Connection from <host IP> rejected, allowed hosts: "<zabbix 6 servers>"

  • nickeshc
    Junior Member
    • Apr 2023
    • 4

    #1

    Connection from <host IP> rejected, allowed hosts: "<zabbix 6 servers>"

    Hey all,

    I'm trying to connect a Zabbix agent running in Kubernetes, to a couple of active-passive external Zabbix 6 servers, but I'm not having any luck.
    The checks are passive only.

    From kubectl logs, I get this error message:
    Code:
    2023/06/19 14:45:40.964412 failed to accept an incoming connection: connection from "172.31.72.130" rejected, allowed hosts: "zabbix-server,zabap1.man.company.lan,zabap2.brd.company.lan"

    From the Server, the status is Unknown:
    [Screenshot: image.png]

    Here is a copy of my Helm zabbix_values.yaml, let me know if something isn't right here.
    Code:
    ## nameOverride -- Override name of app
    nameOverride: ""
    ## fullnameOverride -- Override the full qualified app name
    fullnameOverride: ""
    ## kube-state-metrics.enabled -- If true, deploys the kube-state-metrics deployment
    kube-state-metrics:
      enabled: true
    
    ## Service account for Kubernetes API
    rbac:
      ## rbac.create  Specifies whether the RBAC resources should be created
      create: true
      additionalRulesForClusterRole: []
      ##  - apiGroups: [ "" ]
      ##    resources:
      ##      - nodes/proxy
      ##    verbs: [ "get", "list", "watch" ]
    serviceAccount:
      ## serviceAccount.create  Specifies whether a service account should be created
      create: true
      ## serviceAccount.name  The name of the service account to use. If not set name is generated using the fullname template
      name: zabbix-service-account
    
    
    ##  **Zabbix proxy** configurations
    zabbixProxy:
      ## Enables use of **Zabbix proxy**
      enabled: false
      containerSecurityContext: {}
      resources: {}
      image:
        ## Zabbix proxy Docker image name
        repository: zabbix/zabbix-proxy-sqlite3
        ## Tag of Docker image of Zabbix proxy
        tag: alpine-6.0.18
        pullPolicy: IfNotPresent
        ## List of dockerconfig secrets names to use when pulling images. Secrets must be manually created in the namespace.
        ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
        ##      https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry
        pullSecrets: []
    
      env:
        ## The variable allows to switch Zabbix proxy mode. By default, value is 0 - active proxy. Allowed values are 0 and 1.
        - name: ZBX_PROXYMODE
          value: 0
        ## Zabbix proxy hostname
        - name: ZBX_HOSTNAME
          value: zabbix-proxy
        ## Zabbix server host
        ## If ProxyMode is set to active mode:
        ## IP address or DNS name of Zabbix server to get configuration data from and send data to.
    
        ## If ProxyMode is set to passive mode:
        ## List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix server. Incoming connections will be accepted only from the addresses listed here. If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally and '::/0' will allow any IPv4 or IPv6 address. '0.0.0.0/0' can be used to allow any IPv4 address.
        ## Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
    
        ## Note that since version 6.0 the variable ZBX_SERVER_PORT is not supported anymore. Instead, add a colon (:) followed by the port number to the end of ZBX_SERVER_HOST value.
        - name: ZBX_SERVER_HOST
          value: "127.0.0.1"
        ## The variable is used to specify debug level. By default, value is 3
        - name: ZBX_DEBUGLEVEL
          value: 3
        ## Cache size
        - name: ZBX_CACHESIZE
          value: 128M
        ## The variable enable communication with Zabbix Java Gateway to collect Java related checks
        - name: ZBX_JAVAGATEWAY_ENABLE
          value: false
        ## How often proxy retrieves configuration data from Zabbix server in seconds. Active proxy parameter. Ignored for passive proxies.
        - name: ZBX_CONFIGFREQUENCY
          value: 60
        ## List can be extended with other environment variables listed here: https://github.com/zabbix/zabbix-docker/tree/6.0/Dockerfiles/proxy-sqlite3/alpine#other-variables
        ## For example:
        ## The variable is list of comma separated loadable Zabbix modules.
        ## - name: ZBX_LOADMODULE
        ##   value : dummy1.so,dummy2.so
    
    
      service:
        annotations: {}
        labels: {}
        ## Type of service for Zabbix proxy
        type: ClusterIP
        ## Port to expose service
        port: 10051
        ## Port of application pod
        targetPort: 10051
        ## Zabbix proxy Ingress externalIPs with optional path
        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
        ## Must be provided if ProxyMode is set to passive mode
        externalIPs: []
        ## Loadbalancer IP
        ## Only use if service.type is "LoadBalancer"
        ##
        loadBalancerIP: ""
        loadBalancerSourceRanges: []
    
    
      ## Node selector for Zabbix proxy
      nodeSelector: {}
    
      ## Tolerations configurations for Zabbix proxy
      tolerations: {}
    
      ## Affinity configurations for Zabbix proxy
      affinity: {}
    
      persistentVolume:
        ## If true, Zabbix proxy will create/use a Persistent Volume Claim
        ##
        enabled: false
    
        ## Zabbix proxy data Persistent Volume access modes
        ## Must match those of existing PV or dynamic provisioner
        ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
        ##
        accessModes:
          - ReadWriteOnce
    
        ## Zabbix proxy data Persistent Volume Claim annotations
        ##
        annotations: {}
    
        ## Zabbix proxy data Persistent Volume existing claim name
        ## Requires zabbixProxy.persistentVolume.enabled: true
        ## If defined, PVC must be created manually before volume will be bound
        existingClaim: ""
    
        ## Zabbix proxy data Persistent Volume mount root path
        ##
        mountPath: /data
    
        ## Zabbix proxy data Persistent Volume size
        ##
        size: 2Gi
    
        ## Zabbix proxy data Persistent Volume Storage Class
        ## If defined, storageClassName: <storageClass>
        ## If set to "-", storageClassName: "", which disables dynamic provisioning
        ## If undefined (the default) or set to null, no storageClassName spec is
        ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
        ##   GKE, AWS & OpenStack)
        ##
        storageClass: "-"
    
        ## Zabbix proxy data Persistent Volume Binding Mode
        ## If defined, volumeBindingMode: <volumeBindingMode>
        ## If undefined (the default) or set to null, no volumeBindingMode spec is
        ##   set, choosing the default mode.
        ##
        volumeBindingMode: ""
    
        ## Subdirectory of Zabbix proxy data Persistent Volume to mount
        ## Useful if the volume's root directory is not empty
        ##
        subPath: ""
    
    ## **Zabbix agent** configurations
    zabbixAgent:
      ## Enables use of Zabbix agent
      enabled: true
      resources: {}
          ##  requests:
          ##   cpu: 100m
          ##   memory: 54Mi
          ##  limits:
          ##   cpu: 100m
          ##   memory: 54Mi
    
      securityContext: {}
        # fsGroup: 65534
        # runAsGroup: 65534
        # runAsNonRoot: true
        # runAsUser: 65534
    
      containerSecurityContext: {}
        ## capabilities:
        ##   add:
        ##   - SYS_TIME
    
      ## Expose the service to the host network
      hostNetwork: true
    
      # Specify dns configuration options for agent containers e.g ndots
      ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
      dnsConfig: {}
      #  options:
      #  - name: ndots
      #    value: "1"
    
      ## Share the host process ID namespace
      hostPID: true
      ## If true, agent pods mounts host / at /host/root
      ##
      hostRootFsMount: true
      extraHostVolumeMounts: []
      ##  - name: <mountName>
      ##    hostPath: <hostPath>
      ##    mountPath: <mountPath>
      ##    readOnly: true|false
      ##    mountPropagation: None|HostToContainer|Bidirectional
      image:
        ## Zabbix agent Docker image name
        repository: zabbix/zabbix-agent2
        ## Tag of Docker image of Zabbix agent
        tag: alpine-6.0.18
        pullPolicy: IfNotPresent
        ## List of dockerconfig secrets names to use when pulling images. Secrets must be manually created in the namespace.
        ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
        ##      https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry
        pullSecrets: []
      env:
          ## Zabbix server host
        #- name: ZBX_SERVER_HOST
          #value: 0.0.0.0/0
          ## Zabbix server port
        - name: ZBX_SERVER_PORT
          value: 10051
          ## This variable is boolean (true or false) and enables or disables feature of passive checks. By default, value is true
        - name: ZBX_PASSIVE_ALLOW
          value: true
          ## This variable is boolean (true or false) and enables or disables feature of active checks
        - name: ZBX_ACTIVE_ALLOW
          value: false
          ## The variable is used to specify debug level, from 0 to 5
        - name: ZBX_DEBUGLEVEL
          value: 5
          ## The variable is used to specify timeout for processing checks. By default, value is 4.
        - name: ZBX_TIMEOUT
          value: 4
        ## List can be extended with other environment variables listed here: https://github.com/zabbix/zabbix-docker/tree/6.0/Dockerfiles/agent2/alpine#other-variables
        ## For example:
        ## The variable is comma separated list of allowed Zabbix server or proxy hosts for connections to Zabbix agent 2 container. You may specify port of Zabbix server or Zabbix proxy in such syntax: zabbix-server:10061,zabbix-proxy:10072
        ##  - name: ZBX_ACTIVESERVERS
        ##    value: zabap1.man.company.lan,zabap2.brd.company.lan
        ## The variable is comma separated list of allowed Zabbix server or proxy hosts for connections to Zabbix agent 2 container.
        - name: ZBX_PASSIVESERVERS
          value: zabap1.man.company.lan,zabap2.brd.company.lan
        ## The variable is list of comma separated loadable Zabbix modules. It works with volume /var/lib/zabbix/modules.
        ## - name: ZBX_LOADMODULE
        ##   value: ''
    
      ## Node selector for Agent. Only supports Linux.
      nodeSelector:
        kubernetes.io/os: linux
    
      ## Tolerations configurations
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      ## Affinity configurations
      affinity: {}
      serviceAccount:
        ## Specifies whether a ServiceAccount should be created
        create: true
        ## The name of the ServiceAccount to use.
        ## If not set and create is true, a name is generated using the fullname template
        name: zabbix-agent-service-account
        annotations: {}
        imagePullSecrets: []
        automountServiceAccountToken: false
    
      service:
        type: ClusterIP
        port: 10050
        targetPort: 10050
        nodePort: 10050
        portName: zabbix-agent
        listenOnAllInterfaces: true
        annotations:
          agent.zabbix/monitor: "true"
    
      rbac:
        ## If true, create & use RBAC resources
        ##
        create: true
        ## If true, create & use Pod Security Policy resources
        ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
        ## PodSecurityPolicies disabled by default because they are deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25.
        ## If you are using PodSecurityPolicies you can enable the previous behaviour by setting `rbac.pspEnabled: true`
        pspEnabled: false
        pspAnnotations: {}
  • vishal3108
    Junior Member
    • Aug 2023
    • 3

    #2
    Hey, did you find any solution for it? I am also facing the same problem.

    Zabbix Agents (Passive) 6.0.4
    Zabbix Proxy (Active Mode) v6.0.4

    Zabbix Agent env-

    - env:
      - name: ZBX_HOSTNAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: ZBX_PASSIVESERVERS
        value: x.x.x.x
      - name: ZBX_SOURCEIP
        value: 0.0.0.0
      - name: ZBX_SERVER_PORT
        value: "10051"
      - name: ZBX_DEBUGLEVEL
        value: "5"
      - name: ZBX_TIMEOUT
        value: "10"
      - name: ZBX_PASSIVE_ALLOW
        value: "true"
      - name: ZBX_ACTIVE_ALLOW
        value: "false"
      image: zabbix/zabbix-agent2:alpine-6.0.4

    Zabbix Proxy env-

    - env:
      - name: ZBX_PROXYMODE
        value: "0"
      - name: ZBX_SOURCEIP
        value: 0.0.0.0
      - name: ZBX_HOSTNAME
        value: abcd
      - name: ZBX_SERVER_HOST
        value: x.x.x.x:31011
      - name: ZBX_DEBUGLEVEL
        value: "5"
      - name: ZBX_CACHESIZE
        value: 256M
      - name: ZBX_JAVAGATEWAY_ENABLE
        value: "false"
      - name: ZBX_CONFIGFREQUENCY
        value: "60"
      - name: ZBX_VALUECACHESIZE
        value: 128M
      image: zabbix/zabbix-proxy-sqlite3:alpine-6.0.4


    We have multiple servers on which Zabbix agents are running as Kubernetes daemonsets.

    The Zabbix agents (running as Kubernetes daemonset pods) are running but unable to accept incoming connections from the Zabbix proxy pod.

    2023/08/29 05:58:51.784103 starting manager
    2023/08/29 05:58:51.784287 [0] starting listener for '0.0.0.0:10050'
    2023/08/29 05:58:51.787962 listening for control connections on /tmp/agent.sock
    2023/08/29 05:59:05.488563 cannot accept incoming connection for peer: x.x.x.x
    2023/08/29 05:59:10.465123 cannot accept incoming connection for peer: x.x.x.x


    The above error is reported in the Zabbix agent logs, and x.x.x.x is the particular node IP on which the respective agent pod is running.
    All agent pods are giving the same errors.

    The Zabbix agent and proxy are on the same Kubernetes cluster, but it is still not accepting incoming connections.

    Please advise.


    • spostma73
      Junior Member
      • Mar 2024
      • 2

      #3
      That's coming from this one:
      kubectl edit daemonset zabbix-agent
      livenessProbe:
        failureThreshold: 3
        periodSeconds: 90
        successThreshold: 1
        tcpSocket:
          port: 10050
        timeoutSeconds: 3
      To double-check, you can increase periodSeconds to i.e. 90 and the messages should come every 90 seconds.
      Last edited by spostma73; 21-03-2024, 10:02.


      • zohair.raza
        Junior Member
        • Oct 2024
        • 2

        #4
        For anyone else looking for a solution:

        You can define a network range in the server settings under the agent configuration:

        Server=192.168.1.0/24,192.168.2.0/24

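The allow-list check behind the rejection in post #1, and the effect of the `Server=` ranges suggested in post #4, modeled as an added example that is not part of the thread and not Zabbix's own code. The DNS answers in `FAKE_DNS` and the `172.31.72.0/24` range are constructed assumptions so the check runs offline; the function names are hypothetical.

```python
import ipaddress
import re
import socket

# Rejection line format as quoted in post #1.
REJECT_RE = re.compile(
    r'connection from "(?P<peer>[^"]+)" rejected, allowed hosts: "(?P<allowed>[^"]*)"')

LOG_LINE = ('2023/06/19 14:45:40.964412 failed to accept an incoming connection: '
            'connection from "172.31.72.130" rejected, allowed hosts: '
            '"zabbix-server,zabap1.man.company.lan,zabap2.brd.company.lan"')

# Constructed DNS answers (assumption) so the example runs offline.
FAKE_DNS = {"zabap1.man.company.lan": {"10.20.0.11"},
            "zabap2.brd.company.lan": {"10.30.0.11"}}

def dns_lookup(name):  # real resolver: every address the name maps to
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def parse_rejection(line):
    """Return (peer, [allowed entries]) from a rejection log line, else None."""
    m = REJECT_RE.search(line)
    return (m["peer"], [e.strip() for e in m["allowed"].split(",") if e.strip()]) if m else None

def check_peer(peer, allowed, resolve=dns_lookup):
    """Return (first matching entry or None, entries that admit any host)."""
    peer_ip = ipaddress.ip_address(peer)
    match, too_broad = None, []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # plain IP or CIDR
        except ValueError:  # not an address, so treat the entry as a DNS name
            if match is None and peer in (resolve(entry) or ()):
                match = entry
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 lets any host query the agent
            too_broad.append(entry)
        if match is None and net.version == peer_ip.version and peer_ip in net:
            match = entry
    return match, too_broad

if __name__ == "__main__":
    peer, allowed = parse_rejection(LOG_LINE)
    print(check_peer(peer, allowed, FAKE_DNS.get))                       # no entry matches
    print(check_peer(peer, allowed + ["172.31.72.0/24"], FAKE_DNS.get))  # CIDR entry matches
```

Omitting the `resolve` argument uses real DNS, which shows whether the names in the allow list resolve to the address the agent actually sees as the peer.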