Request to drop privileges https://support.zabbix.com/browse/ZBXNEXT-9380
Aug 1 2024
Jul 31 2024
There are issues with cgroups when enabling VRF
$ git diff diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2 index 7c296e8fd..0acf775be 100644 --- a/data/templates/zabbix-agent/10-override.conf.j2 +++ b/data/templates/zabbix-agent/10-override.conf.j2 @@ -1,3 +1,4 @@ +{% set zabbix_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After= After=vyos-router.service @@ -7,7 +8,9 @@ ConditionPathExists=/run/zabbix/zabbix-agent2.conf [Service] EnvironmentFile= ExecStart= -ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground +ExecStart={{ zabbix_command }}/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground +CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER +AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BPF CAP_DAC_OVERRIDE CAP_FOWNER WorkingDirectory= WorkingDirectory=/run/zabbix Restart=always diff --git a/interface-definitions/service_monitoring_zabbix-agent.xml.in b/interface-definitions/service_monitoring_zabbix-agent.xml.in index 3754e9145..e44b31312 100644 --- a/interface-definitions/service_monitoring_zabbix-agent.xml.in +++ b/interface-definitions/service_monitoring_zabbix-agent.xml.in @@ -185,6 +185,7 @@ </properties> <defaultValue>3</defaultValue> </leafNode> + #include <include/interface/vrf.xml.i> </children> </node> </children>
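Review bot: In the [Service] hunk of 10-override.conf.j2, CapabilityBoundingSet= and AmbientCapabilities= are added unconditionally, so an agent with no VRF configured gets the same capability set (including CAP_SYS_ADMIN, CAP_BPF and CAP_DAC_OVERRIDE) as one started through ip vrf exec. Ambient capabilities are inherited across exec, so they end up on zabbix_agent2 itself and not only on the ip vrf exec wrapper. Suggest wrapping both lines in {% if vrf is vyos_defined %} ... {% endif %}, trimming the list to what ip vrf exec actually requires, and adding a comment that says why each capability is there.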
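Review bot: In the first hunk of 10-override.conf.j2, the {% set zabbix_command = ... %} line concatenates vrf directly into the ExecStart= command line, and nothing in the visible lines quotes or checks the value. That is only safe if the included include/interface/vrf.xml.i restricts the value to a plain VRF name, so please confirm that it does. A short comment next to the set line noting that the trailing space is intentional would also help the next reader of the ExecStart= line.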
I was hoping some combination of the newer QAT driver 4.24 and newer kernel in the latest rolling releases might fix this... but seemingly not.
I finally managed to give 1.5 a run and the first thing I did was check this. Perfect! Thank you everyone,
Jul 30 2024
Can someone test/check if it works as expected?
My opinion is largely based on my recent use-case for this, the GRE-match ethertype fields. I remember grumbling a couple of times about needing to convert bases to decimal in the past, but it's been too long to remember specifically what I was configuring at the time.
I have a related question too.
I am not against the Python implementation, but why isn't ulogd2 simply used for this?
Top level op mode words have specific meanings in VyOS. clear is reserved for completely non-disruptive operations: clearing the screen, clearing rule counters... reset is for locally-disruptive operations.
Since removing a neighbor table entry can lead to lost packets or increased latencies for new connections, it doesn't qualify for clear, which is why it was called reset.
I'd prefer to keep that terminology consistent. BGP neighbors in Cisco IOS are also under clear, but we don't plan to mimic that, do we? ;)