From patchwork Thu Jun 30 10:15:50 2022
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 5711
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 1/6] zabbix_agentd: Update to v6.0.6 (LTS)
Date: Thu, 30 Jun 2022 12:15:50 +0200
Message-Id: <20220630101555.13438-2-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

- Update from 4.2.6 to latest LTS version 6.0.6
  See release notes: https://www.zabbix.com/rn/rn6.0.6

Signed-off-by: Robin Roevens
---
 config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++--
 lfs/zabbix_agentd                       |  11 +-
 2 files changed, 132 insertions(+), 14 deletions(-)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..aa8b899dc 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP= -### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. 
@@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem= +### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - ####### USER-DEFINED MONITORED PARAMETERS ####### ### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules LoadModulePath=/usr/lib/zabbix @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile= ### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer= ### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: 
@@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. 
+# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 63566c1a7..1b7932007 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team # +# Copyright (C) 2007-2022 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Zabbix Agent -VER = 4.2.6 +VER = 6.0.6 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS = SERVICES = zabbix_agentd 
@@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 644bb9fd3afaa26c572f97018039d564a7ce156d0bf8d2449a1d3d04fdfaca05087d71e6a5ddcf3ed13a5719256865780f180dd3488bab470816dac7af70ff09 +$(DL_FILE)_BLAKE2 = f9d07ca8938ae4e5e47048c32872644caeda0ecdef17513c63c63d1ce2aaa4ac0c92e6c70932bc598ff908419dae05bab32924f5973a5528b5668f7c7c2c5a17 install : $(TARGET) 
@@ -84,7 +84,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \ - --with-openssl + --with-openssl \ + --with-libcurl cd $(DIR_APP) && make cd $(DIR_APP) && make install
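Review bot: in config/zabbix_agentd/zabbix_agentd.conf, hunk @@ -63,14 +63,33 @@, the commit message does not mention that EnableRemoteCommands becomes a deprecated alias, which matters for configurations carried over from 4.2.6. Per the new comment text, an existing `EnableRemoteCommands=1` is read as `AllowKey=system.run[*]`, and the old `# Default: # EnableRemoteCommands=0` lines are gone, so the file no longer shows what the option defaults to. Please call the alias out in the commit message and consider keeping a visible `# Default:` line under the deprecated option.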
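Review bot: in config/zabbix_agentd/zabbix_agentd.conf, hunk @@ -397,3 +437,80 @@, the commented examples for TLSCipherCert, TLSCipherPSK and TLSCipherAll include static RSA and plain PSK key exchange, AES-128-CBC and SHA1 (for instance `EECDH+aRSA+AES128:RSA+aRSA+AES128`), and they sit in the file IPFire installs as the live configuration, where a reader is likely to uncomment them as-is. Please add a line saying they illustrate syntax only, or leave this "advanced users" section out of the default file. Minor: the last block is headed `## Option: ListenBacklog` while every other option uses `###`.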
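Review bot: in lfs/zabbix_agentd, hunk @@ -47,7 +47,7 @@, the new `$(DL_FILE)_BLAKE2` value cannot be checked against anything in this mail: the commit message links only the release notes, and DL_FROM points at $(URL_IPFIRE) rather than at upstream. Please state in the commit message where the zabbix-$(VER) tarball was fetched from and which upstream checksum or signature it was verified against before the BLAKE2 sum was computed.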
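Review bot: in lfs/zabbix_agentd, hunk @@ -84,7 +84,8 @@, `--with-libcurl` is added without explanation: the commit message only says "Update from 4.2.6 to latest LTS version 6.0.6", and `DEPS =` stays empty in the @@ -34,7 +34,7 @@ hunk. Please say which agent feature needs libcurl and confirm the library is always present on the target system, or list it as a dependency.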
From patchwork Thu Jun 30 10:15:51 2022
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 5715
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 2/6] zabbix_agentd: Fix agent modules dir and few minor bugs
Date: Thu, 30 Jun 2022 12:15:51 +0200
Message-Id: <20220630101555.13438-3-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

- Add agent modules-dir to backup
- Remove original, not used agent modules dir from rootfile
- Create modules-dir during install if it not already exists
- bugfix: Add existence check before creating log-dir, avoiding error messages if it already
exists from a previous install - bugfix: add extract_backup_includes to update.sh script to make sure backup includes exist when backup is taken. Signed-off-by: Robin Roevens --- config/backup/includes/zabbix_agentd | 3 ++- config/rootfiles/packages/zabbix_agentd | 2 +- src/paks/zabbix_agentd/install.sh | 4 ++-- src/paks/zabbix_agentd/update.sh | 1 + 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index cba18d772..d3305cb96 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,3 @@ /etc/sudoers.d/zabbix -/etc/zabbix_agentd/* +/etc/zabbix_agentd/ +/usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 4420bda05..d9bbc3ccf 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -8,7 +8,7 @@ etc/zabbix_agentd/zabbix_agentd.d etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf usr/bin/zabbix_get usr/bin/zabbix_sender -usr/lib/modules +#usr/lib/modules usr/lib/zabbix usr/sbin/zabbix_agentd #usr/share/man/man1/zabbix_get.1 diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index e1450a1d8..cf435918d 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -39,8 +39,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd # Create additonal directories and set permissions -mkdir -pv /var/log/zabbix -chown zabbix.zabbix /var/log/zabbix +[ -d /var/log/zabbix ] || ( mkdir -pv /var/log/zabbix && chown zabbix.zabbix /var/log/zabbix ) +[ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix ) restore_backup ${NAME} start_service --background ${NAME} 
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 7fc1c96fb..68bba4f80 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh 
@@ -22,6 +22,7 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh +extract_backup_includes ./uninstall.sh ./install.sh
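Review bot: in config/backup/includes/zabbix_agentd, hunk @@ -1,2 +1,3 @@, adding `/usr/lib/zabbix/` puts agent modules into the configuration backup, and install.sh runs `restore_backup ${NAME}` on every install and update, so modules built for an older agent are copied back next to a newer one. Please explain in the commit message why binaries belong in this backup, or limit the include list to configuration files.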
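Review bot: in src/paks/zabbix_agentd/install.sh, hunk @@ -39,8 +39,8 @@, the second added line hands /usr/lib/zabbix to the zabbix account, and patch 1/6 sets `LoadModulePath=/usr/lib/zabbix`, so that account can write into the directory the agent loads modules from. I would create the module directory with mkdir only and leave it root-owned. Separately, with `[ -d /var/log/zabbix ] ||` in front, the chown no longer runs when the directory already exists, so wrong ownership left by an earlier install is not repaired; `mkdir -p` already succeeds on an existing directory, so the guard is not needed to avoid an error. `chown zabbix.zabbix` should also be written `zabbix:zabbix`.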
From patchwork Thu Jun 30 10:15:52 2022
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 5712
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 3/6] zabbix_agentd: Configfile reorganization
Date: Thu, 30 Jun 2022 12:15:52 +0200
Message-Id: <20220630101555.13438-4-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

- Restrict default main config to only the bare minimum options and add upstream provided config as example file.
- Remove /etc/zabbix_agentd from backup and instead add only zabbix_agentd.conf and subdirs 'scripts' and 'zabbix_agentd.d' to the backup.
- Move ipfire managed userparameter_pakfire.conf from user managed dir /etc/zabbix_agentd/zabbix_agent.d to ipfire managed dir /var/ipfire/zabbix_agentd/userparameters - Add Include line to existing zabbix_agentd.conf to include the new ipfire managed config dir /var/ipfire/zabbix_agentd/... - Add and include mandatory IPFire specific agent configuration which should never be changed by the user. Signed-off-by: Robin Roevens --- config/backup/includes/zabbix_agentd | 4 +- config/rootfiles/packages/zabbix_agentd | 6 +- config/zabbix_agentd/zabbix_agentd.conf | 522 +----------------- .../zabbix_agentd_ipfire_mandatory.conf | 11 + lfs/zabbix_agentd | 11 +- src/paks/zabbix_agentd/install.sh | 34 ++ 6 files changed, 78 insertions(+), 510 deletions(-) create mode 100644 config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index d3305cb96..4be365297 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,3 +1,5 @@ /etc/sudoers.d/zabbix -/etc/zabbix_agentd/ +/etc/zabbix_agentd/zabbix_agentd.conf +/etc/zabbix_agentd/scripts/ +/etc/zabbix_agentd/zabbix_agentd.d/ /usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index d9bbc3ccf..c6e0c5634 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -4,8 +4,8 @@ etc/sudoers.d/zabbix etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf +etc/zabbix_agentd/zabbix_agentd.conf.example etc/zabbix_agentd/zabbix_agentd.d -etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules 
@@ -15,4 +15,8 @@ usr/sbin/zabbix_agentd #usr/share/man/man1/zabbix_sender.1 #usr/share/man/man8/zabbix_agentd.8 var/ipfire/backup/addons/includes/zabbix_agentd +var/ipfire/zabbix_agentd +var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf +var/ipfire/zabbix_agentd/userparameters +var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf #var/log/zabbix diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index aa8b899dc..e1aafc584 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf 
@@ -1,516 +1,24 @@ # This is a configuration file for Zabbix agent daemon (Unix) # To get more information about Zabbix, visit http://www.zabbix.com - -############ GENERAL PARAMETERS ################# - -### Option: PidFile -# Name of PID file. -# -# Mandatory: no -# Default: -# PidFile=/tmp/zabbix_agentd.pid - -PidFile=/var/run/zabbix/zabbix_agentd.pid - -### Option: LogType -# Specifies where log messages are written to: -# system - syslog -# file - file specified with LogFile parameter -# console - standard output -# -# Mandatory: no -# Default: -# LogType=file - -### Option: LogFile -# Log file name for LogType 'file' parameter. # -# Mandatory: yes, if LogType is set to file, otherwise no -# Default: -# LogFile= +# For possible configuration options, +# see /etc/zabbix_agentd/zabbix_agentd.conf.example -LogFile=/var/log/zabbix/zabbix_agentd.log - -### Option: LogFileSize -# Maximum size of log file in MB. -# 0 - disable automatic log rotation. -# -# Mandatory: no -# Range: 0-1024 -# Default: -# LogFileSize=1 - -LogFileSize=0 - -### Option: DebugLevel -# Specifies debug level: -# 0 - basic information about starting and stopping of Zabbix processes -# 1 - critical information -# 2 - error information -# 3 - warnings -# 4 - for debugging (produces lots of information) -# 5 - extended debugging (produces even more information) -# -# Mandatory: no -# Range: 0-5 -# Default: -# DebugLevel=3 - -### Option: SourceIP -# Source IP address for outgoing connections. -# -# Mandatory: no -# Default: -# SourceIP= - -### Option: AllowKey -# Allow execution of item keys matching pattern. -# Multiple keys matching rules may be defined in combination with DenyKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. 
-# -# Mandatory: no - -### Option: DenyKey -# Deny execution of items keys matching pattern. -# Multiple keys matching rules may be defined in combination with AllowKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. -# -# Mandatory: no -# Default: -# DenyKey=system.run[*] - -### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead -# Internal alias for AllowKey/DenyKey parameters depending on value: -# 0 - DenyKey=system.run[*] -# 1 - AllowKey=system.run[*] -# -# Mandatory: no - -### Option: LogRemoteCommands -# Enable logging of executed shell commands as warnings. -# 0 - disabled -# 1 - enabled -# -# Mandatory: no -# Default: -# LogRemoteCommands=0 - -##### Passive checks related - -### Option: Server -# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. -# Incoming connections will be accepted only from the hosts listed here. -# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally -# and '::/0' will allow any IPv4 or IPv6 address. -# '0.0.0.0/0' can be used to allow any IPv4 address. 
-# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com -# -# Mandatory: yes, if StartAgents is not explicitly set to 0 -# Default: -# Server= +# To make sure all Zabbix configuration is correctly included in IPFire backups: +# - Put custom userparameters in /etc/zabbix_agentd/zabbix_agentd.d/*.conf +# - Put custom scripts in /etc/zabbix_agentd/scripts +# - Put custom modules in /usr/lib/zabbix +# Set your Zabbix Server IP or hostname here (Passive and/or Active): Server=127.0.0.1 - -### Option: ListenPort -# Agent will listen on this port for connections from the server. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# ListenPort=10050 - -### Option: ListenIP -# List of comma delimited IP addresses that the agent should listen on. -# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. -# -# Mandatory: no -# Default: -# ListenIP=0.0.0.0 - -### Option: StartAgents -# Number of pre-forked instances of zabbix_agentd that process passive checks. -# If set to 0, disables passive checks and the agent will not listen on any TCP port. -# -# Mandatory: no -# Range: 0-100 -# Default: -# StartAgents=3 - -##### Active checks related - -### Option: ServerActive -# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks. -# If port is not specified, default port is used. -# IPv6 addresses must be enclosed in square brackets if port for that host is specified. -# If port is not specified, square brackets for IPv6 addresses are optional. -# If this parameter is not specified, active checks are disabled. -# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] -# -# Mandatory: no -# Default: -# ServerActive= - ServerActive=127.0.0.1 -### Option: Hostname -# Unique, case sensitive hostname. -# Required for active checks and must match hostname as configured on the server. -# Value is acquired from HostnameItem if undefined. 
-# -# Mandatory: no -# Default: -# Hostname= - -### Option: HostnameItem -# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. -# Does not support UserParameters or aliases. -# -# Mandatory: no -# Default: -# HostnameItem=system.hostname - -### Option: HostMetadata -# Optional parameter that defines host metadata. -# Host metadata is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostMetadataItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostMetadata= - -### Option: HostMetadataItem -# Optional parameter that defines an item used for getting host metadata. -# Host metadata is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostMetadata is not defined. -# -# Mandatory: no -# Default: -# HostMetadataItem= - -### Option: HostInterface -# Optional parameter that defines host interface. -# Host interface is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostInterfaceItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostInterface= - -### Option: HostInterfaceItem -# Optional parameter that defines an item used for getting host interface. -# Host interface is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostInterface is not defined. -# -# Mandatory: no -# Default: -# HostInterfaceItem= - -### Option: RefreshActiveChecks -# How often list of active checks is refreshed, in seconds. 
-# -# Mandatory: no -# Range: 60-3600 -# Default: -# RefreshActiveChecks=120 - -### Option: BufferSend -# Do not keep data longer than N seconds in buffer. -# -# Mandatory: no -# Range: 1-3600 -# Default: -# BufferSend=5 - -### Option: BufferSize -# Maximum number of values in a memory buffer. The agent will send -# all collected data to Zabbix Server or Proxy if the buffer is full. -# -# Mandatory: no -# Range: 2-65535 -# Default: -# BufferSize=100 - -### Option: MaxLinesPerSecond -# Maximum number of new lines the agent will send per second to Zabbix Server -# or Proxy processing 'log' and 'logrt' active checks. -# The provided value will be overridden by the parameter 'maxlines', -# provided in 'log' or 'logrt' item keys. -# -# Mandatory: no -# Range: 1-1000 -# Default: -# MaxLinesPerSecond=20 - -############ ADVANCED PARAMETERS ################# - -### Option: Alias -# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. -# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. -# Different Alias keys may reference the same item key. -# For example, to retrieve the ID of user 'zabbix': -# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] -# Now shorthand key zabbix.userid may be used to retrieve data. -# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. -# -# Mandatory: no -# Range: -# Default: +# This line activates IPFire specific userparameters. +# See IPFire wiki for details. +# To deactivate them: Comment this line out. +# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade) +Include=/var/ipfire/zabbix_agentd/userparameters/*.conf -### Option: Timeout -# Spend no more than Timeout seconds on processing -# -# Mandatory: no -# Range: 1-30 -# Default: -# Timeout=3 - -### Option: AllowRoot -# Allow the agent to run as 'root'. 
If disabled and the agent is started by 'root', the agent -# will try to switch to the user specified by the User configuration option instead. -# Has no effect if started under a regular user. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Default: -# AllowRoot=0 - -### Option: User -# Drop privileges to a specific, existing user on the system. -# Only has effect if run as 'root' and AllowRoot is disabled. -# -# Mandatory: no -# Default: -# User=zabbix - -### Option: Include -# You may include individual files or all files in a directory in the configuration file. -# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. -# -# Mandatory: no -# Default: -# Include= - -Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - -####### USER-DEFINED MONITORED PARAMETERS ####### - -### Option: UnsafeUserParameters -# Allow all characters to be passed in arguments to user-defined parameters. -# The following characters are not allowed: -# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ -# Additionally, newline characters are not allowed. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Range: 0-1 -# Default: -# UnsafeUserParameters=0 - -### Option: UserParameter -# User-defined parameter to monitor. There can be several user-defined parameters. -# Format: UserParameter=, -# See 'zabbix_agentd' directory for examples. -# -# Mandatory: no -# Default: -# UserParameter= - -####### LOADABLE MODULES ####### - -### Option: LoadModulePath -# Full path to location of agent modules. -# Default depends on compilation options. -# To see the default path run command "zabbix_agentd --help". -# -# Mandatory: no -# Default: -# LoadModulePath=${libdir}/modules - -LoadModulePath=/usr/lib/zabbix - -### Option: LoadModule -# Module to load at agent startup. Modules are used to extend functionality of the agent. 
-# Formats: -# LoadModule= -# LoadModule= -# LoadModule= -# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. -# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. -# It is allowed to include multiple LoadModule parameters. -# -# Mandatory: no -# Default: -# LoadModule= - -####### TLS-RELATED PARAMETERS ####### - -### Option: TLSConnect -# How the agent should connect to server or proxy. Used for active checks. -# Only one value can be specified: -# unencrypted - connect without encryption -# psk - connect using TLS and a pre-shared key -# cert - connect using TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSConnect=unencrypted - -### Option: TLSAccept -# What incoming connections to accept. -# Multiple values can be specified, separated by comma: -# unencrypted - accept connections without encryption -# psk - accept connections secured with TLS and a pre-shared key -# cert - accept connections secured with TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSAccept=unencrypted - -### Option: TLSCAFile -# Full pathname of a file containing the top-level CA(s) certificates for -# peer certificate verification. -# -# Mandatory: no -# Default: -# TLSCAFile= - -### Option: TLSCRLFile -# Full pathname of a file containing revoked certificates. -# -# Mandatory: no -# Default: -# TLSCRLFile= - -### Option: TLSServerCertIssuer -# Allowed server certificate issuer. -# -# Mandatory: no -# Default: -# TLSServerCertIssuer= - -### Option: TLSServerCertSubject -# Allowed server certificate subject. -# -# Mandatory: no -# Default: -# TLSServerCertSubject= - -### Option: TLSCertFile -# Full pathname of a file containing the agent certificate or certificate chain. 
-# -# Mandatory: no -# Default: -# TLSCertFile= - -### Option: TLSKeyFile -# Full pathname of a file containing the agent private key. -# -# Mandatory: no -# Default: -# TLSKeyFile= - -### Option: TLSPSKIdentity -# Unique, case sensitive string used to identify the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKIdentity= - -### Option: TLSPSKFile -# Full pathname of a file containing the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKFile= - -####### For advanced users - TLS ciphersuite selection criteria ####### - -### Option: TLSCipherCert13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# -# Mandatory: no -# Default: -# TLSCipherCert13= - -### Option: TLSCipherCert -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128 -# -# Mandatory: no -# Default: -# TLSCipherCert= - -### Option: TLSCipherPSK13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example: -# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherPSK13= - -### Option: TLSCipherPSK -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL -# Example for OpenSSL: -# kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherPSK= - -### Option: TLSCipherAll13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. 
-# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example: -# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherAll13= - -### Option: TLSCipherAll -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherAll= - -####### For advanced users - TCP-related fine-tuning parameters ####### - -## Option: ListenBacklog -# The maximum number of pending connections in the queue. This parameter is passed to -# listen() function as argument 'backlog' (see "man listen"). -# -# Mandatory: no -# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) -# Default: SOMAXCONN (hard-coded constant, depends on system) -# ListenBacklog= +# Mandatory Zabbix Agent configuration to start and run on IPFire correctly +# DO NOT REMOVE OR MODIFY THIS LINE: +Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ No newline at end of file diff --git a/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf new file mode 100644 index 000000000..c6be948be --- /dev/null +++ b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf 
@@ -0,0 +1,11 @@ +PidFile=/var/run/zabbix/zabbix_agentd.pid + +# Log rotation is managed by logrotate +LogFile=/var/log/zabbix/zabbix_agentd.log +LogFileSize=0 + +# These paths are included in the IPFire backups. Do not put user modules +# or configuration files in other locations if you want them included in the +# backups. +LoadModulePath=/usr/lib/zabbix +Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 1b7932007..025a0f0db 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -94,10 +94,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d -mkdir -pv /etc/zabbix_agentd/scripts + # Move upstream supplied config out of the way for reference + # and install our own version of the config. + -mv /etc/zabbix_agentd/zabbix_agentd.conf \ + /etc/zabbix_agentd/zabbix_agentd.conf.example install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \ /etc/zabbix_agentd/zabbix_agentd.conf + + # Install IPFire-specific Zabbix Agent config + -mkdir -pv /var/ipfire/zabbix_agentd/userparameters + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ + /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ - /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf + /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index cf435918d..3ffff10c1 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh 
@@ -43,4 +43,38 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd [ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix ) restore_backup ${NAME} + +# Check if old IPFire specifc userparameters exist and move out of the way +if [ -f /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf ]; then + mv /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf.save +fi + +# Check if new IPFire specific config is included in restored config +# and add if required. +grep -q "Include=/var/ipfire/zabbix_agentd/userparameters/\*.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? -eq 1 ]; then + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# This line activates IPFire specific userparameters. " >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# See IPFire wiki for details." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# To deactivate them: Comment this line out." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/userparameters/*.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + +grep -q "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? 
-eq 1 ]; then + # Remove settings that are now in our own config + sed -i -e "\|^PidFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LogFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LogFileSize=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^LoadModulePath=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "\|^Include=/etc/zabbix_agentd/zabbix_agentd\.d/\*\.conf$|d" /etc/zabbix_agentd/zabbix_agentd.conf + # Include our own config in main config + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# Mandatory Zabbix Agent configuration to start and run on IPFire correctly" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# DO NOT REMOVE OR MODIFY THIS LINE:" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + start_service --background ${NAME}
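Review bot: The new config/zabbix_agentd/zabbix_agentd.conf ends with the mandatory `Include=` line and no trailing newline (`\ No newline at end of file`), and zabbix_agentd_ipfire_mandatory.conf ends the same way. install.sh guards its own appends with `echo ""`, but anything else that appends a setting with `>>` would join it to the Include path and break the one line the file says must not be modified. End both files with a newline.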
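Review bot: In the lfs/zabbix_agentd hunk, the new `-mv /etc/zabbix_agentd/zabbix_agentd.conf ... zabbix_agentd.conf.example` ignores failure because of the leading `-`. The rootfile now lists etc/zabbix_agentd/zabbix_agentd.conf.example and the new default config points users at that file, so a failed move should stop the build instead of passing silently; drop the `-` on this line. The `-mkdir -pv /var/ipfire/zabbix_agentd/userparameters` that follows could be an `install -d` with an explicit mode, so the directory holding the userparameters the agent executes does not depend on the build umask.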
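Review bot: In the src/paks/zabbix_agentd/install.sh hunk, both checks run `grep -q` and then test `[ $? -eq 1 ]`, so exit status 2 (config file missing or unreadable after restore_backup) is handled the same as "Include already present" and nothing is repaired; `if ! grep -q ...; then` states the intent directly. The patterns are also unanchored, so a commented-out `#Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf` counts as present. That matches the documented way to disable the userparameters line, but for the mandatory include it leaves the agent without the PidFile and LogFile settings, so consider anchoring the second check with `^Include=`. The sed block also rewrites the restored user config in place without keeping a copy, unlike userparameter_pakfire.conf, which is kept as `.save`; `sed -i.bak` or a single `cp` before the five edits would make the migration reversible. Its last pattern only matches the exact line, so an old Include with trailing whitespace survives and zabbix_agentd.d/*.conf ends up included twice.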
From patchwork Thu Jun 30 10:15:53 2022
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 5714
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 4/6] zabbix_agentd: Sudoers file reorganization
Date: Thu, 30 Jun 2022 12:15:53 +0200
Message-Id: <20220630101555.13438-5-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

- Remove sudoers file 'zabbix' in favour of new IPFire managed 'zabbix_agentd' and user managed 'zabbix_agentd_user' which is included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens --- config/backup/includes/zabbix_agentd | 4 ++-- config/rootfiles/packages/zabbix_agentd | 3 ++- config/zabbix_agentd/sudoers | 14 ++++---------- config/zabbix_agentd/sudoers_user | 16 ++++++++++++++++ lfs/zabbix_agentd | 4 +++- src/paks/zabbix_agentd/update.sh | 22 ++++++++++++++++++---- 6 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 config/zabbix_agentd/sudoers_user diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index 4be365297..834766992 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,5 +1,5 @@ -/etc/sudoers.d/zabbix +/etc/sudoers.d/zabbix_agentd_user /etc/zabbix_agentd/zabbix_agentd.conf /etc/zabbix_agentd/scripts/ /etc/zabbix_agentd/zabbix_agentd.d/ -/usr/lib/zabbix/ +/usr/lib/zabbix/ \ No newline at end of file diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index c6e0c5634..b5325c636 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -1,6 +1,7 @@ etc/logrotate.d/zabbix_agentd etc/rc.d/init.d/zabbix_agentd -etc/sudoers.d/zabbix +etc/sudoers.d/zabbix_agentd +etc/sudoers.d/zabbix_agentd_user etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..cb4263ff6 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers 
@@ -1,17 +1,11 @@ # Include file for sudoers file # -# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) -# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo) # -# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not +# included in the backup. # -# Some hints: -# - It is strongly recommended to edit this file only using the visudo -f command. If you mess up this file, -# you might end up locking yourself out of your system! -# - Append the full path incl. parameters to each command, using "," as separator. -# - Only add commands you really need. Zabbix should not have more rights than it has to. -# -# Append / edit the following list of commands to fit your needs: +# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user new file mode 100644 index 000000000..61cbc417b --- /dev/null +++ b/config/zabbix_agentd/sudoers_user 
@@ -0,0 +1,16 @@ +# Include file for sudoers file +# +# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) +# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# +# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# +# Some hints: +# - It is strongly recommended to edit this file only using the visudo -f command. If you mess up this file, +# you might end up locking yourself out of your system! +# - Append the full path incl. parameters to each command, using "," as separator. +# - Only add commands you really need. Zabbix should not have more rights than it has to. +# +# Uncomment the following line and edit the example of commands to fit your needs: + +#zabbix ALL=(ALL) NOPASSWD: , , ... diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 025a0f0db..f8fbdae5e 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install sudoers include file install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ - /etc/sudoers.d/zabbix + /etc/sudoers.d/zabbix_agentd + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \ + /etc/sudoers.d/zabbix_agentd_user # Install include file for backup install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 68bba4f80..a41e72ab4 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh 
@@ -22,11 +22,25 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Check if old sudoers file exists and remove if it was not modified +# or rename to the new zabbix_agentd_user file if it was. +if [ -f /etc/sudoers.d/zabbix.user ]; then + mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix +fi + +if [ -f /etc/sudoers.d/zabbix ]; then + blake2=$(b2sum /etc/sudoers.d/zabbix | cut -f1 -d" ") + # from commits 5737a22 & 06fc617 + if [ "$blake2" == "b0f73b107fd3842efc7ef3e30f6d948235aa07d533715476c2d3f58c08379193fdde9ff69aa6e0f5eb6cf4a98b2ed2a6f003f23078a57aff239b34cc29e62a98" ] || \ + [ "$blake2" == "0628c416a1f217b0962a8ce6d1e339bdb0f0427d86fc06b2e40b63487ffc1a3543562d16f7f954d7fb92cee9764f0261c1663a39dd50bc73fd9b772575c56cfc" ]; then + rm -vf /etc/sudoers.d/zabbix + else + mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user + fi +fi + extract_backup_includes ./uninstall.sh ./install.sh -# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix -if [ -e /etc/sudoers.d/zabbix.user ]; then - mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix -fi
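Review bot: in the src/paks/zabbix_agentd/update.sh hunk, the else branch moves a locally modified /etc/sudoers.d/zabbix to /etc/sudoers.d/zabbix_agentd_user without checking that it still parses, and it does so before ./uninstall.sh and ./install.sh run, while the lfs/zabbix_agentd hunk makes the package ship its own /etc/sudoers.d/zabbix_agentd_user. Please confirm that the migrated file is what remains after install.sh and is not replaced by the commented-out template, and consider running visudo -cf on the old file before the mv so that a broken user file is reported instead of being carried over under the new name.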
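Review bot: in the new config/zabbix_agentd/sudoers_user template, the example rule `#zabbix ALL=(ALL) NOPASSWD: , , ...` uses the (ALL) runas list, so anyone who uncomments it grants each listed command as every user, although the header says the file is for commands that only run as root. Suggest (root) in the example so that it matches the hint "Zabbix should not have more rights than it has to", and fix "USE AT YOU'RE OWN RISK" to "YOUR" while the text is being moved into the new file.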
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 5/6] zabbix_agentd: By default only listen on GREEN ip
Date: Thu, 30 Jun 2022 12:15:54 +0200
Message-Id: <20220630101555.13438-6-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

- Change zabbix_agentd.conf during install to only listen on the GREEN ip by default.

Signed-off-by: Robin Roevens
---
 config/zabbix_agentd/zabbix_agentd.conf | 3 +++
 src/paks/zabbix_agentd/install.sh | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index e1aafc584..4480e43f2 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -13,6 +13,9 @@ Server=127.0.0.1 ServerActive=127.0.0.1 +# List of comma delimited IP addresses that the agent should listen on. +ListenIP=GREEN_ADDRESS + # This line activates IPFire specific userparameters. # See IPFire wiki for details. # To deactivate them: Comment this line out. diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 3ffff10c1..80632d1ec 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh 
@@ -77,4 +77,14 @@ if [ $? -eq 1 ]; then echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf fi +# By default, only listen on GREEN +( + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) + if [ -n "${GREEN_ADDRESS}" ]; then + sed -i -e "s|ListenIP=GREEN_ADDRESS|ListenIP=${GREEN_ADDRESS}|g" /etc/zabbix_agentd/zabbix_agentd.conf + else + sed -i -e "\|ListenIP=GREEN_ADDRESS|d" /etc/zabbix_agentd/zabbix_agentd.conf + fi +) || : + start_service --background ${NAME}
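Review bot: in the src/paks/zabbix_agentd/install.sh hunk, the else branch deletes the ListenIP line when GREEN_ADDRESS is empty, so in that case the agent runs with no ListenIP restriction at all, which contradicts the "By default, only listen on GREEN" comment above it; falling back to 127.0.0.1 (already the shipped value for Server and ServerActive) or at least printing a message would make that outcome explicit. The trailing `) || :` also hides a failing readhash or sed and can leave the literal ListenIP=GREEN_ADDRESS in the config, and `eval $(...)` should be `eval "$(...)"` so that the settings output is not word-split before it is evaluated.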
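Review bot: in the config/zabbix_agentd/zabbix_agentd.conf hunk, ListenIP=GREEN_ADDRESS is a placeholder rather than a valid address, but the added comment only describes the option itself. Please state in the comment that install.sh replaces GREEN_ADDRESS at install time, so that a copy of the file put in place without running install.sh is recognisably incomplete.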
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v5 6/6] zabbix_agentd: Add IPFire specific userparameters
Date: Thu, 30 Jun 2022 12:15:55 +0200
Message-Id: <20220630101555.13438-7-robin.roevens@disroot.org>
In-Reply-To: <20220630101555.13438-1-robin.roevens@disroot.org>
References: <20220630101555.13438-1-robin.roevens@disroot.org>

Provide IPFire specific items for the Zabbix server to monitor:
- ipfire.net.gateway.pingtime: Internet Line Quality
- ipfire.net.gateway.ping: Internet connection
- ipfire.net.fw.hits.raw: JSON formatted list of Firewall hits/chain
- ipfire.dhcpd.clients: Number of active DHCP leases
- ipfire.captive.clients:
Number of Captive Portal clients Signed-off-by: Robin Roevens --- config/rootfiles/packages/zabbix_agentd | 1 + config/zabbix_agentd/sudoers | 2 +- config/zabbix_agentd/userparameter_ipfire.conf | 12 ++++++++++++ lfs/zabbix_agentd | 5 ++++- 4 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 config/zabbix_agentd/userparameter_ipfire.conf diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index b5325c636..6f2c831d7 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -20,4 +20,5 @@ var/ipfire/zabbix_agentd var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf #var/log/zabbix diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index cb4263ff6..2d71ae78f 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -8,4 +8,4 @@ # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf new file mode 100644 index 000000000..10c09c25d --- /dev/null +++ b/config/zabbix_agentd/userparameter_ipfire.conf 
@@ -0,0 +1,12 @@ +# Parameters for monitoring IPFire specific metrics +# +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +# Internet Gateway availability, can be used to check Internet connection +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +# Firewall Filter Forward chain drops in bytes/chain (JSON), can be used for discovery of firewall chains and monitoring of firewall hits on each chain +UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "\/\* DROP_.* \*\/$" | awk 'BEGIN { ORS = ""; print "["} { printf "%s{\"chain\": \"%s\", \"bytes\": \"%s\"}", separator, substr($11, 6), $2; separator = ", "; } END { print"]" }' +# Number of currently Active DHCP leases +UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l +# Number of Captive Portal clients +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index f8fbdae5e..73c5dc0b6 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -35,7 +35,8 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = + +DEPS = fping SERVICES = zabbix_agentd 
@@ -107,6 +108,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix
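Review bot: in config/zabbix_agentd/userparameter_ipfire.conf, ipfire.net.gateway.ping ends with `[ ! $? ]; echo $?`, and `[ ! $? ]` is a string test: $? always expands to a non-empty string, so the test fails for every fping exit code and the item prints 1 whether or not the gateway answered. `sudo /usr/sbin/fping -q -r 3 gateway; echo $(( ! $? ))` (or `... && echo 1 || echo 0`) reports the result as intended. The new file also ends without a trailing newline ("\ No newline at end of file").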
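Review bot: in the config/zabbix_agentd/sudoers hunk, /usr/sbin/fping and /usr/local/bin/getipstat are added without arguments, which sudoers treats as "any arguments", and under the (ALL) runas list, whereas the existing entry pins `/opt/pakfire/pakfire status`. The userparameters only ever call `fping -c 3 gateway`, `fping -q -r 3 gateway` and `getipstat -xf`, so listing exactly those command lines (and (root) as the runas user) keeps the zabbix user's sudo rights limited to what the new items need.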