Zabbix: zabbix-server.service failed. / cannot set resource limit: [13] Permission denied
The error in the title occurs when the Zabbix service is started.
The details are as follows:
```
[root@zabbix ~]# systemctl start zabbix-server
[root@zabbix ~]# systemctl status zabbix-server
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2018-03-30 23:39:16 CST; 6s ago
  Process: 26215 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
  Process: 26207 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 26212 (code=exited, status=1/FAILURE)

Mar 30 23:39:16 zabbix systemd[1]: Unit zabbix-server.service entered faile...e.
Mar 30 23:39:16 zabbix systemd[1]: zabbix-server.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@zabbix ~]#
[root@zabbix ~]# service zabbix-server status
Redirecting to /bin/systemctl status zabbix-server.service
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: resources) since Fri 2018-03-30 23:39:57 CST; 8s ago
  Process: 26255 ExecStop=/bin/kill -SIGTERM $MAINPID (code=exited, status=1/FAILURE)
  Process: 26297 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 26253 (code=exited, status=1/FAILURE)

Mar 30 23:39:57 zabbix systemd[1]: zabbix-server.service never wrote its PID file. Failing.
Mar 30 23:39:57 zabbix systemd[1]: Failed to start Zabbix Server.
Mar 30 23:39:57 zabbix systemd[1]: Unit zabbix-server.service entered failed state.
Mar 30 23:39:57 zabbix systemd[1]: zabbix-server.service failed.
[root@zabbix ~]#
```
While this happens, the server log (/var/log/zabbix/zabbix_server.log) reports the following error:
```
 26392:20180330:234027.616 Starting Zabbix Server. Zabbix 3.4.7 (revision 77720).
 26392:20180330:234027.617 ****** Enabled features ******
 26392:20180330:234027.617 SNMP monitoring: YES
 26392:20180330:234027.617 IPMI monitoring: YES
 26392:20180330:234027.617 Web monitoring: YES
 26392:20180330:234027.617 VMware monitoring: YES
 26392:20180330:234027.617 SMTP authentication: YES
 26392:20180330:234027.617 Jabber notifications: YES
 26392:20180330:234027.617 Ez Texting notifications: YES
 26392:20180330:234027.617 ODBC: YES
 26392:20180330:234027.617 SSH2 support: YES
 26392:20180330:234027.617 IPv6 support: YES
 26392:20180330:234027.617 TLS support: YES
 26392:20180330:234027.617 ******************************
 26392:20180330:234027.617 using configuration file: /etc/zabbix/zabbix_server.conf
 26392:20180330:234027.633 cannot set resource limit: [13] Permission denied
 26392:20180330:234027.633 cannot disable core dump, exiting...
```
The cause of the problem: SELinux is enabled and running in enforcing mode.
```
[root@zabbix ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@zabbix ~]#
```
There are several ways to solve this:
1. A fix that does not turn SELinux off
Analyze the SELinux log.
Install the tool and generate a readable report:
```
[root@zabbix ~]# yum install setroubleshoot
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirrors.ustc.edu.cn
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Package setroubleshoot-3.2.28-3.el7.x86_64 already installed and latest version
Nothing to do
[root@zabbix ~]#
[root@zabbix ~]# sealert -a /var/log/audit/audit.log > selinux_report.log
[root@zabbix ~]#
```
The report reads as follows:
```
[root@zabbix ~]# ll
total 48
-rw-------. 1 root root  1611 Mar 27 13:01 anaconda-ks.cfg
-rw-r--r--. 1 root root 15080 Oct  3 01:52 epel-release-latest-7.noarch.rpm
-rw-r--r--. 1 root root  1659 Mar 27 13:42 initial-setup-ks.cfg
-rw-r--r--. 1 root root  4722 Mar 30 23:51 selinux_report.log
-rw-r--r--. 1 root root 13392 Sep 14  2016 zabbix-release-3.2-1.el7.noarch.rpm
[root@zabbix ~]#
[root@zabbix ~]# cat selinux_report.log | wc -l
92
[root@zabbix ~]#
[root@zabbix ~]# cat selinux_report.log
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/accounts-daemon from write access on the directory /root.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -i my-accountsdaemon.pp


Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           accountsservice-0.6.45-2.el7.x86_64
Target RPM Packages           filesystem-3.2-21.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zabbix
Platform                      Linux zabbix 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-27 13:40:34 CST
Last Seen                     2018-03-27 13:40:34 CST
Local ID                      7bd4fd45-fa3e-4a19-a45d-a828759ac344

Raw Audit Messages
type=AVC msg=audit(1522129234.188:28): avc: denied { write } for pid=735 comm="accounts-daemon" name="root" dev="dm-0" ino=67153985 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1522129234.188:28): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=56144b7db880 a1=1c0 a2=0 a3=7ffe905fe4e0 items=0 ppid=1 pid=735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)

Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/zabbix_server_mysql from using the setrlimit access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that zabbix_server_mysql should be allowed setrlimit access on processes labeled zabbix_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
# semodule -i my-zabbixserver.pp


Additional Information:
Source Context                system_u:system_r:zabbix_t:s0
Target Context                system_u:system_r:zabbix_t:s0
Target Objects                Unknown [ process ]
Source                        zabbix_server
Source Path                   /usr/sbin/zabbix_server_mysql
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           zabbix-server-mysql-3.4.7-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zabbix
Platform                      Linux zabbix 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64
Alert Count                   75
First Seen                    2018-03-30 23:39:16 CST
Last Seen                     2018-03-30 23:51:15 CST
Local ID                      3d8d6200-b03d-43ff-8762-a5eba5b6ef9a

Raw Audit Messages
type=AVC msg=audit(1522425075.610:4653): avc: denied { setrlimit } for pid=27304 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process

type=SYSCALL msg=audit(1522425075.610:4653): arch=x86_64 syscall=setrlimit success=no exit=EACCES a0=4 a1=7ffd7faeaa40 a2=0 a3=8 items=0 ppid=27303 pid=27304 auid=4294967295 uid=990 gid=985 euid=990 suid=990 fsuid=990 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm=zabbix_server exe=/usr/sbin/zabbix_server_mysql subj=system_u:system_r:zabbix_t:s0 key=(null)

Hash: zabbix_server,zabbix_t,zabbix_t,process,setrlimit

[root@zabbix ~]#
```
The report makes it clear that Zabbix failed to start because SELinux blocked it.
As the report suggests, Zabbix can be allowed for now like this:
```
[root@zabbix ~]# ausearch -c 'zabbix_server' --raw | audit2allow -M my-zabbixserver
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-zabbixserver.pp

[root@zabbix ~]#
[root@zabbix ~]# semodule -i my-zabbixserver.pp
[root@zabbix ~]#
```
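To see what the local module above will permit before it is loaded, the denials can be summarised per command name. This is an added example, not part of the original post and not audit2allow itself: a simplified Python reading of raw AVC records (the names `rules_for` and `SAMPLE_AUDIT` are made up here) that prints the allow rules implied by the denials for one `comm`, the same filter `ausearch -c` applies.

```python
import re
from collections import defaultdict

# Records 1 and 2 are the raw AVC messages from the sealert report above.
# Record 3 is constructed: a repeat of the setrlimit denial with another pid.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1522129234.188:28): avc: denied { write } for pid=735 comm="accounts-daemon" name="root" dev="dm-0" ino=67153985 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1522425075.610:4653): avc: denied { setrlimit } for pid=27304 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
type=AVC msg=audit(1522425085.000:4660): avc: denied { setrlimit } for pid=27400 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def rules_for(audit_text, comm):
    """Return the sorted allow rules implied by the denials logged for one comm."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # other daemons' denials must not leak into this module
        src = selinux_type(m.group("s"))
        tgt = selinux_type(m.group("t"))
        tgt = "self" if tgt == src else tgt
        # Repeated denials collapse into one rule per (source, target, class).
        perms[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in rules_for(SAMPLE_AUDIT, "zabbix_server"):
        print(rule)
```

`audit2allow -M my-zabbixserver` also writes `my-zabbixserver.te` next to the `.pp` file; reading it before running `semodule -i` shows the exact rules being loaded.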
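Or turn SELinux off by setting SELINUX=disabled in /etc/selinux/config (the change takes effect after a reboot):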
```
[root@zabbix ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


[root@zabbix ~]#
```
Start the service:
```
[root@zabbix ~]# sestatus
SELinux status:                 disabled
[root@zabbix ~]#
[root@zabbix ~]#
[root@zabbix ~]# service zabbix-server status
Redirecting to /bin/systemctl status zabbix-server.service
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@zabbix ~]#
[root@zabbix ~]# service zabbix-server start
Redirecting to /bin/systemctl start zabbix-server.service
[root@zabbix ~]#
[root@zabbix ~]# service zabbix-server status
Redirecting to /bin/systemctl status zabbix-server.service
● zabbix-server.service - Zabbix Server
   Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-03-31 00:07:51 CST; 12s ago
  Process: 1712 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
 Main PID: 1715 (zabbix_server)
   CGroup: /system.slice/zabbix-server.service
           ├─1715 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
           ├─1720 /usr/sbin/zabbix_server: configuration syncer [waiting 60 sec for processes]
           ├─1721 /usr/sbin/zabbix_server: alerter #1 started
           ├─1722 /usr/sbin/zabbix_server: alerter #2 started
           ├─1723 /usr/sbin/zabbix_server: alerter #3 started
           ├─1724 /usr/sbin/zabbix_server: housekeeper [startup idle for 30 minutes]
           ├─1725 /usr/sbin/zabbix_server: timer #1 [processed 0 triggers, 0 events in 0.000128 sec, 0 maintenances in 0.014956 ...
           ├─1726 /usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000693 sec, idle 5 sec]
           ├─1727 /usr/sbin/zabbix_server: discoverer #1 [processed 0 rules in 0.010007 sec, idle 60 sec]
           ├─1728 /usr/sbin/zabbix_server: history syncer #1 [synced 0 items in 0.000002 sec, idle 1 sec]
           ├─1729 /usr/sbin/zabbix_server: history syncer #2 [synced 0 items in 0.000003 sec, idle 1 sec]
           ├─1732 /usr/sbin/zabbix_server: history syncer #3 [synced 0 items in 0.000002 sec, idle 1 sec]
           ├─1733 /usr/sbin/zabbix_server: history syncer #4 [synced 0 items in 0.000001 sec, idle 1 sec]
           ├─1736 /usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.000602 sec, idle 3 sec]
           ├─1737 /usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000003 sec, idle 5 sec]
           ├─1738 /usr/sbin/zabbix_server: self-monitoring [processed data in 0.000006 sec, idle 1 sec]
           ├─1739 /usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.000690 sec, idle 5 sec]
           ├─1740 /usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000011 sec, idle 5 sec]
           ├─1742 /usr/sbin/zabbix_server: poller #2 [got 0 values in 0.000005 sec, idle 5 sec]
           ├─1743 /usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000005 sec, idle 5 sec]
           ├─1744 /usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000005 sec, idle 5 sec]
           ├─1745 /usr/sbin/zabbix_server: poller #5 [got 0 values in 0.000003 sec, idle 5 sec]
           ├─1748 /usr/sbin/zabbix_server: unreachable poller #1 [got 0 values in 0.000004 sec, idle 5 sec]
           ├─1749 /usr/sbin/zabbix_server: trapper #1 [processed data in 0.000000 sec, waiting for connection]
           ├─1750 /usr/sbin/zabbix_server: trapper #2 [processed data in 0.000000 sec, waiting for connection]
           ├─1751 /usr/sbin/zabbix_server: trapper #3 [processed data in 0.000000 sec, waiting for connection]
           ├─1752 /usr/sbin/zabbix_server: trapper #4 [processed data in 0.000000 sec, waiting for connection]
           ├─1753 /usr/sbin/zabbix_server: trapper #5 [processed data in 0.000000 sec, waiting for connection]
           ├─1754 /usr/sbin/zabbix_server: icmp pinger #1 [got 0 values in 0.000006 sec, idle 5 sec]
           ├─1755 /usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.008712 sec during 5.008714 sec]
           ├─1756 /usr/sbin/zabbix_server: preprocessing manager #1 [queued 0, processed 0 values, idle 5.004940 sec during 5.00...
           ├─1758 /usr/sbin/zabbix_server: preprocessing worker #1 started
           ├─1759 /usr/sbin/zabbix_server: preprocessing worker #2 started
           └─1761 /usr/sbin/zabbix_server: preprocessing worker #3 started

Mar 31 00:07:51 zabbix systemd[1]: Starting Zabbix Server...
Mar 31 00:07:51 zabbix systemd[1]: zabbix-server.service: Supervising process 1715 which is not our child. We'll most lik... exits.
Mar 31 00:07:51 zabbix systemd[1]: Started Zabbix Server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@zabbix ~]#
```
Log:
```
[root@zabbix ~]# tail -f /var/log/zabbix/zabbix_server.log
 28693:20180331:000124.442 server #22 started [unreachable poller #1]
 28700:20180331:000124.443 server #29 started [alert manager #1]
 28701:20180331:000124.446 cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.
 28700:20180331:000124.448 cannot start alert manager service: Cannot bind socket to "/var/run/zabbix/zabbix_server_alerter.sock": [13] Permission denied.
 28671:20180331:000124.450 One child process died (PID:28701,exitcode/signal:1). Exiting ...
 28671:20180331:000126.452 syncing history data...
 28671:20180331:000126.452 syncing history data done
 28671:20180331:000126.452 syncing trend data...
 28671:20180331:000126.452 syncing trend data done
 28671:20180331:000126.452 Zabbix Server stopped. Zabbix 3.4.7 (revision 77720).
  1715:20180331:000751.516 Starting Zabbix Server. Zabbix 3.4.7 (revision 77720).
  1715:20180331:000751.516 ****** Enabled features ******
  1715:20180331:000751.516 SNMP monitoring: YES
  1715:20180331:000751.516 IPMI monitoring: YES
  1715:20180331:000751.516 Web monitoring: YES
  1715:20180331:000751.516 VMware monitoring: YES
  1715:20180331:000751.516 SMTP authentication: YES
  1715:20180331:000751.516 Jabber notifications: YES
  1715:20180331:000751.516 Ez Texting notifications: YES
  1715:20180331:000751.516 ODBC: YES
  1715:20180331:000751.517 SSH2 support: YES
  1715:20180331:000751.517 IPv6 support: YES
  1715:20180331:000751.517 TLS support: YES
  1715:20180331:000751.517 ******************************
  1715:20180331:000751.517 using configuration file: /etc/zabbix/zabbix_server.conf
  1715:20180331:000751.630 current database version (mandatory/optional): 03040000/03040006
  1715:20180331:000751.631 required mandatory version: 03040000
  1715:20180331:000751.968 server #0 started [main process]
  1720:20180331:000751.969 server #1 started [configuration syncer #1]
  1721:20180331:000751.969 server #2 started [alerter #1]
  1722:20180331:000751.970 server #3 started [alerter #2]
  1723:20180331:000751.971 server #4 started [alerter #3]
  1724:20180331:000751.972 server #5 started [housekeeper #1]
  1725:20180331:000751.973 server #6 started [timer #1]
  1726:20180331:000751.975 server #7 started [http poller #1]
  1727:20180331:000751.977 server #8 started [discoverer #1]
  1728:20180331:000751.978 server #9 started [history syncer #1]
  1729:20180331:000751.980 server #10 started [history syncer #2]
  1732:20180331:000751.982 server #11 started [history syncer #3]
  1733:20180331:000751.982 server #12 started [history syncer #4]
  1736:20180331:000751.983 server #13 started [escalator #1]
  1737:20180331:000751.984 server #14 started [proxy poller #1]
  1738:20180331:000751.984 server #15 started [self-monitoring #1]
  1739:20180331:000751.985 server #16 started [task manager #1]
  1740:20180331:000751.987 server #17 started [poller #1]
  1742:20180331:000751.988 server #18 started [poller #2]
  1744:20180331:000751.989 server #20 started [poller #4]
  1752:20180331:000751.994 server #26 started [trapper #4]
  1745:20180331:000751.994 server #21 started [poller #5]
  1751:20180331:000751.995 server #25 started [trapper #3]
  1756:20180331:000751.998 server #30 started [preprocessing manager #1]
  1758:20180331:000751.999 server #31 started [preprocessing worker #1]
  1754:20180331:000752.000 server #28 started [icmp pinger #1]
  1750:20180331:000752.001 server #24 started [trapper #2]
  1753:20180331:000752.001 server #27 started [trapper #5]
  1759:20180331:000752.003 server #32 started [preprocessing worker #2]
  1748:20180331:000752.003 server #22 started [unreachable poller #1]
  1749:20180331:000752.003 server #23 started [trapper #1]
  1755:20180331:000752.005 server #29 started [alert manager #1]
  1743:20180331:000752.005 server #19 started [poller #3]
  1761:20180331:000752.008 server #33 started [preprocessing worker #3]
^C
[root@zabbix ~]#
```
——————————————————
Done.
I love you SO MUCH, thanks!!!!!