Page MenuHomeVyOS Platform
Create Task
Maniphest T5657

Add VRF support for zabbix-agent
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Most monitoring is typically driven over a management network, which is usually bound to a VRF, which for some reason is missing in the current implementation. Proposing to add it :)

Details

Version
-
Is it a breaking change?
Perfectly compatible

Related Objects

Event Timeline

bbabich created this task.Oct 14 2023, 2:36 PM
bbabich created this object in space S1 VyOS Public.
Viacheslav subscribed.Oct 14 2023, 5:23 PM

Did you test it in vrf? Is it really works as expected?

pasik subscribed.Oct 14 2023, 5:50 PM
bbabich added a comment.Oct 17 2023, 3:03 AM

Yep looks fine @Viacheslav
I've been using it like this for a while now but figure it may be useful as part of making 'VRFs' complete...

$ sudo ip vrf exec RCS3 mtr 192.168.222.11

image.png (282×1 px, 120 KB)

Viacheslav added a comment.Oct 17 2023, 6:43 AM
In T5657#162236, @bbabich wrote:

Yep looks fine @Viacheslav
I've been using it like this for a while now but figure it may be useful as part of making 'VRFs' complete...

$ sudo ip vrf exec RCS3 mtr 192.168.222.11

image.png (282×1 px, 120 KB)

How does MTR related to Zabbix?

bbabich added a comment.Oct 17 2023, 8:08 AM

Good point @Viacheslav apologies I was distracted at the time.
I can make it work by starting manually ( # ip vrf exec RCS3 zabbix_agent2 -c /run/zabbix/zabbix-agent2.conf )so I guess updating the systemd units file (/lib/systemd/system/zabbix-agent2.service) should make this work.

bbabich changed the task status from Open to In progress.Nov 6 2023, 4:52 AM
bbabich claimed this task.
Viacheslav added a comment.Jan 19 2024, 10:58 PM

@bbabich Are you working on it?

dmbaturin removed a project: VyOS 1.4 Sagitta.Apr 12 2024, 2:37 PM
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Apr 12 2024, 3:23 PM
vyosbot removed bbabich as the assignee of this task.Jul 12 2024, 6:02 AM
Viacheslav claimed this task.Jul 31 2024, 11:48 AM
Viacheslav added a comment.Jul 31 2024, 1:48 PM

There are issues with cgroups when enabling VRF

$ git diff
diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2
index 7c296e8fd..0acf775be 100644
--- a/data/templates/zabbix-agent/10-override.conf.j2
+++ b/data/templates/zabbix-agent/10-override.conf.j2
@@ -1,3 +1,4 @@
+{% set zabbix_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
 [Unit]
 After=
 After=vyos-router.service
@@ -7,7 +8,9 @@ ConditionPathExists=/run/zabbix/zabbix-agent2.conf
 [Service]
 EnvironmentFile=
 ExecStart=
-ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
+ExecStart={{ zabbix_command }}/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER
 WorkingDirectory=
 WorkingDirectory=/run/zabbix
 Restart=always
diff --git a/interface-definitions/service_monitoring_zabbix-agent.xml.in b/interface-definitions/service_monitoring_zabbix-agent.xml.in
index 3754e9145..e44b31312 100644
--- a/interface-definitions/service_monitoring_zabbix-agent.xml.in
+++ b/interface-definitions/service_monitoring_zabbix-agent.xml.in
@@ -185,6 +185,7 @@
                 </properties>
                 <defaultValue>3</defaultValue>
               </leafNode>
+              #include <include/interface/vrf.xml.i>
             </children>
           </node>
         </children>

config:

set service monitoring zabbix-agent host-name 'r4'
set service monitoring zabbix-agent server '192.168.122.1'
set service monitoring zabbix-agent vrf 'mgmt'

log:

Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Scheduled restart job, restart counter is at 282.
Jul 31 16:47:30 r4 systemd[1]: Stopped zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 systemd[1]: Started zabbix-agent2.service - Zabbix Agent 2.
Jul 31 16:47:30 r4 ip[9020]: mkdir failed for /sys/fs/cgroup/system.slice/zabbix-agent2.service/vrf: Permission denied
Jul 31 16:47:30 r4 ip[9020]: Failed to setup vrf cgroup2 directory
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Main process exited, code=exited, status=255/EXCEPTION
Jul 31 16:47:30 r4 systemd[1]: zabbix-agent2.service: Failed with result 'exit-code'.

The only solution that I found is starting the unit from the User=root

Viacheslav added a comment.Jul 31 2024, 3:34 PM

PR https://github.com/vyos/vyos-1x/pull/3919

Restricted Repository Identity mentioned this in rVYOSONEXcab6560949ac: Merge pull request #3919 from sever-sever/T5657.Aug 1 2024, 5:44 AM
Viacheslav mentioned this in rVYOSONEXab331fab9e92: T5657: Add VRF support for zabbix-agent.Aug 1 2024, 5:44 AM
Viacheslav added a comment.Aug 1 2024, 10:03 AM

Request to drop privileges https://support.zabbix.com/browse/ZBXNEXT-9380

syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.Oct 30 2024, 10:49 PM
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM
Viacheslav closed this task as Resolved.Feb 17 2025, 7:35 AM
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.