.479 PostgreSQL: fe_sendauth: no password supplied
 30953:20171013:160207.605 active check "pg.backends.count[host=11.22.33.44 port=5432 user=zabbix connect_timeout=10,postgres]" is not supported: fe_sendauth: no password supplied

The agent runs as root as the default install does. I have my .pgpass file in the home directory of the root user.

 ls -al /root
-rw-------.  1 root root   65 Oct 13 15:47 .pgpass

When I try connect with the details I can see is being attempted above, I can successfully authenticate from the command line using psql from the same machine where the agent is installed using the root user.

psql -h 11.22.33.44 postgres zabbix

The .pgpass file gets picked up and signed in with my password

Any ideas would be appreciated. I can't use socket binding, it connects to an another host (docker/kubernetes port). Using command line works fine, so I'd expect my config work work the same like I have it set up...

trojanc commented 7 years ago

Using the following command line also works

psql "host=11.22.33.44 port=5432 user=zabbix connect_timeout=10 dbname=postgres"

Which is what I think the plugin does?

pg.backends.count[host=11.22.33.44 port=5432 user=zabbix connect_timeout=10,postgres]

Takes the second parameter postgres and appends dbname=postgres to the connection string.

   936:20171013:155746.348 In pg_connect()
   936:20171013:155746.348 Connecting to PostgreSQL with: host=11.22.33.44 port=5432 user=zabbix connect_timeout=10 dbname=postgres
   936:20171013:155746.352 PostgreSQL: fe_sendauth: no password supplied

So I'm convinced I just have the .pgpass file in the wrong place...

ps aux | grep zabbix
root      6356  0.0  0.0 112660   972 pts/0    S+   16:42   0:00 grep --color=auto zabbix
zabbix   30948  0.0  0.1  91592  2416 ?        S    16:00   0:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf
zabbix   30949  0.0  0.0  91592  1388 ?        S    16:00   0:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
zabbix   30950  0.0  0.1  93796  3292 ?        S    16:00   0:02 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
zabbix   30951  0.1  0.1  93796  3272 ?        S    16:00   0:02 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
zabbix   30952  0.0  0.1  93796  3276 ?        S    16:00   0:02 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
zabbix   30953  0.0  0.1  93888  3248 ?        S    16:00   0:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]

I think I'm starting to answer myself...anyway I'll keep commenting because it might help someone. Looking at the above process stats, zabbix is not running as root, but as a "zabbix" user... I'll have to figure out where its home is...

trojanc commented 7 years ago
getent passwd zabbix
zabbix:x:998:994:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin

Indicated that the zabbix user home is /var/lib/zabbix (for my centos environment)

mkdir -p /var/lib/zabbix
cp ~/.pgpass /var/lib/zabbix/.pgpass
chown -R zabbix:zabbix /var/lib/zabbix
ls -al /var/lib/zabbix
-rw-------.  1 zabbix zabbix   81 Oct 13 16:46 .pgpass

Now I have the .pgpass in the correct directory for the user...but I still get same authentication problem...

trojanc commented 7 years ago

When adding the password to the connection macro, it works as expected

{$PG_CONN} host=11.22.33.44 port=5432 user=zabbix password=secret connect_timeout=10

So I know the module is working... still just that silly .pgpass file making trouble :(

ShrikantPaste commented 6 years ago

I am facing similar issue, can i specify the passfile location explicitly in the connection string and also wanted to know if passfile should be on postgres server on which we have zabbix agent or if the passfile needs to be on zabbix server.

ShrikantPaste commented 6 years ago

I also tried to change ownership of the file to zabbix user as well as root user, also tried coping the .pgpass file to root and /var/lib/zabbix folder on zabbix server as well as postgres server

ShrikantPaste commented 6 years ago

Selinux was blocking zabbix agent from reading .pgpass file after i disable selinux on the postgresql server which i was monitoring it has been able to update connect and update values, now checking what settings in selinux should be made for it to work in enforced mode

ShrikantPaste commented 6 years ago

used following command

semanage fcontext -a -t FILE_TYPE '/var/lib/zabbix/.pgpass'

Where FILE_TYPE is as following zabbix_agent_exec_t, zabbix_agent_initrc_exec_t, zabbix_exec_t, zabbix_initrc_exec_t, zabbix_log_t, zabbix_script_exec_t, zabbix_tmp_t, zabbix_tmpfs_t, zabbix_var_run_t

I ran the command using each file type once then executed following command restorecon -v '/var/lib/zabbix/.pgpass'

After making this changes i am able to fetch the data even when selinux is set to enforcing mode

Also made zabbix user the owner of the .pgpass file

directionsystems commented 6 years ago

i'm with this problem too.

directionsystems commented 6 years ago

Now its works for me.

I did the follow:

I created the path /var/lib/zabbix with this access -rw----r-- 1 zabbix zabbix After change the .pgpass file to /var/lib/zabbix its works!!

buzzing-bee commented 5 years ago

Now its works for me.

I did the follow:

I created the path /var/lib/zabbix with this access -rw----r-- 1 zabbix zabbix After change the .pgpass file to /var/lib/zabbix its works!!

I have the exact same problem with this .pgpass file. may I know whether you did an EXPORT to the .pgpass file??

something like: export PGPASSFILE='/var/lib/zabbix/.pgpass' ??

prcdpr commented 4 years ago
chmod -R 600 /var/lib/zabbix/

solves the problem for me

lpossamai commented 3 years ago

I have the same problem.

ls -la /var/lib/zabbix/
-rw-------  1 zabbix zabbix  207 Jun  1 23:50 .pgpass