zabbix4.4 啟動失敗分析

zabbix是基于WEB界面提供分布式系統監視以及網絡監視功能的企業級開源解決方案，能監視各種網絡參數，保證服務器系統的安全運營；并提供靈活的通知機制以讓系統管理員快速定位/解決存在的各種問題。
做為開源用戶的支持者，我們大部分環境用的軟件包含監控軟件、數據庫、繼承應用、操作系統等都是用開源的，例如centos、PG、zabbix、openshift等，但是開源的在成熟度上是不錯，但是安裝軟件有時比較麻煩，例如centos的安全開關，默認情況下會導致我們在安裝openshift、zabbix等導致失敗，而錯誤日志提示往往與實際十萬三千里，但是有經驗的在安裝完系統后會有意識性的去修改配置，避免不必要的問題，
如下問題：
在安裝配置好zabbix后無法正常啟動，原因是SELINUX設置問題導致啟動失敗，
故障分析：
[root@localhost zabbix]# systemctl start zabbix-server.service
Job for zabbix-server.service failed because a configured resource limit was exceeded. See "systemctl status zabbix-server.service" and "journalctl -xe" for details.
[root@localhost zabbix]# journalctl -xe
-- Defined-By: systemd
-- Support:?http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--?
-- Unit zabbix-server.service has begun starting up.
1月 07 15:21:17 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start.
1月 07 15:21:17 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing.
1月 07 15:21:17 localhost.localdomain systemd[1]: Failed to start Zabbix Server.
-- Subject: Unit zabbix-server.service has failed
-- Defined-By: systemd
-- Support:?http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--?
-- Unit zabbix-server.service has failed.
--?
-- The result is failed.
1月 07 15:21:17 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state.
1月 07 15:21:17 localhost.localdomain systemd[1]: zabbix-server.service failed.
1月 07 15:21:17 localhost.localdomain polkitd[804]: Unregistered Authentication Agent for unix-process:6787:8831344 (system bus name
1月 07 15:21:24 localhost.localdomain polkitd[804]: Registered Authentication Agent for unix-process:6797:8832061 (system bus name :
1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service holdoff time over, scheduling restart.
1月 07 15:21:27 localhost.localdomain systemd[1]: Starting Zabbix Server...
-- Subject: Unit zabbix-server.service has begun start-up
-- Defined-By: systemd
-- Support:?http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit zabbix-server.service has begun starting up.
1月 07 15:21:27 localhost.localdomain systemd[1]: PID file /run/zabbix/zabbix_server.pid not readable (yet?) after start.
1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service never wrote its PID file. Failing.
1月 07 15:21:27 localhost.localdomain systemd[1]: Failed to start Zabbix Server.
-- Subject: Unit zabbix-server.service has failed
-- Defined-By: systemd
-- Support:?http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--?
-- Unit zabbix-server.service has failed.
--?
-- The result is failed.
1月 07 15:21:27 localhost.localdomain systemd[1]: Unit zabbix-server.service entered failed state.
1月 07 15:21:27 localhost.localdomain systemd[1]: zabbix-server.service failed.
1月 07 15:21:27 localhost.localdomain polkitd[804]: Unregistered Authentication Agent for unix-process:6797:8832061 (system bus name
lines 1907-1944/1944 (END)
Last login: Tue Jan 7 23:24:43 2020 from 10.100.81.67

查看 zabbix 日志分析：
發現日志提示權限問題：

5966:20200107:145500.376 using configuration file: /etc/zabbix/zabbix_server.conf
5966:20200107:145500.376 cannot set resource limit: [13] Permission denied
5966:20200107:145500.376 cannot disable core dump, exiting...
5976:20200107:145506.314 Starting Zabbix Server. Zabbix 4.4.4 (revision 3131fdac04

問題根源分析：

??[root@localhost logs]# getenforce
Enforcing------這時發現selinux的配置是Enforcing
[root@localhost logs]# sestatus
SELinux status: ? ? ? ? ? ? ? ? enabled
SELinuxfs mount: ? ? ? ? ? ? ? ?/sys/fs/selinux
SELinux root directory: ? ? ? ? /etc/selinux
Loaded policy name: ? ? ? ? ? ? targeted
Current mode: ? ? ? ? ? ? ? ? ? enforcing
Mode from config file: ? ? ? ? ?enforcing
Policy MLS status: ? ? ? ? ? ? ?enabled
Policy deny_unknown status: ? ? allowed
Max kernel policy version: ? ? ?28
[root@localhost logs]# cd /etc/selinux
[root@localhost selinux]# ls
config ?final ?semanage.conf ?targeted ?tmp

直接把selinux 關掉如下：
[root@localhost selinux]# vi config?

This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
? ? enforcing - SELinux security policy is enforced.
? ? permissive - SELinux prints warnings instead of enforcing.
? ? disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE= can take one of three two values:
? ? targeted - Targeted processes are protected,
? ? minimum - Modification of targeted policy. Only selected processes are protected.
? ? mls - Multi Level Security protection.
SELINUXTYPE=targeted

優化修改SELINUX=disabled?
[root@localhost selinux]# vi config

#This file controls the state of SELinux on the system.
#SELINUX= can take one of these three values:
#enforcing - SELinux security policy is enforced.
#permissive - SELinux prints warnings instead of enforcing.
#disabled - No SELinux policy is loaded.
SELINUX=disabled
#SELINUXTYPE= can take one of three two values:
#targeted - Targeted processes are protected,
#minimum - Modification of targeted policy. Only selected #processes are protected.
#mls - Multi Level Security protection.
SELINUXTYPE=targeted

重新啟動：

[root@localhost ~]# systemctl start zabbix-server.service
[root@localhost ~]# systemctl status zabbix-server.service
● zabbix-server.service - Zabbix Server
Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2020-01-07 15:26:56 CST; 6s ago
Process: 1529 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
Main PID: 1531 (zabbix_server)
CGroup: /system.slice/zabbix-server.service
└─1531 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf

1月 07 15:26:56 localhost.localdomain systemd[1]: Starting Zabbix Server...
1月 07 15:26:56 localhost.localdomain systemd[1]: zabbix-server.service: Supervising process 1531 which is not our child. ...exits.
1月 07 15:26:56 localhost.localdomain systemd[1]: Started Zabbix Server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]#

因此，一般在安裝一些開源軟件，如MYSQL、POSTGRES、zabbix、openshift等，在安裝前先檢查下系統對應版本是否與需安裝的軟件兼容性、在檢查下下，防火墻、安全等是否開啟，如下：
1、iptables開啟和關閉
2、SELinux開啟和關閉
3、CentOS 6和CentOS 7 firewalld防火墻的開與關等