From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v4 0/6] zabbix_agentd: Update to v5.0.21 (LTS)
Date: Thu, 3 Mar 2022 22:02:48 +0100
Message-Id: <20220303210254.3116-1-robin.roevens@disroot.org>

Hi All

Another new version of this patchset, hopefully removing all Michael's concerns about the earlier configfile handling.

In the meantime yet another version of Zabbix was released, so the first patch is again a plain software update, now to v5.0.21.

Second patch fixes a few small bugs from current pak like not backing up the modules dir that can contain user supplied binary modules. Nothing changed here.

Third patch reorganizes how the Zabbix agent config files are installed on IPFire to ease future IPFire customizations separately from user added configurations.
- The main config file is now a custom one from IPFire, only containing the bare minimal config required.
- Introduced a "mandatory" IPFire specific Zabbix configfile with settings required for correct integration of the agent in IPFire that should never be modified by the user. (pidfile, logfile, logrotation, location of user-managed directories)
- Moved IPFire provided custom "userparameters" to /var/ipfire/... to make /etc/zabbix_agentd/zabbix_agentd.d completely user-managed.
- Up to date vendor supplied configfile (with lots of documentation in it) is now deployed and overwritten on every install/update as 'zabbix_agentd.conf.example' as reference for the user.

During an update, the current zabbix main config will remain as is, but "Include" lines will be added at the end to include the new IPFire configfiles. Also settings now moved to the IPFire managed "mandatory" config file are stripped from the current "user"-config.

The fourth patch reorganizes how the sudoers files are installed. Previously there was one file 'zabbix' with sudo-rights required for the IPFire specific "userparameter" (pakfire status). And the user was encouraged both in the file and on the wiki to use that file if he wants to add commands himself for the agent to run as root. This prevents us, or at least makes it more difficult for us to add or modify commands in the future without touching the user added commands.

Now there are 2 sudoers files installed:
- 'zabbix_agentd' - managed by IPFire with comment for user not to touch that file.
And
- 'zabbix_agent_user' - initially empty apart from comments, for users to add their own custom commands.

As there were only ever 2 versions of the original sudoers file 'zabbix', during update it is checked if an existing 'zabbix' (or even older 'zabbix.user' file) is still original and untouched by the user (using md5). If so, it is plain removed as functionality is now in the new 'zabbix_agentd' sudoers file. If the file was ever modified by the user it is renamed to 'zabbix_agentd_user' so that user added commands will remain working.

The fifth patch configures new zabbix_agentd installs to only listen on the GREEN interface. Don't see an immediate reason to let the agent listen on all interfaces as it does by default. Chances are the largest that the user will have his Zabbix server running somewhere in the GREEN network. And if not, this will at least let the user think about where to let the agent listen.

The sixth patch adds additional IPFire specific metrics to the agent for the Zabbix Server to retrieve. Those will be documented on the wiki after this patch is accepted.

Regards
Robin
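
The sudoers migration described for the fourth patch, sketched as an added example; this is not code from the patch series. The function name, its arguments and the action strings are assumptions, and the md5 sums of the shipped files are passed in because they are not given in this mail.

```shell
#!/bin/sh
# Added example, not the IPFire update script.
# md5 is used here only to recognise an untouched shipped file, not as an
# integrity control against a malicious change.

# migrate_sudoers DIR KNOWN_MD5S TARGET
#   DIR         directory holding the sudoers drop-ins
#   KNOWN_MD5S  space-separated md5 sums of the unmodified legacy files
#   TARGET      name of the user-managed drop-in that modified files become
# Prints one action per legacy file found:
#   "removed NAME", "renamed NAME" or "kept NAME".
migrate_sudoers() {
    dir=$1 known=$2 target=$3
    for legacy in zabbix zabbix.user; do
        path="$dir/$legacy"
        # Regular files only; do not act on a symlink placed in the directory.
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        sum=$(md5sum "$path" | cut -d' ' -f1)
        [ -n "$sum" ] || continue
        case " $known " in
            *" $sum "*)
                # Untouched original: its rules now live in the managed file.
                rm -f "$path"
                echo "removed $legacy"
                ;;
            *)
                # User-modified: keep the user's rules under the new name,
                # but never overwrite a user file that already exists.
                if [ -e "$dir/$target" ]; then
                    echo "kept $legacy"
                else
                    mv "$path" "$dir/$target"
                    chmod 0440 "$dir/$target"
                    echo "renamed $legacy"
                fi
                ;;
        esac
    done
    return 0
}
```
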