From patchwork Thu Mar 3 21:02:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Robin Roevens X-Patchwork-Id: 5313 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4K8k3v1BWqz3xlR for ; Thu, 3 Mar 2022 21:03:39 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4K8k3t4hTzz4fT; Thu, 3 Mar 2022 21:03:38 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4K8k3t4Rqzz30D9; Thu, 3 Mar 2022 21:03:38 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4K8k3s308hz2yV8 for ; Thu, 3 Mar 2022 21:03:37 +0000 (UTC) Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4K8k3r5Qd4z5Y8 for ; Thu, 3 Mar 2022 21:03:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 8DF818EB9B for ; Thu, 3 Mar 2022 22:03:31 +0100 (CET) X-Virus-Scanned: SPAM Filter at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l0kMagRUkpWP for ; Thu, 3 Mar 2022 22:03:28 +0100 (CET) Received: from chojin.sicho.home (amaterasu.sicho.home [192.168.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (no client certificate requested) (Authenticated sender) by hachiman (MailScanner Milter) with SMTP id 57CCE184CE; Thu, 3 Mar 2022 22:03:04 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1646341407; bh=JXe29R8w7LsaBg1jJrVkazZqQUL2n8aukbzHo1NNUjE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=KtME0rskzy3pOYdLNYaJrHFIdRWmWcB+HhLjM7zp3KUdisL2WadJ+sZUnXBYmvmfP dZbpLPhsANd7YnZ4h0xLMYWJ+TseK7WNB6b8I89EUay1tTTe80iOvdumvUbtExSN8X OuGGAF8SYl94Lcec5S5q9Uwi5V3RFrF/zbirU+OMOKKPj5CEiAoguSxE3HlpanXXmL FM7o9wdKqrliDKd0jVWJ032U7BxvYhqrWDie/P3VkLeSS7KfrTZyS7UH0mUR4UbMNz nqemT4dG85N9PyeWfpAdp+lPGz5h/GNJaHW8RMYRRR7lmOiX8OkagAp4YK5UDzMnKY 3NqtBSCNPwGVQ== From: Robin Roevens To: development@lists.ipfire.org Subject: [PATCH v4 3/6] zabbix_agentd: Configfile reorganization Date: Thu, 3 Mar 2022 22:02:51 +0100 Message-Id: <20220303210254.3116-4-robin.roevens@disroot.org> In-Reply-To: <20220303210254.3116-1-robin.roevens@disroot.org> References: <20220303210254.3116-1-robin.roevens@disroot.org> Mime-Version: 1.0 X-sicho-MailScanner-ID: 57CCE184CE.A8A80 X-sicho-MailScanner: Found to be clean X-sicho-MailScanner-From: robin.roevens@disroot.org X-sicho-MailScanner-Watermark: 1646946187.53355@A2cdYVM7p0uzTrj7iV/pJQ ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1646341416; a=rsa-sha256; cv=none; b=fo96v58li6DUuD2m76YbKg7N8DGTObOVNEtVgtHV7CWUlPFbhs0NCFBPsqgUrR5+ZtHOYZ DJS7mPUNk4HXdFlcrYfqaKIakfVE7DlYaVtJWia7MzZD/rZ/uI+ueDdWAwBfb/BeKqHBh/ aI3RhQEhInaBu6k+7RaqZCmZ3hjt7foAuVhKWmjiv4qeMVhynDqW41h/8FQLaGJjL2lxAy ZKsoIlTG5hF8ABA1M1kz8NVf82hXgfbf2QJwMpOi10VBl/ztnyGgb5BWT7yCbQOPYYxRyg EnnolDQ5VytkFpZEhpAJI2P98N401ZfrXPrN30TImKqo/q1DiFT0UnId55hr7Q== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=KtME0rsk; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1646341416; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=bgNmK37kB2soRECCwI+5YNtQhlS1GRByfEbOsjm0if0=; b=Vag/FD7tOJmoWttZGJxbUehPttV+iUn6x0uYkbz5BflBuUoDQW1LWcK3DfvVNek3ZlW45K X2L4mX1c136Q77tfPA74Lu2irtZ/NZC24E9Tkf5X1yWAmd+N3AEeVDHEn/2itxBwDsiXgx pcJsZ0H78fcyWXvY2sY5OXOjZjo+Loh++bg7Twva8ZsYEhem+K3XYHvrLS2KYzKmpquWIC 2BlQcYlIIeEHBoM74zehTx9HV6EQHPHsOAMqQX0KC8DN7w40lyAOMu+HGfgRolfE3esyZN PEgvyo4yAo2cP5SV0zvC6Pn2DQrQSrAsWf1DPiEdbXKVqupWzIPXx0Cd0CsNaw== Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=KtME0rsk; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Server: mail01.haj.ipfire.org X-Spamd-Result: default: False [-4.81 / 11.00]; BAYES_HAM(-3.00)[99.99%]; IP_REPUTATION_HAM(-1.16)[asn: 50673(-0.33), country: NL(-0.01), ip: 178.21.23.139(-0.82)]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-0.99)[-0.990]; SPF_REPUTATION_HAM(-0.65)[-0.65417028382239]; MV_CASE(0.50)[]; R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; R_SPF_ALLOW(-0.20)[+a:c]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FROM_EQ_ENVFROM(0.00)[]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[disroot.org:+]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; TO_DN_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; ARC_NA(0.00)[] X-Rspamd-Queue-Id: 4K8k3r5Qd4z5Y8 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Restrict default main config to only the bare minimum options and add upstream provided config as example file. - Remove /etc/zabbix_agentd from backup and instead add only zabbix_agentd.conf and subdirs 'scripts' and 'zabbix_agentd.d' to the backup. - Move ipfire managed userparameter_pakfire.conf from user managed dir /etc/zabbix_agentd/zabbix_agent.d to ipfire managed dir /var/ipfire/zabbix_agentd/userparameters - Add Include line to existing zabbix_agentd.conf to include the new ipfire managed config dir /var/ipfire/zabbix_agentd/... - Add and include mandatory IPFire specific agent configuration which should never be changed by the user. Signed-off-by: Robin Roevens --- config/backup/includes/zabbix_agentd | 4 +- config/rootfiles/packages/zabbix_agentd | 5 +- config/zabbix_agentd/zabbix_agentd.conf | 521 +----------------- .../zabbix_agentd_ipfire_mandatory.conf | 11 + lfs/zabbix_agentd | 11 +- src/paks/zabbix_agentd/install.sh | 33 ++ 6 files changed, 75 insertions(+), 510 deletions(-) create mode 100644 config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index d3305cb96..4be365297 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,3 +1,5 @@ /etc/sudoers.d/zabbix -/etc/zabbix_agentd/ +/etc/zabbix_agentd/zabbix_agentd.conf +/etc/zabbix_agentd/scripts/ +/etc/zabbix_agentd/zabbix_agentd.d/ /usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index d9bbc3ccf..66a1087cf 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -5,7 +5,6 @@ etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf etc/zabbix_agentd/zabbix_agentd.d -etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules @@ -15,4 +14,8 @@ usr/sbin/zabbix_agentd #usr/share/man/man1/zabbix_sender.1 #usr/share/man/man8/zabbix_agentd.8 var/ipfire/backup/addons/includes/zabbix_agentd +var/ipfire/zabbix_agentd +var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf +var/ipfire/zabbix_agentd/userparameters +var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf #var/log/zabbix diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index aa8b899dc..76cd87528 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -1,516 +1,23 @@ # This is a configuration file for Zabbix agent daemon (Unix) # To get more information about Zabbix, visit http://www.zabbix.com - -############ GENERAL PARAMETERS ################# - -### Option: PidFile -# Name of PID file. -# -# Mandatory: no -# Default: -# PidFile=/tmp/zabbix_agentd.pid - -PidFile=/var/run/zabbix/zabbix_agentd.pid - -### Option: LogType -# Specifies where log messages are written to: -# system - syslog -# file - file specified with LogFile parameter -# console - standard output -# -# Mandatory: no -# Default: -# LogType=file - -### Option: LogFile -# Log file name for LogType 'file' parameter. # -# Mandatory: yes, if LogType is set to file, otherwise no -# Default: -# LogFile= +# For possible configuration options, +# see /etc/zabbix_agentd/zabbix_agentd.conf.example -LogFile=/var/log/zabbix/zabbix_agentd.log - -### Option: LogFileSize -# Maximum size of log file in MB. -# 0 - disable automatic log rotation. -# -# Mandatory: no -# Range: 0-1024 -# Default: -# LogFileSize=1 - -LogFileSize=0 - -### Option: DebugLevel -# Specifies debug level: -# 0 - basic information about starting and stopping of Zabbix processes -# 1 - critical information -# 2 - error information -# 3 - warnings -# 4 - for debugging (produces lots of information) -# 5 - extended debugging (produces even more information) -# -# Mandatory: no -# Range: 0-5 -# Default: -# DebugLevel=3 - -### Option: SourceIP -# Source IP address for outgoing connections. -# -# Mandatory: no -# Default: -# SourceIP= - -### Option: AllowKey -# Allow execution of item keys matching pattern. -# Multiple keys matching rules may be defined in combination with DenyKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# -# Mandatory: no - -### Option: DenyKey -# Deny execution of items keys matching pattern. -# Multiple keys matching rules may be defined in combination with AllowKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. -# -# Mandatory: no -# Default: -# DenyKey=system.run[*] - -### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead -# Internal alias for AllowKey/DenyKey parameters depending on value: -# 0 - DenyKey=system.run[*] -# 1 - AllowKey=system.run[*] -# -# Mandatory: no - -### Option: LogRemoteCommands -# Enable logging of executed shell commands as warnings. -# 0 - disabled -# 1 - enabled -# -# Mandatory: no -# Default: -# LogRemoteCommands=0 - -##### Passive checks related - -### Option: Server -# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. -# Incoming connections will be accepted only from the hosts listed here. -# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally -# and '::/0' will allow any IPv4 or IPv6 address. -# '0.0.0.0/0' can be used to allow any IPv4 address. -# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com -# -# Mandatory: yes, if StartAgents is not explicitly set to 0 -# Default: -# Server= +# To make sure all Zabbix configuration is correctly included in IPFire backups: +# - Put custom userparameters in /etc/zabbix_agentd/zabbix_agentd.d/*.conf +# - Put custom scripts in /etc/zabbix_agentd/scripts +# - Put custom modules in /usr/lib/zabbix +# Set your Zabbix Server IP or hostname here (Passive and/or Active): Server=127.0.0.1 - -### Option: ListenPort -# Agent will listen on this port for connections from the server. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# ListenPort=10050 - -### Option: ListenIP -# List of comma delimited IP addresses that the agent should listen on. -# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. -# -# Mandatory: no -# Default: -# ListenIP=0.0.0.0 - -### Option: StartAgents -# Number of pre-forked instances of zabbix_agentd that process passive checks. -# If set to 0, disables passive checks and the agent will not listen on any TCP port. -# -# Mandatory: no -# Range: 0-100 -# Default: -# StartAgents=3 - -##### Active checks related - -### Option: ServerActive -# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks. -# If port is not specified, default port is used. -# IPv6 addresses must be enclosed in square brackets if port for that host is specified. -# If port is not specified, square brackets for IPv6 addresses are optional. -# If this parameter is not specified, active checks are disabled. -# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] -# -# Mandatory: no -# Default: -# ServerActive= - ServerActive=127.0.0.1 -### Option: Hostname -# Unique, case sensitive hostname. -# Required for active checks and must match hostname as configured on the server. -# Value is acquired from HostnameItem if undefined. -# -# Mandatory: no -# Default: -# Hostname= - -### Option: HostnameItem -# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. -# Does not support UserParameters or aliases. -# -# Mandatory: no -# Default: -# HostnameItem=system.hostname - -### Option: HostMetadata -# Optional parameter that defines host metadata. -# Host metadata is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostMetadataItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostMetadata= - -### Option: HostMetadataItem -# Optional parameter that defines an item used for getting host metadata. -# Host metadata is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostMetadata is not defined. -# -# Mandatory: no -# Default: -# HostMetadataItem= - -### Option: HostInterface -# Optional parameter that defines host interface. -# Host interface is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostInterfaceItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostInterface= - -### Option: HostInterfaceItem -# Optional parameter that defines an item used for getting host interface. -# Host interface is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostInterface is not defined. -# -# Mandatory: no -# Default: -# HostInterfaceItem= - -### Option: RefreshActiveChecks -# How often list of active checks is refreshed, in seconds. -# -# Mandatory: no -# Range: 60-3600 -# Default: -# RefreshActiveChecks=120 - -### Option: BufferSend -# Do not keep data longer than N seconds in buffer. -# -# Mandatory: no -# Range: 1-3600 -# Default: -# BufferSend=5 - -### Option: BufferSize -# Maximum number of values in a memory buffer. The agent will send -# all collected data to Zabbix Server or Proxy if the buffer is full. -# -# Mandatory: no -# Range: 2-65535 -# Default: -# BufferSize=100 - -### Option: MaxLinesPerSecond -# Maximum number of new lines the agent will send per second to Zabbix Server -# or Proxy processing 'log' and 'logrt' active checks. -# The provided value will be overridden by the parameter 'maxlines', -# provided in 'log' or 'logrt' item keys. -# -# Mandatory: no -# Range: 1-1000 -# Default: -# MaxLinesPerSecond=20 - -############ ADVANCED PARAMETERS ################# - -### Option: Alias -# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. -# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. -# Different Alias keys may reference the same item key. -# For example, to retrieve the ID of user 'zabbix': -# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] -# Now shorthand key zabbix.userid may be used to retrieve data. -# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. -# -# Mandatory: no -# Range: -# Default: +# This line activates IPFire specific userparameters. See IPFire wiki for details. +# To deactivate them: Comment this line out. +# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade) +Include=/var/ipfire/zabbix_agentd/userparameters/*.conf -### Option: Timeout -# Spend no more than Timeout seconds on processing -# -# Mandatory: no -# Range: 1-30 -# Default: -# Timeout=3 - -### Option: AllowRoot -# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent -# will try to switch to the user specified by the User configuration option instead. -# Has no effect if started under a regular user. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Default: -# AllowRoot=0 - -### Option: User -# Drop privileges to a specific, existing user on the system. -# Only has effect if run as 'root' and AllowRoot is disabled. -# -# Mandatory: no -# Default: -# User=zabbix - -### Option: Include -# You may include individual files or all files in a directory in the configuration file. -# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. -# -# Mandatory: no -# Default: -# Include= - -Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - -####### USER-DEFINED MONITORED PARAMETERS ####### - -### Option: UnsafeUserParameters -# Allow all characters to be passed in arguments to user-defined parameters. -# The following characters are not allowed: -# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ -# Additionally, newline characters are not allowed. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Range: 0-1 -# Default: -# UnsafeUserParameters=0 - -### Option: UserParameter -# User-defined parameter to monitor. There can be several user-defined parameters. -# Format: UserParameter=, -# See 'zabbix_agentd' directory for examples. -# -# Mandatory: no -# Default: -# UserParameter= - -####### LOADABLE MODULES ####### - -### Option: LoadModulePath -# Full path to location of agent modules. -# Default depends on compilation options. -# To see the default path run command "zabbix_agentd --help". -# -# Mandatory: no -# Default: -# LoadModulePath=${libdir}/modules - -LoadModulePath=/usr/lib/zabbix - -### Option: LoadModule -# Module to load at agent startup. Modules are used to extend functionality of the agent. -# Formats: -# LoadModule= -# LoadModule= -# LoadModule= -# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. -# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. -# It is allowed to include multiple LoadModule parameters. -# -# Mandatory: no -# Default: -# LoadModule= - -####### TLS-RELATED PARAMETERS ####### - -### Option: TLSConnect -# How the agent should connect to server or proxy. Used for active checks. -# Only one value can be specified: -# unencrypted - connect without encryption -# psk - connect using TLS and a pre-shared key -# cert - connect using TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSConnect=unencrypted - -### Option: TLSAccept -# What incoming connections to accept. -# Multiple values can be specified, separated by comma: -# unencrypted - accept connections without encryption -# psk - accept connections secured with TLS and a pre-shared key -# cert - accept connections secured with TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSAccept=unencrypted - -### Option: TLSCAFile -# Full pathname of a file containing the top-level CA(s) certificates for -# peer certificate verification. -# -# Mandatory: no -# Default: -# TLSCAFile= - -### Option: TLSCRLFile -# Full pathname of a file containing revoked certificates. -# -# Mandatory: no -# Default: -# TLSCRLFile= - -### Option: TLSServerCertIssuer -# Allowed server certificate issuer. -# -# Mandatory: no -# Default: -# TLSServerCertIssuer= - -### Option: TLSServerCertSubject -# Allowed server certificate subject. -# -# Mandatory: no -# Default: -# TLSServerCertSubject= - -### Option: TLSCertFile -# Full pathname of a file containing the agent certificate or certificate chain. -# -# Mandatory: no -# Default: -# TLSCertFile= - -### Option: TLSKeyFile -# Full pathname of a file containing the agent private key. -# -# Mandatory: no -# Default: -# TLSKeyFile= - -### Option: TLSPSKIdentity -# Unique, case sensitive string used to identify the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKIdentity= - -### Option: TLSPSKFile -# Full pathname of a file containing the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKFile= - -####### For advanced users - TLS ciphersuite selection criteria ####### - -### Option: TLSCipherCert13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# -# Mandatory: no -# Default: -# TLSCipherCert13= - -### Option: TLSCipherCert -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128 -# -# Mandatory: no -# Default: -# TLSCipherCert= - -### Option: TLSCipherPSK13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example: -# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherPSK13= - -### Option: TLSCipherPSK -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL -# Example for OpenSSL: -# kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherPSK= - -### Option: TLSCipherAll13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example: -# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherAll13= - -### Option: TLSCipherAll -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherAll= - -####### For advanced users - TCP-related fine-tuning parameters ####### - -## Option: ListenBacklog -# The maximum number of pending connections in the queue. This parameter is passed to -# listen() function as argument 'backlog' (see "man listen"). -# -# Mandatory: no -# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) -# Default: SOMAXCONN (hard-coded constant, depends on system) -# ListenBacklog= +# Mandatory Zabbix Agent configuration to start and run on IPFire correctly +# DO NOT REMOVE OR MODIFY THIS LINE: +Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ No newline at end of file diff --git a/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf new file mode 100644 index 000000000..c6be948be --- /dev/null +++ b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf @@ -0,0 +1,11 @@ +PidFile=/var/run/zabbix/zabbix_agentd.pid + +# Log rotation is managed by logrotate +LogFile=/var/log/zabbix/zabbix_agentd.log +LogFileSize=0 + +# These paths are included in the IPFire backups. Do not put user modules +# or configuration files in other locations if you want them included in the +# backups. +LoadModulePath=/usr/lib/zabbix +Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 5ee1b94e5..6e995f40b 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -94,10 +94,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d -mkdir -pv /etc/zabbix_agentd/scripts + # Move upstream supplied config out of the way for reference + # and install our own version of the config. + -mv /etc/zabbix_agentd/zabbix_agentd.conf \ + /etc/zabbix_agentd/zabbix_agentd.conf.example install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \ /etc/zabbix_agentd/zabbix_agentd.conf + + # Install IPFire-specific Zabbix Agent config + -mkdir -pv /var/ipfire/zabbix_agentd/userparameters + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ + /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ - /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf + /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index cf435918d..d9130dfb4 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -43,4 +43,37 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd [ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix ) restore_backup ${NAME} + +# Check if old IPFire specifc userparameters exist and move out of the way +if [ -f /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf ]; then + mv /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf.save +fi + +# Check if new IPFire specific config is included in restored config +# and add if required. +grep -q "Include=/var/ipfire/zabbix_agentd/userparameters/\*.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? -eq 1 ]; then + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# This line activates IPFire specific userparameters. See IPFire wiki for details." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# To deactivate them: Comment this line out." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/userparameters/*.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + +grep -q "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? -eq 1 ]; then + # Remove settings that are now in our own config + sed -i -e "\|^PidFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LogFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LogFileSize=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LoadModulePath=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^Include=/etc/zabbix_agentd/zabbix_agentd\.d/\*\.conf$|d" /etc/zabbix_agentd/zabbix_agentd.conf + # Include our own config in main config + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# Mandatory Zabbix Agent configuration to start and run on IPFire correctly" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# DO NOT REMOVE OR MODIFY THIS LINE:" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + start_service --background ${NAME}