Debian, Ansible & Zabbix Part I

Merging Ansible with Zabbix under Debian 10.

I recently rediscovered Ansible and wondered if I could use Ansible to create trigger actions and scripts to maintain my home lab. It turns out you can, with some adjustments to the Zabbix server.

As an example, I use Zabbix to monitor the available updates on my Debian VMs. When updates are detected, I fire up my dedicated Ansible VM and run my update playbook, which works fine. The only downside is that I must boot the dedicated Ansible server and run the playbooks against the “to be updated” hosts. This is a bit time-consuming, and I wondered if I could update the VM using Zabbix.

What if I could run the playbooks directly from within the Zabbix instance? Mmmm!

I went on the net looking for examples of such howto’s, but wasn’t able to find any. Guess I had to make my own then.

Howto Start?

There are a few facts you need to know about my lab. First of all, Zabbix Server and its web interface are running on the same host using the PPA from Zabbix SIA. Zabbix server runs under the user “zabbix” and the web interface under the user “www-data”, which is fine. But when calling “ansible-playbook”, the zabbix user does not have the rights to execute the playbook, which is normal behaviour. We can solve this by installing and using “sudo”. Debian doesn’t install “sudo” by default, so do a quick installation on the Zabbix server:

apt install sudo

Of course we want to use Ansible, so make sure you have installed it on the Zabbix server. Read the Ansible on Debian installation instruction here! Furthermore, make sure you copy the root public key to all the servers you want to control with Ansible (which is worst practice of course; I am not going into that in this article, you have been warned), and add the servers’ hostnames to the “/etc/ansible/hosts” file. Do a dry run on the Zabbix server and make sure the connections are OK.

#ansible all -m ping
HOST-01 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
HOSTL-02 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

As I mentioned before, Zabbix runs under the user “zabbix”, and as we want to run Ansible playbooks from within the Zabbix interface we must make sure the “zabbix” user has the correct rights to do so. Fire up “visudo” and add the following two lines to the “/etc/sudoers” file:

Cmnd_Alias ANSIBLE = /usr/bin/ansible-playbook
zabbix  ALL=(ALL) NOPASSWD: ANSIBLE

As we want to be as secure as we can, we first define a command alias. This way we can restrict the “sudo” usage to just one or two commands. Secondly, we make sure the “zabbix” user can use the ANSIBLE alias without a password. You could use just a single line, but I like it better this way, especially when you use multiple groups, users and commands.

Next we create a playbook which will update the servers once an update is available.

---
- hosts: debianinfra
  become: true
  become_user: root
  tasks:
    - name: Update apt repo and cache on all Debian Servers
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes

It’s a rather small example, but we don’t need more for this instance. Put the file somewhere where the “zabbix” user has access rights. I use the external script directory of Zabbix and create a sub-directory in it. In Debian, you can find it in “/usr/lib/zabbix/externalscripts/”. My complete playbook path looks like this: “/usr/lib/zabbix/externalscripts/playbooks/update-debian.yml”. When creating the directory, make sure to adjust the read rights for the “zabbix” user (e.g. chown -R zabbix:zabbix /usr/lib/zabbix/externalscripts/playbooks).
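The sudoers alias shown earlier names only the binary, so it matches any arguments and any target user. The fragment below is an added example, not part of the original article, that pins the rule to the single playbook path given above. The drop-in file name, the alias name ANSIBLE_UPDATE and the root-owned file permissions are assumptions.

```sudoers
# /etc/sudoers.d/zabbix-ansible   (assumed file name)
# Edit with:  visudo -f /etc/sudoers.d/zabbix-ansible
# so that a syntax error is caught before the file is saved.

# --- Rule from the article, kept here commented out for comparison ---------
# A Cmnd_Alias without arguments matches the command with ANY arguments, and
# (ALL) allows any target user. The zabbix account could therefore run every
# playbook it can read or create, as root.
#
# Cmnd_Alias ANSIBLE = /usr/bin/ansible-playbook
# zabbix  ALL=(ALL) NOPASSWD: ANSIBLE

# --- Tighter rule -----------------------------------------------------------
# When arguments are listed, sudo requires the command line to match them
# exactly, so only this one invocation is allowed, and only as root.
Cmnd_Alias ANSIBLE_UPDATE = /usr/bin/ansible-playbook /usr/lib/zabbix/externalscripts/playbooks/update-debian.yml
zabbix  ALL=(root) NOPASSWD: ANSIBLE_UPDATE

# Notes:
# * If the Zabbix script passes extra options, list them literally in the
#   alias. Avoid "*": sudoers wildcards in arguments also match spaces, so
#   they would let additional options and playbook paths through.
# * Pinning the path only helps if the zabbix user cannot rewrite the file.
#   Assumed ownership for this rule (differs from the chown in the article):
#     chown -R root:zabbix /usr/lib/zabbix/externalscripts/playbooks
#     chmod 750 /usr/lib/zabbix/externalscripts/playbooks
#     chmod 640 /usr/lib/zabbix/externalscripts/playbooks/update-debian.yml
# * Check the result as root with:  sudo -l -U zabbix
```

With this rule the command configured in the Zabbix script has to match the alias character for character, otherwise sudo asks for a password and the script fails.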

Next stop Zabbix

Now that we have the Ansible environment ready, it’s time to put it to the test. We could create a trigger action now and wait till there is a problem, or we can create a script using the Zabbix Scripts function. This way we can fire up the playbook directly at any server within Zabbix.
Go to “Administration -> Scripts”.

And click on the “Create Script” button. Fill in the form as shown below.

Make sure you choose to run the script on the Zabbix server. Host groups are not mandatory, and neither is the Menu path. Click “Add” to save the script!

Done? Almost!
Go to the Monitoring menu and click on Hosts. Left click on one of the servers and click on the popup menu “ANSIBLE -> PLAYBOOKS -> SOFTWARE -> Update Debian Server”. A new popup will appear, and after a few moments you will see the result window:

That’s what I call a success :). Remember, you could do the same for “trigger actions” which I will cover in Part 2.
