Zabbix You do not have the SUPER privilege and binary logging is enabled


Background:

Server: Linux CentOS 7

Service versions: MySQL 8.0, zabbix-proxy 6.0

Incident:

Running systemctl restart zabbix-proxy.service fails with an error:

Job for zabbix-proxy.service failed because the control process exited with error code.
See "systemctl status zabbix-proxy.service" and "journalctl -xe" for details.

Following the hint, check the error details:

# journalctl -xe
--
-- The unit zabbix-proxy.service has entered the failed state with result protocol.
Feb 2 03:40:20 systemd[1]: Failed to start Zabbix Proxy.
-- Subject: Unit zabbix-proxy.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit zabbix-proxy.service has failed.
--
-- The result is failed.
Feb 2 03:40:22 setroubleshoot[192927]: SELinux is preventing mysqld from create access on the sock_file mysqlx.sock. For comp>
Feb 2 03:40:22 setroubleshoot[192927]: SELinux is preventing mysqld from create access on the sock_file mysqlx.sock.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow mysqld to have create access on the mysqlx.sock sock_file
Then you need to change the label on mysqlx.sock
Do
# semanage fcontext -a -t FILE_TYPE mysqlx.sock
where FILE_TYPE is one of the following: mysqld_db_t, mysqld_var_run_t.
Then execute:
restorecon -v mysqlx.sock


***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that mysqld should be allowed create access on the mysqlx.sock sock_fil>
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c mysqld --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp

Feb 2 03:40:22 setroubleshoot[192927]: AnalyzeThread.run(): Set alarm timeout to 10

Following the suggestion in the log, run these steps:

# ausearch -c mysqld --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp

Try to start zabbix-proxy: it fails to start.

Checking the database status shows that the database is down as well:

# systemctl status mysql.service
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat Feb 2 03:40:23 -05; 1min 44s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 1619 ExecStart=/usr/sbin/mysqld (code=exited, status=2)
Process: 1602 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 1619 (code=exited, status=2)
Status: "Server startup in progress"

Feb 2 03:40:22 asus2016-vb01 systemd[1]: mysql.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Feb 2 03:40:22 asus2016-vb01 systemd[1]: mysql.service: Failed with result exit-code.
Feb 2 03:40:22 asus2016-vb01 systemd[1]: Failed to start MySQL Community Server.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: mysql.service: Service hold-off time over, scheduling restart.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: mysql.service: Scheduled restart job, restart counter is at 9.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: Stopped MySQL Community Server.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: mysql.service: Start request repeated too quickly.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: mysql.service: Failed with result exit-code.
Feb 2 03:40:23 asus2016-vb01 systemd[1]: Failed to start MySQL Community Server.

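Try to start mysql: it fails to start.

A look at journalctl -xe shows that SELinux is what prevents the database from starting.

# Check the SELinux status
# getenforce
Enforcing

# Temporarily disable SELinux enforcement (permissive mode)
# setenforce 0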

Try to start mysql again: it starts successfully!

Try to start zabbix-proxy: it fails to start.

zabbix-proxy.log shows this error:

query failed: [1419] you do not have the super privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable) [create trigger hosts_name_upper_insert。。。

Log in to MySQL and change the zabbix privileges:

# mysql -uroot
mysql> SHOW VARIABLES LIKE 'log_bin_trust_function_creators';
+---------------------------------+-------+
| Variable_name | Value |
+---------------------------------+-------+
| log_bin_trust_function_creators | OFF |
+---------------------------------+-------+
1 row in set (0.00 sec)

mysql> SET GLOBAL log_bin_trust_function_creators = 1;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW VARIABLES LIKE 'log_bin_trust_function_creators';
+---------------------------------+-------+
| Variable_name | Value |
+---------------------------------+-------+
| log_bin_trust_function_creators | ON |
+---------------------------------+-------+
1 row in set (0.00 sec)

mysql> SELECT Host,User,Super_priv FROM mysql.user;
+-----------+------------------+------------+
| Host | User | Super_priv |
+-----------+------------------+------------+
| % | zabbix_monitor | N |
| localhost | mysql.infoschema | N |
| localhost | mysql.session | Y |
| localhost | mysql.sys | N |
| localhost | root | Y |
| localhost | zabbix | N |
+-----------+------------------+------------+
6 rows in set (0.00 sec)

mysql> UPDATE mysql.user SET Super_Priv='Y' WHERE user='zabbix_monitor' AND host='%';
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT Host,User,Super_priv FROM mysql.user;
+-----------+------------------+------------+
| Host | User | Super_priv |
+-----------+------------------+------------+
| % | zabbix_monitor | Y |
| localhost | mysql.infoschema | N |
| localhost | mysql.session | Y |
| localhost | mysql.sys | N |
| localhost | root | Y |
| localhost | zabbix | N |
+-----------+------------------+------------+
6 rows in set (0.00 sec)

mysql> exit

Now try to start zabbix-proxy: it starts successfully!

!!! Important !!! ⬇️

The changes made above need to be reverted to their previous state.

Restore the database privileges:

# mysql -uroot
mysql> SET GLOBAL log_bin_trust_function_creators = 0;
Query OK, 0 rows affected (0.00 sec)

mysql> UPDATE mysql.user SET Super_Priv='N' WHERE user='zabbix_monitor' AND host='%';
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW VARIABLES LIKE 'log_bin_trust_function_creators';
+---------------------------------+-------+
| Variable_name | Value |
+---------------------------------+-------+
| log_bin_trust_function_creators | OFF |
+---------------------------------+-------+
1 row in set (0.00 sec)

mysql> SELECT Host,User,Super_priv FROM mysql.user;
+-----------+------------------+------------+
| Host | User | Super_priv |
+-----------+------------------+------------+
| % | zabbix_monitor | N |
| localhost | mysql.infoschema | N |
| localhost | mysql.session | Y |
| localhost | mysql.sys | N |
| localhost | root | Y |
| localhost | zabbix | N |
+-----------+------------------+------------+
6 rows in set (0.00 sec)

mysql> exit

Restore the SELinux state:

# setenforce 1


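Lessons learned:

zabbix-proxy failed to start for two reasons:

1. SELinux was not turned off, which caused the service to fail to start.

2. The zabbix user in the database has no SUPER privilege and binary logging is enabled; this one takes careful checking to spot.

⚠️ For security reasons, the SELinux and SUPER privilege changes made above must be reverted once the problem is solved!!!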
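
The rollback described above can be checked mechanically. The following is an added example, not part of the original post: a POSIX shell function that takes the output of getenforce, the value of log_bin_trust_function_creators and the tab-separated mysql.user rows, and reports anything still left in the troubleshooting state. The SUPER baseline and the sample rows are assumptions constructed from the tables on this page.

```shell
#!/bin/sh
# Added example: audit that the temporary changes from this page were rolled back.
# On a live host the three inputs would come from:
#   getenforce
#   mysql -uroot -N -B -e "SELECT @@GLOBAL.log_bin_trust_function_creators"
#   mysql -uroot -N -B -e "SELECT Host,User,Super_priv FROM mysql.user"

# Assumed baseline: the accounts that held SUPER before any change on this page.
SUPER_BASELINE="localhost/root localhost/mysql.session"

# audit_rollback <getenforce output> <variable value> <tab-separated user rows>
# Prints one finding per line; prints nothing when everything is back to baseline.
audit_rollback() {
  enforce=$1; trust=$2; users=$3
  tab=$(printf '\t')
  [ "$enforce" = "Enforcing" ] || echo "SELINUX_NOT_ENFORCING:$enforce"
  case "$trust" in
    0|OFF) ;;
    *) echo "TRUST_FUNCTION_CREATORS_ON:$trust" ;;
  esac
  printf '%s\n' "$users" | while IFS="$tab" read -r host user priv; do
    [ "$priv" = "Y" ] || continue
    case " $SUPER_BASELINE " in
      *" $host/$user "*) ;;                      # expected SUPER holder
      *) echo "UNEXPECTED_SUPER:$user@$host" ;;  # privilege left behind
    esac
  done
}

# Constructed sample: mysql.user as it looks right after the UPDATE on this page.
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
  '%' zabbix_monitor Y \
  localhost mysql.infoschema N \
  localhost mysql.session Y \
  localhost mysql.sys N \
  localhost root Y \
  localhost zabbix N)

# Mid-troubleshooting state: all three changes are still in place.
audit_rollback Permissive ON "$SAMPLE_USERS"
```

Run it again after the restore steps; an empty result means SELinux is enforcing, the variable is off and no account outside the baseline holds SUPER.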
