======Applications - Network Monitor - Zabbix - Notes - Template App MySQL======

// Tested with Zabbix 3.4.11 on CentOS 7.5.1804 with SELinux set to Enforcing. // \\
// Check https://github.com/zabbix/zabbix/tree/master/templates/db/mysql_agent for the latest information. //

Zabbix provides a template for basic MySQL monitoring since Zabbix 2.2.0 with the Template App MySQL that is provided on a fresh install or on [[http://www.zabbix.org/wiki/Zabbix_Templates/Official_Templates/2.2|Zabbix.org - Zabbix Templates/Official Templates/2.2]] when upgrading.

A few preparations need to be made on the MySQL host before the template will work after assigning it to the host:
  * A MySQL login with at least USAGE grant needs to be added to the MySQL server.
  * A .my.cnf file with the MySQL login with USAGE grant needs to be created for the zabbix user.
  * Connecting to MySQL via Zabbix agent needs to be enabled in SELinux.

// Zabbix 3.4(.11) already provides the required userparameter_mysql.conf needed as /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf which is included by default in /etc/zabbix/zabbix_agentd.conf. //

Use the following steps to configure:
  - Log into the Zabbix server via SSH.
  - Log into MySQL:<code>mysql -u root -p</code>
  - Execute the following SQL statement to create the zabbix-agent@localhost user with a password:<code>GRANT USAGE ON *.* TO 'zabbix-agent'@'localhost' IDENTIFIED BY 'PASSSWORD';
FLUSH PRIVILEGES;</code> // Change the PASSWORD to the chosen (generated) password. //
  - Exit MySQL:<code>\q</code>
  - The configured home directory for the zabbix user is /var/lib/zabbix/. This is also the directory where the default userparameter_mysql.conf expects to find the .my.cnf file. This directory does not exist by default, so create it now:<code>sudo mkdir /var/lib/zabbix/</code>
  - Create .my.cnf with a text editor (in this case vi):<code>vi /var/lib/zabbix/.my.cnf</code>
  - Fill .my.cnf with:<code>[client]
user = zabbix-agent
password = PASSWORD
</code> // Change the PASSWORD to the chosen (generated) password. //
  - Correct the permissions on /var/lib/zabbix/:<code>sudo chown -R zabbix:zabbix /var/lib/zabbix/
sudo chmod 0750 /var/lib/zabbix/</code>
  - Label /var/lib/zabbix/ as SELinux type user_home_t:<code>sudo chcon -Rt user_home_t /var/lib/zabbix/</code>
  - Now SELinux needs to be adjusted to allow connecting to MySQL from Zabbix agent.
  - Save the following as "zabbix_agent_mysql.te":<code>module zabbix_agent_mysql 1.0;

require {
        type mysqld_etc_t;
        type mysqld_t;
        type user_home_t;
        type zabbix_agent_t;
        class unix_stream_socket connectto;
        class file { read open };
}

#============= zabbix_agent_t ==============
allow zabbix_agent_t mysqld_etc_t:file { read open };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow zabbix_agent_t mysqld_t:unix_stream_socket connectto;
allow zabbix_agent_t user_home_t:file { read open };</code>
  - Compile the .te file to an SELinux binary policy module:<code>checkmodule -M -m -o zabbix_agent_mysql.mod zabbix_agent_mysql.te

# checkmodule:
# -M,--mls
#       Enable the MLS/MCS support when checking and compiling the policy module.
# -m     Generate a non-base policy module.
# -o,--output filename
#       Write a binary policy module file to the specified filename.  Otherwise, 
#       checkmodule will only check the syntax of the module source file  and  will  not  generate  a
#       binary module at all.</code>
  - Turn the binary policy module into a policy package:<code>semodule_package  -m zabbix_agent_mysql.mod -o zabbix_agent_mysql.pp

#semodule_package
# -m --module <Module file>
#       Policy module file to be included in the package.
# -o --outfile <output file>
#       Policy module package file generated by this tool.</code>
  - Install the policy package:<code>semodule -i zabbix_agent_mysql.pp

# semodule:
# -i,--install=MODULE_PKG
#       install/replace a module package</code>
  - Import the latest version of the Zabbix template Template App MySQL on the Zabbix server.
    - On 2018-07-27 that is Template_App_MySQL-2.2.0.xml from [[http://www.zabbix.org/wiki/Zabbix_Templates/Official_Templates/2.2|Zabbix.org - Zabbix Templates/Official Templates/2.2]].
  - Attach the Template App MySQL to the host to monitor.
  - Wait a few minutes and check if the 2 MySQL graphs on that host show data.

Sources:
  * [[https://stackoverflow.com/questions/34917887/template-mysql-didnt-get-result-in-zabbix|Stack Overflow - Template MySQL didn't get result in Zabbix]]
  * [[https://www.zabbix.com/forum/zabbix-help/52734-mysql-items-not-working|ZABBIX Forums - mysql items not working]]
  * A cleaned up .te file after 'sudo audit2allow -a -M zabbix_agent_mysql'.
  * [[https://support.zabbix.com/browse/ZBX-10782|Zabbix Bugs and Issues - [ZBX-10782] EL7 zabbix-agent package mysql userparameter needs SELinux policy]]