In my environment, I was able to create a socket with the same permissions by restarting the service without restarting the OS or manually changing the permissions. Did you just happen to be unable to connect due to the order and timing of startup?

I've tried several different service startup orders and I always get the same issue. The only ways I get that "+" in the permissions is to reboot.

What config file is used to grant permission to zabbix.sock? I looked around and didn't find one that dealt with permissions.

Digging a little deeper I found out that the user 'apache' is removed from the permissions after the service restart. Do you know what might be causing that?

Hi!

"+" means that you are using ACL, you have to check ACL settings:

if nessesary use the command to change your ACL and fix your issue:

I tried that last code block and it didn't add a new user. I was trying to add apache, but also tried zabbix and neither was added.

Please check permissions for the directory:

It's root:root for the whole file path.

check code:


/var/opt/rh/rh-php72/run/php-fpm/

Your environment may have requirements that meant you had to deploy on RHEL 7, but in general RHEL 8 would have been a better choice for a new Zabbix install. The Zabbix developers stopped supporting RHEL 7 as a Zabbix server (it's still supported for the agent) in the 5.2.x series, so your upgrade path to later versions is going to be complicated.

My site is using a similar environment to you (RHEL 7, Zabbix 5.0.24, php 7.2.24 (not 7.2.34) from SCL, MariaDB 10.2.33 from SCL) because we ran earlier versions of Zabbix on RHEL 7. I'll have to rebuild this server as RHEL 8 before I consider upgrading to Zabbix 6.0.x LTS.

The PHP-FPM pool configuration controls whether you're using a port or a socket, and permissions on the socket. You want to look at the conf file in /etc/opt/rh/rh-php72/php-fpm.d/ . It's probably called 'zabbix.conf', but depending upon how you did the install, it might be something different.

You want to look at the settings after 'listen' (which defines whether you're using a port or a socket), in particular listen.owner, listen.group, listen.mode and listen.acl_users.

Two more things, unrelated to your question:

1. the rh-php72 SCL distribution seems to have a memory leak. My site has seen it with other software using rh-php72, and others on these forums have seen it with the Zabbix front-end. You may want to look at the 'pm.max_requests' setting in the pool config file, setting it to something in the 200-1000 range to cause the PHP-FPM workers to die off periodically, after they've served N number of connections.
2. the Zabbix software requirements guide probably says something like "MariaDB 10.1 or later", but considering how recent MariaDB 10.7.x is, it's not widely tested with Zabbix 5.0. I think it just got validated with Zabbix 6.0 or 6.2, but I would have to look to be sure. All this is to say that for Zabbix 5.0 LTS, you might have an easier time with an older version of MariaDB. If 10.7.x is working for you, great! But you might run into unexpected issues down the road.

I'm still having permission issues with the zabbix.sock file.

1. I edited /usr/lib/systemd/system/rh-php72-php-fpm.service to add user=apache and group=apache.
2. I edited /etc/opt/rh/rh-php72/php-fpm.d/www.conf to use apache for user and groups.
3. I edited /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf to include apache for user and groups.

After running "systemctl daemon-reload" and restarting the services "systemctl restart zabbix-server zabbix-agent httpd rh-php72-php-fpm" I still get the same issue with apache being removed from the permissions of var/opt/rh/rh-php72/run/php-fpm/zabbix.sock.

The only way I get the correct permissions on the .sock file is if I reboot the system. I can't figure out how the .sock file is created on reboot, but then created differently just from restarting the services. I've run out of ideas of what to check. I've gone through all the logs I can think of and nothing pops out to me.

Sorry you're still encountering this issue. It's possible you're running into some weird bug or SCL issue that's causing this. With the earlier PHP 7.x releases (7.0, 7.1, and to some extent 7.2), the UNIX socket path method wasn't as well-tested as the TCP port method (i.e. 'listen = 127.0.0.1:9000"). The Red Hat default for rh-php72-php-fpm is to use a TCP port, not a UNIX socket path. With PHP 7.3 and later, I think the default changed to the UNIX socket method (which is much faster, which is preferred for busy sites but doesn't make much difference for low-traffic sites).

Doing some testing, I can reproduce your issue.

Try this as a workaround, to see if it fixes it for you:

1. Remove the 'user=apache' and 'group=apache' from the rh-php72-php-fpm.service systemd service file. That may cause other problems, and it's not fixing the issue here. Note that if you need to modify a systemd service file in the future, don't edit the file directly, instead use 'systemctl edit whatever.service'. That automatically creates an override file for you, so your customizations are preserved even if the /usr/lib/systemd/system/whatever.service is updated.
2. In /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf, make the following changes:
   1. Your settings for user and group are good, leave them as they are
   2. comment out your settings for 'listen.acl_users', 'listen.acl_groups', and especially 'listen.allowed_clients'. The 'listen.allowed_clients' is only supposed to be used when you're using a network port. It's not needed if you're using a unix socket. Having it set shouldn't be doing any harm, but as I said above, the UNIX socket method wasn't well-tested in earlier versions of PHP-FPM, so it's better to just leave it commented out.
   3. add the settings (if your file has comments and a list of available statements, these two lines would be just above the 'listen.acl_users' and 'listen.acl_group' that you commented out in step 2):

You don't need to uncomment or set 'listen.mode', the default of 0660 should be what you want.

Now try your reboot and your service restart, and see if you reliably get the socket permissions you want.

Thank you, that worked!!!