[1/4,V2] zabbix_agentd: Update to v5.0.10 (LTS)

Message ID 20210407204455.450-2-robin.roevens@disroot.org
State New
Headers show
Series zabbix_agentd: new maintainer/summary | expand

Commit Message

Robin Roevens April 7, 2021, 8:44 p.m. UTC
- Update from 4.2.6 to latest LTS version 5.0.10
  See release notes: https://www.zabbix.com/rn/rn5.0.10

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
---
 config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
 lfs/zabbix_agentd                       |  11 ++-
 2 files changed, 121 insertions(+), 14 deletions(-)

Comments

Adolf Belka April 9, 2021, 7:25 p.m. UTC | #1
Hi Robin,

I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.

The lfs file changes look perfect to me.

A general comment I would make is that when you want to do a v2 version then if you enter

git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].

Note it is lower case v

Regards,

Adolf

On 07/04/2021 22:44, Robin Roevens wrote:
> - Update from 4.2.6 to latest LTS version 5.0.10
>    See release notes: https://www.zabbix.com/rn/rn5.0.10
>
> Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
> ---
>   config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
>   lfs/zabbix_agentd                       |  11 ++-
>   2 files changed, 121 insertions(+), 14 deletions(-)
>
> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
> index 21b8e0122..4d6c4c154 100644
> --- a/config/zabbix_agentd/zabbix_agentd.conf
> +++ b/config/zabbix_agentd/zabbix_agentd.conf
> @@ -63,14 +63,33 @@ LogFileSize=0
>   # Default:
>   # SourceIP=
>   
> -### Option: EnableRemoteCommands
> -#	Whether remote commands from Zabbix server are allowed.
> -#	0 - not allowed
> -#	1 - allowed
> +### Option: AllowKey
> +#	Allow execution of item keys matching pattern.
> +#	Multiple keys matching rules may be defined in combination with DenyKey.
> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +#	Parameters are processed one by one according their appearance order.
> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
> +#
> +# Mandatory: no
> +
> +### Option: DenyKey
> +#	Deny execution of items keys matching pattern.
> +#	Multiple keys matching rules may be defined in combination with AllowKey.
> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +#	Parameters are processed one by one according their appearance order.
> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
> +#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
>   #
>   # Mandatory: no
>   # Default:
> -# EnableRemoteCommands=0
> +# DenyKey=system.run[*]
> +
> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
> +#	Internal alias for AllowKey/DenyKey parameters depending on value:
> +#	0 - DenyKey=system.run[*]
> +#	1 - AllowKey=system.run[*]
> +#
> +# Mandatory: no
>   
>   ### Option: LogRemoteCommands
>   #	Enable logging of executed shell commands as warnings.
> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
>   # Default:
>   # HostMetadataItem=
>   
> +### Option: HostInterface
> +#	Optional parameter that defines host interface.
> +#	Host interface is used at host auto-registration process.
> +#	An agent will issue an error and not start if the value is over limit of 255 characters.
> +#	If not defined, value will be acquired from HostInterfaceItem.
> +#
> +# Mandatory: no
> +# Range: 0-255 characters
> +# Default:
> +# HostInterface=
> +
> +### Option: HostInterfaceItem
> +#	Optional parameter that defines an item used for getting host interface.
> +#	Host interface is used at host auto-registration process.
> +#	During an auto-registration request an agent will log a warning message if
> +#	the value returned by specified item is over limit of 255 characters.
> +#	This option is only used when HostInterface is not defined.
> +#
> +# Mandatory: no
> +# Default:
> +# HostInterfaceItem=
> +
>   ### Option: RefreshActiveChecks
>   #	How often list of active checks is refreshed, in seconds.
>   #
> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
>   
>   Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>   
> -
>   ####### USER-DEFINED MONITORED PARAMETERS #######
>   
>   ### Option: UnsafeUserParameters
> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>   #
>   # Mandatory: no
>   # Default:
> -# LoadModulePath=/usr/lib/modules
> +# LoadModulePath=${libdir}/modules
>   
>   LoadModulePath=/usr/lib/zabbix
>   
> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
>   # TLSCRLFile=
>   
>   ### Option: TLSServerCertIssuer
> -#	Allowed server certificate issuer.
> +#		Allowed server certificate issuer.
>   #
>   # Mandatory: no
>   # Default:
>   # TLSServerCertIssuer=
>   
>   ### Option: TLSServerCertSubject
> -#	Allowed server certificate subject.
> +#		Allowed server certificate subject.
>   #
>   # Mandatory: no
>   # Default:
> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
>   # Mandatory: no
>   # Default:
>   # TLSPSKFile=
> +
> +####### For advanced users - TLS ciphersuite selection criteria #######
> +
> +### Option: TLSCipherCert13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert13=
> +
> +### Option: TLSCipherCert
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +#	Example for OpenSSL:
> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert=
> +
> +### Option: TLSCipherPSK13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
> +#	Example:
> +#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK13=
> +
> +### Option: TLSCipherPSK
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
> +#	Example for OpenSSL:
> +#		kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK=
> +
> +### Option: TLSCipherAll13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +#	Example:
> +#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll13=
> +
> +### Option: TLSCipherAll
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +#	Example for OpenSSL:
> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll=
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index c69643a54..2d57b0dbe 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -1,7 +1,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -24,7 +24,7 @@
>   
>   include Config
>   
> -VER        = 4.2.6
> +VER        = 5.0.10
>   
>   THISAPP    = zabbix-$(VER)
>   DL_FILE    = $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
>   DIR_APP    = $(DIR_SRC)/$(THISAPP)
>   TARGET     = $(DIR_INFO)/$(THISAPP)
>   PROG       = zabbix_agentd
> -PAK_VER    = 4
> +PAK_VER    = 5
>   DEPS       =
>   
>   ###############################################################################
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
>   
>   install : $(TARGET)
>   
> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>   		--prefix=/usr \
>   		--enable-agent \
>   		--sysconfdir=/etc/zabbix_agentd \
> -		--with-openssl
> +		--with-openssl \
> +		--with-libcurl
>   
>   	cd $(DIR_APP) && make
>   	cd $(DIR_APP) && make install
Robin Roevens April 10, 2021, 9:05 p.m. UTC | #2
Hi Adolf

Thanks for your review. 
I didn't know about the -v2 parameter. Will use that in the future.

The conf file changes in this patch actually only reflect the changes
in the upstream source default zabbix_agentd.conf-file which I merged
with the customizations previously introduced by Alex. 

Robin

Adolf Belka schreef op vr 09-04-2021 om 21:25 [+0200]:
> Hi Robin,
> 
> I am not knowledgeable enough about zabbix to make any comment about
> the conf file changes other than that I could follow your
> explanations of why they were being done.
> 
> The lfs file changes look perfect to me.
> 
> A general comment I would make is that when you want to do a v2
> version then if you enter
> 
> git patch-format -v2 -o ..... then the patches will be created
> automatically as [PATCH v2 1/3].
> 
> Note it is lower case v
> 
> Regards,
> 
> Adolf
> 
> On 07/04/2021 22:44, Robin Roevens wrote:
> > - Update from 4.2.6 to latest LTS version 5.0.10
> >    See release notes: https://www.zabbix.com/rn/rn5.0.10
> > 
> > Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
> > ---
> >   config/zabbix_agentd/zabbix_agentd.conf | 124
> > ++++++++++++++++++++++--
> >   lfs/zabbix_agentd                       |  11 ++-
> >   2 files changed, 121 insertions(+), 14 deletions(-)
> > 
> > diff --git a/config/zabbix_agentd/zabbix_agentd.conf
> > b/config/zabbix_agentd/zabbix_agentd.conf
> > index 21b8e0122..4d6c4c154 100644
> > --- a/config/zabbix_agentd/zabbix_agentd.conf
> > +++ b/config/zabbix_agentd/zabbix_agentd.conf
> > @@ -63,14 +63,33 @@ LogFileSize=0
> >   # Default:
> >   # SourceIP=
> >   
> > -### Option: EnableRemoteCommands
> > -#      Whether remote commands from Zabbix server are allowed.
> > -#      0 - not allowed
> > -#      1 - allowed
> > +### Option: AllowKey
> > +#      Allow execution of item keys matching pattern.
> > +#      Multiple keys matching rules may be defined in combination
> > with DenyKey.
> > +#      Key pattern is wildcard expression, which support "*"
> > character to match any number of any characters in certain
> > position. It might be used in both key name and key arguments.
> > +#      Parameters are processed one by one according their
> > appearance order.
> > +#      If no AllowKey or DenyKey rules defined, all keys are
> > allowed.
> > +#
> > +# Mandatory: no
> > +
> > +### Option: DenyKey
> > +#      Deny execution of items keys matching pattern.
> > +#      Multiple keys matching rules may be defined in combination
> > with AllowKey.
> > +#      Key pattern is wildcard expression, which support "*"
> > character to match any number of any characters in certain
> > position. It might be used in both key name and key arguments.
> > +#      Parameters are processed one by one according their
> > appearance order.
> > +#      If no AllowKey or DenyKey rules defined, all keys are
> > allowed.
> > +#       Unless another system.run[*] rule is specified
> > DenyKey=system.run[*] is added by default.
> >   #
> >   # Mandatory: no
> >   # Default:
> > -# EnableRemoteCommands=0
> > +# DenyKey=system.run[*]
> > +
> > +### Option: EnableRemoteCommands - Deprecated, use
> > AllowKey=system.run[*] or DenyKey=system.run[*] instead
> > +#      Internal alias for AllowKey/DenyKey parameters depending on
> > value:
> > +#      0 - DenyKey=system.run[*]
> > +#      1 - AllowKey=system.run[*]
> > +#
> > +# Mandatory: no
> >   
> >   ### Option: LogRemoteCommands
> >   #     Enable logging of executed shell commands as warnings.
> > @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
> >   # Default:
> >   # HostMetadataItem=
> >   
> > +### Option: HostInterface
> > +#      Optional parameter that defines host interface.
> > +#      Host interface is used at host auto-registration process.
> > +#      An agent will issue an error and not start if the value is
> > over limit of 255 characters.
> > +#      If not defined, value will be acquired from
> > HostInterfaceItem.
> > +#
> > +# Mandatory: no
> > +# Range: 0-255 characters
> > +# Default:
> > +# HostInterface=
> > +
> > +### Option: HostInterfaceItem
> > +#      Optional parameter that defines an item used for getting
> > host interface.
> > +#      Host interface is used at host auto-registration process.
> > +#      During an auto-registration request an agent will log a
> > warning message if
> > +#      the value returned by specified item is over limit of 255
> > characters.
> > +#      This option is only used when HostInterface is not defined.
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# HostInterfaceItem=
> > +
> >   ### Option: RefreshActiveChecks
> >   #     How often list of active checks is refreshed, in seconds.
> >   #
> > @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
> >   
> >   Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
> >   
> > -
> >   ####### USER-DEFINED MONITORED PARAMETERS #######
> >   
> >   ### Option: UnsafeUserParameters
> > @@ -299,7 +339,7 @@
> > Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
> >   #
> >   # Mandatory: no
> >   # Default:
> > -# LoadModulePath=/usr/lib/modules
> > +# LoadModulePath=${libdir}/modules
> >   
> >   LoadModulePath=/usr/lib/zabbix
> >   
> > @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
> >   # TLSCRLFile=
> >   
> >   ### Option: TLSServerCertIssuer
> > -#      Allowed server certificate issuer.
> > +#              Allowed server certificate issuer.
> >   #
> >   # Mandatory: no
> >   # Default:
> >   # TLSServerCertIssuer=
> >   
> >   ### Option: TLSServerCertSubject
> > -#      Allowed server certificate subject.
> > +#              Allowed server certificate subject.
> >   #
> >   # Mandatory: no
> >   # Default:
> > @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
> >   # Mandatory: no
> >   # Default:
> >   # TLSPSKFile=
> > +
> > +####### For advanced users - TLS ciphersuite selection criteria
> > #######
> > +
> > +### Option: TLSCipherCert13
> > +#      Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> > +#      Override the default ciphersuite selection criteria for
> > certificate-based encryption.
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherCert13=
> > +
> > +### Option: TLSCipherCert
> > +#      GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> > +#      Override the default ciphersuite selection criteria for
> > certificate-based encryption.
> > +#      Example for GnuTLS:
> > +#              NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-
> > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-
> > ALL:+CTYPE-X.509
> > +#      Example for OpenSSL:
> > +#              EECDH+aRSA+AES128:RSA+aRSA+AES128
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherCert=
> > +
> > +### Option: TLSCipherPSK13
> > +#      Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> > +#      Override the default ciphersuite selection criteria for
> > PSK-based encryption.
> > +#      Example:
> > +#              TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherPSK13=
> > +
> > +### Option: TLSCipherPSK
> > +#      GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> > +#      Override the default ciphersuite selection criteria for
> > PSK-based encryption.
> > +#      Example for GnuTLS:
> > +#              NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-
> > GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-
> > ALL
> > +#      Example for OpenSSL:
> > +#              kECDHEPSK+AES128:kPSK+AES128
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherPSK=
> > +
> > +### Option: TLSCipherAll13
> > +#      Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> > +#      Override the default ciphersuite selection criteria for
> > certificate- and PSK-based encryption.
> > +#      Example:
> > +#              TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
> > :TLS_AES_128_GCM_SHA256
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherAll13=
> > +
> > +### Option: TLSCipherAll
> > +#      GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> > +#      Override the default ciphersuite selection criteria for
> > certificate- and PSK-based encryption.
> > +#      Example for GnuTLS:
> > +#              NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-
> > PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-
> > ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> > +#      Example for OpenSSL:
> > +#              EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:
> > kPSK+AES128
> > +#
> > +# Mandatory: no
> > +# Default:
> > +# TLSCipherAll=
> > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> > index c69643a54..2d57b0dbe 100644
> > --- a/lfs/zabbix_agentd
> > +++ b/lfs/zabbix_agentd
> > @@ -1,7 +1,7 @@
> >  
> > ###################################################################
> > ############
> >  
> > #                                                                  
> >            #
> >   # IPFire.org - A linux based
> > firewall                                         #
> > -# Copyright (C) 2007-2019  IPFire Team 
> > <info@ipfire.org>                     #
> > +# Copyright (C) 2007-2021  IPFire Team 
> > <info@ipfire.org>                     #
> >  
> > #                                                                  
> >            #
> >   # This program is free software: you can redistribute it and/or
> > modify        #
> >   # it under the terms of the GNU General Public License as
> > published by        #
> > @@ -24,7 +24,7 @@
> >   
> >   include Config
> >   
> > -VER        = 4.2.6
> > +VER        = 5.0.10
> >   
> >   THISAPP    = zabbix-$(VER)
> >   DL_FILE    = $(THISAPP).tar.gz
> > @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
> >   DIR_APP    = $(DIR_SRC)/$(THISAPP)
> >   TARGET     = $(DIR_INFO)/$(THISAPP)
> >   PROG       = zabbix_agentd
> > -PAK_VER    = 4
> > +PAK_VER    = 5
> >   DEPS       =
> >   
> >  
> > ###################################################################
> > ############
> > @@ -43,7 +43,7 @@ objects = $(DL_FILE)
> >   
> >   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> >   
> > -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
> > +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
> >   
> >   install : $(TARGET)
> >   
> > @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> >                 --prefix=/usr \
> >                 --enable-agent \
> >                 --sysconfdir=/etc/zabbix_agentd \
> > -               --with-openssl
> > +               --with-openssl \
> > +               --with-libcurl
> >   
> >         cd $(DIR_APP) && make
> >         cd $(DIR_APP) && make install
>
Michael Tremer April 12, 2021, 10:26 a.m. UTC | #3
Hello,

This looks all fine.

-Michael

> On 7 Apr 2021, at 21:44, Robin Roevens <robin.roevens@disroot.org> wrote:
> 
> - Update from 4.2.6 to latest LTS version 5.0.10
>  See release notes: https://www.zabbix.com/rn/rn5.0.10
> 
> Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
> ---
> config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
> lfs/zabbix_agentd                       |  11 ++-
> 2 files changed, 121 insertions(+), 14 deletions(-)
> 
> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
> index 21b8e0122..4d6c4c154 100644
> --- a/config/zabbix_agentd/zabbix_agentd.conf
> +++ b/config/zabbix_agentd/zabbix_agentd.conf
> @@ -63,14 +63,33 @@ LogFileSize=0
> # Default:
> # SourceIP=
> 
> -### Option: EnableRemoteCommands
> -#	Whether remote commands from Zabbix server are allowed.
> -#	0 - not allowed
> -#	1 - allowed
> +### Option: AllowKey
> +#	Allow execution of item keys matching pattern.
> +#	Multiple keys matching rules may be defined in combination with DenyKey.
> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +#	Parameters are processed one by one according their appearance order.
> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
> +#
> +# Mandatory: no
> +
> +### Option: DenyKey
> +#	Deny execution of items keys matching pattern.
> +#	Multiple keys matching rules may be defined in combination with AllowKey.
> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +#	Parameters are processed one by one according their appearance order.
> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
> +#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
> #
> # Mandatory: no
> # Default:
> -# EnableRemoteCommands=0
> +# DenyKey=system.run[*]
> +
> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
> +#	Internal alias for AllowKey/DenyKey parameters depending on value:
> +#	0 - DenyKey=system.run[*]
> +#	1 - AllowKey=system.run[*]
> +#
> +# Mandatory: no
> 
> ### Option: LogRemoteCommands
> #	Enable logging of executed shell commands as warnings.
> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
> # Default:
> # HostMetadataItem=
> 
> +### Option: HostInterface
> +#	Optional parameter that defines host interface.
> +#	Host interface is used at host auto-registration process.
> +#	An agent will issue an error and not start if the value is over limit of 255 characters.
> +#	If not defined, value will be acquired from HostInterfaceItem.
> +#
> +# Mandatory: no
> +# Range: 0-255 characters
> +# Default:
> +# HostInterface=
> +
> +### Option: HostInterfaceItem
> +#	Optional parameter that defines an item used for getting host interface.
> +#	Host interface is used at host auto-registration process.
> +#	During an auto-registration request an agent will log a warning message if
> +#	the value returned by specified item is over limit of 255 characters.
> +#	This option is only used when HostInterface is not defined.
> +#
> +# Mandatory: no
> +# Default:
> +# HostInterfaceItem=
> +
> ### Option: RefreshActiveChecks
> #	How often list of active checks is refreshed, in seconds.
> #
> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
> 
> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
> 
> -
> ####### USER-DEFINED MONITORED PARAMETERS #######
> 
> ### Option: UnsafeUserParameters
> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
> #
> # Mandatory: no
> # Default:
> -# LoadModulePath=/usr/lib/modules
> +# LoadModulePath=${libdir}/modules
> 
> LoadModulePath=/usr/lib/zabbix
> 
> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
> # TLSCRLFile=
> 
> ### Option: TLSServerCertIssuer
> -#	Allowed server certificate issuer.
> +#		Allowed server certificate issuer.
> #
> # Mandatory: no
> # Default:
> # TLSServerCertIssuer=
> 
> ### Option: TLSServerCertSubject
> -#	Allowed server certificate subject.
> +#		Allowed server certificate subject.
> #
> # Mandatory: no
> # Default:
> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
> # Mandatory: no
> # Default:
> # TLSPSKFile=
> +
> +####### For advanced users - TLS ciphersuite selection criteria #######
> +
> +### Option: TLSCipherCert13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert13=
> +
> +### Option: TLSCipherCert
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +#	Example for OpenSSL:
> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert=
> +
> +### Option: TLSCipherPSK13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
> +#	Example:
> +#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK13=
> +
> +### Option: TLSCipherPSK
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
> +#	Example for OpenSSL:
> +#		kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK=
> +
> +### Option: TLSCipherAll13
> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +#	Example:
> +#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll13=
> +
> +### Option: TLSCipherAll
> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +#	Example for GnuTLS:
> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +#	Example for OpenSSL:
> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll=
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index c69643a54..2d57b0dbe 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 4.2.6
> +VER        = 5.0.10
> 
> THISAPP    = zabbix-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
> DIR_APP    = $(DIR_SRC)/$(THISAPP)
> TARGET     = $(DIR_INFO)/$(THISAPP)
> PROG       = zabbix_agentd
> -PAK_VER    = 4
> +PAK_VER    = 5
> DEPS       =
> 
> ###############################################################################
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
> 
> install : $(TARGET)
> 
> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 		--prefix=/usr \
> 		--enable-agent \
> 		--sysconfdir=/etc/zabbix_agentd \
> -		--with-openssl
> +		--with-openssl \
> +		--with-libcurl
> 
> 	cd $(DIR_APP) && make
> 	cd $(DIR_APP) && make install
> -- 
> 2.30.2
> 
> 
> -- 
> Dit bericht is gescanned op virussen en andere gevaarlijke
> inhoud door MailScanner en lijkt schoon te zijn.
>
Michael Tremer April 12, 2021, 10:27 a.m. UTC | #4
Hello Adolf,

You can use the Reviewed-by: tag to mark a patch as reviewed by you:

  https://wiki.ipfire.org/devel/git/tags

-Michael

> On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Robin,
> 
> I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.
> 
> The lfs file changes look perfect to me.
> 
> A general comment I would make is that when you want to do a v2 version then if you enter
> 
> git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].
> 
> Note it is lower case v
> 
> Regards,
> 
> Adolf
> 
> On 07/04/2021 22:44, Robin Roevens wrote:
>> - Update from 4.2.6 to latest LTS version 5.0.10
>>   See release notes: https://www.zabbix.com/rn/rn5.0.10
>> 
>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
>> ---
>>  config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
>>  lfs/zabbix_agentd                       |  11 ++-
>>  2 files changed, 121 insertions(+), 14 deletions(-)
>> 
>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
>> index 21b8e0122..4d6c4c154 100644
>> --- a/config/zabbix_agentd/zabbix_agentd.conf
>> +++ b/config/zabbix_agentd/zabbix_agentd.conf
>> @@ -63,14 +63,33 @@ LogFileSize=0
>>  # Default:
>>  # SourceIP=
>>  -### Option: EnableRemoteCommands
>> -#	Whether remote commands from Zabbix server are allowed.
>> -#	0 - not allowed
>> -#	1 - allowed
>> +### Option: AllowKey
>> +#	Allow execution of item keys matching pattern.
>> +#	Multiple keys matching rules may be defined in combination with DenyKey.
>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>> +#	Parameters are processed one by one according their appearance order.
>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>> +#
>> +# Mandatory: no
>> +
>> +### Option: DenyKey
>> +#	Deny execution of items keys matching pattern.
>> +#	Multiple keys matching rules may be defined in combination with AllowKey.
>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>> +#	Parameters are processed one by one according their appearance order.
>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>> +#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
>>  #
>>  # Mandatory: no
>>  # Default:
>> -# EnableRemoteCommands=0
>> +# DenyKey=system.run[*]
>> +
>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
>> +#	Internal alias for AllowKey/DenyKey parameters depending on value:
>> +#	0 - DenyKey=system.run[*]
>> +#	1 - AllowKey=system.run[*]
>> +#
>> +# Mandatory: no
>>    ### Option: LogRemoteCommands
>>  #	Enable logging of executed shell commands as warnings.
>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
>>  # Default:
>>  # HostMetadataItem=
>>  +### Option: HostInterface
>> +#	Optional parameter that defines host interface.
>> +#	Host interface is used at host auto-registration process.
>> +#	An agent will issue an error and not start if the value is over limit of 255 characters.
>> +#	If not defined, value will be acquired from HostInterfaceItem.
>> +#
>> +# Mandatory: no
>> +# Range: 0-255 characters
>> +# Default:
>> +# HostInterface=
>> +
>> +### Option: HostInterfaceItem
>> +#	Optional parameter that defines an item used for getting host interface.
>> +#	Host interface is used at host auto-registration process.
>> +#	During an auto-registration request an agent will log a warning message if
>> +#	the value returned by specified item is over limit of 255 characters.
>> +#	This option is only used when HostInterface is not defined.
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# HostInterfaceItem=
>> +
>>  ### Option: RefreshActiveChecks
>>  #	How often list of active checks is refreshed, in seconds.
>>  #
>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
>>    Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>  -
>>  ####### USER-DEFINED MONITORED PARAMETERS #######
>>    ### Option: UnsafeUserParameters
>> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>  #
>>  # Mandatory: no
>>  # Default:
>> -# LoadModulePath=/usr/lib/modules
>> +# LoadModulePath=${libdir}/modules
>>    LoadModulePath=/usr/lib/zabbix
>>  @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
>>  # TLSCRLFile=
>>    ### Option: TLSServerCertIssuer
>> -#	Allowed server certificate issuer.
>> +#		Allowed server certificate issuer.
>>  #
>>  # Mandatory: no
>>  # Default:
>>  # TLSServerCertIssuer=
>>    ### Option: TLSServerCertSubject
>> -#	Allowed server certificate subject.
>> +#		Allowed server certificate subject.
>>  #
>>  # Mandatory: no
>>  # Default:
>> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
>>  # Mandatory: no
>>  # Default:
>>  # TLSPSKFile=
>> +
>> +####### For advanced users - TLS ciphersuite selection criteria #######
>> +
>> +### Option: TLSCipherCert13
>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherCert13=
>> +
>> +### Option: TLSCipherCert
>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>> +#	Example for GnuTLS:
>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>> +#	Example for OpenSSL:
>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherCert=
>> +
>> +### Option: TLSCipherPSK13
>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>> +#	Example:
>> +#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherPSK13=
>> +
>> +### Option: TLSCipherPSK
>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>> +#	Example for GnuTLS:
>> +#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
>> +#	Example for OpenSSL:
>> +#		kECDHEPSK+AES128:kPSK+AES128
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherPSK=
>> +
>> +### Option: TLSCipherAll13
>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>> +#	Example:
>> +#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherAll13=
>> +
>> +### Option: TLSCipherAll
>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>> +#	Example for GnuTLS:
>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>> +#	Example for OpenSSL:
>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
>> +#
>> +# Mandatory: no
>> +# Default:
>> +# TLSCipherAll=
>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
>> index c69643a54..2d57b0dbe 100644
>> --- a/lfs/zabbix_agentd
>> +++ b/lfs/zabbix_agentd
>> @@ -1,7 +1,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -24,7 +24,7 @@
>>    include Config
>>  -VER        = 4.2.6
>> +VER        = 5.0.10
>>    THISAPP    = zabbix-$(VER)
>>  DL_FILE    = $(THISAPP).tar.gz
>> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
>>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>  TARGET     = $(DIR_INFO)/$(THISAPP)
>>  PROG       = zabbix_agentd
>> -PAK_VER    = 4
>> +PAK_VER    = 5
>>  DEPS       =
>>    ###############################################################################
>> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>>    $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>  -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
>> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
>>    install : $(TARGET)
>>  @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  		--prefix=/usr \
>>  		--enable-agent \
>>  		--sysconfdir=/etc/zabbix_agentd \
>> -		--with-openssl
>> +		--with-openssl \
>> +		--with-libcurl
>>    	cd $(DIR_APP) && make
>>  	cd $(DIR_APP) && make install
Adolf Belka April 12, 2021, 11:23 a.m. UTC | #5
Hi Michael,

On 12/04/2021 12:27, Michael Tremer wrote:
> Hello Adolf,
> 
> You can use the Reviewed-by: tag to mark a patch as reviewed by you:
> 
>    https://wiki.ipfire.org/devel/git/tags
I wasn't sure if I was OK for me to use the reviewed tag or if it was limited to specific people. I will use it in future now when I do a review of a patch.

Regards,
Adolf.
> 
> -Michael
> 
>> On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi Robin,
>>
>> I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.
>>
>> The lfs file changes look perfect to me.
>>
>> A general comment I would make is that when you want to do a v2 version then if you enter
>>
>> git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].
>>
>> Note it is lower case v
>>
>> Regards,
>>
>> Adolf
>>
>> On 07/04/2021 22:44, Robin Roevens wrote:
>>> - Update from 4.2.6 to latest LTS version 5.0.10
>>>    See release notes: https://www.zabbix.com/rn/rn5.0.10
>>>
>>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
>>> ---
>>>   config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
>>>   lfs/zabbix_agentd                       |  11 ++-
>>>   2 files changed, 121 insertions(+), 14 deletions(-)
>>>
>>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
>>> index 21b8e0122..4d6c4c154 100644
>>> --- a/config/zabbix_agentd/zabbix_agentd.conf
>>> +++ b/config/zabbix_agentd/zabbix_agentd.conf
>>> @@ -63,14 +63,33 @@ LogFileSize=0
>>>   # Default:
>>>   # SourceIP=
>>>   -### Option: EnableRemoteCommands
>>> -#	Whether remote commands from Zabbix server are allowed.
>>> -#	0 - not allowed
>>> -#	1 - allowed
>>> +### Option: AllowKey
>>> +#	Allow execution of item keys matching pattern.
>>> +#	Multiple keys matching rules may be defined in combination with DenyKey.
>>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>>> +#	Parameters are processed one by one according their appearance order.
>>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>>> +#
>>> +# Mandatory: no
>>> +
>>> +### Option: DenyKey
>>> +#	Deny execution of items keys matching pattern.
>>> +#	Multiple keys matching rules may be defined in combination with AllowKey.
>>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>>> +#	Parameters are processed one by one according their appearance order.
>>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>>> +#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
>>>   #
>>>   # Mandatory: no
>>>   # Default:
>>> -# EnableRemoteCommands=0
>>> +# DenyKey=system.run[*]
>>> +
>>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
>>> +#	Internal alias for AllowKey/DenyKey parameters depending on value:
>>> +#	0 - DenyKey=system.run[*]
>>> +#	1 - AllowKey=system.run[*]
>>> +#
>>> +# Mandatory: no
>>>     ### Option: LogRemoteCommands
>>>   #	Enable logging of executed shell commands as warnings.
>>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
>>>   # Default:
>>>   # HostMetadataItem=
>>>   +### Option: HostInterface
>>> +#	Optional parameter that defines host interface.
>>> +#	Host interface is used at host auto-registration process.
>>> +#	An agent will issue an error and not start if the value is over limit of 255 characters.
>>> +#	If not defined, value will be acquired from HostInterfaceItem.
>>> +#
>>> +# Mandatory: no
>>> +# Range: 0-255 characters
>>> +# Default:
>>> +# HostInterface=
>>> +
>>> +### Option: HostInterfaceItem
>>> +#	Optional parameter that defines an item used for getting host interface.
>>> +#	Host interface is used at host auto-registration process.
>>> +#	During an auto-registration request an agent will log a warning message if
>>> +#	the value returned by specified item is over limit of 255 characters.
>>> +#	This option is only used when HostInterface is not defined.
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# HostInterfaceItem=
>>> +
>>>   ### Option: RefreshActiveChecks
>>>   #	How often list of active checks is refreshed, in seconds.
>>>   #
>>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
>>>     Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>>   -
>>>   ####### USER-DEFINED MONITORED PARAMETERS #######
>>>     ### Option: UnsafeUserParameters
>>> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>>   #
>>>   # Mandatory: no
>>>   # Default:
>>> -# LoadModulePath=/usr/lib/modules
>>> +# LoadModulePath=${libdir}/modules
>>>     LoadModulePath=/usr/lib/zabbix
>>>   @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
>>>   # TLSCRLFile=
>>>     ### Option: TLSServerCertIssuer
>>> -#	Allowed server certificate issuer.
>>> +#		Allowed server certificate issuer.
>>>   #
>>>   # Mandatory: no
>>>   # Default:
>>>   # TLSServerCertIssuer=
>>>     ### Option: TLSServerCertSubject
>>> -#	Allowed server certificate subject.
>>> +#		Allowed server certificate subject.
>>>   #
>>>   # Mandatory: no
>>>   # Default:
>>> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
>>>   # Mandatory: no
>>>   # Default:
>>>   # TLSPSKFile=
>>> +
>>> +####### For advanced users - TLS ciphersuite selection criteria #######
>>> +
>>> +### Option: TLSCipherCert13
>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherCert13=
>>> +
>>> +### Option: TLSCipherCert
>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>>> +#	Example for GnuTLS:
>>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>>> +#	Example for OpenSSL:
>>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherCert=
>>> +
>>> +### Option: TLSCipherPSK13
>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>>> +#	Example:
>>> +#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherPSK13=
>>> +
>>> +### Option: TLSCipherPSK
>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>>> +#	Example for GnuTLS:
>>> +#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
>>> +#	Example for OpenSSL:
>>> +#		kECDHEPSK+AES128:kPSK+AES128
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherPSK=
>>> +
>>> +### Option: TLSCipherAll13
>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>>> +#	Example:
>>> +#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherAll13=
>>> +
>>> +### Option: TLSCipherAll
>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>>> +#	Example for GnuTLS:
>>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>>> +#	Example for OpenSSL:
>>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
>>> +#
>>> +# Mandatory: no
>>> +# Default:
>>> +# TLSCipherAll=
>>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
>>> index c69643a54..2d57b0dbe 100644
>>> --- a/lfs/zabbix_agentd
>>> +++ b/lfs/zabbix_agentd
>>> @@ -1,7 +1,7 @@
>>>   ###############################################################################
>>>   #                                                                             #
>>>   # IPFire.org - A linux based firewall                                         #
>>> -# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
>>> +# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>>>   #                                                                             #
>>>   # This program is free software: you can redistribute it and/or modify        #
>>>   # it under the terms of the GNU General Public License as published by        #
>>> @@ -24,7 +24,7 @@
>>>     include Config
>>>   -VER        = 4.2.6
>>> +VER        = 5.0.10
>>>     THISAPP    = zabbix-$(VER)
>>>   DL_FILE    = $(THISAPP).tar.gz
>>> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
>>>   DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>>   TARGET     = $(DIR_INFO)/$(THISAPP)
>>>   PROG       = zabbix_agentd
>>> -PAK_VER    = 4
>>> +PAK_VER    = 5
>>>   DEPS       =
>>>     ###############################################################################
>>> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>>>     $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>   -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
>>> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
>>>     install : $(TARGET)
>>>   @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>   		--prefix=/usr \
>>>   		--enable-agent \
>>>   		--sysconfdir=/etc/zabbix_agentd \
>>> -		--with-openssl
>>> +		--with-openssl \
>>> +		--with-libcurl
>>>     	cd $(DIR_APP) && make
>>>   	cd $(DIR_APP) && make install
>
Michael Tremer April 12, 2021, 1:48 p.m. UTC | #6
Hello,

No, if you have reviewed it you can add the tag. Just anywhere in an email and Patchwork will parse and add credit.

The reason why we are doing the tags is:

* To give credit (because it very often is not only one person who has worked on something, but Git only allows one author field)

* We know what has been reviewed

* And if something is broken, there is a list of people who have been working on this who can be shot… joking… who can be consulted about why something was solved in a certain way, etc.

You can also use Tested-by which is very helpful, too.

Best,
-Michael

> On 12 Apr 2021, at 12:23, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 12/04/2021 12:27, Michael Tremer wrote:
>> Hello Adolf,
>> You can use the Reviewed-by: tag to mark a patch as reviewed by you:
>>   https://wiki.ipfire.org/devel/git/tags
> I wasn't sure if I was OK for me to use the reviewed tag or if it was limited to specific people. I will use it in future now when I do a review of a patch.
> 
> Regards,
> Adolf.
>> -Michael
>>> On 9 Apr 2021, at 20:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>> 
>>> Hi Robin,
>>> 
>>> I am not knowledgeable enough about zabbix to make any comment about the conf file changes other than that I could follow your explanations of why they were being done.
>>> 
>>> The lfs file changes look perfect to me.
>>> 
>>> A general comment I would make is that when you want to do a v2 version then if you enter
>>> 
>>> git patch-format -v2 -o ..... then the patches will be created automatically as [PATCH v2 1/3].
>>> 
>>> Note it is lower case v
>>> 
>>> Regards,
>>> 
>>> Adolf
>>> 
>>> On 07/04/2021 22:44, Robin Roevens wrote:
>>>> - Update from 4.2.6 to latest LTS version 5.0.10
>>>>   See release notes: https://www.zabbix.com/rn/rn5.0.10
>>>> 
>>>> Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
>>>> ---
>>>>  config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
>>>>  lfs/zabbix_agentd                       |  11 ++-
>>>>  2 files changed, 121 insertions(+), 14 deletions(-)
>>>> 
>>>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
>>>> index 21b8e0122..4d6c4c154 100644
>>>> --- a/config/zabbix_agentd/zabbix_agentd.conf
>>>> +++ b/config/zabbix_agentd/zabbix_agentd.conf
>>>> @@ -63,14 +63,33 @@ LogFileSize=0
>>>>  # Default:
>>>>  # SourceIP=
>>>>  -### Option: EnableRemoteCommands
>>>> -#	Whether remote commands from Zabbix server are allowed.
>>>> -#	0 - not allowed
>>>> -#	1 - allowed
>>>> +### Option: AllowKey
>>>> +#	Allow execution of item keys matching pattern.
>>>> +#	Multiple keys matching rules may be defined in combination with DenyKey.
>>>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>>>> +#	Parameters are processed one by one according their appearance order.
>>>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>>>> +#
>>>> +# Mandatory: no
>>>> +
>>>> +### Option: DenyKey
>>>> +#	Deny execution of items keys matching pattern.
>>>> +#	Multiple keys matching rules may be defined in combination with AllowKey.
>>>> +#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
>>>> +#	Parameters are processed one by one according their appearance order.
>>>> +#	If no AllowKey or DenyKey rules defined, all keys are allowed.
>>>> +#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
>>>>  #
>>>>  # Mandatory: no
>>>>  # Default:
>>>> -# EnableRemoteCommands=0
>>>> +# DenyKey=system.run[*]
>>>> +
>>>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
>>>> +#	Internal alias for AllowKey/DenyKey parameters depending on value:
>>>> +#	0 - DenyKey=system.run[*]
>>>> +#	1 - AllowKey=system.run[*]
>>>> +#
>>>> +# Mandatory: no
>>>>    ### Option: LogRemoteCommands
>>>>  #	Enable logging of executed shell commands as warnings.
>>>> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
>>>>  # Default:
>>>>  # HostMetadataItem=
>>>>  +### Option: HostInterface
>>>> +#	Optional parameter that defines host interface.
>>>> +#	Host interface is used at host auto-registration process.
>>>> +#	An agent will issue an error and not start if the value is over limit of 255 characters.
>>>> +#	If not defined, value will be acquired from HostInterfaceItem.
>>>> +#
>>>> +# Mandatory: no
>>>> +# Range: 0-255 characters
>>>> +# Default:
>>>> +# HostInterface=
>>>> +
>>>> +### Option: HostInterfaceItem
>>>> +#	Optional parameter that defines an item used for getting host interface.
>>>> +#	Host interface is used at host auto-registration process.
>>>> +#	During an auto-registration request an agent will log a warning message if
>>>> +#	the value returned by specified item is over limit of 255 characters.
>>>> +#	This option is only used when HostInterface is not defined.
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# HostInterfaceItem=
>>>> +
>>>>  ### Option: RefreshActiveChecks
>>>>  #	How often list of active checks is refreshed, in seconds.
>>>>  #
>>>> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
>>>>    Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>>>  -
>>>>  ####### USER-DEFINED MONITORED PARAMETERS #######
>>>>    ### Option: UnsafeUserParameters
>>>> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>>>>  #
>>>>  # Mandatory: no
>>>>  # Default:
>>>> -# LoadModulePath=/usr/lib/modules
>>>> +# LoadModulePath=${libdir}/modules
>>>>    LoadModulePath=/usr/lib/zabbix
>>>>  @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
>>>>  # TLSCRLFile=
>>>>    ### Option: TLSServerCertIssuer
>>>> -#	Allowed server certificate issuer.
>>>> +#		Allowed server certificate issuer.
>>>>  #
>>>>  # Mandatory: no
>>>>  # Default:
>>>>  # TLSServerCertIssuer=
>>>>    ### Option: TLSServerCertSubject
>>>> -#	Allowed server certificate subject.
>>>> +#		Allowed server certificate subject.
>>>>  #
>>>>  # Mandatory: no
>>>>  # Default:
>>>> @@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
>>>>  # Mandatory: no
>>>>  # Default:
>>>>  # TLSPSKFile=
>>>> +
>>>> +####### For advanced users - TLS ciphersuite selection criteria #######
>>>> +
>>>> +### Option: TLSCipherCert13
>>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherCert13=
>>>> +
>>>> +### Option: TLSCipherCert
>>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>>> +#	Override the default ciphersuite selection criteria for certificate-based encryption.
>>>> +#	Example for GnuTLS:
>>>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>>>> +#	Example for OpenSSL:
>>>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherCert=
>>>> +
>>>> +### Option: TLSCipherPSK13
>>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>>>> +#	Example:
>>>> +#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherPSK13=
>>>> +
>>>> +### Option: TLSCipherPSK
>>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>>> +#	Override the default ciphersuite selection criteria for PSK-based encryption.
>>>> +#	Example for GnuTLS:
>>>> +#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
>>>> +#	Example for OpenSSL:
>>>> +#		kECDHEPSK+AES128:kPSK+AES128
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherPSK=
>>>> +
>>>> +### Option: TLSCipherAll13
>>>> +#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
>>>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>>>> +#	Example:
>>>> +#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherAll13=
>>>> +
>>>> +### Option: TLSCipherAll
>>>> +#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
>>>> +#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
>>>> +#	Example for GnuTLS:
>>>> +#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
>>>> +#	Example for OpenSSL:
>>>> +#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
>>>> +#
>>>> +# Mandatory: no
>>>> +# Default:
>>>> +# TLSCipherAll=
>>>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
>>>> index c69643a54..2d57b0dbe 100644
>>>> --- a/lfs/zabbix_agentd
>>>> +++ b/lfs/zabbix_agentd
>>>> @@ -1,7 +1,7 @@
>>>>  ###############################################################################
>>>>  #                                                                             #
>>>>  # IPFire.org - A linux based firewall                                         #
>>>> -# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
>>>> +# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>>>>  #                                                                             #
>>>>  # This program is free software: you can redistribute it and/or modify        #
>>>>  # it under the terms of the GNU General Public License as published by        #
>>>> @@ -24,7 +24,7 @@
>>>>    include Config
>>>>  -VER        = 4.2.6
>>>> +VER        = 5.0.10
>>>>    THISAPP    = zabbix-$(VER)
>>>>  DL_FILE    = $(THISAPP).tar.gz
>>>> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
>>>>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>>>  TARGET     = $(DIR_INFO)/$(THISAPP)
>>>>  PROG       = zabbix_agentd
>>>> -PAK_VER    = 4
>>>> +PAK_VER    = 5
>>>>  DEPS       =
>>>>    ###############################################################################
>>>> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>>>>    $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>  -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
>>>> +$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
>>>>    install : $(TARGET)
>>>>  @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>  		--prefix=/usr \
>>>>  		--enable-agent \
>>>>  		--sysconfdir=/etc/zabbix_agentd \
>>>> -		--with-openssl
>>>> +		--with-openssl \
>>>> +		--with-libcurl
>>>>    	cd $(DIR_APP) && make
>>>>  	cd $(DIR_APP) && make install

Patch

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
index 21b8e0122..4d6c4c154 100644
--- a/config/zabbix_agentd/zabbix_agentd.conf
+++ b/config/zabbix_agentd/zabbix_agentd.conf
@@ -63,14 +63,33 @@  LogFileSize=0
 # Default:
 # SourceIP=
 
-### Option: EnableRemoteCommands
-#	Whether remote commands from Zabbix server are allowed.
-#	0 - not allowed
-#	1 - allowed
+### Option: AllowKey
+#	Allow execution of item keys matching pattern.
+#	Multiple keys matching rules may be defined in combination with DenyKey.
+#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+#	Parameters are processed one by one according their appearance order.
+#	If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+#	Deny execution of items keys matching pattern.
+#	Multiple keys matching rules may be defined in combination with AllowKey.
+#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+#	Parameters are processed one by one according their appearance order.
+#	If no AllowKey or DenyKey rules defined, all keys are allowed.
+#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
 #
 # Mandatory: no
 # Default:
-# EnableRemoteCommands=0
+# DenyKey=system.run[*]
+
+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
+#	Internal alias for AllowKey/DenyKey parameters depending on value:
+#	0 - DenyKey=system.run[*]
+#	1 - AllowKey=system.run[*]
+#
+# Mandatory: no
 
 ### Option: LogRemoteCommands
 #	Enable logging of executed shell commands as warnings.
@@ -177,6 +196,28 @@  ServerActive=127.0.0.1
 # Default:
 # HostMetadataItem=
 
+### Option: HostInterface
+#	Optional parameter that defines host interface.
+#	Host interface is used at host auto-registration process.
+#	An agent will issue an error and not start if the value is over limit of 255 characters.
+#	If not defined, value will be acquired from HostInterfaceItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostInterface=
+
+### Option: HostInterfaceItem
+#	Optional parameter that defines an item used for getting host interface.
+#	Host interface is used at host auto-registration process.
+#	During an auto-registration request an agent will log a warning message if
+#	the value returned by specified item is over limit of 255 characters.
+#	This option is only used when HostInterface is not defined.
+#
+# Mandatory: no
+# Default:
+# HostInterfaceItem=
+
 ### Option: RefreshActiveChecks
 #	How often list of active checks is refreshed, in seconds.
 #
@@ -265,7 +306,6 @@  ServerActive=127.0.0.1
 
 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
 
-
 ####### USER-DEFINED MONITORED PARAMETERS #######
 
 ### Option: UnsafeUserParameters
@@ -299,7 +339,7 @@  Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
 #
 # Mandatory: no
 # Default:
-# LoadModulePath=/usr/lib/modules
+# LoadModulePath=${libdir}/modules
 
 LoadModulePath=/usr/lib/zabbix
 
@@ -357,14 +397,14 @@  LoadModulePath=/usr/lib/zabbix
 # TLSCRLFile=
 
 ### Option: TLSServerCertIssuer
-#	Allowed server certificate issuer.
+#		Allowed server certificate issuer.
 #
 # Mandatory: no
 # Default:
 # TLSServerCertIssuer=
 
 ### Option: TLSServerCertSubject
-#	Allowed server certificate subject.
+#		Allowed server certificate subject.
 #
 # Mandatory: no
 # Default:
@@ -397,3 +437,69 @@  LoadModulePath=/usr/lib/zabbix
 # Mandatory: no
 # Default:
 # TLSPSKFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for certificate-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+#	Example for OpenSSL:
+#		EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for PSK-based encryption.
+#	Example:
+#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for PSK-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+#	Example for OpenSSL:
+#		kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+#	Example:
+#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+#	Example for OpenSSL:
+#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index c69643a54..2d57b0dbe 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 4.2.6
+VER        = 5.0.10
 
 THISAPP    = zabbix-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = zabbix_agentd
-PAK_VER    = 4
+PAK_VER    = 5
 DEPS       =
 
 ###############################################################################
@@ -43,7 +43,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
+$(DL_FILE)_MD5 = 17403cce60266019f25ff53c72f0e212
 
 install : $(TARGET)
 
@@ -80,7 +80,8 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--prefix=/usr \
 		--enable-agent \
 		--sysconfdir=/etc/zabbix_agentd \
-		--with-openssl
+		--with-openssl \
+		--with-libcurl
 
 	cd $(DIR_APP) && make
 	cd $(DIR_APP) && make install