From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH 1/4] [V2] zabbix_agentd: Update to v5.0.10 (LTS) Date: Mon, 12 Apr 2021 13:23:01 +0200 Message-ID: <1beb8e64-838b-b31b-03e2-dcfc024f2e28@ipfire.org> In-Reply-To: <856FB294-FFE3-4AF6-9BD4-3CAAEB6C9120@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5545465127246940867==" List-Id: --===============5545465127246940867== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, On 12/04/2021 12:27, Michael Tremer wrote: > Hello Adolf, >=20 > You can use the Reviewed-by: tag to mark a patch as reviewed by you: >=20 > https://wiki.ipfire.org/devel/git/tags I wasn't sure if I was OK for me to use the reviewed tag or if it was limited= to specific people. I will use it in future now when I do a review of a patc= h. Regards, Adolf. >=20 > -Michael >=20 >> On 9 Apr 2021, at 20:25, Adolf Belka wrote: >> >> Hi Robin, >> >> I am not knowledgeable enough about zabbix to make any comment about the c= onf file changes other than that I could follow your explanations of why they= were being done. >> >> The lfs file changes look perfect to me. >> >> A general comment I would make is that when you want to do a v2 version th= en if you enter >> >> git patch-format -v2 -o ..... then the patches will be created automatical= ly as [PATCH v2 1/3]. >> >> Note it is lower case v >> >> Regards, >> >> Adolf >> >> On 07/04/2021 22:44, Robin Roevens wrote: >>> - Update from 4.2.6 to latest LTS version 5.0.10 >>> See release notes: https://www.zabbix.com/rn/rn5.0.10 >>> >>> Signed-off-by: Robin Roevens >>> --- >>> config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++-- >>> lfs/zabbix_agentd | 11 ++- >>> 2 files changed, 121 insertions(+), 14 deletions(-) >>> >>> diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agen= td/zabbix_agentd.conf >>> index 21b8e0122..4d6c4c154 100644 >>> --- a/config/zabbix_agentd/zabbix_agentd.conf >>> +++ b/config/zabbix_agentd/zabbix_agentd.conf >>> @@ -63,14 +63,33 @@ LogFileSize=3D0 >>> # Default: >>> # SourceIP=3D >>> -### Option: EnableRemoteCommands >>> -# Whether remote commands from Zabbix server are allowed. >>> -# 0 - not allowed >>> -# 1 - allowed >>> +### Option: AllowKey >>> +# Allow execution of item keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination with DenyKe= y. >>> +# Key pattern is wildcard expression, which support "*" character to mat= ch any number of any characters in certain position. It might be used in both= key name and key arguments. >>> +# Parameters are processed one by one according their appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>> +# >>> +# Mandatory: no >>> + >>> +### Option: DenyKey >>> +# Deny execution of items keys matching pattern. >>> +# Multiple keys matching rules may be defined in combination with AllowK= ey. >>> +# Key pattern is wildcard expression, which support "*" character to mat= ch any number of any characters in certain position. It might be used in both= key name and key arguments. >>> +# Parameters are processed one by one according their appearance order. >>> +# If no AllowKey or DenyKey rules defined, all keys are allowed. >>> +# Unless another system.run[*] rule is specified DenyKey=3Dsystem.= run[*] is added by default. >>> # >>> # Mandatory: no >>> # Default: >>> -# EnableRemoteCommands=3D0 >>> +# DenyKey=3Dsystem.run[*] >>> + >>> +### Option: EnableRemoteCommands - Deprecated, use AllowKey=3Dsystem.run= [*] or DenyKey=3Dsystem.run[*] instead >>> +# Internal alias for AllowKey/DenyKey parameters depending on value: >>> +# 0 - DenyKey=3Dsystem.run[*] >>> +# 1 - AllowKey=3Dsystem.run[*] >>> +# >>> +# Mandatory: no >>> ### Option: LogRemoteCommands >>> # Enable logging of executed shell commands as warnings. >>> @@ -177,6 +196,28 @@ ServerActive=3D127.0.0.1 >>> # Default: >>> # HostMetadataItem=3D >>> +### Option: HostInterface >>> +# Optional parameter that defines host interface. >>> +# Host interface is used at host auto-registration process. >>> +# An agent will issue an error and not start if the value is over limit = of 255 characters. >>> +# If not defined, value will be acquired from HostInterfaceItem. >>> +# >>> +# Mandatory: no >>> +# Range: 0-255 characters >>> +# Default: >>> +# HostInterface=3D >>> + >>> +### Option: HostInterfaceItem >>> +# Optional parameter that defines an item used for getting host interfac= e. >>> +# Host interface is used at host auto-registration process. >>> +# During an auto-registration request an agent will log a warning messag= e if >>> +# the value returned by specified item is over limit of 255 characters. >>> +# This option is only used when HostInterface is not defined. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# HostInterfaceItem=3D >>> + >>> ### Option: RefreshActiveChecks >>> # How often list of active checks is refreshed, in seconds. >>> # >>> @@ -265,7 +306,6 @@ ServerActive=3D127.0.0.1 >>> Include=3D/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> - >>> ####### USER-DEFINED MONITORED PARAMETERS ####### >>> ### Option: UnsafeUserParameters >>> @@ -299,7 +339,7 @@ Include=3D/etc/zabbix_agentd/zabbix_agentd.d/*.conf >>> # >>> # Mandatory: no >>> # Default: >>> -# LoadModulePath=3D/usr/lib/modules >>> +# LoadModulePath=3D${libdir}/modules >>> LoadModulePath=3D/usr/lib/zabbix >>> @@ -357,14 +397,14 @@ LoadModulePath=3D/usr/lib/zabbix >>> # TLSCRLFile=3D >>> ### Option: TLSServerCertIssuer >>> -# Allowed server certificate issuer. >>> +# Allowed server certificate issuer. >>> # >>> # Mandatory: no >>> # Default: >>> # TLSServerCertIssuer=3D >>> ### Option: TLSServerCertSubject >>> -# Allowed server certificate subject. >>> +# Allowed server certificate subject. >>> # >>> # Mandatory: no >>> # Default: >>> @@ -397,3 +437,69 @@ LoadModulePath=3D/usr/lib/zabbix >>> # Mandatory: no >>> # Default: >>> # TLSPSKFile=3D >>> + >>> +####### For advanced users - TLS ciphersuite selection criteria ####### >>> + >>> +### Option: TLSCipherCert13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for certificate-ba= sed encryption. >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert13=3D >>> + >>> +### Option: TLSCipherCert >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for certificate-ba= sed encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SH= A256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherCert=3D >>> + >>> +### Option: TLSCipherPSK13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for PSK-based encr= yption. >>> +# Example: >>> +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK13=3D >>> + >>> +### Option: TLSCipherPSK >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for PSK-based encr= yption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SH= A256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL >>> +# Example for OpenSSL: >>> +# kECDHEPSK+AES128:kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherPSK=3D >>> + >>> +### Option: TLSCipherAll13 >>> +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. >>> +# Override the default ciphersuite selection criteria for certificate- a= nd PSK-based encryption. >>> +# Example: >>> +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_S= HA256 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll13=3D >>> + >>> +### Option: TLSCipherAll >>> +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. >>> +# Override the default ciphersuite selection criteria for certificate- a= nd PSK-based encryption. >>> +# Example for GnuTLS: >>> +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-1= 28-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 >>> +# Example for OpenSSL: >>> +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 >>> +# >>> +# Mandatory: no >>> +# Default: >>> +# TLSCipherAll=3D >>> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >>> index c69643a54..2d57b0dbe 100644 >>> --- a/lfs/zabbix_agentd >>> +++ b/lfs/zabbix_agentd >>> @@ -1,7 +1,7 @@ >>> #######################################################################= ######## >>> # = # >>> # IPFire.org - A linux based firewall = # >>> -# Copyright (C) 2007-2019 IPFire Team = # >>> +# Copyright (C) 2007-2021 IPFire Team = # >>> # = # >>> # This program is free software: you can redistribute it and/or modify = # >>> # it under the terms of the GNU General Public License as published by = # >>> @@ -24,7 +24,7 @@ >>> include Config >>> -VER =3D 4.2.6 >>> +VER =3D 5.0.10 >>> THISAPP =3D zabbix-$(VER) >>> DL_FILE =3D $(THISAPP).tar.gz >>> @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) >>> DIR_APP =3D $(DIR_SRC)/$(THISAPP) >>> TARGET =3D $(DIR_INFO)/$(THISAPP) >>> PROG =3D zabbix_agentd >>> -PAK_VER =3D 4 >>> +PAK_VER =3D 5 >>> DEPS =3D >>> #####################################################################= ########## >>> @@ -43,7 +43,7 @@ objects =3D $(DL_FILE) >>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>> -$(DL_FILE)_MD5 =3D 6cd55cd743d416d9ffbf2e6fdee680ee >>> +$(DL_FILE)_MD5 =3D 17403cce60266019f25ff53c72f0e212 >>> install : $(TARGET) >>> @@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> --prefix=3D/usr \ >>> --enable-agent \ >>> --sysconfdir=3D/etc/zabbix_agentd \ >>> - --with-openssl >>> + --with-openssl \ >>> + --with-libcurl >>> cd $(DIR_APP) && make >>> cd $(DIR_APP) && make install >=20 --===============5545465127246940867==--