[v4,0/6] zabbix_agentd: Update to v5.0.21 (LTS)

Message ID	20220303210254.3116-1-robin.roevens@disroot.org
Headers	From: Robin Roevens <robin.roevens@disroot.org> To: development@lists.ipfire.org Subject: [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS) Date: Thu, 3 Mar 2022 22:02:48 +0100 Message-Id: <20220303210254.3116-1-robin.roevens@disroot.org> Mime-Version: 1.0 Content-Transfer-Encoding: 8bit country: NL(-0.01), ip: 178.21.23.139(-0.82)]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-1.00)[-0.995]; SPF_REPUTATION_HAM(-0.65)[-0.65416954833609]; R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+a:c]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_LAST(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[disroot.org:+]; TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; ARC_NA(0.00)[] Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	zabbix_agentd: Update to v5.0.21 (LTS) \| [v4,0/6] zabbix_agentd: Update to v5.0.21 (LTS) [v4,1/6] zabbix_agentd: Update to v5.0.21 (LTS) [v4,2/6] zabbix_agentd: Fix agent modules dir and few minor bugs [v4,3/6] zabbix_agentd: Configfile reorganization [v4,4/6] zabbix_agentd: Sudoers file reorganization [v4,5/6] zabbix_agentd: By default only listen on GREEN ip [v4,6/6] zabbix_agentd: Add IPFire specific userparameters

Message ID

20220303210254.3116-1-robin.roevens@disroot.org

Headers

From: Robin Roevens <robin.roevens@disroot.org>
To: development@lists.ipfire.org
Subject: [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS)
Date: Thu,  3 Mar 2022 22:02:48 +0100
Message-Id: <20220303210254.3116-1-robin.roevens@disroot.org>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Series

zabbix_agentd: Update to v5.0.21 (LTS) |

Message

Robin Roevens March 3, 2022, 9:02 p.m. UTC

  Hi All

Another new version of this patchset, hopefulle removing all 
Michael's concerns about the earlier configfile handling.

In the meantime yet another version of Zabbix was released, so the first
patch is again a plain software update, now to v5.0.21.

Second patch fixes a few small bugs from current pak like not backing up
the modules dir that can contain user supplied binary modules. 
Nothing changed here.

Third patch reorganizes how the Zabbix agent config files are installed
on IPFire to ease future IPFire customizations seperately from user added
configurations.
- The main config file is now a custom one from IPFire, only containing
  the bare minimal config required. 
- Introduced a "mandatory" IPFire specific Zabbix configfile with
  settings required for correct integration of the agent in IPFire
  that should never be modified by the user.
  (pidfile, logfile, logrotation, location of user-managed directories)
- Moved IPFire provided custom "userparameters" to /var/ipfire/... to 
  make /etc/zabbix_agentd/zabbix_agentd.d completely user-managed.
- Up to date vendor supplied configfile (with lots of documentation in it)
  is now deployed and overwritten on every install/update as 
  'zabbix_agentd.conf.example' as reference for the user.
During an update, the current zabbix main config will remain as is, but
"Include" lines will be added at the end to include the new IPFire 
configfiles. Also settings now moved to the IPFire managed "mandatory"
config file are stripped from the current "user"-config.

The fourth patch reorganizes how the sudoers files are installed.
Previously there was one file 'zabbix' with sudo-rights required for the
IPFire specific "userparameter" (pakfire status). And the user was 
encouraged both in the file and on the wiki to use that file if he wants
to add commands himself for the agent to run as root.
This prevents us, or at least makes it more dificult for us to add or 
modify command in the future without touching the user added commands.
Now there are 2 sudoers files installed: 
- 'zabbix_agentd' - managed by IPFire with comment for user not to 
                    touch that file. And
- 'zabbix_agent_user' - initially empty apart from comments, for users
                        to add their own custom commands.
As there where only ever 2 versions of the original sudoers file 'zabbix',
during update it is checked if an existing 'zabbix' 
(or even older 'zabbix.user' file) is still original and untouched by the
user (using md5). If so, it is plain removed as functionality is now in
the new 'zabbix_agentd' sudoers file. If the file was ever modified by 
the user it is renamed to 'zabbix_agentd_user' so that user added
commands will remain working.

The fifth patch configured new zabbix_agentd installs to only listen on 
the GREEN interface. Don't see an immediate reason to let the agent 
listen on all interfaces as it does by default. Changes are the largest
the the user will have his Zabbix server running somewhere in the GREEN
network. And if not, this will at least let the user think about where
to let the agent listen.

The sixth patch adds additional IPFire specific metrics to the agent
for the Zabbix Server to retrieve. Those will be documented on the wiki
after this patch is accepted.

Regards

Robin