
zabbix_server role must be run as root. #922

Closed
beargiles opened this issue Mar 21, 2023 · 3 comments
Labels
bug Something isn't working role The issue or pull request is related to Zabbix role

Comments

@beargiles

SUMMARY

The zabbix_server role must be run as root.

I'm calling this a 'bug', not a 'feature enhancement', since so many places have policies against
running ansible playbooks as root. It is acceptable to use the -K flag and use 'become:' as little
as possible since this allows finer control of access (in sudoers) and better logging of what's done.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

zabbix_server role

ANSIBLE VERSION
ansible [core 2.14.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/bgiles/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/bgiles/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT / Zabbix Version
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"

Linux rack0.coyotesong.net 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
STEPS TO REPRODUCE

Run this playbook with ansible-playbook -K install-server.yml:

- hosts: zabbix-server
  vars:
    # elided...
  tasks:
    - name: install zabbix server
      vars:
        zabbix_server_database: pgsql
        zabbix_server_database_long: postgresql
      ansible.builtin.include_role:
        name: community.zabbix.zabbix_server

The documentation's equivalent is:

  - hosts: zabbix-server
    roles:
      - role: community.zabbix.zabbix_server
        zabbix_server_database: mysql
        zabbix_server_database_long: mysql
EXPECTED RESULTS

Successful completion of the ansible script.

Successful launch of the zabbix-server service.

● zabbix-server.service - Zabbix Server
     Loaded: loaded (/lib/systemd/system/zabbix-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-03-21 13:09:49 MDT; 2h 25min ago
    Process: 2625177 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
   Main PID: 2625179 (zabbix_server)
      Tasks: 48 (limit: 76979)
     Memory: 70.2M
        CPU: 17.360s
     CGroup: /system.slice/zabbix-server.service
             ├─2625179 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf

  • when calling touch /etc/zabbix/schema.done in a script (no permissions)
  • when copying the new zabbix-server.conf file from the temporary working directory to /etc/zabbix/.

The former can be handled by briefly setting the directory permissions to 0777, but the latter would
also require changing the ownership of the initial file that's created earlier in the scripts.

ACTUAL RESULTS

First the 'create database schema' step failed due to insufficient permissions when attempting
to run touch /etc/zabbix/schema.done in a child shell.

After changing the permissions on /etc/zabbix to 0777 and rerunning, the scripts failed
when attempting to copy the new zabbix-server.conf file into /etc/zabbix. (Apparently because
the temporary file created earlier is now owned by root.)

The script successfully completes when I run it as root: sudo ansible-playbook ....

At first glance it looks like it might be possible to successfully run the script using

$ sudo -u zabbix ansible-playbook ....

but this would require some preparation (e.g., creating the user, group, and directory). If this
works it should be added as a comment in the example playbook.

However I think it would be better to have 'become: true, become_user: zabbix' everywhere required.

@markuman
Member

Try setting become at role level when you don't want to set it at play level.
Imo, running ansible with sudo is not necessary.

  - hosts: zabbix-server
    roles:
      - role: community.zabbix.zabbix_server
        zabbix_server_database: mysql
        zabbix_server_database_long: mysql
        become: true

@dj-wasabi
Contributor

@markuman

Just like with the zabbix-agent, which has several tasks that have become: true, the TS wants to have a similar setup for the Zabbix Server deployment, where only the real 'root' related tasks are executed as user root. Specifying become: true at role level - which is probably what most users do - results in all the tasks running as root, even though probably 9 out of 10 tasks do not need to run as user 'root'. So it is also a security related improvement.
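The per-task escalation pattern described above, written out as an added illustration (this is not code from the community.zabbix collection or from anyone in the thread). It assumes a zabbix-server host group, a zabbix_server.conf.j2 template, and a staging path under /tmp; the two escalated tasks correspond to the two failure points the issue names, and everything else runs as the unprivileged connection user.

```yaml
# Added illustration, not the collection's own role: keep the play
# unprivileged and escalate only where root is genuinely required.
# Host group, template name and staging path are assumptions.
- hosts: zabbix-server
  become: false                      # play-level default: stay unprivileged
  vars:
    zabbix_server_conf_dir: /etc/zabbix
    zabbix_server_staged_conf: /tmp/zabbix_server.conf.rendered   # assumed staging path
  tasks:
    - name: Render the server configuration into a staging file (no root needed)
      ansible.builtin.template:
        src: zabbix_server.conf.j2   # assumed template name
        dest: "{{ zabbix_server_staged_conf }}"
        mode: "0600"

    - name: Install the rendered configuration into /etc/zabbix (root required)
      ansible.builtin.copy:
        src: "{{ zabbix_server_staged_conf }}"
        dest: "{{ zabbix_server_conf_dir }}/zabbix_server.conf"
        remote_src: true             # the staged file lives on the managed host
        owner: root
        group: zabbix
        mode: "0640"                 # readable by the service account, not world-readable
      become: true
      notify: restart zabbix-server

    - name: Record that the schema has been loaded (root required to write under /etc/zabbix)
      ansible.builtin.file:
        path: "{{ zabbix_server_conf_dir }}/schema.done"
        state: touch
        owner: root
        group: zabbix
        mode: "0644"
        modification_time: preserve  # keep the task idempotent on reruns
        access_time: preserve
      become: true

  handlers:
    - name: restart zabbix-server
      ansible.builtin.systemd:
        name: zabbix-server
        state: restarted
      become: true                   # service management is the only other root step
```

With this layout `ansible-playbook -K` prompts once for the sudo password, and the sudoers rule for the connection user can be scoped to the handful of commands Ansible's become plugin runs for these tasks rather than to a blanket ALL; the rendered configuration is staged with mode 0600 so it is never world-readable while it sits in /tmp.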

@BGmot BGmot added the bug Something isn't working label Mar 29, 2023
@pyrodie18 pyrodie18 added the role The issue or pull request is related to Zabbix role label May 27, 2023
pyrodie18 added a commit that referenced this issue Jun 20, 2023
@beargiles
Author

Thanks for taking this seriously.
