| Message ID | 20220209232631.14673-2-robin.roevens@disroot.org |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JvGNn4bxrz3wgk for <patchwork@web04.haj.ipfire.org>; Wed, 9 Feb 2022 23:31:37 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JvGNh70RKz5Lj; Wed, 9 Feb 2022 23:31:32 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JvGNh6DzMz2xkv; Wed, 9 Feb 2022 23:31:32 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JvGNf0TsSz2yDs for <development@lists.ipfire.org>; Wed, 9 Feb 2022 23:31:30 +0000 (UTC) Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4JvGNd4RyKz3rY for <development@lists.ipfire.org>; Wed, 9 Feb 2022 23:31:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 6683C8EB10 for <development@lists.ipfire.org>; Thu, 10 Feb 2022 00:31:29 +0100 (CET) X-Virus-Scanned: SPAM Filter at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNaxEsiSM2DG for <development@lists.ipfire.org>; Thu, 10 Feb 2022 00:31:27 +0100 (CET) Received: from chojin.sicho.home (amaterasu.sicho.home [192.168.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (no client certificate requested) (Authenticated sender) by hachiman (MailScanner Milter) with SMTP id 3DA8DEF67; Thu, 10 Feb 2022 00:30:53 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1644449484; bh=DyhMPjXhwIsDke0B8jq7LUdNEy0mv7QCakLLGWY4gS0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=WdjTTpubIWR6WDFRqb4jxy/UHwpG7iH8aW0hr5qYtnGcFnaNKn09TdRlrTA1xmU6L F7ThumybZfANCv10ArxJoUiZsCVICWAFoGKqXrFdQjCwGoYJrM0JRXl4sWvmjOQpbr WyvJH4hbNCYLmjGjqdiyHBikjh66diE6yWKKpuEyj+Khtq/uGbyWS+LMJTNJa/rOPo FqojCO3lMSQyh9s67v1mBeMoIy3Ay+BLFJ5JJf+NXeKKtfA8JUPB8Jz+kgcZ1Dre2y chlrmr+6b+Z24zuFR6WiGam9tmOBxR5hzrSL1xY8g+M/WDErdgv7DNPAIBjucEcQjQ MWsh4uK83Pd2A== From: Robin Roevens <robin.roevens@disroot.org> To: development@lists.ipfire.org Subject: [PATCH v3 1/5] zabbix_agentd: Update to v5.0.20 (LTS) Date: Thu, 10 Feb 2022 00:26:27 +0100 Message-Id: <20220209232631.14673-2-robin.roevens@disroot.org> In-Reply-To: <20220209232631.14673-1-robin.roevens@disroot.org> References: <20220209232631.14673-1-robin.roevens@disroot.org> Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-sicho-MailScanner-ID: 3DA8DEF67.A8A80 X-sicho-MailScanner: Found to be clean X-sicho-MailScanner-From: robin.roevens@disroot.org X-sicho-MailScanner-Watermark: 1645054254.23353@fZBLp0DmVZJABwF10e3BxQ ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1644449489; a=rsa-sha256; cv=none; b=xipfQw5SHwz/uZbSxI4XevBeMBHCRXhQJIK+TPtLIsSPlIwEHPqLcHCgoRIgJt/SzodXfQ sxEVHtBzl7Inq3zfpM2t3KFbzdpjLyZZ50UKgkqlpxwqmWUofetcO7upSKuSj+lXVLvE8o P8R8GT6eTQgq41IYRzM4TfxHxtU6iRLk1Hodw960T5Lcc59nQaAilYnkCxyRKXO+viwlIU Tkaehw7zrOBwVAWYmEI0c1+XUNFR5XAni3WXWjWCxqY4G/cxtomcqCWtKgvDJC0GR7bNln +sUhpj7xHIw/Me84DUFIujCs/+tvzyMDKm0GpmjbZLimo4weYR/uP0nKQsBRjA== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=WdjTTpub; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=quarantine) header.from=disroot.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1644449489; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=4QUtg2ukYVK62yNeeYWh5JerftW8Iy5LuXFmDWfiEOU=; b=d28Py3Y5O0hbgByU7xsIXEyLwBYPj8yAP0r7eYlUYkS2jelDM3hb6URTL5VWtuZ00iDoTP i5Wj92IA3O+Qb0Njck4wMFXZkakSGtYiD9GEjQt4cXyxuqgZvFpfkZ4za7I/xWaRppfRMZ tNnkLxziT93chnog2yRYAgxpyHwBKh2f4o6pjmVdujh/DMgfCpVkle6cQqXStsHOG4YHlE JV6r6frHN4V92DFWnQhjgZcR96PnMQ3+KWOeA0h8JxuA20kF0SP2CCtbuLqq8HEptkD1aX aly63zBCfg31Xc68XvfbSTP6e8vuCHPVj8U0ME1QxQnS67s1CRQqAzyXkGGJ6A== Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=WdjTTpub; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=quarantine) header.from=disroot.org X-Rspamd-Server: mail01.haj.ipfire.org X-Spamd-Result: default: False [-4.36 / 11.00]; BAYES_HAM(-3.00)[99.99%]; IP_REPUTATION_HAM(-1.12)[asn: 50673(-0.32), country: NL(-0.01), ip: 178.21.23.139(-0.80)]; MID_CONTAINS_FROM(1.00)[]; SPF_REPUTATION_HAM(-0.70)[-0.70437937615597]; NEURAL_HAM(-0.52)[-0.521]; MV_CASE(0.50)[]; R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; R_SPF_ALLOW(-0.20)[+a:c]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FROM_EQ_ENVFROM(0.00)[]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[disroot.org:+]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; TO_DN_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; ARC_NA(0.00)[] X-Rspamd-Queue-Id: 4JvGNd4RyKz3rY X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
zabbix_agentd: Update to v5.0.20 (LTS) and more
|
|
Commit Message
Robin Roevens
Feb. 9, 2022, 11:26 p.m. UTC
- Update from 4.2.6 to latest LTS version 5.0.20
See release notes: https://www.zabbix.com/rn/rn5.0.20
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
---
config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++--
lfs/zabbix_agentd | 11 +-
2 files changed, 132 insertions(+), 14 deletions(-)
Comments
Hello Robin, Thank you for working on Zabbix and integrating it better into IPFire. I am very happy with this, but I have my reservations about the mechanism with the “new” configuration file. I do not quite see the necessity for this since we have a package management system which will allow you to start again from scratch if you want by uninstalling the package, throwing away the backup and then installing the package again. It would also create some unique feature around one package, but not for others which is probably more confusing than helpful. What is your motivation for this? -Michael > On 9 Feb 2022, at 23:26, Robin Roevens <robin.roevens@disroot.org> wrote: > > - Update from 4.2.6 to latest LTS version 5.0.20 > See release notes: https://www.zabbix.com/rn/rn5.0.20 > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > --- > config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++-- > lfs/zabbix_agentd | 11 +- > 2 files changed, 132 insertions(+), 14 deletions(-) > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf > index 21b8e0122..aa8b899dc 100644 > --- a/config/zabbix_agentd/zabbix_agentd.conf > +++ b/config/zabbix_agentd/zabbix_agentd.conf > @@ -63,14 +63,33 @@ LogFileSize=0 > # Default: > # SourceIP= > > -### Option: EnableRemoteCommands > -# Whether remote commands from Zabbix server are allowed. > -# 0 - not allowed > -# 1 - allowed > +### Option: AllowKey > +# Allow execution of item keys matching pattern. > +# Multiple keys matching rules may be defined in combination with DenyKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# > +# Mandatory: no > + > +### Option: DenyKey > +# Deny execution of items keys matching pattern. > +# Multiple keys matching rules may be defined in combination with AllowKey. > +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. > +# Parameters are processed one by one according their appearance order. > +# If no AllowKey or DenyKey rules defined, all keys are allowed. > +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. > # > # Mandatory: no > # Default: > -# EnableRemoteCommands=0 > +# DenyKey=system.run[*] > + > +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead > +# Internal alias for AllowKey/DenyKey parameters depending on value: > +# 0 - DenyKey=system.run[*] > +# 1 - AllowKey=system.run[*] > +# > +# Mandatory: no > > ### Option: LogRemoteCommands > # Enable logging of executed shell commands as warnings. > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > # Default: > # HostMetadataItem= > > +### Option: HostInterface > +# Optional parameter that defines host interface. > +# Host interface is used at host auto-registration process. > +# An agent will issue an error and not start if the value is over limit of 255 characters. > +# If not defined, value will be acquired from HostInterfaceItem. > +# > +# Mandatory: no > +# Range: 0-255 characters > +# Default: > +# HostInterface= > + > +### Option: HostInterfaceItem > +# Optional parameter that defines an item used for getting host interface. > +# Host interface is used at host auto-registration process. > +# During an auto-registration request an agent will log a warning message if > +# the value returned by specified item is over limit of 255 characters. > +# This option is only used when HostInterface is not defined. > +# > +# Mandatory: no > +# Default: > +# HostInterfaceItem= > + > ### Option: RefreshActiveChecks > # How often list of active checks is refreshed, in seconds. > # > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > - > ####### USER-DEFINED MONITORED PARAMETERS ####### > > ### Option: UnsafeUserParameters > @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > # > # Mandatory: no > # Default: > -# LoadModulePath=/usr/lib/modules > +# LoadModulePath=${libdir}/modules > > LoadModulePath=/usr/lib/zabbix > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > # TLSCRLFile= > > ### Option: TLSServerCertIssuer > -# Allowed server certificate issuer. > +# Allowed server certificate issuer. > # > # Mandatory: no > # Default: > # TLSServerCertIssuer= > > ### Option: TLSServerCertSubject > -# Allowed server certificate subject. > +# Allowed server certificate subject. > # > # Mandatory: no > # Default: > @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix > # Mandatory: no > # Default: > # TLSPSKFile= > + > +####### For advanced users - TLS ciphersuite selection criteria ####### > + > +### Option: TLSCipherCert13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert13= > + > +### Option: TLSCipherCert > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherCert= > + > +### Option: TLSCipherPSK13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example: > +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK13= > + > +### Option: TLSCipherPSK > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL > +# Example for OpenSSL: > +# kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherPSK= > + > +### Option: TLSCipherAll13 > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example: > +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll13= > + > +### Option: TLSCipherAll > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. > +# Example for GnuTLS: > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > +# Example for OpenSSL: > +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 > +# > +# Mandatory: no > +# Default: > +# TLSCipherAll= > + > +####### For advanced users - TCP-related fine-tuning parameters ####### > + > +## Option: ListenBacklog > +# The maximum number of pending connections in the queue. This parameter is passed to > +# listen() function as argument 'backlog' (see "man listen"). > +# > +# Mandatory: no > +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) > +# Default: SOMAXCONN (hard-coded constant, depends on system) > +# ListenBacklog= > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > index c69643a54..28fe97b4f 100644 > --- a/lfs/zabbix_agentd > +++ b/lfs/zabbix_agentd > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 4.2.6 > +VER = 5.0.20 > > THISAPP = zabbix-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = zabbix_agentd > -PAK_VER = 4 > +PAK_VER = 5 > DEPS = > > ############################################################################### > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 > > install : $(TARGET) > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > --prefix=/usr \ > --enable-agent \ > --sysconfdir=/etc/zabbix_agentd \ > - --with-openssl > + --with-openssl \ > + --with-libcurl > > cd $(DIR_APP) && make > cd $(DIR_APP) && make install > -- > 2.34.1 > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >
Hi Michael Michael Tremer schreef op di 15-02-2022 om 13:22 [+0000]: > Hello Robin, > > Thank you for working on Zabbix and integrating it better into > IPFire. > > I am very happy with this, but I have my reservations about the > mechanism with the “new” configuration file. I do not quite see the > necessity for this since we have a package management system which > will allow you to start again from scratch if you want by > uninstalling the package, throwing away the backup and then > installing the package again. > > It would also create some unique feature around one package, but not > for others which is probably more confusing than helpful. > > What is your motivation for this? I do understand your concerns and agree that handling the config of this pak differently than configs of other paks is bothersome. However, I understand now that you can start over by removing the package and the backup but up until I started contributing, I never knew the config of an addon was backed up automatically on uninstall and restored on re-install. I would have expected that if I didn't find the config anymore after an uninstall it would be gone and a re-install would give me a fresh config. So I would probably be utterly confused if I found my old config back after a re-install. Is this documented somewhere where I could have known this behaviour as a normal average user ? The problem I'm having with the current way is that when an addon is updated, a new version of the config is just discarded due to the restore of the previous config during install (even if that config was never changed by the user). So if settings in the config are added, deprecated or even no longer valid, the user will never know until a version would no longer start up or no longer behave as expected due to the old config. And even if a user would think about checking config changes on an update he would have to go search the internet for a config example for this version of the addon. In this specific case, as we update from a rather old version of zabbix agent, there are quite a few interesting config changes that can harden the security of the agent, which I would not want the user to miss out on. Also one option is deprecated, is currently still supported, but in the next version it probably will no longer work, possibly breaking some users' monitoring or causing the agent to fail starting. For the sudoers file it is even more problematic; the user can of course modify that file to add additional commands he requires the agent to execute as root, but possible future additions to the ipfire specific monitoring that I or other contributors in the future may add, may also need extra commands in that file to work. (for example the upcoming services monitoring that would require some form of addonctrl status) But I can't update that file with the current behaviour.. or I would have to try to implement some sed magic after the restore in install.sh hoping not to damage the file if it has user customizations in it. So I'm not sure on how to handle this differently at the moment. I was thinking for the main config maybe just installing a ".example" version of the latest config so that a user would not have to go search for it on internet ? And in that case even remove all comments and defaults from the actual config (on a fresh install) as that is then provided in the ".example" version as documentation. But that still leaves the sudoers file. The only other possibility I see there is that we don't add this file to the backup and add a comment in it that a user should not modify it as it will get overwritten on update. He can then always still create his own sudoers- file with his own custom rights for the agent. Of course all this can be solved by managing the config using the webgui.. and I'm still planning to create a webgui config page for the agent someday. But we are not there yet :-) Regards Robin > > -Michael > > > On 9 Feb 2022, at 23:26, Robin Roevens <robin.roevens@disroot.org> > > wrote: > > > > - Update from 4.2.6 to latest LTS version 5.0.20 > > See release notes: https://www.zabbix.com/rn/rn5.0.20 > > > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > > --- > > config/zabbix_agentd/zabbix_agentd.conf | 135 > > ++++++++++++++++++++++-- > > lfs/zabbix_agentd | 11 +- > > 2 files changed, 132 insertions(+), 14 deletions(-) > > > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf > > b/config/zabbix_agentd/zabbix_agentd.conf > > index 21b8e0122..aa8b899dc 100644 > > --- a/config/zabbix_agentd/zabbix_agentd.conf > > +++ b/config/zabbix_agentd/zabbix_agentd.conf > > @@ -63,14 +63,33 @@ LogFileSize=0 > > # Default: > > # SourceIP= > > > > -### Option: EnableRemoteCommands > > -# Whether remote commands from Zabbix server are allowed. > > -# 0 - not allowed > > -# 1 - allowed > > +### Option: AllowKey > > +# Allow execution of item keys matching pattern. > > +# Multiple keys matching rules may be defined in combination > > with DenyKey. > > +# Key pattern is wildcard expression, which support "*" > > character to match any number of any characters in certain > > position. It might be used in both key name and key arguments. > > +# Parameters are processed one by one according their > > appearance order. > > +# If no AllowKey or DenyKey rules defined, all keys are > > allowed. > > +# > > +# Mandatory: no > > + > > +### Option: DenyKey > > +# Deny execution of items keys matching pattern. > > +# Multiple keys matching rules may be defined in combination > > with AllowKey. > > +# Key pattern is wildcard expression, which support "*" > > character to match any number of any characters in certain > > position. It might be used in both key name and key arguments. > > +# Parameters are processed one by one according their > > appearance order. > > +# If no AllowKey or DenyKey rules defined, all keys are > > allowed. > > +# Unless another system.run[*] rule is specified > > DenyKey=system.run[*] is added by default. > > # > > # Mandatory: no > > # Default: > > -# EnableRemoteCommands=0 > > +# DenyKey=system.run[*] > > + > > +### Option: EnableRemoteCommands - Deprecated, use > > AllowKey=system.run[*] or DenyKey=system.run[*] instead > > +# Internal alias for AllowKey/DenyKey parameters depending on > > value: > > +# 0 - DenyKey=system.run[*] > > +# 1 - AllowKey=system.run[*] > > +# > > +# Mandatory: no > > > > ### Option: LogRemoteCommands > > # Enable logging of executed shell commands as warnings. > > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > > # Default: > > # HostMetadataItem= > > > > +### Option: HostInterface > > +# Optional parameter that defines host interface. > > +# Host interface is used at host auto-registration process. > > +# An agent will issue an error and not start if the value is > > over limit of 255 characters. > > +# If not defined, value will be acquired from > > HostInterfaceItem. > > +# > > +# Mandatory: no > > +# Range: 0-255 characters > > +# Default: > > +# HostInterface= > > + > > +### Option: HostInterfaceItem > > +# Optional parameter that defines an item used for getting > > host interface. > > +# Host interface is used at host auto-registration process. > > +# During an auto-registration request an agent will log a > > warning message if > > +# the value returned by specified item is over limit of 255 > > characters. > > +# This option is only used when HostInterface is not defined. > > +# > > +# Mandatory: no > > +# Default: > > +# HostInterfaceItem= > > + > > ### Option: RefreshActiveChecks > > # How often list of active checks is refreshed, in seconds. > > # > > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > - > > ####### USER-DEFINED MONITORED PARAMETERS ####### > > > > ### Option: UnsafeUserParameters > > @@ -299,7 +339,7 @@ > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > # > > # Mandatory: no > > # Default: > > -# LoadModulePath=/usr/lib/modules > > +# LoadModulePath=${libdir}/modules > > > > LoadModulePath=/usr/lib/zabbix > > > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > > # TLSCRLFile= > > > > ### Option: TLSServerCertIssuer > > -# Allowed server certificate issuer. > > +# Allowed server certificate issuer. > > # > > # Mandatory: no > > # Default: > > # TLSServerCertIssuer= > > > > ### Option: TLSServerCertSubject > > -# Allowed server certificate subject. > > +# Allowed server certificate subject. > > # > > # Mandatory: no > > # Default: > > @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix > > # Mandatory: no > > # Default: > > # TLSPSKFile= > > + > > +####### For advanced users - TLS ciphersuite selection criteria > > ####### > > + > > +### Option: TLSCipherCert13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > certificate-based encryption. > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherCert13= > > + > > +### Option: TLSCipherCert > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > certificate-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- > > ALL:+CTYPE-X.509 > > +# Example for OpenSSL: > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherCert= > > + > > +### Option: TLSCipherPSK13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > PSK-based encryption. > > +# Example: > > +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherPSK13= > > + > > +### Option: TLSCipherPSK > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > PSK-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- > > ALL > > +# Example for OpenSSL: > > +# kECDHEPSK+AES128:kPSK+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherPSK= > > + > > +### Option: TLSCipherAll13 > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > +# Override the default ciphersuite selection criteria for > > certificate- and PSK-based encryption. > > +# Example: > > +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > > :TLS_AES_128_GCM_SHA256 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherAll13= > > + > > +### Option: TLSCipherAll > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. > > +# Override the default ciphersuite selection criteria for > > certificate- and PSK-based encryption. > > +# Example for GnuTLS: > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- > > PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE- > > ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > > +# Example for OpenSSL: > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: > > kPSK+AES128 > > +# > > +# Mandatory: no > > +# Default: > > +# TLSCipherAll= > > + > > +####### For advanced users - TCP-related fine-tuning parameters > > ####### > > + > > +## Option: ListenBacklog > > +# The maximum number of pending connections in the queue. > > This parameter is passed to > > +# listen() function as argument 'backlog' (see "man > > listen"). > > +# > > +# Mandatory: no > > +# Range: 0 - INT_MAX (depends on system, too large values may be > > silently truncated to implementation-specified maximum) > > +# Default: SOMAXCONN (hard-coded constant, depends on system) > > +# ListenBacklog= > > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > > index c69643a54..28fe97b4f 100644 > > --- a/lfs/zabbix_agentd > > +++ b/lfs/zabbix_agentd > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2019 IPFire Team > > <info@ipfire.org> # > > +# Copyright (C) 2007-2022 IPFire Team > > <info@ipfire.org> # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 4.2.6 > > +VER = 5.0.20 > > > > THISAPP = zabbix-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = zabbix_agentd > > -PAK_VER = 4 > > +PAK_VER = 5 > > DEPS = > > > > ################################################################### > > ############ > > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > > +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 > > > > install : $(TARGET) > > > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > --prefix=/usr \ > > --enable-agent \ > > --sysconfdir=/etc/zabbix_agentd \ > > - --with-openssl > > + --with-openssl \ > > + --with-libcurl > > > > cd $(DIR_APP) && make > > cd $(DIR_APP) && make install > > -- > > 2.34.1 > > > > > > -- > > Dit bericht is gescanned op virussen en andere gevaarlijke > > inhoud door MailScanner en lijkt schoon te zijn. > > > >
Hello Robin, > On 16 Feb 2022, at 23:35, Robin Roevens <robin.roevens@disroot.org> wrote: > > Hi Michael > > Michael Tremer schreef op di 15-02-2022 om 13:22 [+0000]: >> Hello Robin, >> >> Thank you for working on Zabbix and integrating it better into >> IPFire. >> >> I am very happy with this, but I have my reservations about the >> mechanism with the “new” configuration file. I do not quite see the >> necessity for this since we have a package management system which >> will allow you to start again from scratch if you want by >> uninstalling the package, throwing away the backup and then >> installing the package again. >> >> It would also create some unique feature around one package, but not >> for others which is probably more confusing than helpful. >> >> What is your motivation for this? > > I do understand your concerns and agree that handling the config of > this pak differently than configs of other paks is bothersome. > > However, I understand now that you can start over by removing the > package and the backup but up until I started contributing, I never > knew the config of an addon was backed up automatically on uninstall > and restored on re-install. I would have expected that if I didn't find > the config anymore after an uninstall it would be gone and a re-install > would give me a fresh config. So I would probably be utterly confused > if I found my old config back after a re-install. > Is this documented somewhere where I could have known this behaviour as > a normal average user ? The reason why pakfire is doing this is because it is simply a wrapper around tar. It is not that sophisticated of a package management system because it wasn’t designed for this scale. In order to avoid overwriting any existing configuration, we backup everything, extract the new package which will then overwrite the existing configuration files and then restore the backup to have the old configuration again. We could have built something that avoids overwriting the files in the first place which is what pakfire in IPFire 3 does. Lots of other distributions work in a similar way where they rename the existing configuration files and might rename them back again. > The problem I'm having with the current way is that when an addon is > updated, a new version of the config is just discarded due to the > restore of the previous config during install (even if that config was > never changed by the user). > So if settings in the config are added, deprecated or even no longer > valid, the user will never know until a version would no longer start > up or no longer behave as expected due to the old config. > And even if a user would think about checking config changes on an > update he would have to go search the internet for a config example for > this version of the addon. Yes, this is a huge problem for us all. The question there is to answer is: Do we know better than the user? Answering that with a yes means that we would make decisions on their behalf and that might potentially go wrong. Answering that with a no means that the user needs to invest a lot of time into the configuration of each part of the distribution and the reason why we have a nice shiny web user interface is that they don’t have to do this. The correct answer is probably somewhere in the middle. What we do in practise is: We keep systems consistent with their previous behaviour. An update should never change that (there are of course exceptions to every rule). New features might only be activated on new systems. > In this specific case, as we update from a rather old version of zabbix > agent, there are quite a few interesting config changes that can harden > the security of the agent, which I would not want the user to miss out > on. Also one option is deprecated, is currently still supported, but in > the next version it probably will no longer work, possibly breaking > some users' monitoring or causing the agent to fail starting. Is this an add-on that generally requires configuration on the console? We do we not build a page on the web UI for this so that people can enable the things they want? Would that be overkill for the possible options? > For the sudoers file it is even more problematic; the user can of > course modify that file to add additional commands he requires the > agent to execute as root, but possible future additions to the ipfire > specific monitoring that I or other contributors in the future may add, > may also need extra commands in that file to work. (for example the > upcoming services monitoring that would require some form of addonctrl > status) > But I can't update that file with the current behaviour.. or I would > have to try to implement some sed magic after the restore in install.sh > hoping not to damage the file if it has user customizations in it. This is not a configuration file in my eyes. It technically is one of course, but we call these files a “system configuration file”. It will be overwritten because what is in it is necessary for the system to work. It does not contain any choices by the user at all. For that reason, this file should not be backed up and overwritten by every package update. > So I'm not sure on how to handle this differently at the moment. > I was thinking for the main config maybe just installing a ".example" > version of the latest config so that a user would not have to go search > for it on internet ? And in that case even remove all comments and > defaults from the actual config (on a fresh install) as that is then > provided in the ".example" version as documentation. Having some example configuration in a location the user would normally not look at is probably not helpful. If you want them to configure things themselves, why not provide good documentation on the wiki? > But that still leaves the sudoers file. The only other possibility I > see there is that we don't add this file to the backup and add a > comment in it that a user should not modify it as it will get > overwritten on update. He can then always still create his own sudoers- > file with his own custom rights for the agent. This is the way to go. In many cases, we have extra files that end on “.user” or “.local” to make it clear that users should make their own changes here. > Of course all this can be solved by managing the config using the > webgui.. and I'm still planning to create a webgui config page for the > agent someday. But we are not there yet :-) -Michael > > Regards > > Robin > >> >> -Michael >> >>> On 9 Feb 2022, at 23:26, Robin Roevens <robin.roevens@disroot.org> >>> wrote: >>> >>> - Update from 4.2.6 to latest LTS version 5.0.20 >>> See release notes: https://www.zabbix.com/rn/rn5.0.20 >>> >>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >>> --- >>> config/zabbix_agentd/zabbix_agentd.conf | 135 >>> ++++++++++++++++++++++-- >>> lfs/zabbix_agentd | 11 +- >>> 2 files changed, 132 insertions(+), 14 deletions(-) >>> >>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf >>> b/config/zabbix_agentd/zabbix_agentd.conf >>> index 21b8e0122..aa8b899dc 100644 >>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>> @@ -63,14 +63,33 @@ LogFileSize=0 >>> # Default: >>> # SourceIP= >>> >>> -### Option: EnableRemoteCommands >>> -# Whether remote commands from Zabbix server are allowed. >>> -# 0 - not allowed >>> -# 1 - allowed >>> +### Option: AllowKey >>> +# Allow execution of item keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination >>> with DenyKey. >>> +# Key pattern is wildcard expression, which support "*" >>> character to match any number of any characters in certain >>> position. It might be used in both key name and key arguments. >>> +# Parameters are processed one by one according their >>> appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are >>> allowed. >>> +# >>> +# Mandatory: no >>> + >>> +### Option: DenyKey >>> +# Deny execution of items keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination >>> with AllowKey. >>> +# Key pattern is wildcard expression, which support "*" >>> character to match any number of any characters in certain >>> position. It might be used in both key name and key arguments. >>> +# Parameters are processed one by one according their >>> appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are >>> allowed. >>> +# Unless another system.run[*] rule is specified >>> DenyKey=system.run[*] is added by default. >>> # >>> # Mandatory: no >>> # Default: >>> -# EnableRemoteCommands=0 >>> +# DenyKey=system.run[*] >>> + >>> +### Option: EnableRemoteCommands - Deprecated, use >>> AllowKey=system.run[*] or DenyKey=system.run[*] instead >>> +# Internal alias for AllowKey/DenyKey parameters depending on >>> value: >>> +# 0 - DenyKey=system.run[*] >>> +# 1 - AllowKey=system.run[*] >>> +# >>> +# Mandatory: no >>> >>> ### Option: LogRemoteCommands >>> # Enable logging of executed shell commands as warnings. >>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >>> # Default: >>> # HostMetadataItem= >>> >>> +### Option: HostInterface >>> +# Optional parameter that defines host interface. >>> +# Host interface is used at host auto-registration process. >>> +# An agent will issue an error and not start if the value is >>> over limit of 255 characters. >>> +# If not defined, value will be acquired from >>> HostInterfaceItem. >>> +# >>> +# Mandatory: no >>> +# Range: 0-255 characters >>> +# Default: >>> +# HostInterface= >>> + >>> +### Option: HostInterfaceItem >>> +# Optional parameter that defines an item used for getting >>> host interface. >>> +# Host interface is used at host auto-registration process. >>> +# During an auto-registration request an agent will log a >>> warning message if >>> +# the value returned by specified item is over limit of 255 >>> characters. >>> +# This option is only used when HostInterface is not defined. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# HostInterfaceItem= >>> + >>> ### Option: RefreshActiveChecks >>> # How often list of active checks is refreshed, in seconds. >>> # >>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >>> >>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> >>> - >>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>> >>> ### Option: UnsafeUserParameters >>> @@ -299,7 +339,7 @@ >>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> # >>> # Mandatory: no >>> # Default: >>> -# LoadModulePath=/usr/lib/modules >>> +# LoadModulePath=${libdir}/modules >>> >>> LoadModulePath=/usr/lib/zabbix >>> >>> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >>> # TLSCRLFile= >>> >>> ### Option: TLSServerCertIssuer >>> -# Allowed server certificate issuer. >>> +# Allowed server certificate issuer. >>> # >>> # Mandatory: no >>> # Default: >>> # TLSServerCertIssuer= >>> >>> ### Option: TLSServerCertSubject >>> -# Allowed server certificate subject. >>> +# Allowed server certificate subject. >>> # >>> # Mandatory: no >>> # Default: >>> @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix >>> # Mandatory: no >>> # Default: >>> # TLSPSKFile= >>> + >>> +####### For advanced users - TLS ciphersuite selection criteria >>> ####### >>> + >>> +### Option: TLSCipherCert13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for >>> certificate-based encryption. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert13= >>> + >>> +### Option: TLSCipherCert >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for >>> certificate-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- >>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- >>> ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert= >>> + >>> +### Option: TLSCipherPSK13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for >>> PSK-based encryption. >>> +# Example: >>> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK13= >>> + >>> +### Option: TLSCipherPSK >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for >>> PSK-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- >>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN- >>> ALL >>> +# Example for OpenSSL: >>> +# kECDHEPSK+AES128:kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK= >>> + >>> +### Option: TLSCipherAll13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for >>> certificate- and PSK-based encryption. >>> +# Example: >>> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 >>> :TLS_AES_128_GCM_SHA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll13= >>> + >>> +### Option: TLSCipherAll >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for >>> certificate- and PSK-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- >>> PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE- >>> ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: >>> kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll= >>> + >>> +####### For advanced users - TCP-related fine-tuning parameters >>> ####### >>> + >>> +## Option: ListenBacklog >>> +# The maximum number of pending connections in the queue. >>> This parameter is passed to >>> +# listen() function as argument 'backlog' (see "man >>> listen"). >>> +# >>> +# Mandatory: no >>> +# Range: 0 - INT_MAX (depends on system, too large values may be >>> silently truncated to implementation-specified maximum) >>> +# Default: SOMAXCONN (hard-coded constant, depends on system) >>> +# ListenBacklog= >>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>> index c69643a54..28fe97b4f 100644 >>> --- a/lfs/zabbix_agentd >>> +++ b/lfs/zabbix_agentd >>> @@ -1,7 +1,7 @@ >>> ################################################################### >>> ############ >>> # >>> # >>> # IPFire.org - A linux based >>> firewall # >>> -# Copyright (C) 2007-2019 IPFire Team >>> <info@ipfire.org> # >>> +# Copyright (C) 2007-2022 IPFire Team >>> <info@ipfire.org> # >>> # >>> # >>> # This program is free software: you can redistribute it and/or >>> modify # >>> # it under the terms of the GNU General Public License as published >>> by # >>> @@ -24,7 +24,7 @@ >>> >>> include Config >>> >>> -VER = 4.2.6 >>> +VER = 5.0.20 >>> >>> THISAPP = zabbix-$(VER) >>> DL_FILE = $(THISAPP).tar.gz >>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> PROG = zabbix_agentd >>> -PAK_VER = 4 >>> +PAK_VER = 5 >>> DEPS = >>> >>> ################################################################### >>> ############ >>> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >>> +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 >>> >>> install : $(TARGET) >>> >>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> --prefix=/usr \ >>> --enable-agent \ >>> --sysconfdir=/etc/zabbix_agentd \ >>> - --with-openssl >>> + --with-openssl \ >>> + --with-libcurl >>> >>> cd $(DIR_APP) && make >>> cd $(DIR_APP) && make install >>> -- >>> 2.34.1 >>> >>> >>> -- >>> Dit bericht is gescanned op virussen en andere gevaarlijke >>> inhoud door MailScanner en lijkt schoon te zijn. >>> >> >> > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn.
Hi Michael Michael Tremer schreef op zo 20-02-2022 om 18:10 [+0000]: > > > The reason why pakfire is doing this is because it is simply a > wrapper around tar. It is not that sophisticated of a package > management system because it wasn’t designed for this scale. > > In order to avoid overwriting any existing configuration, we backup > everything, extract the new package which will then overwrite the > existing configuration files and then restore the backup to have the > old configuration again. We could have built something that avoids > overwriting the files in the first place which is what pakfire in > IPFire 3 does. The current method indeed is probably the best possible considering the way pakfire currently works when updating an addon. But for as far as I currently understand it, when you uninstall an addon, all config files are backed up and then are removed (due to being in the rootfile). For the user the addon is gone on the system. If the user opts to install the addon again, say about half a year or a year later, the install will restore the backup of the config it took during uninstall half a year ago. I think this will cause confusion in many cases? Is this implemented this way for a good reason? or just to accommodate the update procedure without much further thought? I myself (if I didn't know how pakfire worked internally) would expect that if I uninstalled an addon, checked and removed potentially left- over config files, that a new install would give me a fresh install which I would have to configure manually again. If pakfire worked that way, the user could make a copy of his config himself, uninstall and re-install an addon to have a fresh config which he then could merge himself with his old config-copy to make the addon work again. So if there is no real reason to always backup on uninstall I would like to propose to perform the backup restore in the actual update- script instead of in the install and uninstall scripts? This way there is a quite logical way for the average user to start over with a fresh install of an addon. That would feel much more 'natural' to me. Anyway this discussion about pakfire working is maybe worth its own thread as it is not really zabbix-agent specific. > > Lots of other distributions work in a similar way where they rename > the existing configuration files and might rename them back again. > > > The problem I'm having with the current way is that when an addon > > is > > updated, a new version of the config is just discarded due to the > > restore of the previous config during install (even if that config > > was > > never changed by the user). > > So if settings in the config are added, deprecated or even no > > longer > > valid, the user will never know until a version would no longer > > start > > up or no longer behave as expected due to the old config. > > And even if a user would think about checking config changes on an > > update he would have to go search the internet for a config example > > for > > this version of the addon. > > Yes, this is a huge problem for us all. The question there is to > answer is: > > Do we know better than the user? > > Answering that with a yes means that we would make decisions on their > behalf and that might potentially go wrong. Answering that with a no > means that the user needs to invest a lot of time into the > configuration of each part of the distribution and the reason why we > have a nice shiny web user interface is that they don’t have to do > this. The correct answer is probably somewhere in the middle. > > What we do in practise is: We keep systems consistent with their > previous behaviour. An update should never change that (there are of > course exceptions to every rule). New features might only be > activated on new systems. The problem I see with this is that if software provided by an addon is for example deprecating one or more config-options. Keeping the systems constistent would mean - not providing any newer version for that addon anymore, which I don't think is what we want. Or - trying to 'convert' the possibly user-changed deprecated config- setting in the config file using sed, which I can see failing in may ways :-) Or - providing the user with a straight forward way to reinstall an addon completely afresh, and/or - what I'm trying to do here, provide the user with the new config in some easily accessible way (currently .ipfirenew, but could be a simpler .example, see below), keeping his old config active possibly making the new addon version fail to work, but giving him the possibility to manually merge his deprecated config to what the current version of the addon-software expects. > > > In this specific case, as we update from a rather old version of > > zabbix > > agent, there are quite a few interesting config changes that can > > harden > > the security of the agent, which I would not want the user to miss > > out > > on. Also one option is deprecated, is currently still supported, > > but in > > the next version it probably will no longer work, possibly breaking > > some users' monitoring or causing the agent to fail starting. > > Is this an add-on that generally requires configuration on the > console? > > We do we not build a page on the web UI for this so that people can > enable the things they want? Would that be overkill for the possible > options? As I said before, I would indeed prefer a web ui for the config of the addon. That way we are in complete control of the config file. And I plan to build such a page (I have already put some effort in it, but it is not even nearly ready for now). The page should give the user access to all possible configuration options. If not, we could handicap/limit the use of the agent or force the advanced user to still manually tinker with the config file. But the zabbix agent has many options including defining certificates and encryption keys for communication and a web ui should do sanity checking on all options as well as provide methods to upload and/or generate those certs/keys so it is not a page that is easily designed overnight. But it is coming sooner or later. > > > For the sudoers file it is even more problematic; the user can of > > course modify that file to add additional commands he requires the > > agent to execute as root, but possible future additions to the > > ipfire > > specific monitoring that I or other contributors in the future may > > add, > > may also need extra commands in that file to work. (for example the > > upcoming services monitoring that would require some form of > > addonctrl > > status) > > But I can't update that file with the current behaviour.. or I > > would > > have to try to implement some sed magic after the restore in > > install.sh > > hoping not to damage the file if it has user customizations in it. > > This is not a configuration file in my eyes. It technically is one of > course, but we call these files a “system configuration file”. It > will be overwritten because what is in it is necessary for the system > to work. It does not contain any choices by the user at all. > > For that reason, this file should not be backed up and overwritten by > every package update. > > > So I'm not sure on how to handle this differently at the moment. > > I was thinking for the main config maybe just installing a > > ".example" > > version of the latest config so that a user would not have to go > > search > > for it on internet ? And in that case even remove all comments and > > defaults from the actual config (on a fresh install) as that is > > then > > provided in the ".example" version as documentation. > > Having some example configuration in a location the user would > normally not look at is probably not helpful. I agree with the "location the user would normally not look at". But as I currently see it, I would like to add the the config example next to the actual config. (I see this happen in many software packages in other linux distro's too. Granted, most of the time it is the vendor itself that provides that example config, not the distro. But since we don't have config merging or '.rpmnew' systems as those distro's do have, I see this as some kind of middle way) So /etc/zabbix_agentd/ in a fresh install would contain - zabbix_agentd.conf.example - the config as shipped with the zabbix source, but renamed to '.example' during build. (with all options in it accompanied with option documentation as comments.) - zabbix_agentd.conf - the active config, provided by us, with only the bare minimum of options required for the agent to run (secure). - this config will not be altered by us after initial install due to the backup/restore. This way the example config is automatically accurate for the current version of the addon. And the user stays in complete control of his own config in the same way it is in other addons. Until the web ui is finished.. > > If you want them to configure things themselves, why not provide good > documentation on the wiki? I do not 'want' them to configure things themselves.. but if they want to actually use the agent they have to at least point the agent to their zabbix server. So minimal manual configuration is required, and that is also already documented on the wiki. But the agent has many options and possibilities and I don't think it is our job to provide extensive non-IPFire specific configuration documentation as that is the job of the vendor (and in case of Zabbix the docs are there and very clear). But I do am convinced that we should provide a straight-forward way for the more advanced user to get a version of the default config as it is shipped with the current release of the software, especially when it is as verbose in documentation comments as provided by Zabbix. > > > But that still leaves the sudoers file. The only other possibility > > I > > see there is that we don't add this file to the backup and add a > > comment in it that a user should not modify it as it will get > > overwritten on update. He can then always still create his own > > sudoers- > > file with his own custom rights for the agent. > > This is the way to go. In many cases, we have extra files that end on > “.user” or “.local” to make it clear that users should make their own > changes here. Ok, for the sudoers, I will go this route then. Robin > > > Of course all this can be solved by managing the config using the > > webgui.. and I'm still planning to create a webgui config page for > > the > > agent someday. But we are not there yet :-) > > -Michael > > > > > Regards > > > > Robin > > > > > > > > -Michael > > > > > > > On 9 Feb 2022, at 23:26, Robin Roevens > > > > <robin.roevens@disroot.org> > > > > wrote: > > > > > > > > - Update from 4.2.6 to latest LTS version 5.0.20 > > > > See release notes: https://www.zabbix.com/rn/rn5.0.20 > > > > > > > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > > > > --- > > > > config/zabbix_agentd/zabbix_agentd.conf | 135 > > > > ++++++++++++++++++++++-- > > > > lfs/zabbix_agentd | 11 +- > > > > 2 files changed, 132 insertions(+), 14 deletions(-) > > > > > > > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf > > > > b/config/zabbix_agentd/zabbix_agentd.conf > > > > index 21b8e0122..aa8b899dc 100644 > > > > --- a/config/zabbix_agentd/zabbix_agentd.conf > > > > +++ b/config/zabbix_agentd/zabbix_agentd.conf > > > > @@ -63,14 +63,33 @@ LogFileSize=0 > > > > # Default: > > > > # SourceIP= > > > > > > > > -### Option: EnableRemoteCommands > > > > -# Whether remote commands from Zabbix server are allowed. > > > > -# 0 - not allowed > > > > -# 1 - allowed > > > > +### Option: AllowKey > > > > +# Allow execution of item keys matching pattern. > > > > +# Multiple keys matching rules may be defined in > > > > combination > > > > with DenyKey. > > > > +# Key pattern is wildcard expression, which support "*" > > > > character to match any number of any characters in certain > > > > position. It might be used in both key name and key arguments. > > > > +# Parameters are processed one by one according their > > > > appearance order. > > > > +# If no AllowKey or DenyKey rules defined, all keys are > > > > allowed. > > > > +# > > > > +# Mandatory: no > > > > + > > > > +### Option: DenyKey > > > > +# Deny execution of items keys matching pattern. > > > > +# Multiple keys matching rules may be defined in > > > > combination > > > > with AllowKey. > > > > +# Key pattern is wildcard expression, which support "*" > > > > character to match any number of any characters in certain > > > > position. It might be used in both key name and key arguments. > > > > +# Parameters are processed one by one according their > > > > appearance order. > > > > +# If no AllowKey or DenyKey rules defined, all keys are > > > > allowed. > > > > +# Unless another system.run[*] rule is specified > > > > DenyKey=system.run[*] is added by default. > > > > # > > > > # Mandatory: no > > > > # Default: > > > > -# EnableRemoteCommands=0 > > > > +# DenyKey=system.run[*] > > > > + > > > > +### Option: EnableRemoteCommands - Deprecated, use > > > > AllowKey=system.run[*] or DenyKey=system.run[*] instead > > > > +# Internal alias for AllowKey/DenyKey parameters > > > > depending on > > > > value: > > > > +# 0 - DenyKey=system.run[*] > > > > +# 1 - AllowKey=system.run[*] > > > > +# > > > > +# Mandatory: no > > > > > > > > ### Option: LogRemoteCommands > > > > # Enable logging of executed shell commands as warnings. > > > > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > > > > # Default: > > > > # HostMetadataItem= > > > > > > > > +### Option: HostInterface > > > > +# Optional parameter that defines host interface. > > > > +# Host interface is used at host auto-registration > > > > process. > > > > +# An agent will issue an error and not start if the value > > > > is > > > > over limit of 255 characters. > > > > +# If not defined, value will be acquired from > > > > HostInterfaceItem. > > > > +# > > > > +# Mandatory: no > > > > +# Range: 0-255 characters > > > > +# Default: > > > > +# HostInterface= > > > > + > > > > +### Option: HostInterfaceItem > > > > +# Optional parameter that defines an item used for > > > > getting > > > > host interface. > > > > +# Host interface is used at host auto-registration > > > > process. > > > > +# During an auto-registration request an agent will log a > > > > warning message if > > > > +# the value returned by specified item is over limit of > > > > 255 > > > > characters. > > > > +# This option is only used when HostInterface is not > > > > defined. > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# HostInterfaceItem= > > > > + > > > > ### Option: RefreshActiveChecks > > > > # How often list of active checks is refreshed, in > > > > seconds. > > > > # > > > > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > > > > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > > > > > - > > > > ####### USER-DEFINED MONITORED PARAMETERS ####### > > > > > > > > ### Option: UnsafeUserParameters > > > > @@ -299,7 +339,7 @@ > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > # > > > > # Mandatory: no > > > > # Default: > > > > -# LoadModulePath=/usr/lib/modules > > > > +# LoadModulePath=${libdir}/modules > > > > > > > > LoadModulePath=/usr/lib/zabbix > > > > > > > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > > > > # TLSCRLFile= > > > > > > > > ### Option: TLSServerCertIssuer > > > > -# Allowed server certificate issuer. > > > > +# Allowed server certificate issuer. > > > > # > > > > # Mandatory: no > > > > # Default: > > > > # TLSServerCertIssuer= > > > > > > > > ### Option: TLSServerCertSubject > > > > -# Allowed server certificate subject. > > > > +# Allowed server certificate subject. > > > > # > > > > # Mandatory: no > > > > # Default: > > > > @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix > > > > # Mandatory: no > > > > # Default: > > > > # TLSPSKFile= > > > > + > > > > +####### For advanced users - TLS ciphersuite selection > > > > criteria > > > > ####### > > > > + > > > > +### Option: TLSCipherCert13 > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > > > +# Override the default ciphersuite selection criteria for > > > > certificate-based encryption. > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherCert13= > > > > + > > > > +### Option: TLSCipherCert > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > string. > > > > +# Override the default ciphersuite selection criteria for > > > > certificate-based encryption. > > > > +# Example for GnuTLS: > > > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- > > > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- > > > > NULL:+SIGN- > > > > ALL:+CTYPE-X.509 > > > > +# Example for OpenSSL: > > > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherCert= > > > > + > > > > +### Option: TLSCipherPSK13 > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > > > +# Override the default ciphersuite selection criteria for > > > > PSK-based encryption. > > > > +# Example: > > > > +# > > > > TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherPSK13= > > > > + > > > > +### Option: TLSCipherPSK > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > string. > > > > +# Override the default ciphersuite selection criteria for > > > > PSK-based encryption. > > > > +# Example for GnuTLS: > > > > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- > > > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- > > > > NULL:+SIGN- > > > > ALL > > > > +# Example for OpenSSL: > > > > +# kECDHEPSK+AES128:kPSK+AES128 > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherPSK= > > > > + > > > > +### Option: TLSCipherAll13 > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. > > > > +# Override the default ciphersuite selection criteria for > > > > certificate- and PSK-based encryption. > > > > +# Example: > > > > +# > > > > TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > > > > :TLS_AES_128_GCM_SHA256 > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherAll13= > > > > + > > > > +### Option: TLSCipherAll > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > string. > > > > +# Override the default ciphersuite selection criteria for > > > > certificate- and PSK-based encryption. > > > > +# Example for GnuTLS: > > > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- > > > > PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE- > > > > ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > > > > +# Example for OpenSSL: > > > > +# > > > > EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: > > > > kPSK+AES128 > > > > +# > > > > +# Mandatory: no > > > > +# Default: > > > > +# TLSCipherAll= > > > > + > > > > +####### For advanced users - TCP-related fine-tuning > > > > parameters > > > > ####### > > > > + > > > > +## Option: ListenBacklog > > > > +# The maximum number of pending connections in the > > > > queue. > > > > This parameter is passed to > > > > +# listen() function as argument 'backlog' (see "man > > > > listen"). > > > > +# > > > > +# Mandatory: no > > > > +# Range: 0 - INT_MAX (depends on system, too large values may > > > > be > > > > silently truncated to implementation-specified maximum) > > > > +# Default: SOMAXCONN (hard-coded constant, depends on system) > > > > +# ListenBacklog= > > > > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > > > > index c69643a54..28fe97b4f 100644 > > > > --- a/lfs/zabbix_agentd > > > > +++ b/lfs/zabbix_agentd > > > > @@ -1,7 +1,7 @@ > > > > ############################################################### > > > > #### > > > > ############ > > > > # > > > > > > > > # > > > > # IPFire.org - A linux based > > > > firewall # > > > > -# Copyright (C) 2007-2019 IPFire Team > > > > <info@ipfire.org> # > > > > +# Copyright (C) 2007-2022 IPFire Team > > > > <info@ipfire.org> # > > > > # > > > > > > > > # > > > > # This program is free software: you can redistribute it and/or > > > > modify # > > > > # it under the terms of the GNU General Public License as > > > > published > > > > by # > > > > @@ -24,7 +24,7 @@ > > > > > > > > include Config > > > > > > > > -VER = 4.2.6 > > > > +VER = 5.0.20 > > > > > > > > THISAPP = zabbix-$(VER) > > > > DL_FILE = $(THISAPP).tar.gz > > > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > > > TARGET = $(DIR_INFO)/$(THISAPP) > > > > PROG = zabbix_agentd > > > > -PAK_VER = 4 > > > > +PAK_VER = 5 > > > > DEPS = > > > > > > > > ############################################################### > > > > #### > > > > ############ > > > > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > > > > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > > > > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > > > > +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 > > > > > > > > install : $(TARGET) > > > > > > > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst > > > > %,$(DIR_DL)/%,$(objects)) > > > > --prefix=/usr \ > > > > --enable-agent \ > > > > --sysconfdir=/etc/zabbix_agentd \ > > > > - --with-openssl > > > > + --with-openssl \ > > > > + --with-libcurl > > > > > > > > cd $(DIR_APP) && make > > > > cd $(DIR_APP) && make install > > > > -- > > > > 2.34.1 > > > > > > > > > > > > -- > > > > Dit bericht is gescanned op virussen en andere gevaarlijke > > > > inhoud door MailScanner en lijkt schoon te zijn. > > > > > > > > > > > > > > -- > > Dit bericht is gescanned op virussen en andere gevaarlijke > > inhoud door MailScanner en lijkt schoon te zijn. > >
Hello, > On 20 Feb 2022, at 22:18, Robin Roevens <robin.roevens@disroot.org> wrote: > > Hi Michael > > Michael Tremer schreef op zo 20-02-2022 om 18:10 [+0000]: >> >> >> The reason why pakfire is doing this is because it is simply a >> wrapper around tar. It is not that sophisticated of a package >> management system because it wasn’t designed for this scale. >> >> In order to avoid overwriting any existing configuration, we backup >> everything, extract the new package which will then overwrite the >> existing configuration files and then restore the backup to have the >> old configuration again. We could have built something that avoids >> overwriting the files in the first place which is what pakfire in >> IPFire 3 does. > The current method indeed is probably the best possible considering the > way pakfire currently works when updating an addon. But for as far as I > currently understand it, when you uninstall an addon, all config files > are backed up and then are removed (due to being in the rootfile). For > the user the addon is gone on the system. > If the user opts to install the addon again, say about half a year or a > year later, the install will restore the backup of the config it took > during uninstall half a year ago. I think this will cause confusion in > many cases? > Is this implemented this way for a good reason? or just to accommodate > the update procedure without much further thought? I am not if this is for the best reason, but it prevents that people will lose their configuration for any reason and there is an easy option to drop configuration if you want to. Although it might not be the best, it is a good solution. > I myself (if I didn't know how pakfire worked internally) would expect > that if I uninstalled an addon, checked and removed potentially left- > over config files, that a new install would give me a fresh install > which I would have to configure manually again. > > If pakfire worked that way, the user could make a copy of his config > himself, uninstall and re-install an addon to have a fresh config which > he then could merge himself with his old config-copy to make the addon > work again. > > So if there is no real reason to always backup on uninstall I would > like to propose to perform the backup restore in the actual update- > script instead of in the install and uninstall scripts? This way there > is a quite logical way for the average user to start over with a fresh > install of an addon. That would feel much more 'natural' to me. There is the reason, that there is no other way at the moment than backing it up and restoring it. Otherwise the configuration will always be overwritten which is not what we want at all. Additionally, I would want all packages to behave the same. If we change this for Zabbix, we will have to change this for everything else, too. > Anyway this discussion about pakfire working is maybe worth its own > thread as it is not really zabbix-agent specific. > >> >> Lots of other distributions work in a similar way where they rename >> the existing configuration files and might rename them back again. >> >>> The problem I'm having with the current way is that when an addon >>> is >>> updated, a new version of the config is just discarded due to the >>> restore of the previous config during install (even if that config >>> was >>> never changed by the user). >>> So if settings in the config are added, deprecated or even no >>> longer >>> valid, the user will never know until a version would no longer >>> start >>> up or no longer behave as expected due to the old config. >>> And even if a user would think about checking config changes on an >>> update he would have to go search the internet for a config example >>> for >>> this version of the addon. >> >> Yes, this is a huge problem for us all. The question there is to >> answer is: >> >> Do we know better than the user? >> >> Answering that with a yes means that we would make decisions on their >> behalf and that might potentially go wrong. Answering that with a no >> means that the user needs to invest a lot of time into the >> configuration of each part of the distribution and the reason why we >> have a nice shiny web user interface is that they don’t have to do >> this. The correct answer is probably somewhere in the middle. >> >> What we do in practise is: We keep systems consistent with their >> previous behaviour. An update should never change that (there are of >> course exceptions to every rule). New features might only be >> activated on new systems. > > The problem I see with this is that if software provided by an addon is > for example deprecating one or more config-options. Keeping the systems > constistent would mean > - not providing any newer version for that addon anymore, which I don't > think is what we want. Or > - trying to 'convert' the possibly user-changed deprecated config- > setting in the config file using sed, which I can see failing in may > ways :-) Or This is what we do quite regularly and it has never failed. Ultimately, if upstream decides to discontinue support for something, there isn’t much else that we can do. > - providing the user with a straight forward way to reinstall an addon > completely afresh, and/or > - what I'm trying to do here, provide the user with the new config in > some easily accessible way (currently .ipfirenew, but could be a > simpler .example, see below), keeping his old config active possibly > making the new addon version fail to work, but giving him the > possibility to manually merge his deprecated config to what the current > version of the addon-software expects. I am not sure how they should know about those changes. Showing a diff is probably hard to understand for many users and showing that diff on the UI is even more difficult. I am not against *what* you are trying to achieve at all. I am just not sure if the *how* is the best. How about just copying the configuration and put it next to the configuration file with a “.sample” suffix? Then people are still on their own, but I would consider a sample suffix more clear than a .ipfirenew because that doesn’t tell me much about what I should be doing with it. >> >>> In this specific case, as we update from a rather old version of >>> zabbix >>> agent, there are quite a few interesting config changes that can >>> harden >>> the security of the agent, which I would not want the user to miss >>> out >>> on. Also one option is deprecated, is currently still supported, >>> but in >>> the next version it probably will no longer work, possibly breaking >>> some users' monitoring or causing the agent to fail starting. >> >> Is this an add-on that generally requires configuration on the >> console? >> >> We do we not build a page on the web UI for this so that people can >> enable the things they want? Would that be overkill for the possible >> options? > > As I said before, I would indeed prefer a web ui for the config of the > addon. That way we are in complete control of the config file. And I > plan to build such a page (I have already put some effort in it, but it > is not even nearly ready for now). > The page should give the user access to all possible configuration > options. If not, we could handicap/limit the use of the agent or force > the advanced user to still manually tinker with the config file. > > But the zabbix agent has many options including defining certificates > and encryption keys for communication and a web ui should do sanity > checking on all options as well as provide methods to upload and/or > generate those certs/keys so it is not a page that is easily designed > overnight. But it is coming sooner or later. Wouldn’t the system automatically generate any keys for the agent? Scrolling through the configuration, I do not see anything the user would want to change. Do you have an example for me to understand this better? > >> >>> For the sudoers file it is even more problematic; the user can of >>> course modify that file to add additional commands he requires the >>> agent to execute as root, but possible future additions to the >>> ipfire >>> specific monitoring that I or other contributors in the future may >>> add, >>> may also need extra commands in that file to work. (for example the >>> upcoming services monitoring that would require some form of >>> addonctrl >>> status) >>> But I can't update that file with the current behaviour.. or I >>> would >>> have to try to implement some sed magic after the restore in >>> install.sh >>> hoping not to damage the file if it has user customizations in it. >> >> This is not a configuration file in my eyes. It technically is one of >> course, but we call these files a “system configuration file”. It >> will be overwritten because what is in it is necessary for the system >> to work. It does not contain any choices by the user at all. >> >> For that reason, this file should not be backed up and overwritten by >> every package update. >> >>> So I'm not sure on how to handle this differently at the moment. >>> I was thinking for the main config maybe just installing a >>> ".example" >>> version of the latest config so that a user would not have to go >>> search >>> for it on internet ? And in that case even remove all comments and >>> defaults from the actual config (on a fresh install) as that is >>> then >>> provided in the ".example" version as documentation. >> >> Having some example configuration in a location the user would >> normally not look at is probably not helpful. > I agree with the "location the user would normally not look at". But as > I currently see it, I would like to add the the config example next to > the actual config. (I see this happen in many software packages in > other linux distro's too. Granted, most of the time it is the vendor > itself that provides that example config, not the distro. But since we > don't have config merging or '.rpmnew' systems as those distro's do > have, I see this as some kind of middle way) > > So /etc/zabbix_agentd/ in a fresh install would contain > - zabbix_agentd.conf.example - the config as shipped with the zabbix > source, but renamed to '.example' during build. (with all options in it > accompanied with option documentation as comments.) Okay. I can live with this. > - zabbix_agentd.conf - the active config, provided by us, with only the > bare minimum of options required for the agent to run (secure). - this > config will not be altered by us after initial install due to the > backup/restore. Unless we need to remove any deprecated options, etc. Agreed. > This way the example config is automatically accurate for the current > version of the addon. And the user stays in complete control of his own > config in the same way it is in other addons. > > Until the web ui is finished.. That sounds good to me. >> >> If you want them to configure things themselves, why not provide good >> documentation on the wiki? > I do not 'want' them to configure things themselves.. but if they want > to actually use the agent they have to at least point the agent to > their zabbix server. So minimal manual configuration is required, and > that is also already documented on the wiki. But the agent has many > options and possibilities and I don't think it is our job to provide > extensive non-IPFire specific configuration documentation as that is > the job of the vendor (and in case of Zabbix the docs are there and > very clear). No, that would just be duplicating documentation. -Michael > But I do am convinced that we should provide a straight-forward way for > the more advanced user to get a version of the default config as it is > shipped with the current release of the software, especially when it is > as verbose in documentation comments as provided by Zabbix. > >> >>> But that still leaves the sudoers file. The only other possibility >>> I >>> see there is that we don't add this file to the backup and add a >>> comment in it that a user should not modify it as it will get >>> overwritten on update. He can then always still create his own >>> sudoers- >>> file with his own custom rights for the agent. >> >> This is the way to go. In many cases, we have extra files that end on >> “.user” or “.local” to make it clear that users should make their own >> changes here. > Ok, for the sudoers, I will go this route then. > > > Robin > >> >>> Of course all this can be solved by managing the config using the >>> webgui.. and I'm still planning to create a webgui config page for >>> the >>> agent someday. But we are not there yet :-) >> >> -Michael >> >>> >>> Regards >>> >>> Robin >>> >>>> >>>> -Michael >>>> >>>>> On 9 Feb 2022, at 23:26, Robin Roevens >>>>> <robin.roevens@disroot.org> >>>>> wrote: >>>>> >>>>> - Update from 4.2.6 to latest LTS version 5.0.20 >>>>> See release notes: https://www.zabbix.com/rn/rn5.0.20 >>>>> >>>>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >>>>> --- >>>>> config/zabbix_agentd/zabbix_agentd.conf | 135 >>>>> ++++++++++++++++++++++-- >>>>> lfs/zabbix_agentd | 11 +- >>>>> 2 files changed, 132 insertions(+), 14 deletions(-) >>>>> >>>>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf >>>>> b/config/zabbix_agentd/zabbix_agentd.conf >>>>> index 21b8e0122..aa8b899dc 100644 >>>>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>>>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>>>> @@ -63,14 +63,33 @@ LogFileSize=0 >>>>> # Default: >>>>> # SourceIP= >>>>> >>>>> -### Option: EnableRemoteCommands >>>>> -# Whether remote commands from Zabbix server are allowed. >>>>> -# 0 - not allowed >>>>> -# 1 - allowed >>>>> +### Option: AllowKey >>>>> +# Allow execution of item keys matching pattern. >>>>> +# Multiple keys matching rules may be defined in >>>>> combination >>>>> with DenyKey. >>>>> +# Key pattern is wildcard expression, which support "*" >>>>> character to match any number of any characters in certain >>>>> position. It might be used in both key name and key arguments. >>>>> +# Parameters are processed one by one according their >>>>> appearance order. >>>>> +# If no AllowKey or DenyKey rules defined, all keys are >>>>> allowed. >>>>> +# >>>>> +# Mandatory: no >>>>> + >>>>> +### Option: DenyKey >>>>> +# Deny execution of items keys matching pattern. >>>>> +# Multiple keys matching rules may be defined in >>>>> combination >>>>> with AllowKey. >>>>> +# Key pattern is wildcard expression, which support "*" >>>>> character to match any number of any characters in certain >>>>> position. It might be used in both key name and key arguments. >>>>> +# Parameters are processed one by one according their >>>>> appearance order. >>>>> +# If no AllowKey or DenyKey rules defined, all keys are >>>>> allowed. >>>>> +# Unless another system.run[*] rule is specified >>>>> DenyKey=system.run[*] is added by default. >>>>> # >>>>> # Mandatory: no >>>>> # Default: >>>>> -# EnableRemoteCommands=0 >>>>> +# DenyKey=system.run[*] >>>>> + >>>>> +### Option: EnableRemoteCommands - Deprecated, use >>>>> AllowKey=system.run[*] or DenyKey=system.run[*] instead >>>>> +# Internal alias for AllowKey/DenyKey parameters >>>>> depending on >>>>> value: >>>>> +# 0 - DenyKey=system.run[*] >>>>> +# 1 - AllowKey=system.run[*] >>>>> +# >>>>> +# Mandatory: no >>>>> >>>>> ### Option: LogRemoteCommands >>>>> # Enable logging of executed shell commands as warnings. >>>>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >>>>> # Default: >>>>> # HostMetadataItem= >>>>> >>>>> +### Option: HostInterface >>>>> +# Optional parameter that defines host interface. >>>>> +# Host interface is used at host auto-registration >>>>> process. >>>>> +# An agent will issue an error and not start if the value >>>>> is >>>>> over limit of 255 characters. >>>>> +# If not defined, value will be acquired from >>>>> HostInterfaceItem. >>>>> +# >>>>> +# Mandatory: no >>>>> +# Range: 0-255 characters >>>>> +# Default: >>>>> +# HostInterface= >>>>> + >>>>> +### Option: HostInterfaceItem >>>>> +# Optional parameter that defines an item used for >>>>> getting >>>>> host interface. >>>>> +# Host interface is used at host auto-registration >>>>> process. >>>>> +# During an auto-registration request an agent will log a >>>>> warning message if >>>>> +# the value returned by specified item is over limit of >>>>> 255 >>>>> characters. >>>>> +# This option is only used when HostInterface is not >>>>> defined. >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# HostInterfaceItem= >>>>> + >>>>> ### Option: RefreshActiveChecks >>>>> # How often list of active checks is refreshed, in >>>>> seconds. >>>>> # >>>>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >>>>> >>>>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>>> >>>>> - >>>>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>>>> >>>>> ### Option: UnsafeUserParameters >>>>> @@ -299,7 +339,7 @@ >>>>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>>> # >>>>> # Mandatory: no >>>>> # Default: >>>>> -# LoadModulePath=/usr/lib/modules >>>>> +# LoadModulePath=${libdir}/modules >>>>> >>>>> LoadModulePath=/usr/lib/zabbix >>>>> >>>>> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >>>>> # TLSCRLFile= >>>>> >>>>> ### Option: TLSServerCertIssuer >>>>> -# Allowed server certificate issuer. >>>>> +# Allowed server certificate issuer. >>>>> # >>>>> # Mandatory: no >>>>> # Default: >>>>> # TLSServerCertIssuer= >>>>> >>>>> ### Option: TLSServerCertSubject >>>>> -# Allowed server certificate subject. >>>>> +# Allowed server certificate subject. >>>>> # >>>>> # Mandatory: no >>>>> # Default: >>>>> @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix >>>>> # Mandatory: no >>>>> # Default: >>>>> # TLSPSKFile= >>>>> + >>>>> +####### For advanced users - TLS ciphersuite selection >>>>> criteria >>>>> ####### >>>>> + >>>>> +### Option: TLSCipherCert13 >>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>>> +# Override the default ciphersuite selection criteria for >>>>> certificate-based encryption. >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherCert13= >>>>> + >>>>> +### Option: TLSCipherCert >>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>> string. >>>>> +# Override the default ciphersuite selection criteria for >>>>> certificate-based encryption. >>>>> +# Example for GnuTLS: >>>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- >>>>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- >>>>> NULL:+SIGN- >>>>> ALL:+CTYPE-X.509 >>>>> +# Example for OpenSSL: >>>>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherCert= >>>>> + >>>>> +### Option: TLSCipherPSK13 >>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>>> +# Override the default ciphersuite selection criteria for >>>>> PSK-based encryption. >>>>> +# Example: >>>>> +# >>>>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherPSK13= >>>>> + >>>>> +### Option: TLSCipherPSK >>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>> string. >>>>> +# Override the default ciphersuite selection criteria for >>>>> PSK-based encryption. >>>>> +# Example for GnuTLS: >>>>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- >>>>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- >>>>> NULL:+SIGN- >>>>> ALL >>>>> +# Example for OpenSSL: >>>>> +# kECDHEPSK+AES128:kPSK+AES128 >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherPSK= >>>>> + >>>>> +### Option: TLSCipherAll13 >>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>>>> +# Override the default ciphersuite selection criteria for >>>>> certificate- and PSK-based encryption. >>>>> +# Example: >>>>> +# >>>>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 >>>>> :TLS_AES_128_GCM_SHA256 >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherAll13= >>>>> + >>>>> +### Option: TLSCipherAll >>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>> string. >>>>> +# Override the default ciphersuite selection criteria for >>>>> certificate- and PSK-based encryption. >>>>> +# Example for GnuTLS: >>>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- >>>>> PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE- >>>>> ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>>>> +# Example for OpenSSL: >>>>> +# >>>>> EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: >>>>> kPSK+AES128 >>>>> +# >>>>> +# Mandatory: no >>>>> +# Default: >>>>> +# TLSCipherAll= >>>>> + >>>>> +####### For advanced users - TCP-related fine-tuning >>>>> parameters >>>>> ####### >>>>> + >>>>> +## Option: ListenBacklog >>>>> +# The maximum number of pending connections in the >>>>> queue. >>>>> This parameter is passed to >>>>> +# listen() function as argument 'backlog' (see "man >>>>> listen"). >>>>> +# >>>>> +# Mandatory: no >>>>> +# Range: 0 - INT_MAX (depends on system, too large values may >>>>> be >>>>> silently truncated to implementation-specified maximum) >>>>> +# Default: SOMAXCONN (hard-coded constant, depends on system) >>>>> +# ListenBacklog= >>>>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>>>> index c69643a54..28fe97b4f 100644 >>>>> --- a/lfs/zabbix_agentd >>>>> +++ b/lfs/zabbix_agentd >>>>> @@ -1,7 +1,7 @@ >>>>> ############################################################### >>>>> #### >>>>> ############ >>>>> # >>>>> >>>>> # >>>>> # IPFire.org - A linux based >>>>> firewall # >>>>> -# Copyright (C) 2007-2019 IPFire Team >>>>> <info@ipfire.org> # >>>>> +# Copyright (C) 2007-2022 IPFire Team >>>>> <info@ipfire.org> # >>>>> # >>>>> >>>>> # >>>>> # This program is free software: you can redistribute it and/or >>>>> modify # >>>>> # it under the terms of the GNU General Public License as >>>>> published >>>>> by # >>>>> @@ -24,7 +24,7 @@ >>>>> >>>>> include Config >>>>> >>>>> -VER = 4.2.6 >>>>> +VER = 5.0.20 >>>>> >>>>> THISAPP = zabbix-$(VER) >>>>> DL_FILE = $(THISAPP).tar.gz >>>>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>>>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>>>> TARGET = $(DIR_INFO)/$(THISAPP) >>>>> PROG = zabbix_agentd >>>>> -PAK_VER = 4 >>>>> +PAK_VER = 5 >>>>> DEPS = >>>>> >>>>> ############################################################### >>>>> #### >>>>> ############ >>>>> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >>>>> >>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>> >>>>> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >>>>> +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 >>>>> >>>>> install : $(TARGET) >>>>> >>>>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst >>>>> %,$(DIR_DL)/%,$(objects)) >>>>> --prefix=/usr \ >>>>> --enable-agent \ >>>>> --sysconfdir=/etc/zabbix_agentd \ >>>>> - --with-openssl >>>>> + --with-openssl \ >>>>> + --with-libcurl >>>>> >>>>> cd $(DIR_APP) && make >>>>> cd $(DIR_APP) && make install >>>>> -- >>>>> 2.34.1 >>>>> >>>>> >>>>> -- >>>>> Dit bericht is gescanned op virussen en andere gevaarlijke >>>>> inhoud door MailScanner en lijkt schoon te zijn. >>>>> >>>> >>>> >>> >>> -- >>> Dit bericht is gescanned op virussen en andere gevaarlijke >>> inhoud door MailScanner en lijkt schoon te zijn. >> >> > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn.
Hi Michael I was implementing the changes as we discussed here. But I came up with a few extra questions, where I'm not sure if you agree or on how to best handle them: Currently the whole /etc/zabbix_agentd directory is included in the backup. But, as discussed, we will now add a .example config file and Alex has added the custom zabbix_agentd.d/userparameters_pakfire.conf file previously (which is currently already in the backup). And more userparameters files are added in this patchset. This makes this directory a hybrid with both user + ipfire managed files. I was thinking to - only include - /etc/zabbix_agentd/zabbix_agentd.conf - /etc/zabbix_agentd/zabbix_agentd.d/* - /etc/zabbix_agentd/scripts/* in the backup instead of the whole /etc/zabbix_agentd/* That would remove the need to handle the new zabbix_agentd.conf.example file in the (un)install scripts preventing it from landing inside the backup. - In the zabbix_agentd.conf file - which is managed by the user, I would add an Include= line to include a new location, specific for the IPFire added configfile(s). I was thinking '/var/ipfire/zabbix_agentd/userparameters' ? This would ease the correct management of the backups and give the user the option to easily disable the IPFire provided customization by commenting out that include line in the config. I think this would be much cleaner now and in the future when possible more IPfire-specific customizations are added. But if we decide to do that. How should I then handle old installs that will be upgraded? - The current zabbix_agentd.d/userparameters_pakfire.conf would then need to be removed. (as a new one will be installed somewhere else) But up until now it was included in the backup, and it is possible that a user has changed that file on his installation (I think chances are rather low.. but theoretically it is possible) Should I just remove the file ? - How should I add the new Include= line now in an already existing config? I was thinking maybe, just add it during install, and also create (for example) a '/var/ipfire/zabbix_agentd/config_migrated' file so that I know the config was once changed and subsequent upgrades will no longer try to add that line again. (To prevent that if the user comments it out to disable our customizations, it would be added again on next upgrade) A bit of the same story for the sudoers file. Up until now the file was included in the backup. And the user may have modified the file. I was thinking of performing a check on an existing sudoers.d/zabbix- file if it is still unmodified, and if so remove it. Otherwise rename it to sudoers.d/zabbix_agentd_user (and include that one in backup) and add a new sudoers.d/zabbix_agentd file that is not included in the backup and is not supposed to be modified by the user. Would that be a feasible solution ? Regards Robin Michael Tremer schreef op ma 21-02-2022 om 11:41 [+0000]: > Hello, > > > On 20 Feb 2022, at 22:18, Robin Roevens <robin.roevens@disroot.org> > > wrote: > > > > Hi Michael > > > > Michael Tremer schreef op zo 20-02-2022 om 18:10 [+0000]: > > > > > > > > > The reason why pakfire is doing this is because it is simply a > > > wrapper around tar. It is not that sophisticated of a package > > > management system because it wasn’t designed for this scale. > > > > > > In order to avoid overwriting any existing configuration, we > > > backup > > > everything, extract the new package which will then overwrite the > > > existing configuration files and then restore the backup to have > > > the > > > old configuration again. We could have built something that > > > avoids > > > overwriting the files in the first place which is what pakfire in > > > IPFire 3 does. > > The current method indeed is probably the best possible considering > > the > > way pakfire currently works when updating an addon. But for as far > > as I > > currently understand it, when you uninstall an addon, all config > > files > > are backed up and then are removed (due to being in the rootfile). > > For > > the user the addon is gone on the system. > > If the user opts to install the addon again, say about half a year > > or a > > year later, the install will restore the backup of the config it > > took > > during uninstall half a year ago. I think this will cause confusion > > in > > many cases? > > Is this implemented this way for a good reason? or just to > > accommodate > > the update procedure without much further thought? > > I am not if this is for the best reason, but it prevents that people > will lose their configuration for any reason and there is an easy > option to drop configuration if you want to. > > Although it might not be the best, it is a good solution. > > > I myself (if I didn't know how pakfire worked internally) would > > expect > > that if I uninstalled an addon, checked and removed potentially > > left- > > over config files, that a new install would give me a fresh install > > which I would have to configure manually again. > > > > If pakfire worked that way, the user could make a copy of his > > config > > himself, uninstall and re-install an addon to have a fresh config > > which > > he then could merge himself with his old config-copy to make the > > addon > > work again. > > > > So if there is no real reason to always backup on uninstall I would > > like to propose to perform the backup restore in the actual update- > > script instead of in the install and uninstall scripts? This way > > there > > is a quite logical way for the average user to start over with a > > fresh > > install of an addon. That would feel much more 'natural' to me. > > There is the reason, that there is no other way at the moment than > backing it up and restoring it. Otherwise the configuration will > always be overwritten which is not what we want at all. > > Additionally, I would want all packages to behave the same. If we > change this for Zabbix, we will have to change this for everything > else, too. > > > Anyway this discussion about pakfire working is maybe worth its own > > thread as it is not really zabbix-agent specific. > > > > > > > > Lots of other distributions work in a similar way where they > > > rename > > > the existing configuration files and might rename them back > > > again. > > > > > > > The problem I'm having with the current way is that when an > > > > addon > > > > is > > > > updated, a new version of the config is just discarded due to > > > > the > > > > restore of the previous config during install (even if that > > > > config > > > > was > > > > never changed by the user). > > > > So if settings in the config are added, deprecated or even no > > > > longer > > > > valid, the user will never know until a version would no longer > > > > start > > > > up or no longer behave as expected due to the old config. > > > > And even if a user would think about checking config changes on > > > > an > > > > update he would have to go search the internet for a config > > > > example > > > > for > > > > this version of the addon. > > > > > > Yes, this is a huge problem for us all. The question there is to > > > answer is: > > > > > > Do we know better than the user? > > > > > > Answering that with a yes means that we would make decisions on > > > their > > > behalf and that might potentially go wrong. Answering that with a > > > no > > > means that the user needs to invest a lot of time into the > > > configuration of each part of the distribution and the reason why > > > we > > > have a nice shiny web user interface is that they don’t have to > > > do > > > this. The correct answer is probably somewhere in the middle. > > > > > > What we do in practise is: We keep systems consistent with their > > > previous behaviour. An update should never change that (there are > > > of > > > course exceptions to every rule). New features might only be > > > activated on new systems. > > > > The problem I see with this is that if software provided by an > > addon is > > for example deprecating one or more config-options. Keeping the > > systems > > constistent would mean > > - not providing any newer version for that addon anymore, which I > > don't > > think is what we want. Or > > - trying to 'convert' the possibly user-changed deprecated config- > > setting in the config file using sed, which I can see failing in > > may > > ways :-) Or > > This is what we do quite regularly and it has never failed. > > Ultimately, if upstream decides to discontinue support for something, > there isn’t much else that we can do. > > > - providing the user with a straight forward way to reinstall an > > addon > > completely afresh, and/or > > - what I'm trying to do here, provide the user with the new config > > in > > some easily accessible way (currently .ipfirenew, but could be a > > simpler .example, see below), keeping his old config active > > possibly > > making the new addon version fail to work, but giving him the > > possibility to manually merge his deprecated config to what the > > current > > version of the addon-software expects. > > I am not sure how they should know about those changes. > > Showing a diff is probably hard to understand for many users and > showing that diff on the UI is even more difficult. > > I am not against *what* you are trying to achieve at all. I am just > not sure if the *how* is the best. > > How about just copying the configuration and put it next to the > configuration file with a “.sample” suffix? Then people are still on > their own, but I would consider a sample suffix more clear than a > .ipfirenew because that doesn’t tell me much about what I should be > doing with it. > > > > > > > > In this specific case, as we update from a rather old version > > > > of > > > > zabbix > > > > agent, there are quite a few interesting config changes that > > > > can > > > > harden > > > > the security of the agent, which I would not want the user to > > > > miss > > > > out > > > > on. Also one option is deprecated, is currently still > > > > supported, > > > > but in > > > > the next version it probably will no longer work, possibly > > > > breaking > > > > some users' monitoring or causing the agent to fail starting. > > > > > > Is this an add-on that generally requires configuration on the > > > console? > > > > > > We do we not build a page on the web UI for this so that people > > > can > > > enable the things they want? Would that be overkill for the > > > possible > > > options? > > > > As I said before, I would indeed prefer a web ui for the config of > > the > > addon. That way we are in complete control of the config file. And > > I > > plan to build such a page (I have already put some effort in it, > > but it > > is not even nearly ready for now). > > The page should give the user access to all possible configuration > > options. If not, we could handicap/limit the use of the agent or > > force > > the advanced user to still manually tinker with the config file. > > > > But the zabbix agent has many options including defining > > certificates > > and encryption keys for communication and a web ui should do sanity > > checking on all options as well as provide methods to upload and/or > > generate those certs/keys so it is not a page that is easily > > designed > > overnight. But it is coming sooner or later. > > Wouldn’t the system automatically generate any keys for the agent? > > Scrolling through the configuration, I do not see anything the user > would want to change. Do you have an example for me to understand > this better? > > > > > > > > > > For the sudoers file it is even more problematic; the user can > > > > of > > > > course modify that file to add additional commands he requires > > > > the > > > > agent to execute as root, but possible future additions to the > > > > ipfire > > > > specific monitoring that I or other contributors in the future > > > > may > > > > add, > > > > may also need extra commands in that file to work. (for example > > > > the > > > > upcoming services monitoring that would require some form of > > > > addonctrl > > > > status) > > > > But I can't update that file with the current behaviour.. or I > > > > would > > > > have to try to implement some sed magic after the restore in > > > > install.sh > > > > hoping not to damage the file if it has user customizations in > > > > it. > > > > > > This is not a configuration file in my eyes. It technically is > > > one of > > > course, but we call these files a “system configuration file”. It > > > will be overwritten because what is in it is necessary for the > > > system > > > to work. It does not contain any choices by the user at all. > > > > > > For that reason, this file should not be backed up and > > > overwritten by > > > every package update. > > > > > > > So I'm not sure on how to handle this differently at the > > > > moment. > > > > I was thinking for the main config maybe just installing a > > > > ".example" > > > > version of the latest config so that a user would not have to > > > > go > > > > search > > > > for it on internet ? And in that case even remove all comments > > > > and > > > > defaults from the actual config (on a fresh install) as that is > > > > then > > > > provided in the ".example" version as documentation. > > > > > > Having some example configuration in a location the user would > > > normally not look at is probably not helpful. > > I agree with the "location the user would normally not look at". > > But as > > I currently see it, I would like to add the the config example next > > to > > the actual config. (I see this happen in many software packages in > > other linux distro's too. Granted, most of the time it is the > > vendor > > itself that provides that example config, not the distro. But since > > we > > don't have config merging or '.rpmnew' systems as those distro's do > > have, I see this as some kind of middle way) > > > > So /etc/zabbix_agentd/ in a fresh install would contain > > - zabbix_agentd.conf.example - the config as shipped with the > > zabbix > > source, but renamed to '.example' during build. (with all options > > in it > > accompanied with option documentation as comments.) > > Okay. I can live with this. > > > - zabbix_agentd.conf - the active config, provided by us, with only > > the > > bare minimum of options required for the agent to run (secure). - > > this > > config will not be altered by us after initial install due to the > > backup/restore. > > Unless we need to remove any deprecated options, etc. Agreed. > > > This way the example config is automatically accurate for the > > current > > version of the addon. And the user stays in complete control of his > > own > > config in the same way it is in other addons. > > > > Until the web ui is finished.. > > That sounds good to me. > > > > > > > If you want them to configure things themselves, why not provide > > > good > > > documentation on the wiki? > > I do not 'want' them to configure things themselves.. but if they > > want > > to actually use the agent they have to at least point the agent to > > their zabbix server. So minimal manual configuration is required, > > and > > that is also already documented on the wiki. But the agent has many > > options and possibilities and I don't think it is our job to > > provide > > extensive non-IPFire specific configuration documentation as that > > is > > the job of the vendor (and in case of Zabbix the docs are there and > > very clear). > > No, that would just be duplicating documentation. > > -Michael > > > But I do am convinced that we should provide a straight-forward way > > for > > the more advanced user to get a version of the default config as it > > is > > shipped with the current release of the software, especially when > > it is > > as verbose in documentation comments as provided by Zabbix. > > > > > > > > > But that still leaves the sudoers file. The only other > > > > possibility > > > > I > > > > see there is that we don't add this file to the backup and add > > > > a > > > > comment in it that a user should not modify it as it will get > > > > overwritten on update. He can then always still create his own > > > > sudoers- > > > > file with his own custom rights for the agent. > > > > > > This is the way to go. In many cases, we have extra files that > > > end on > > > “.user” or “.local” to make it clear that users should make their > > > own > > > changes here. > > Ok, for the sudoers, I will go this route then. > > > > > > Robin > > > > > > > > > Of course all this can be solved by managing the config using > > > > the > > > > webgui.. and I'm still planning to create a webgui config page > > > > for > > > > the > > > > agent someday. But we are not there yet :-) > > > > > > -Michael > > > > > > > > > > > Regards > > > > > > > > Robin > > > > > > > > > > > > > > -Michael > > > > > > > > > > > On 9 Feb 2022, at 23:26, Robin Roevens > > > > > > <robin.roevens@disroot.org> > > > > > > wrote: > > > > > > > > > > > > - Update from 4.2.6 to latest LTS version 5.0.20 > > > > > > See release notes: https://www.zabbix.com/rn/rn5.0.20 > > > > > > > > > > > > Signed-off-by: Robin Roevens <robin.roevens@disroot.org> > > > > > > --- > > > > > > config/zabbix_agentd/zabbix_agentd.conf | 135 > > > > > > ++++++++++++++++++++++-- > > > > > > lfs/zabbix_agentd | 11 +- > > > > > > 2 files changed, 132 insertions(+), 14 deletions(-) > > > > > > > > > > > > diff --git a/config/zabbix_agentd/zabbix_agentd.conf > > > > > > b/config/zabbix_agentd/zabbix_agentd.conf > > > > > > index 21b8e0122..aa8b899dc 100644 > > > > > > --- a/config/zabbix_agentd/zabbix_agentd.conf > > > > > > +++ b/config/zabbix_agentd/zabbix_agentd.conf > > > > > > @@ -63,14 +63,33 @@ LogFileSize=0 > > > > > > # Default: > > > > > > # SourceIP= > > > > > > > > > > > > -### Option: EnableRemoteCommands > > > > > > -# Whether remote commands from Zabbix server are > > > > > > allowed. > > > > > > -# 0 - not allowed > > > > > > -# 1 - allowed > > > > > > +### Option: AllowKey > > > > > > +# Allow execution of item keys matching pattern. > > > > > > +# Multiple keys matching rules may be defined in > > > > > > combination > > > > > > with DenyKey. > > > > > > +# Key pattern is wildcard expression, which support > > > > > > "*" > > > > > > character to match any number of any characters in certain > > > > > > position. It might be used in both key name and key > > > > > > arguments. > > > > > > +# Parameters are processed one by one according their > > > > > > appearance order. > > > > > > +# If no AllowKey or DenyKey rules defined, all keys > > > > > > are > > > > > > allowed. > > > > > > +# > > > > > > +# Mandatory: no > > > > > > + > > > > > > +### Option: DenyKey > > > > > > +# Deny execution of items keys matching pattern. > > > > > > +# Multiple keys matching rules may be defined in > > > > > > combination > > > > > > with AllowKey. > > > > > > +# Key pattern is wildcard expression, which support > > > > > > "*" > > > > > > character to match any number of any characters in certain > > > > > > position. It might be used in both key name and key > > > > > > arguments. > > > > > > +# Parameters are processed one by one according their > > > > > > appearance order. > > > > > > +# If no AllowKey or DenyKey rules defined, all keys > > > > > > are > > > > > > allowed. > > > > > > +# Unless another system.run[*] rule is specified > > > > > > DenyKey=system.run[*] is added by default. > > > > > > # > > > > > > # Mandatory: no > > > > > > # Default: > > > > > > -# EnableRemoteCommands=0 > > > > > > +# DenyKey=system.run[*] > > > > > > + > > > > > > +### Option: EnableRemoteCommands - Deprecated, use > > > > > > AllowKey=system.run[*] or DenyKey=system.run[*] instead > > > > > > +# Internal alias for AllowKey/DenyKey parameters > > > > > > depending on > > > > > > value: > > > > > > +# 0 - DenyKey=system.run[*] > > > > > > +# 1 - AllowKey=system.run[*] > > > > > > +# > > > > > > +# Mandatory: no > > > > > > > > > > > > ### Option: LogRemoteCommands > > > > > > # Enable logging of executed shell commands as > > > > > > warnings. > > > > > > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 > > > > > > # Default: > > > > > > # HostMetadataItem= > > > > > > > > > > > > +### Option: HostInterface > > > > > > +# Optional parameter that defines host interface. > > > > > > +# Host interface is used at host auto-registration > > > > > > process. > > > > > > +# An agent will issue an error and not start if the > > > > > > value > > > > > > is > > > > > > over limit of 255 characters. > > > > > > +# If not defined, value will be acquired from > > > > > > HostInterfaceItem. > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Range: 0-255 characters > > > > > > +# Default: > > > > > > +# HostInterface= > > > > > > + > > > > > > +### Option: HostInterfaceItem > > > > > > +# Optional parameter that defines an item used for > > > > > > getting > > > > > > host interface. > > > > > > +# Host interface is used at host auto-registration > > > > > > process. > > > > > > +# During an auto-registration request an agent will > > > > > > log a > > > > > > warning message if > > > > > > +# the value returned by specified item is over limit > > > > > > of > > > > > > 255 > > > > > > characters. > > > > > > +# This option is only used when HostInterface is not > > > > > > defined. > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# HostInterfaceItem= > > > > > > + > > > > > > ### Option: RefreshActiveChecks > > > > > > # How often list of active checks is refreshed, in > > > > > > seconds. > > > > > > # > > > > > > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 > > > > > > > > > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > > > > > > > > > - > > > > > > ####### USER-DEFINED MONITORED PARAMETERS ####### > > > > > > > > > > > > ### Option: UnsafeUserParameters > > > > > > @@ -299,7 +339,7 @@ > > > > > > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf > > > > > > # > > > > > > # Mandatory: no > > > > > > # Default: > > > > > > -# LoadModulePath=/usr/lib/modules > > > > > > +# LoadModulePath=${libdir}/modules > > > > > > > > > > > > LoadModulePath=/usr/lib/zabbix > > > > > > > > > > > > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix > > > > > > # TLSCRLFile= > > > > > > > > > > > > ### Option: TLSServerCertIssuer > > > > > > -# Allowed server certificate issuer. > > > > > > +# Allowed server certificate issuer. > > > > > > # > > > > > > # Mandatory: no > > > > > > # Default: > > > > > > # TLSServerCertIssuer= > > > > > > > > > > > > ### Option: TLSServerCertSubject > > > > > > -# Allowed server certificate subject. > > > > > > +# Allowed server certificate subject. > > > > > > # > > > > > > # Mandatory: no > > > > > > # Default: > > > > > > @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix > > > > > > # Mandatory: no > > > > > > # Default: > > > > > > # TLSPSKFile= > > > > > > + > > > > > > +####### For advanced users - TLS ciphersuite selection > > > > > > criteria > > > > > > ####### > > > > > > + > > > > > > +### Option: TLSCipherCert13 > > > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS > > > > > > 1.3. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > certificate-based encryption. > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherCert13= > > > > > > + > > > > > > +### Option: TLSCipherCert > > > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > > > string. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > certificate-based encryption. > > > > > > +# Example for GnuTLS: > > > > > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- > > > > > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- > > > > > > NULL:+SIGN- > > > > > > ALL:+CTYPE-X.509 > > > > > > +# Example for OpenSSL: > > > > > > +# EECDH+aRSA+AES128:RSA+aRSA+AES128 > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherCert= > > > > > > + > > > > > > +### Option: TLSCipherPSK13 > > > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS > > > > > > 1.3. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > PSK-based encryption. > > > > > > +# Example: > > > > > > +# > > > > > > TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherPSK13= > > > > > > + > > > > > > +### Option: TLSCipherPSK > > > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > > > string. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > PSK-based encryption. > > > > > > +# Example for GnuTLS: > > > > > > +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- > > > > > > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- > > > > > > NULL:+SIGN- > > > > > > ALL > > > > > > +# Example for OpenSSL: > > > > > > +# kECDHEPSK+AES128:kPSK+AES128 > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherPSK= > > > > > > + > > > > > > +### Option: TLSCipherAll13 > > > > > > +# Cipher string for OpenSSL 1.1.1 or newer in TLS > > > > > > 1.3. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > certificate- and PSK-based encryption. > > > > > > +# Example: > > > > > > +# > > > > > > TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 > > > > > > :TLS_AES_128_GCM_SHA256 > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherAll13= > > > > > > + > > > > > > +### Option: TLSCipherAll > > > > > > +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher > > > > > > string. > > > > > > +# Override the default ciphersuite selection criteria > > > > > > for > > > > > > certificate- and PSK-based encryption. > > > > > > +# Example for GnuTLS: > > > > > > +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- > > > > > > PSK:+PSK:+AES-128-GCM:+AES-128- > > > > > > CBC:+AEAD:+SHA256:+SHA1:+CURVE- > > > > > > ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 > > > > > > +# Example for OpenSSL: > > > > > > +# > > > > > > EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: > > > > > > kPSK+AES128 > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Default: > > > > > > +# TLSCipherAll= > > > > > > + > > > > > > +####### For advanced users - TCP-related fine-tuning > > > > > > parameters > > > > > > ####### > > > > > > + > > > > > > +## Option: ListenBacklog > > > > > > +# The maximum number of pending connections in the > > > > > > queue. > > > > > > This parameter is passed to > > > > > > +# listen() function as argument 'backlog' (see "man > > > > > > listen"). > > > > > > +# > > > > > > +# Mandatory: no > > > > > > +# Range: 0 - INT_MAX (depends on system, too large values > > > > > > may > > > > > > be > > > > > > silently truncated to implementation-specified maximum) > > > > > > +# Default: SOMAXCONN (hard-coded constant, depends on > > > > > > system) > > > > > > +# ListenBacklog= > > > > > > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > > > > > > index c69643a54..28fe97b4f 100644 > > > > > > --- a/lfs/zabbix_agentd > > > > > > +++ b/lfs/zabbix_agentd > > > > > > @@ -1,7 +1,7 @@ > > > > > > ########################################################### > > > > > > #### > > > > > > #### > > > > > > ############ > > > > > > # > > > > > > > > > > > > > > > > > > # > > > > > > # IPFire.org - A linux based > > > > > > firewall # > > > > > > -# Copyright (C) 2007-2019 IPFire Team > > > > > > <info@ipfire.org> # > > > > > > +# Copyright (C) 2007-2022 IPFire Team > > > > > > <info@ipfire.org> # > > > > > > # > > > > > > > > > > > > > > > > > > # > > > > > > # This program is free software: you can redistribute it > > > > > > and/or > > > > > > modify # > > > > > > # it under the terms of the GNU General Public License as > > > > > > published > > > > > > by # > > > > > > @@ -24,7 +24,7 @@ > > > > > > > > > > > > include Config > > > > > > > > > > > > -VER = 4.2.6 > > > > > > +VER = 5.0.20 > > > > > > > > > > > > THISAPP = zabbix-$(VER) > > > > > > DL_FILE = $(THISAPP).tar.gz > > > > > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > > > > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > > > > > TARGET = $(DIR_INFO)/$(THISAPP) > > > > > > PROG = zabbix_agentd > > > > > > -PAK_VER = 4 > > > > > > +PAK_VER = 5 > > > > > > DEPS = > > > > > > > > > > > > ########################################################### > > > > > > #### > > > > > > #### > > > > > > ############ > > > > > > @@ -43,7 +43,7 @@ objects = $(DL_FILE) > > > > > > > > > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > > > > > > > > > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee > > > > > > +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 > > > > > > > > > > > > install : $(TARGET) > > > > > > > > > > > > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst > > > > > > %,$(DIR_DL)/%,$(objects)) > > > > > > --prefix=/usr \ > > > > > > --enable-agent \ > > > > > > --sysconfdir=/etc/zabbix_agentd \ > > > > > > - --with-openssl > > > > > > + --with-openssl \ > > > > > > + --with-libcurl > > > > > > > > > > > > cd $(DIR_APP) && make > > > > > > cd $(DIR_APP) && make install > > > > > > -- > > > > > > 2.34.1 > > > > > > > > > > > > > > > > > > -- > > > > > > Dit bericht is gescanned op virussen en andere gevaarlijke > > > > > > inhoud door MailScanner en lijkt schoon te zijn. > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Dit bericht is gescanned op virussen en andere gevaarlijke > > > > inhoud door MailScanner en lijkt schoon te zijn. > > > > > > > > > > -- > > Dit bericht is gescanned op virussen en andere gevaarlijke > > inhoud door MailScanner en lijkt schoon te zijn. > >
Hello, > On 21 Feb 2022, at 23:48, Robin Roevens <robin.roevens@disroot.org> wrote: > > Hi Michael > > I was implementing the changes as we discussed here. But I came up with > a few extra questions, where I'm not sure if you agree or on how to > best handle them: > > Currently the whole /etc/zabbix_agentd directory is included in the > backup. But, as discussed, we will now add a .example config file and > Alex has added the custom zabbix_agentd.d/userparameters_pakfire.conf > file previously (which is currently already in the backup). And more > userparameters files are added in this patchset. > This makes this directory a hybrid with both user + ipfire managed > files. > > I was thinking to > - only include > - /etc/zabbix_agentd/zabbix_agentd.conf > - /etc/zabbix_agentd/zabbix_agentd.d/* > - /etc/zabbix_agentd/scripts/* > in the backup instead of the whole /etc/zabbix_agentd/* > That would remove the need to handle the new zabbix_agentd.conf.example > file in the (un)install scripts preventing it from landing inside the > backup. Yes, I would agree with this. > - In the zabbix_agentd.conf file - which is managed by the user, I > would add an Include= line to include a new location, specific for the > IPFire added configfile(s). I was thinking > '/var/ipfire/zabbix_agentd/userparameters' ? > > This would ease the correct management of the backups and give the user > the option to easily disable the IPFire provided customization by > commenting out that include line in the config. > I think this would be much cleaner now and in the future when possible > more IPfire-specific customizations are added. *IPFire. With a capital F :) > But if we decide to do that. How should I then handle old installs that > will be upgraded? > - The current zabbix_agentd.d/userparameters_pakfire.conf would then > need to be removed. (as a new one will be installed somewhere else) > But up until now it was included in the backup, and it is possible that > a user has changed that file on his installation (I think chances are > rather low.. but theoretically it is possible) Should I just remove the > file ? I wouldn’t just remove it, but rename it and make it clear that it just there as a backup. It can then be around for users to grab their custom changes if they want to. We can add a line to the change log that manual action is required. Indeed I don’t expect anyone to run into this. > - How should I add the new Include= line now in an already existing > config? I was thinking maybe, just add it during install, and also > create (for example) a '/var/ipfire/zabbix_agentd/config_migrated' file > so that I know the config was once changed and subsequent upgrades will > no longer try to add that line again. (To prevent that if the user > comments it out to disable our customizations, it would be added again > on next upgrade) Yes, you could just add this in the install.sh script of the package. That would work for me. > A bit of the same story for the sudoers file. Up until now the file was > included in the backup. And the user may have modified the file. > I was thinking of performing a check on an existing sudoers.d/zabbix- > file if it is still unmodified, and if so remove it. Otherwise rename > it to sudoers.d/zabbix_agentd_user (and include that one in backup) > and add a new sudoers.d/zabbix_agentd file that is not included in the > backup and is not supposed to be modified by the user. > Would that be a feasible solution ? I would do the save as above. Rename it to something that it is going to be inactive. sudo shouldn’t read it. That way it is consistent, and users who have set up Zabbix like this, will have done things manually anyways and should know how to carry those changes over. Hope this helps. -Michael > > Regards > Robin > > Michael Tremer schreef op ma 21-02-2022 om 11:41 [+0000]: >> Hello, >> >>> On 20 Feb 2022, at 22:18, Robin Roevens <robin.roevens@disroot.org> >>> wrote: >>> >>> Hi Michael >>> >>> Michael Tremer schreef op zo 20-02-2022 om 18:10 [+0000]: >>>> >>>> >>>> The reason why pakfire is doing this is because it is simply a >>>> wrapper around tar. It is not that sophisticated of a package >>>> management system because it wasn’t designed for this scale. >>>> >>>> In order to avoid overwriting any existing configuration, we >>>> backup >>>> everything, extract the new package which will then overwrite the >>>> existing configuration files and then restore the backup to have >>>> the >>>> old configuration again. We could have built something that >>>> avoids >>>> overwriting the files in the first place which is what pakfire in >>>> IPFire 3 does. >>> The current method indeed is probably the best possible considering >>> the >>> way pakfire currently works when updating an addon. But for as far >>> as I >>> currently understand it, when you uninstall an addon, all config >>> files >>> are backed up and then are removed (due to being in the rootfile). >>> For >>> the user the addon is gone on the system. >>> If the user opts to install the addon again, say about half a year >>> or a >>> year later, the install will restore the backup of the config it >>> took >>> during uninstall half a year ago. I think this will cause confusion >>> in >>> many cases? >>> Is this implemented this way for a good reason? or just to >>> accommodate >>> the update procedure without much further thought? >> >> I am not if this is for the best reason, but it prevents that people >> will lose their configuration for any reason and there is an easy >> option to drop configuration if you want to. >> >> Although it might not be the best, it is a good solution. >> >>> I myself (if I didn't know how pakfire worked internally) would >>> expect >>> that if I uninstalled an addon, checked and removed potentially >>> left- >>> over config files, that a new install would give me a fresh install >>> which I would have to configure manually again. >>> >>> If pakfire worked that way, the user could make a copy of his >>> config >>> himself, uninstall and re-install an addon to have a fresh config >>> which >>> he then could merge himself with his old config-copy to make the >>> addon >>> work again. >>> >>> So if there is no real reason to always backup on uninstall I would >>> like to propose to perform the backup restore in the actual update- >>> script instead of in the install and uninstall scripts? This way >>> there >>> is a quite logical way for the average user to start over with a >>> fresh >>> install of an addon. That would feel much more 'natural' to me. >> >> There is the reason, that there is no other way at the moment than >> backing it up and restoring it. Otherwise the configuration will >> always be overwritten which is not what we want at all. >> >> Additionally, I would want all packages to behave the same. If we >> change this for Zabbix, we will have to change this for everything >> else, too. >> >>> Anyway this discussion about pakfire working is maybe worth its own >>> thread as it is not really zabbix-agent specific. >>> >>>> >>>> Lots of other distributions work in a similar way where they >>>> rename >>>> the existing configuration files and might rename them back >>>> again. >>>> >>>>> The problem I'm having with the current way is that when an >>>>> addon >>>>> is >>>>> updated, a new version of the config is just discarded due to >>>>> the >>>>> restore of the previous config during install (even if that >>>>> config >>>>> was >>>>> never changed by the user). >>>>> So if settings in the config are added, deprecated or even no >>>>> longer >>>>> valid, the user will never know until a version would no longer >>>>> start >>>>> up or no longer behave as expected due to the old config. >>>>> And even if a user would think about checking config changes on >>>>> an >>>>> update he would have to go search the internet for a config >>>>> example >>>>> for >>>>> this version of the addon. >>>> >>>> Yes, this is a huge problem for us all. The question there is to >>>> answer is: >>>> >>>> Do we know better than the user? >>>> >>>> Answering that with a yes means that we would make decisions on >>>> their >>>> behalf and that might potentially go wrong. Answering that with a >>>> no >>>> means that the user needs to invest a lot of time into the >>>> configuration of each part of the distribution and the reason why >>>> we >>>> have a nice shiny web user interface is that they don’t have to >>>> do >>>> this. The correct answer is probably somewhere in the middle. >>>> >>>> What we do in practise is: We keep systems consistent with their >>>> previous behaviour. An update should never change that (there are >>>> of >>>> course exceptions to every rule). New features might only be >>>> activated on new systems. >>> >>> The problem I see with this is that if software provided by an >>> addon is >>> for example deprecating one or more config-options. Keeping the >>> systems >>> constistent would mean >>> - not providing any newer version for that addon anymore, which I >>> don't >>> think is what we want. Or >>> - trying to 'convert' the possibly user-changed deprecated config- >>> setting in the config file using sed, which I can see failing in >>> may >>> ways :-) Or >> >> This is what we do quite regularly and it has never failed. >> >> Ultimately, if upstream decides to discontinue support for something, >> there isn’t much else that we can do. >> >>> - providing the user with a straight forward way to reinstall an >>> addon >>> completely afresh, and/or >>> - what I'm trying to do here, provide the user with the new config >>> in >>> some easily accessible way (currently .ipfirenew, but could be a >>> simpler .example, see below), keeping his old config active >>> possibly >>> making the new addon version fail to work, but giving him the >>> possibility to manually merge his deprecated config to what the >>> current >>> version of the addon-software expects. >> >> I am not sure how they should know about those changes. >> >> Showing a diff is probably hard to understand for many users and >> showing that diff on the UI is even more difficult. >> >> I am not against *what* you are trying to achieve at all. I am just >> not sure if the *how* is the best. >> >> How about just copying the configuration and put it next to the >> configuration file with a “.sample” suffix? Then people are still on >> their own, but I would consider a sample suffix more clear than a >> .ipfirenew because that doesn’t tell me much about what I should be >> doing with it. >> >>>> >>>>> In this specific case, as we update from a rather old version >>>>> of >>>>> zabbix >>>>> agent, there are quite a few interesting config changes that >>>>> can >>>>> harden >>>>> the security of the agent, which I would not want the user to >>>>> miss >>>>> out >>>>> on. Also one option is deprecated, is currently still >>>>> supported, >>>>> but in >>>>> the next version it probably will no longer work, possibly >>>>> breaking >>>>> some users' monitoring or causing the agent to fail starting. >>>> >>>> Is this an add-on that generally requires configuration on the >>>> console? >>>> >>>> We do we not build a page on the web UI for this so that people >>>> can >>>> enable the things they want? Would that be overkill for the >>>> possible >>>> options? >>> >>> As I said before, I would indeed prefer a web ui for the config of >>> the >>> addon. That way we are in complete control of the config file. And >>> I >>> plan to build such a page (I have already put some effort in it, >>> but it >>> is not even nearly ready for now). >>> The page should give the user access to all possible configuration >>> options. If not, we could handicap/limit the use of the agent or >>> force >>> the advanced user to still manually tinker with the config file. >>> >>> But the zabbix agent has many options including defining >>> certificates >>> and encryption keys for communication and a web ui should do sanity >>> checking on all options as well as provide methods to upload and/or >>> generate those certs/keys so it is not a page that is easily >>> designed >>> overnight. But it is coming sooner or later. >> >> Wouldn’t the system automatically generate any keys for the agent? >> >> Scrolling through the configuration, I do not see anything the user >> would want to change. Do you have an example for me to understand >> this better? >> >>> >>>> >>>>> For the sudoers file it is even more problematic; the user can >>>>> of >>>>> course modify that file to add additional commands he requires >>>>> the >>>>> agent to execute as root, but possible future additions to the >>>>> ipfire >>>>> specific monitoring that I or other contributors in the future >>>>> may >>>>> add, >>>>> may also need extra commands in that file to work. (for example >>>>> the >>>>> upcoming services monitoring that would require some form of >>>>> addonctrl >>>>> status) >>>>> But I can't update that file with the current behaviour.. or I >>>>> would >>>>> have to try to implement some sed magic after the restore in >>>>> install.sh >>>>> hoping not to damage the file if it has user customizations in >>>>> it. >>>> >>>> This is not a configuration file in my eyes. It technically is >>>> one of >>>> course, but we call these files a “system configuration file”. It >>>> will be overwritten because what is in it is necessary for the >>>> system >>>> to work. It does not contain any choices by the user at all. >>>> >>>> For that reason, this file should not be backed up and >>>> overwritten by >>>> every package update. >>>> >>>>> So I'm not sure on how to handle this differently at the >>>>> moment. >>>>> I was thinking for the main config maybe just installing a >>>>> ".example" >>>>> version of the latest config so that a user would not have to >>>>> go >>>>> search >>>>> for it on internet ? And in that case even remove all comments >>>>> and >>>>> defaults from the actual config (on a fresh install) as that is >>>>> then >>>>> provided in the ".example" version as documentation. >>>> >>>> Having some example configuration in a location the user would >>>> normally not look at is probably not helpful. >>> I agree with the "location the user would normally not look at". >>> But as >>> I currently see it, I would like to add the the config example next >>> to >>> the actual config. (I see this happen in many software packages in >>> other linux distro's too. Granted, most of the time it is the >>> vendor >>> itself that provides that example config, not the distro. But since >>> we >>> don't have config merging or '.rpmnew' systems as those distro's do >>> have, I see this as some kind of middle way) >>> >>> So /etc/zabbix_agentd/ in a fresh install would contain >>> - zabbix_agentd.conf.example - the config as shipped with the >>> zabbix >>> source, but renamed to '.example' during build. (with all options >>> in it >>> accompanied with option documentation as comments.) >> >> Okay. I can live with this. >> >>> - zabbix_agentd.conf - the active config, provided by us, with only >>> the >>> bare minimum of options required for the agent to run (secure). - >>> this >>> config will not be altered by us after initial install due to the >>> backup/restore. >> >> Unless we need to remove any deprecated options, etc. Agreed. >> >>> This way the example config is automatically accurate for the >>> current >>> version of the addon. And the user stays in complete control of his >>> own >>> config in the same way it is in other addons. >>> >>> Until the web ui is finished.. >> >> That sounds good to me. >> >>>> >>>> If you want them to configure things themselves, why not provide >>>> good >>>> documentation on the wiki? >>> I do not 'want' them to configure things themselves.. but if they >>> want >>> to actually use the agent they have to at least point the agent to >>> their zabbix server. So minimal manual configuration is required, >>> and >>> that is also already documented on the wiki. But the agent has many >>> options and possibilities and I don't think it is our job to >>> provide >>> extensive non-IPFire specific configuration documentation as that >>> is >>> the job of the vendor (and in case of Zabbix the docs are there and >>> very clear). >> >> No, that would just be duplicating documentation. >> >> -Michael >> >>> But I do am convinced that we should provide a straight-forward way >>> for >>> the more advanced user to get a version of the default config as it >>> is >>> shipped with the current release of the software, especially when >>> it is >>> as verbose in documentation comments as provided by Zabbix. >>> >>>> >>>>> But that still leaves the sudoers file. The only other >>>>> possibility >>>>> I >>>>> see there is that we don't add this file to the backup and add >>>>> a >>>>> comment in it that a user should not modify it as it will get >>>>> overwritten on update. He can then always still create his own >>>>> sudoers- >>>>> file with his own custom rights for the agent. >>>> >>>> This is the way to go. In many cases, we have extra files that >>>> end on >>>> “.user” or “.local” to make it clear that users should make their >>>> own >>>> changes here. >>> Ok, for the sudoers, I will go this route then. >>> >>> >>> Robin >>> >>>> >>>>> Of course all this can be solved by managing the config using >>>>> the >>>>> webgui.. and I'm still planning to create a webgui config page >>>>> for >>>>> the >>>>> agent someday. But we are not there yet :-) >>>> >>>> -Michael >>>> >>>>> >>>>> Regards >>>>> >>>>> Robin >>>>> >>>>>> >>>>>> -Michael >>>>>> >>>>>>> On 9 Feb 2022, at 23:26, Robin Roevens >>>>>>> <robin.roevens@disroot.org> >>>>>>> wrote: >>>>>>> >>>>>>> - Update from 4.2.6 to latest LTS version 5.0.20 >>>>>>> See release notes: https://www.zabbix.com/rn/rn5.0.20 >>>>>>> >>>>>>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org> >>>>>>> --- >>>>>>> config/zabbix_agentd/zabbix_agentd.conf | 135 >>>>>>> ++++++++++++++++++++++-- >>>>>>> lfs/zabbix_agentd | 11 +- >>>>>>> 2 files changed, 132 insertions(+), 14 deletions(-) >>>>>>> >>>>>>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf >>>>>>> b/config/zabbix_agentd/zabbix_agentd.conf >>>>>>> index 21b8e0122..aa8b899dc 100644 >>>>>>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>>>>>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>>>>>> @@ -63,14 +63,33 @@ LogFileSize=0 >>>>>>> # Default: >>>>>>> # SourceIP= >>>>>>> >>>>>>> -### Option: EnableRemoteCommands >>>>>>> -# Whether remote commands from Zabbix server are >>>>>>> allowed. >>>>>>> -# 0 - not allowed >>>>>>> -# 1 - allowed >>>>>>> +### Option: AllowKey >>>>>>> +# Allow execution of item keys matching pattern. >>>>>>> +# Multiple keys matching rules may be defined in >>>>>>> combination >>>>>>> with DenyKey. >>>>>>> +# Key pattern is wildcard expression, which support >>>>>>> "*" >>>>>>> character to match any number of any characters in certain >>>>>>> position. It might be used in both key name and key >>>>>>> arguments. >>>>>>> +# Parameters are processed one by one according their >>>>>>> appearance order. >>>>>>> +# If no AllowKey or DenyKey rules defined, all keys >>>>>>> are >>>>>>> allowed. >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> + >>>>>>> +### Option: DenyKey >>>>>>> +# Deny execution of items keys matching pattern. >>>>>>> +# Multiple keys matching rules may be defined in >>>>>>> combination >>>>>>> with AllowKey. >>>>>>> +# Key pattern is wildcard expression, which support >>>>>>> "*" >>>>>>> character to match any number of any characters in certain >>>>>>> position. It might be used in both key name and key >>>>>>> arguments. >>>>>>> +# Parameters are processed one by one according their >>>>>>> appearance order. >>>>>>> +# If no AllowKey or DenyKey rules defined, all keys >>>>>>> are >>>>>>> allowed. >>>>>>> +# Unless another system.run[*] rule is specified >>>>>>> DenyKey=system.run[*] is added by default. >>>>>>> # >>>>>>> # Mandatory: no >>>>>>> # Default: >>>>>>> -# EnableRemoteCommands=0 >>>>>>> +# DenyKey=system.run[*] >>>>>>> + >>>>>>> +### Option: EnableRemoteCommands - Deprecated, use >>>>>>> AllowKey=system.run[*] or DenyKey=system.run[*] instead >>>>>>> +# Internal alias for AllowKey/DenyKey parameters >>>>>>> depending on >>>>>>> value: >>>>>>> +# 0 - DenyKey=system.run[*] >>>>>>> +# 1 - AllowKey=system.run[*] >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> >>>>>>> ### Option: LogRemoteCommands >>>>>>> # Enable logging of executed shell commands as >>>>>>> warnings. >>>>>>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 >>>>>>> # Default: >>>>>>> # HostMetadataItem= >>>>>>> >>>>>>> +### Option: HostInterface >>>>>>> +# Optional parameter that defines host interface. >>>>>>> +# Host interface is used at host auto-registration >>>>>>> process. >>>>>>> +# An agent will issue an error and not start if the >>>>>>> value >>>>>>> is >>>>>>> over limit of 255 characters. >>>>>>> +# If not defined, value will be acquired from >>>>>>> HostInterfaceItem. >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Range: 0-255 characters >>>>>>> +# Default: >>>>>>> +# HostInterface= >>>>>>> + >>>>>>> +### Option: HostInterfaceItem >>>>>>> +# Optional parameter that defines an item used for >>>>>>> getting >>>>>>> host interface. >>>>>>> +# Host interface is used at host auto-registration >>>>>>> process. >>>>>>> +# During an auto-registration request an agent will >>>>>>> log a >>>>>>> warning message if >>>>>>> +# the value returned by specified item is over limit >>>>>>> of >>>>>>> 255 >>>>>>> characters. >>>>>>> +# This option is only used when HostInterface is not >>>>>>> defined. >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# HostInterfaceItem= >>>>>>> + >>>>>>> ### Option: RefreshActiveChecks >>>>>>> # How often list of active checks is refreshed, in >>>>>>> seconds. >>>>>>> # >>>>>>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 >>>>>>> >>>>>>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>>>>> >>>>>>> - >>>>>>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>>>>>> >>>>>>> ### Option: UnsafeUserParameters >>>>>>> @@ -299,7 +339,7 @@ >>>>>>> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>>>>>> # >>>>>>> # Mandatory: no >>>>>>> # Default: >>>>>>> -# LoadModulePath=/usr/lib/modules >>>>>>> +# LoadModulePath=${libdir}/modules >>>>>>> >>>>>>> LoadModulePath=/usr/lib/zabbix >>>>>>> >>>>>>> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix >>>>>>> # TLSCRLFile= >>>>>>> >>>>>>> ### Option: TLSServerCertIssuer >>>>>>> -# Allowed server certificate issuer. >>>>>>> +# Allowed server certificate issuer. >>>>>>> # >>>>>>> # Mandatory: no >>>>>>> # Default: >>>>>>> # TLSServerCertIssuer= >>>>>>> >>>>>>> ### Option: TLSServerCertSubject >>>>>>> -# Allowed server certificate subject. >>>>>>> +# Allowed server certificate subject. >>>>>>> # >>>>>>> # Mandatory: no >>>>>>> # Default: >>>>>>> @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix >>>>>>> # Mandatory: no >>>>>>> # Default: >>>>>>> # TLSPSKFile= >>>>>>> + >>>>>>> +####### For advanced users - TLS ciphersuite selection >>>>>>> criteria >>>>>>> ####### >>>>>>> + >>>>>>> +### Option: TLSCipherCert13 >>>>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS >>>>>>> 1.3. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> certificate-based encryption. >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherCert13= >>>>>>> + >>>>>>> +### Option: TLSCipherCert >>>>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>>>> string. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> certificate-based encryption. >>>>>>> +# Example for GnuTLS: >>>>>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128- >>>>>>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- >>>>>>> NULL:+SIGN- >>>>>>> ALL:+CTYPE-X.509 >>>>>>> +# Example for OpenSSL: >>>>>>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherCert= >>>>>>> + >>>>>>> +### Option: TLSCipherPSK13 >>>>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS >>>>>>> 1.3. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> PSK-based encryption. >>>>>>> +# Example: >>>>>>> +# >>>>>>> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherPSK13= >>>>>>> + >>>>>>> +### Option: TLSCipherPSK >>>>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>>>> string. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> PSK-based encryption. >>>>>>> +# Example for GnuTLS: >>>>>>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128- >>>>>>> GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP- >>>>>>> NULL:+SIGN- >>>>>>> ALL >>>>>>> +# Example for OpenSSL: >>>>>>> +# kECDHEPSK+AES128:kPSK+AES128 >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherPSK= >>>>>>> + >>>>>>> +### Option: TLSCipherAll13 >>>>>>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS >>>>>>> 1.3. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> certificate- and PSK-based encryption. >>>>>>> +# Example: >>>>>>> +# >>>>>>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 >>>>>>> :TLS_AES_128_GCM_SHA256 >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherAll13= >>>>>>> + >>>>>>> +### Option: TLSCipherAll >>>>>>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher >>>>>>> string. >>>>>>> +# Override the default ciphersuite selection criteria >>>>>>> for >>>>>>> certificate- and PSK-based encryption. >>>>>>> +# Example for GnuTLS: >>>>>>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE- >>>>>>> PSK:+PSK:+AES-128-GCM:+AES-128- >>>>>>> CBC:+AEAD:+SHA256:+SHA1:+CURVE- >>>>>>> ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>>>>>> +# Example for OpenSSL: >>>>>>> +# >>>>>>> EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128: >>>>>>> kPSK+AES128 >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Default: >>>>>>> +# TLSCipherAll= >>>>>>> + >>>>>>> +####### For advanced users - TCP-related fine-tuning >>>>>>> parameters >>>>>>> ####### >>>>>>> + >>>>>>> +## Option: ListenBacklog >>>>>>> +# The maximum number of pending connections in the >>>>>>> queue. >>>>>>> This parameter is passed to >>>>>>> +# listen() function as argument 'backlog' (see "man >>>>>>> listen"). >>>>>>> +# >>>>>>> +# Mandatory: no >>>>>>> +# Range: 0 - INT_MAX (depends on system, too large values >>>>>>> may >>>>>>> be >>>>>>> silently truncated to implementation-specified maximum) >>>>>>> +# Default: SOMAXCONN (hard-coded constant, depends on >>>>>>> system) >>>>>>> +# ListenBacklog= >>>>>>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>>>>>> index c69643a54..28fe97b4f 100644 >>>>>>> --- a/lfs/zabbix_agentd >>>>>>> +++ b/lfs/zabbix_agentd >>>>>>> @@ -1,7 +1,7 @@ >>>>>>> ########################################################### >>>>>>> #### >>>>>>> #### >>>>>>> ############ >>>>>>> # >>>>>>> >>>>>>> >>>>>>> # >>>>>>> # IPFire.org - A linux based >>>>>>> firewall # >>>>>>> -# Copyright (C) 2007-2019 IPFire Team >>>>>>> <info@ipfire.org> # >>>>>>> +# Copyright (C) 2007-2022 IPFire Team >>>>>>> <info@ipfire.org> # >>>>>>> # >>>>>>> >>>>>>> >>>>>>> # >>>>>>> # This program is free software: you can redistribute it >>>>>>> and/or >>>>>>> modify # >>>>>>> # it under the terms of the GNU General Public License as >>>>>>> published >>>>>>> by # >>>>>>> @@ -24,7 +24,7 @@ >>>>>>> >>>>>>> include Config >>>>>>> >>>>>>> -VER = 4.2.6 >>>>>>> +VER = 5.0.20 >>>>>>> >>>>>>> THISAPP = zabbix-$(VER) >>>>>>> DL_FILE = $(THISAPP).tar.gz >>>>>>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>>>>>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>>>>>> TARGET = $(DIR_INFO)/$(THISAPP) >>>>>>> PROG = zabbix_agentd >>>>>>> -PAK_VER = 4 >>>>>>> +PAK_VER = 5 >>>>>>> DEPS = >>>>>>> >>>>>>> ########################################################### >>>>>>> #### >>>>>>> #### >>>>>>> ############ >>>>>>> @@ -43,7 +43,7 @@ objects = $(DL_FILE) >>>>>>> >>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>>>> >>>>>>> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee >>>>>>> +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 >>>>>>> >>>>>>> install : $(TARGET) >>>>>>> >>>>>>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst >>>>>>> %,$(DIR_DL)/%,$(objects)) >>>>>>> --prefix=/usr \ >>>>>>> --enable-agent \ >>>>>>> --sysconfdir=/etc/zabbix_agentd \ >>>>>>> - --with-openssl >>>>>>> + --with-openssl \ >>>>>>> + --with-libcurl >>>>>>> >>>>>>> cd $(DIR_APP) && make >>>>>>> cd $(DIR_APP) && make install >>>>>>> -- >>>>>>> 2.34.1 >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Dit bericht is gescanned op virussen en andere gevaarlijke >>>>>>> inhoud door MailScanner en lijkt schoon te zijn. >>>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Dit bericht is gescanned op virussen en andere gevaarlijke >>>>> inhoud door MailScanner en lijkt schoon te zijn. >>>> >>>> >>> >>> -- >>> Dit bericht is gescanned op virussen en andere gevaarlijke >>> inhoud door MailScanner en lijkt schoon te zijn. >> >> > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..aa8b899dc 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - ####### USER-DEFINED MONITORED PARAMETERS ####### ### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules LoadModulePath=/usr/lib/zabbix @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c69643a54..28fe97b4f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.2.6 +VER = 5.0.20 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS = ############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295 install : $(TARGET) @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \ - --with-openssl + --with-openssl \ + --with-libcurl cd $(DIR_APP) && make cd $(DIR_APP) && make install