| Message ID | 20210407204455.450-1-robin.roevens@disroot.org |
|---|---|
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4FFxHj2N6Xz3yBV for <patchwork@web04.haj.ipfire.org>; Wed, 7 Apr 2021 20:45:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4FFxHh1CMJzfQ; Wed, 7 Apr 2021 20:45:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4FFxHg6yLzz2xkF; Wed, 7 Apr 2021 20:45:51 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4FFxHf1Mc8z2xJw for <development@lists.ipfire.org>; Wed, 7 Apr 2021 20:45:50 +0000 (UTC) Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4FFxHc5vdYzfQ for <development@lists.ipfire.org>; Wed, 7 Apr 2021 20:45:48 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 8130D50D96 for <development@lists.ipfire.org>; Wed, 7 Apr 2021 22:45:47 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxWkgzCFP1iD for <development@lists.ipfire.org>; Wed, 7 Apr 2021 22:45:46 +0200 (CEST) Received: from amaterasu.sicho.home ([192.168.0.1] helo=chojin.sicho.home) by filekeeper.sicho.home with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <robin.roevens@disroot.org>) id 1lUF39-0003Zi-EE for development@lists.ipfire.org; Wed, 07 Apr 2021 22:45:19 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1617828334; bh=/2y38mIL150twp3Yh+yzOTaVirBwNaHrW4dfL7iDotA=; h=From:To:Subject:Date; b=D7Xo/izAqrJsG2Qfsx5DpIpTfzTNoWZTdXqAVIfFJBP2bIQqTSdqaJgTxc+Vza5Kz BrwmWBwzSP49vMSN1PoI0/x4CoAyEwEzpQIA/cmI3EC5VzU9br+wLEgLMKjWMZvWG5 pn5UY9UwvTojZiUDWaW9OIM0FujQOMr7lwJLpt7XBA3U9HkNy/AcbV3yWW3Jrf2kAR pFeSQusfw5m54yGtQI7LSV8PsbH5UhV8gVySnsc7fMVNDVgbO6U4HF24OWF7QXX6eb U+f/dFazINNto6kuZwAVCCzFFfQjzqnLoODZKlPB+1BErUm0JJFRglZreEvzXO7Gg0 hcL0MIYTTW9RA== From: Robin Roevens <robin.roevens@disroot.org> To: development@lists.ipfire.org Subject: [PATCH 0/4] [V2] zabbix_agentd: new maintainer/summary Date: Wed, 7 Apr 2021 22:44:52 +0200 Message-Id: <20210407204455.450-1-robin.roevens@disroot.org> Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-filekeeper-MailScanner-ID: 1lUF39-0003Zi-EE X-filekeeper-MailScanner: Found to be clean X-filekeeper-MailScanner-From: robin.roevens@disroot.org X-filekeeper-MailScanner-Watermark: 1618433126.68881@ftnn2kV76wT8S0LTLrE8KQ ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1617828349; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=Av75hYx0evdr44Ea1Q1/ou9lMNDBnmPTNu5mcQnibdk=; b=Z6uUFASFPQSFT+z8rzOAivDxuwyPqo8B7By6WJJLQEp1flUVAOyUUjCZuEH6exFwOBBlJa hKrj1WdfB2pK5w52X+ZVJAZEms0eFpB58bn4CmBn9GHDTN81taK6lh8s6IJq3eCXqtSMHo RS22rLDBNK9q76HV7Aj5wLNAoyuneZgwmxGnGxwE0mkm7bmL/2pZGLs5xU/eB3R1cui9XV YWNPcXz2N03JftQ9XF/2yk5qBTzRUIKKPrDZfdkSK2Ynef5we3aevphVdCzg0DAt9HSUmI /V7NND8nWEImS1Y+i47L1u87kbY9mQh8RgGY8WlN8/BuIqfBs/96xFLp5RmN2w== ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1617828349; a=rsa-sha256; cv=none; b=AUN6FAMdAbQyxzLKL8hK/btex+b/B4790gdfWcyexprEEzS3u5I+PDt7mHY1NRPAQ4Kd2H N7iNCuXYhLnakQl8JhFFMugFzrBALkvVprsg3I5GRoURlPq/QSkkVH+f5iLeqJEEqa/5np Y+FD1I0ALWAWSbp9s2BHYcptv8211ilYwHYz0MM3/2wWcLW5++8k5Nx0BKSUiLtpdxsxAP 5UDLhd+Oe6WVhpwHBqtL8THdNTH15+JfCb0iO/2SfMis0mGvP5cwnVHdXALRaopompQg9d 2DZHU3DE/XHGud37rCYCYGl+apSD2/ZBJCmTrA1kUF30lgwVczdNVUQdQrjWnA== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b="D7Xo/izA"; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Queue-Id: 4FFxHc5vdYzfQ Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b="D7Xo/izA"; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Server: mail01.haj.ipfire.org X-Spamd-Result: default: False [2.22 / 11.00]; ARC_NA(0.00)[]; R_SPF_ALLOW(-0.20)[+a]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[]; R_MISSING_CHARSET(2.50)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; BROKEN_CONTENT_TYPE(1.50)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_THREE(0.00)[4]; TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[disroot.org:+]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; MID_CONTAINS_FROM(1.00)[]; IP_REPUTATION_HAM(-2.27)[asn: 50673(-0.32), country: NL(-0.01), ip: 178.21.23.139(-0.81)]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; BAYES_HAM(-0.00)[42.53%] X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series | zabbix_agentd: new maintainer/summary | |
Message
Robin Roevens
April 7, 2021, 8:44 p.m. UTC
Since a new version of Zabbix Agent 5 LTS was released before the previous patch-set was reviewed, I resubmit my patchset as a V2 updating current zabbix_agentd 4.2.6 to 5.0.10 as opposed to v5.0.9 in my previous submission. The other 3 patches in the set remain unchanged. For reference I'll include the summary again: This set of patches does not only update the binaries (well, the first patch only does that) but also fixes some things that I see as problematic in previous version: - /usr/lib/zabbix is created for users to drop custom agent modules in, however that dir was removed and recreated on update as it was not in the backup. I added it to the backup and prevented deletion of the directory if it is not empty upon uninstall, so user-added content would not disapear when the package is removed. - Sometimes a new version of the agent will introduce new configuration parameters. In general the Zabbix Agent config file(s) should remain compatible, but we never know what the future will bring us; and the user may miss out on new features introduced with new parameters in the config file. However we don't want to plain overwrite the configfile as the user may (probably has) have changed it. Currently on upgrade configfiles are backed up, removed, new are installed, then overwritten by the old ones from the backup. Ending with the old config and the new agent. I didn't find an example of another package doing something similar, so I chose to save the new configfile(s) as .ipfirenew-files like RPM-based distro's do with .rpmnew-files. If the original config file is absent the install script will automatically strip the .ipfirenew extension. And if the new config file does not differ from the currently installed one, the .ipfirenew-file is removed. The install-script will also issue warning messages if such .ipfirenew-files are left on the filesystem, requesting the user to manually investigate and possibly merge the configfile. I hope those warnings are visible in the pakfire output. A side effect is that the config files are also not removed when the package is uninstalled. I don't see a problem here for the zabbix own config-files. But it may pose a risk concerning the sudoers-file? - I added a few IPFire specific monitoring items to the agent config which can be used for more in-depth monitoring of the IPFire installation. The user is of course free to use my template available on share.zabbix.com or github to monitor those items, or create their own template. Thanks for considering this patch-set. Please be honest but gentle commenting on it :-). Regards Robin
Comments
Hello Robin, Welcome to the list and thank you for working on this. Generally I am very happy for you to take on Zabbix which needs some more love in IPFire. But I am not sure what to make with all the custom tooling that comes in this patch series. It is a lot of code that might not be suitable for all users and probably would be hard work to extend (a few more details below). Could you go more into detail why this is required? Doesn’t zabbix have any builtin tools to show running services? Maybe it is a better idea to add a configuration template to the wiki (minus the code)?! -Michael > On 7 Apr 2021, at 21:44, Robin Roevens <robin.roevens@disroot.org> wrote: > > Since a new version of Zabbix Agent 5 LTS was released before the > previous patch-set was reviewed, I resubmit my patchset as a V2 updating > current zabbix_agentd 4.2.6 to 5.0.10 as opposed to v5.0.9 in my > previous submission. > The other 3 patches in the set remain unchanged. > > For reference I'll include the summary again: > > This set of patches does not only update the binaries (well, > the first patch only does that) but also fixes some things > that I see as problematic in previous version: > - /usr/lib/zabbix is created for users to drop custom agent > modules in, however that dir was removed and recreated > on update as it was not in the backup. I added it to the > backup and prevented deletion of the directory if it is > not empty upon uninstall, so user-added content would > not disapear when the package is removed. > - Sometimes a new version of the agent will introduce > new configuration parameters. In general the Zabbix Agent > config file(s) should remain compatible, but we never > know what the future will bring us; and the user may > miss out on new features introduced with new parameters > in the config file. However we don't want to plain overwrite > the configfile as the user may (probably has) have changed > it. > Currently on upgrade configfiles are backed up, removed, > new are installed, then overwritten by the old ones from > the backup. Ending with the old config and the new agent. > I didn't find an example of another package doing something > similar, so I chose to save the new configfile(s) as > .ipfirenew-files like RPM-based distro's do with > .rpmnew-files. If the original config file is absent > the install script will automatically strip the .ipfirenew > extension. And if the new config file does not differ from > the currently installed one, the .ipfirenew-file is removed. > The install-script will also issue warning messages if > such .ipfirenew-files are left on the filesystem, requesting > the user to manually investigate and possibly merge the > configfile. I hope those warnings are visible in the pakfire > output. > A side effect is that the config files are also not removed > when the package is uninstalled. I don't see a problem here > for the zabbix own config-files. But it may pose a risk > concerning the sudoers-file? > - I added a few IPFire specific monitoring items to the agent > config which can be used for more in-depth monitoring of > the IPFire installation. The user is of course free to > use my template available on share.zabbix.com or github > to monitor those items, or create their own template. > > Thanks for considering this patch-set. Please be honest but gentle > commenting on it :-). > > Regards > Robin > > > > > -- > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >
Hi Michael Michael Tremer schreef op ma 12-04-2021 om 11:32 [+0100]: > Hello Robin, > > Welcome to the list and thank you for working on this. > > Generally I am very happy for you to take on Zabbix which needs some > more love in IPFire. Thanks! I will try to do my best :-) > > But I am not sure what to make with all the custom tooling that comes > in this patch series. It is a lot of code that might not be suitable > for all users and probably would be hard work to extend (a few more > details below). Zabbix provides default templates for monitoring a generic Linux host where it checks cpu, memory, disk space and all that. But on a sysv init system, it has no built-in way to dynamically monitor services (see below). By providing this custom code as a default in IPFire's zabbix_agentd, it allows the user to easily monitor the services important specifically to IPFire- and addon functionality without the need for the user to find out which services he actually has to monitor manually (or look up in a wiki). So, I think this is a great addition in user experience, providing an easy method for monitoring IPFire specific metrics. As this is a firewall distro and not a general purpose generic distro, I'm only assuming a user installing the zabbix_agentd addon on it, will actually want to monitor these metrics. And if for some reason, they don't want that, then they just don't configure their Zabbix server to monitor those metrics, and in that case all that code will never even be called. If they would want to monitor extra services besides the ones the script provides, they can just configure those on their server (also more on this later).. or for more advanced checks add additional script(s) and/or config-files. Actually there is no need for a user to change anything I provided here to be able to monitor things differently or additionally; but they can, if they want to.. I'm just providing easily accessible metrics as seen on the webgui. > > Could you go more into detail why this is required? Doesn’t zabbix > have any builtin tools to show running services? If IPFire would use systemd and we would deploy zabbix_agent2 (a Go version of the agent with a few different capabilities, which I currently didn't see much of a purpose for on IPFire), one could check service states more easily using built-in checks. In the current case, there are only running processes that happen to be started on system startup due to the existence of an initscript. But initscripts are not all the starting of services. Zabbix (or the user for that matter) has to know which processes to monitor and for as far as I know, the only place to find a list of built-in services is in the services.cgi file of the webgui. Once Zabbix can retrieve a list of services to monitor, it can check if those process(es) are running and how much CPU/memory they consume using built-in agent functionality without the need of any script. So actually the checking if the service is up and retrieving the memory and/or cpu usage of the service could be done without the use of the script I added. However, I currently opted for this script as I wanted to perform the checks on the available services exactly as the webgui does, to minimize the risk of possibly causing different values in zabbix than currently visible in the webgui due to different checking methods. Checking if a service is up in zabbix would be performed by counting the number of active processes with a certain name and/or cmdline params. And the case that this result would differ with the way the script (and the webgui) currently checks built-in services is probably minimal, but for addon-services the webgui and thus the script also, use 'addonctrl <addon> status' which I assume calls '<initscript> status', hence could theoretically perform any kind of custom checks beside the simple check to see if the pid exists to determine if the service is up and running. I have not checked up on all initscripts of all addons, so I don't know if there is such a case.. but if it is not, it still could be in the future, I figured. And due to this I've put the whole services-status retrieval, both for built-in and addon-services to normalize retrieval of the list, in a script to be certain that all information about IPFire in Zabbix will match the information in the webgui exactly. Another benefit of this is that the services discovery and each of the metrics are all sent to the Zabbix server in one go, minimizing network traffic and load on the server which otherwise would have to retrieve each metric separately, possibly important in embedded systems, but for this amount of information maybe not making that much of a difference. > > Maybe it is a better idea to add a configuration template to the wiki > (minus the code)?! We could ship a vanilla agent, if this is what you meant?, without my additional ipfire specific 'extension'; adding instructions to the wiki on how to configure the agent to be able to generate metrics like on the webgui but without an easy method to get at least a list of available services as displayed in the webgui, the user will have to manually configure each possible metric (currently state, pid, memory) for each possible service separately. And once again every time he installs a new addon with a service. (Or I have to maintain this in a Zabbix template the user can install on their server, but I can't do so for all possible addon-services). So either in the end the user will end up configuring a lot manually or still installing this or another script to provide this info to Zabbix but requesting a lot more effort and knowledge of the user. If IPFire would have some easy generic method of obtaining this information instead of inside the webgui code. The webgui, zabbix_agentd or any other monitoring tool could check that instead without resorting to so much custom code. But currently I don't see a way to retrieve the list of services (both built-in and addon, as displayed on the webgui) other than the current method. (Theoretically I could let the agent read out the services.cgi script as text and get the list from that code using some regex.. Or even scrape the page as it is returned by the webserver, but that would create an extra dependency on a correctly running webserver. And possibly break if services.cgi would change in the future. And then I still have to get a list of addon-services some way.. So that was not a feasible path for me) Of course in the current case, I have to maintain the list in the script to have it in sync with services.cgi. But I'm assuming this list is not that regularly changing ? Until there is a more generic way available on IPFire to get this list.. And maybe I will think about submitting such a rework in the future, but it would require for me to be much more comfortable in Perl as I'm now; and it is a bit too much 'in the core' of IPFire for me at this moment. But I'm open to suggestions on how to improve this. I may not have a complete view on the internals of IPfire yet. Regards Robin > > -Michael > > > On 7 Apr 2021, at 21:44, Robin Roevens <robin.roevens@disroot.org> > > wrote: > > > > Since a new version of Zabbix Agent 5 LTS was released before the > > previous patch-set was reviewed, I resubmit my patchset as a V2 > > updating > > current zabbix_agentd 4.2.6 to 5.0.10 as opposed to v5.0.9 in my > > previous submission. > > The other 3 patches in the set remain unchanged. > > > > For reference I'll include the summary again: > > > > This set of patches does not only update the binaries (well, > > the first patch only does that) but also fixes some things > > that I see as problematic in previous version: > > - /usr/lib/zabbix is created for users to drop custom agent > > modules in, however that dir was removed and recreated > > on update as it was not in the backup. I added it to the > > backup and prevented deletion of the directory if it is > > not empty upon uninstall, so user-added content would > > not disapear when the package is removed. > > - Sometimes a new version of the agent will introduce > > new configuration parameters. In general the Zabbix Agent > > config file(s) should remain compatible, but we never > > know what the future will bring us; and the user may > > miss out on new features introduced with new parameters > > in the config file. However we don't want to plain overwrite > > the configfile as the user may (probably has) have changed > > it. > > Currently on upgrade configfiles are backed up, removed, > > new are installed, then overwritten by the old ones from > > the backup. Ending with the old config and the new agent. > > I didn't find an example of another package doing something > > similar, so I chose to save the new configfile(s) as > > .ipfirenew-files like RPM-based distro's do with > > .rpmnew-files. If the original config file is absent > > the install script will automatically strip the .ipfirenew > > extension. And if the new config file does not differ from > > the currently installed one, the .ipfirenew-file is removed. > > The install-script will also issue warning messages if > > such .ipfirenew-files are left on the filesystem, requesting > > the user to manually investigate and possibly merge the > > configfile. I hope those warnings are visible in the pakfire > > output. > > A side effect is that the config files are also not removed > > when the package is uninstalled. I don't see a problem here > > for the zabbix own config-files. But it may pose a risk > > concerning the sudoers-file? > > - I added a few IPFire specific monitoring items to the agent > > config which can be used for more in-depth monitoring of > > the IPFire installation. The user is of course free to > > use my template available on share.zabbix.com or github > > to monitor those items, or create their own template. > > > > Thanks for considering this patch-set. Please be honest but gentle > > commenting on it :-). > > > > Regards > > Robin > > > > > > > > > > -- > > Dit bericht is gescanned op virussen en andere gevaarlijke > > inhoud door MailScanner en lijkt schoon te zijn. > > > >