Hi,I've been working on a significant rework of the zabbix split package [1] over the past few days, introducing a fair amount of changes and improvements.
One key change consists of replacing the multiple sysusers historically created for each zabbix components with a single shared "zabbix" user:
- It aligns better with the intended upstream standard and the way other distributions does this (see [2] for more details).
- The previous historical approach was somewhat *hacky*, e.g. relying on unnecessarily static UID:GID for each user and running some `chown` during `package()` rather than relying on systemd sysusers.d / tmpfiles.d.
That said, this change *may* require manual intervention from users.While I'm aware that Zabbix component usage on Arch Linux might be relatively low, I believe that monitoring components are critical enough to warrant a news entry about this change and the potential impact it implies. Of course, feel free to let me know if you think otherwise.
News draft below. Pad available at [3]. ---------- # zabbix >= 7.4.1-2 may requires manual interventionStarting withi `7.4.1-2`, the following Zabbix system users (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared `zabbix` user (as originally [intended by upstream](https://www.zabbix.com/documentation/current/en/manual/installation/install#create-user-account) and done by other distributions):
- zabbix-server - zabbix-proxy - zabbix-agent *(also used by the `zabbix-agent2` package)* - zabbix-web-serviceThis shared `zabbix` user is provided by the newly introduced `zabbix-common` *split* package, which is a now a dependency for all relevant `zabbix-*` packages.
The switch to the new user is handled automatically in the corresponding `systemd` service units.
However, **manual intervention may be required** if you have custom files or configurations referencing / being owned by the above deprecated users, for example:
- `PSK` files used for encrypted communication - Custom scripts for metrics collections / report generations - `sudoers` rules to metrics requiring elevated privileges to be collected - ...Those should therefore be updated to refer to / be owned by the new `zabbix` user, otherwise some services may fail to start properly (if not at all).
Once migrated, you may optionally remove the obsolete users and their primary groups from your system (see the [related Arch Wiki page](https://wiki.archlinux.org/title/Users_and_groups) for details).
---------- [1] https://gitlab.archlinux.org/archlinux/packaging/packages/zabbix[2] https://gitlab.archlinux.org/archlinux/packaging/packages/zabbix/-/issues/12#note_291657
[3] https://md.archlinux.org/YjsLnkzRRoeMa7BP3gxYKw# -- Regards, Robin Candau / Antiz
OpenPGP_0xFDC3040B92ACA748.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
