From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3 1/5] zabbix_agentd: Update to v5.0.20 (LTS)
Date: Tue, 15 Feb 2022 13:22:56 +0000
Message-ID: <01DB377B-46A6-44B0-B1B5-3DB8B14EC9CC@ipfire.org>
In-Reply-To: <20220209232631.14673-2-robin.roevens@disroot.org>
Hello Robin,
Thank you for working on Zabbix and integrating it better into IPFire.
I am very happy with this, but I have my reservations about the mechanism with the “new” configuration file. I do not quite see the necessity for this since we have a package management system which will allow you to start again from scratch if you want by uninstalling the package, throwing away the backup and then installing the package again.
It would also create some unique feature around one package, but not for others which is probably more confusing than helpful.
What is your motivation for this?
-Michael
> On 9 Feb 2022, at 23:26, Robin Roevens <robin.roevens(a)disroot.org> wrote:
>
> - Update from 4.2.6 to latest LTS version 5.0.20
> See release notes: https://www.zabbix.com/rn/rn5.0.20
>
> Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
> ---
> config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++--
> lfs/zabbix_agentd | 11 +-
> 2 files changed, 132 insertions(+), 14 deletions(-)
>
> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
> index 21b8e0122..aa8b899dc 100644
> --- a/config/zabbix_agentd/zabbix_agentd.conf
> +++ b/config/zabbix_agentd/zabbix_agentd.conf
> @@ -63,14 +63,33 @@ LogFileSize=0
> # Default:
> # SourceIP=
>
> -### Option: EnableRemoteCommands
> -# Whether remote commands from Zabbix server are allowed.
> -# 0 - not allowed
> -# 1 - allowed
> +### Option: AllowKey
> +# Allow execution of item keys matching pattern.
> +# Multiple keys matching rules may be defined in combination with DenyKey.
> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +# Parameters are processed one by one according their appearance order.
> +# If no AllowKey or DenyKey rules defined, all keys are allowed.
> +#
> +# Mandatory: no
> +
> +### Option: DenyKey
> +# Deny execution of items keys matching pattern.
> +# Multiple keys matching rules may be defined in combination with AllowKey.
> +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
> +# Parameters are processed one by one according their appearance order.
> +# If no AllowKey or DenyKey rules defined, all keys are allowed.
> +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
> #
> # Mandatory: no
> # Default:
> -# EnableRemoteCommands=0
> +# DenyKey=system.run[*]
> +
> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
> +# Internal alias for AllowKey/DenyKey parameters depending on value:
> +# 0 - DenyKey=system.run[*]
> +# 1 - AllowKey=system.run[*]
> +#
> +# Mandatory: no
>
> ### Option: LogRemoteCommands
> # Enable logging of executed shell commands as warnings.
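Review bot: In the DenyKey block, the protection against remote command execution now rests on the implicit rule described in the comment ("Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default"), and the packaged file carries it only as a commented default. Consider setting DenyKey=system.run[*] explicitly in the shipped file so the restriction is visible to the admin and does not depend on implicit behaviour, keeping in mind that the rules are order-dependent. The commit message should also mention that EnableRemoteCommands is now a deprecated alias, since configurations carried over from 4.2.6 may still set it.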
> @@ -177,6 +196,28 @@ ServerActive=127.0.0.1
> # Default:
> # HostMetadataItem=
>
> +### Option: HostInterface
> +# Optional parameter that defines host interface.
> +# Host interface is used at host auto-registration process.
> +# An agent will issue an error and not start if the value is over limit of 255 characters.
> +# If not defined, value will be acquired from HostInterfaceItem.
> +#
> +# Mandatory: no
> +# Range: 0-255 characters
> +# Default:
> +# HostInterface=
> +
> +### Option: HostInterfaceItem
> +# Optional parameter that defines an item used for getting host interface.
> +# Host interface is used at host auto-registration process.
> +# During an auto-registration request an agent will log a warning message if
> +# the value returned by specified item is over limit of 255 characters.
> +# This option is only used when HostInterface is not defined.
> +#
> +# Mandatory: no
> +# Default:
> +# HostInterfaceItem=
> +
> ### Option: RefreshActiveChecks
> # How often list of active checks is refreshed, in seconds.
> #
> @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
>
> Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
>
> -
> ####### USER-DEFINED MONITORED PARAMETERS #######
>
> ### Option: UnsafeUserParameters
> @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
> #
> # Mandatory: no
> # Default:
> -# LoadModulePath=/usr/lib/modules
> +# LoadModulePath=${libdir}/modules
>
> LoadModulePath=/usr/lib/zabbix
>
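Review bot: The default comment for LoadModulePath now reads ${libdir}/modules, an unexpanded build-time variable that does not tell an admin which path the agent would actually use, while the active line below it sets LoadModulePath=/usr/lib/zabbix. Either write the resolved path in the comment or add a short remark that IPFire overrides the default with /usr/lib/zabbix.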
> @@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
> # TLSCRLFile=
>
> ### Option: TLSServerCertIssuer
> -# Allowed server certificate issuer.
> +# Allowed server certificate issuer.
> #
> # Mandatory: no
> # Default:
> # TLSServerCertIssuer=
>
> ### Option: TLSServerCertSubject
> -# Allowed server certificate subject.
> +# Allowed server certificate subject.
> #
> # Mandatory: no
> # Default:
> @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix
> # Mandatory: no
> # Default:
> # TLSPSKFile=
> +
> +####### For advanced users - TLS ciphersuite selection criteria #######
> +
> +### Option: TLSCipherCert13
> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +# Override the default ciphersuite selection criteria for certificate-based encryption.
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert13=
> +
> +### Option: TLSCipherCert
> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +# Override the default ciphersuite selection criteria for certificate-based encryption.
> +# Example for GnuTLS:
> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +# Example for OpenSSL:
> +# EECDH+aRSA+AES128:RSA+aRSA+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherCert=
> +
> +### Option: TLSCipherPSK13
> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +# Override the default ciphersuite selection criteria for PSK-based encryption.
> +# Example:
> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK13=
> +
> +### Option: TLSCipherPSK
> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +# Override the default ciphersuite selection criteria for PSK-based encryption.
> +# Example for GnuTLS:
> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
> +# Example for OpenSSL:
> +# kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherPSK=
> +
> +### Option: TLSCipherAll13
> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +# Example:
> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll13=
> +
> +### Option: TLSCipherAll
> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
> +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
> +# Example for GnuTLS:
> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
> +# Example for OpenSSL:
> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
> +#
> +# Mandatory: no
> +# Default:
> +# TLSCipherAll=
> +
> +####### For advanced users - TCP-related fine-tuning parameters #######
> +
> +## Option: ListenBacklog
> +# The maximum number of pending connections in the queue. This parameter is passed to
> +# listen() function as argument 'backlog' (see "man listen").
> +#
> +# Mandatory: no
> +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum)
> +# Default: SOMAXCONN (hard-coded constant, depends on system)
> +# ListenBacklog=
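Review bot: The example strings for TLSCipherCert, TLSCipherPSK and TLSCipherAll include +SHA1, AES-128-CBC and non-forward-secret key exchange (+RSA, +PSK, kPSK), so they should not be read as a recommended hardening set. Keeping all six TLSCipher* options commented out, as this hunk does, is the right choice; a one-line remark above the block saying that the library defaults apply when they are unset would help. Minor style point: "## Option: ListenBacklog" uses two hashes where every other option header in the file uses "### Option:".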
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index c69643a54..28fe97b4f 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 4.2.6
> +VER = 5.0.20
>
> THISAPP = zabbix-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = zabbix_agentd
> -PAK_VER = 4
> +PAK_VER = 5
> DEPS =
>
> ###############################################################################
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
> +$(DL_FILE)_MD5 = 52df25394f9a4cf83ff55278b23e6295
>
> install : $(TARGET)
>
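Review bot: The new tarball is pinned only by $(DL_FILE)_MD5, and MD5 is no longer considered collision resistant, which makes it a weak basis for verifying a source download. If the lfs framework accepts a stronger digest alongside it, please add one with this version bump; otherwise say in the commit message where the checksum was taken from.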
> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> --prefix=/usr \
> --enable-agent \
> --sysconfdir=/etc/zabbix_agentd \
> - --with-openssl
> + --with-openssl \
> + --with-libcurl
>
> cd $(DIR_APP) && make
> cd $(DIR_APP) && make install
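Review bot: --with-libcurl adds a new link-time dependency, but the commit message only mentions the version bump and DEPS stays empty in this file. Please say in the commit message what the agent needs libcurl for, and confirm that libcurl is always present on the base system so the add-on does not need an entry in DEPS.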
> --
> 2.34.1
>
>
Thread overview: 13+ messages
2022-02-09 23:26 [PATCH v3 0/5] zabbix_agentd: Update to v5.0.20 (LTS) and more Robin Roevens
2022-02-09 23:26 ` [PATCH v3 1/5] zabbix_agentd: Update to v5.0.20 (LTS) Robin Roevens
2022-02-15 13:22 ` Michael Tremer [this message]
2022-02-16 23:35 ` Robin Roevens
2022-02-20 18:10 ` Michael Tremer
2022-02-20 22:18 ` Robin Roevens
2022-02-21 11:41 ` Michael Tremer
2022-02-21 23:48 ` Robin Roevens
2022-03-01 14:02 ` Michael Tremer
2022-02-09 23:26 ` [PATCH v3 2/5] zabbix_agentd: Fix agent modules dir and few minor bugs Robin Roevens
2022-02-09 23:26 ` [PATCH v3 3/5] zabbix_agentd: Better configfile handling during update Robin Roevens
2022-02-09 23:26 ` [PATCH v3 4/5] zabbix_agentd: By default only listen on GREEN ip Robin Roevens
2022-02-09 23:26 ` [PATCH v3 5/5] zabbix_agentd: Add IPFire specific userparameters Robin Roevens