[PATCH 0/4] zabbix_agentd: new maintainer/summary

[PATCH 0/4] zabbix_agentd: new maintainer/summary

[Robin Roevens]

[-- Attachment #1: Type: text/plain, Size: 2788 bytes --]

Hi all

With this my first submission into the IPFire Project and my
implicit confirmation that I will now be the new maintainer
of the zabbix-agentd addon package.
I currently choose to only release LTS versions of the
Zabbix agent as those should contain less bugs and/or security
issues in the long term.

This set of patches does not only update the binaries (well,
the first patch only does that) but also fixes some things
that I see as problematic in previous version:
- /usr/lib/zabbix is created for users to drop custom agent
  modules in, however that dir was removed and recreated
  on update as it was not in the backup. I added it to the
  backup and prevented deletion of the directory if it is
  not empty upon uninstall, so user-added content would
  not disapear when the package is removed.
- Sometimes a new version of the agent will introduce
  new configuration parameters. In general the Zabbix Agent
  config file(s) should remain compatible, but we never
  know what the future will bring us; and the user may
  miss out on new features introduced with new parameters
  in the config file. However we don't want to plain overwrite
  the configfile as the user may (probably has) have changed
  it.
  Currently on upgrade configfiles are backed up, removed,
  new are installed, then overwritten by the old ones from
  the backup. Ending with the old config and the new agent.
  I didn't find an example of another package doing something
  similar, so I chose to save the new configfile(s) as
  .ipfirenew-files like RPM-based distro's do with
  .rpmnew-files. If the original config file is absent
  the install script will automatically strip the .ipfirenew
  extension. And if the new config file does not differ from
  the currently installed one, the .ipfirenew-file is removed.
  The install-script will also issue warning messages if
  such .ipfirenew-files are left on the filesystem, requesting
  the user to manually investigate and possibly merge the
  configfile. I hope those warnings are visible in the pakfire
  output.
  A side effect is that the config files are also not removed
  when the package is uninstalled. I don't see a problem here
  for the zabbix own config-files. But it may pose a risk 
  concerning the sudoers-file? 
- I added a few IPFire specific monitoring items to the agent
  config which can be used for more in-depth monitoring of
  the IPFire installation. The user is of course free to
  use my template available on share.zabbix.com or github
  to monitor those items, or create their own template.

Thanks for considering this patch-set. Please be honest but gentle
commenting on it :-).

Regards
Robin



-- 
Dit bericht is gescanned op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.

[PATCH 1/4] zabbix_agentd: Update to v5.0.9 (LTS)

[Robin Roevens]

[-- Attachment #1: Type: text/plain, Size: 8423 bytes --]

- Update from 4.2.6 to latest LTS version 5.0.9
  See release notes: https://www.zabbix.com/rn/rn5.0.9

Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
 config/zabbix_agentd/zabbix_agentd.conf | 124 ++++++++++++++++++++++--
 lfs/zabbix_agentd                       |  11 ++-
 2 files changed, 121 insertions(+), 14 deletions(-)

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf
index 21b8e0122..4d6c4c154 100644
--- a/config/zabbix_agentd/zabbix_agentd.conf
+++ b/config/zabbix_agentd/zabbix_agentd.conf
@@ -63,14 +63,33 @@ LogFileSize=0
 # Default:
 # SourceIP=
 
-### Option: EnableRemoteCommands
-#	Whether remote commands from Zabbix server are allowed.
-#	0 - not allowed
-#	1 - allowed
+### Option: AllowKey
+#	Allow execution of item keys matching pattern.
+#	Multiple keys matching rules may be defined in combination with DenyKey.
+#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+#	Parameters are processed one by one according their appearance order.
+#	If no AllowKey or DenyKey rules defined, all keys are allowed.
+#
+# Mandatory: no
+
+### Option: DenyKey
+#	Deny execution of items keys matching pattern.
+#	Multiple keys matching rules may be defined in combination with AllowKey.
+#	Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments.
+#	Parameters are processed one by one according their appearance order.
+#	If no AllowKey or DenyKey rules defined, all keys are allowed.
+#       Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default.
 #
 # Mandatory: no
 # Default:
-# EnableRemoteCommands=0
+# DenyKey=system.run[*]
+
+### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead
+#	Internal alias for AllowKey/DenyKey parameters depending on value:
+#	0 - DenyKey=system.run[*]
+#	1 - AllowKey=system.run[*]
+#
+# Mandatory: no
 
 ### Option: LogRemoteCommands
 #	Enable logging of executed shell commands as warnings.
@@ -177,6 +196,28 @@ ServerActive=127.0.0.1
 # Default:
 # HostMetadataItem=
 
+### Option: HostInterface
+#	Optional parameter that defines host interface.
+#	Host interface is used at host auto-registration process.
+#	An agent will issue an error and not start if the value is over limit of 255 characters.
+#	If not defined, value will be acquired from HostInterfaceItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostInterface=
+
+### Option: HostInterfaceItem
+#	Optional parameter that defines an item used for getting host interface.
+#	Host interface is used at host auto-registration process.
+#	During an auto-registration request an agent will log a warning message if
+#	the value returned by specified item is over limit of 255 characters.
+#	This option is only used when HostInterface is not defined.
+#
+# Mandatory: no
+# Default:
+# HostInterfaceItem=
+
 ### Option: RefreshActiveChecks
 #	How often list of active checks is refreshed, in seconds.
 #
@@ -265,7 +306,6 @@ ServerActive=127.0.0.1
 
 Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
 
-
 ####### USER-DEFINED MONITORED PARAMETERS #######
 
 ### Option: UnsafeUserParameters
@@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
 #
 # Mandatory: no
 # Default:
-# LoadModulePath=/usr/lib/modules
+# LoadModulePath=${libdir}/modules
 
 LoadModulePath=/usr/lib/zabbix
 
@@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix
 # TLSCRLFile=
 
 ### Option: TLSServerCertIssuer
-#	Allowed server certificate issuer.
+#		Allowed server certificate issuer.
 #
 # Mandatory: no
 # Default:
 # TLSServerCertIssuer=
 
 ### Option: TLSServerCertSubject
-#	Allowed server certificate subject.
+#		Allowed server certificate subject.
 #
 # Mandatory: no
 # Default:
@@ -397,3 +437,69 @@ LoadModulePath=/usr/lib/zabbix
 # Mandatory: no
 # Default:
 # TLSPSKFile=
+
+####### For advanced users - TLS ciphersuite selection criteria #######
+
+### Option: TLSCipherCert13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for certificate-based encryption.
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert13=
+
+### Option: TLSCipherCert
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for certificate-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+#	Example for OpenSSL:
+#		EECDH+aRSA+AES128:RSA+aRSA+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherCert=
+
+### Option: TLSCipherPSK13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for PSK-based encryption.
+#	Example:
+#		TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK13=
+
+### Option: TLSCipherPSK
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for PSK-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
+#	Example for OpenSSL:
+#		kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherPSK=
+
+### Option: TLSCipherAll13
+#	Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
+#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+#	Example:
+#		TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll13=
+
+### Option: TLSCipherAll
+#	GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
+#	Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
+#	Example for GnuTLS:
+#		NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
+#	Example for OpenSSL:
+#		EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
+#
+# Mandatory: no
+# Default:
+# TLSCipherAll=
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index c69643a54..3f2af6a40 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.2.6
+VER        = 5.0.9
 
 THISAPP    = zabbix-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = zabbix_agentd
-PAK_VER    = 4
+PAK_VER    = 5
 DEPS       =
 
 ###############################################################################
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 6cd55cd743d416d9ffbf2e6fdee680ee
+$(DL_FILE)_MD5 = 68194e361f34cb72975a2063d8ec1df8
 
 install : $(TARGET)
 
@@ -80,7 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--prefix=/usr \
 		--enable-agent \
 		--sysconfdir=/etc/zabbix_agentd \
-		--with-openssl
+		--with-openssl \
+		--with-libcurl
 
 	cd $(DIR_APP) && make
 	cd $(DIR_APP) && make install
-- 
2.30.2


-- 
Dit bericht is gescanned op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.

[PATCH 2/4] zabbix_agentd: Fix agent modules directory

[Robin Roevens]

[-- Attachment #1: Type: text/plain, Size: 3029 bytes --]

- Add agent modules-dir to backup
- Remove original, not used agent modules dir from rootfile
- Delete agent modules dir only when empty on uninstall thus keeping
  possible user deployed custom module files but removing it if unused.

Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
 config/backup/includes/zabbix_agentd    | 3 ++-
 config/rootfiles/packages/zabbix_agentd | 4 ++--
 src/paks/zabbix_agentd/install.sh       | 2 ++
 src/paks/zabbix_agentd/uninstall.sh     | 5 +++++
 src/paks/zabbix_agentd/update.sh        | 1 +
 5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd
index cba18d772..d3305cb96 100644
--- a/config/backup/includes/zabbix_agentd
+++ b/config/backup/includes/zabbix_agentd
@@ -1,2 +1,3 @@
 /etc/sudoers.d/zabbix
-/etc/zabbix_agentd/*
+/etc/zabbix_agentd/
+/usr/lib/zabbix/
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 4420bda05..a938f2605 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -8,8 +8,8 @@ etc/zabbix_agentd/zabbix_agentd.d
 etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
 usr/bin/zabbix_get
 usr/bin/zabbix_sender
-usr/lib/modules
-usr/lib/zabbix
+#usr/lib/modules
+#usr/lib/zabbix
 usr/sbin/zabbix_agentd
 #usr/share/man/man1/zabbix_get.1
 #usr/share/man/man1/zabbix_sender.1
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index e1450a1d8..b98230ea1 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -41,6 +41,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
 # Create additonal directories and set permissions
 mkdir -pv /var/log/zabbix
 chown zabbix.zabbix /var/log/zabbix
+mkdir -pv /usr/lib/zabbix
+chown zabbix.zabbix /usr/lib/zabbix
 
 restore_backup ${NAME}
 start_service --background ${NAME}
diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh
index edff3b818..b771d1f63 100644
--- a/src/paks/zabbix_agentd/uninstall.sh
+++ b/src/paks/zabbix_agentd/uninstall.sh
@@ -26,5 +26,10 @@ stop_service ${NAME}
 make_backup ${NAME}
 remove_files
 
+# Remove agent modules dir if empty
+if [ -z "$(ls -A /usr/lib/zabbix/)" ]; then
+	rmdir /usr/lib/zabbix
+fi
+
 # Remove init-scripts and symlinks
 rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 7fc1c96fb..68bba4f80 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -22,6 +22,7 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+extract_backup_includes
 ./uninstall.sh
 ./install.sh
 
-- 
2.30.2


-- 
Dit bericht is gescanned op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.

[PATCH 3/4] zabbix_agentd: Better configfile handling during update

[Robin Roevens]

[-- Attachment #1: Type: text/plain, Size: 6764 bytes --]

- Renamed userparameters_pakfire.conf to template_app_pakfire.conf
  following current Zabbix template naming conventions.
- Install configfiles as .ipfirenew-files to prevent removing possible
  user changed files on uninstall.
  If the configfiles are not yet present, the .ipfirenew-files will be
  renamed to the actual configfiles. And if an existing configfile
  does not differ from the new one, the .ipfirenew-file will be removed.
  This allows the user to manually merge his existing config with the
  new config after update (warnings will be displayed during update
  when manual review is required).

Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
 config/rootfiles/packages/zabbix_agentd       | 12 ++++----
 ...pakfire.conf => template_app_pakfire.conf} |  0
 lfs/zabbix_agentd                             | 11 ++++---
 src/paks/zabbix_agentd/install.sh             | 29 +++++++++++++++++++
 src/paks/zabbix_agentd/uninstall.sh           |  4 +++
 src/paks/zabbix_agentd/update.sh              | 14 +++++++--
 6 files changed, 57 insertions(+), 13 deletions(-)
 rename config/zabbix_agentd/{userparameter_pakfire.conf => template_app_pakfire.conf} (100%)

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index a938f2605..6945c5ef7 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -1,11 +1,11 @@
 etc/logrotate.d/zabbix_agentd
 etc/rc.d/init.d/zabbix_agentd
-etc/sudoers.d/zabbix
-etc/zabbix_agentd
-etc/zabbix_agentd/scripts
-etc/zabbix_agentd/zabbix_agentd.conf
-etc/zabbix_agentd/zabbix_agentd.d
-etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
+etc/sudoers.d/zabbix.ipfirenew
+#etc/zabbix_agentd
+#etc/zabbix_agentd/scripts
+etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew
+#etc/zabbix_agentd/zabbix_agentd.d
+etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew
 usr/bin/zabbix_get
 usr/bin/zabbix_sender
 #usr/lib/modules
diff --git a/config/zabbix_agentd/userparameter_pakfire.conf b/config/zabbix_agentd/template_app_pakfire.conf
similarity index 100%
rename from config/zabbix_agentd/userparameter_pakfire.conf
rename to config/zabbix_agentd/template_app_pakfire.conf
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 3f2af6a40..badfde3ae 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -90,10 +90,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	-rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d
 	-mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d
 	-mkdir -pv /etc/zabbix_agentd/scripts
+	# Remove original config
+	@rm -f /etc/zabbix_agentd/zabbix_agentd.conf
+	# And replace with our own config
 	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \
-		/etc/zabbix_agentd/zabbix_agentd.conf
-	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \
-		/etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf
+		/etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew
+	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \
+		/etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew
 
 	# Create directory for additional agent modules
 	-mkdir -pv /usr/lib/zabbix
@@ -111,7 +114,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Install sudoers include file
 	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
-		/etc/sudoers.d/zabbix
+		/etc/sudoers.d/zabbix.ipfirenew
 
 	# Install include file for backup
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index b98230ea1..4248a7ec1 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -23,6 +23,23 @@
 #
 . /opt/pakfire/lib/functions.sh
 
+review_required=false
+
+function setup_configfile() {
+	# Puts configfile in place if it does not already exist or 
+	# remove the shipped version if it does not differ from existing file
+	configfile=$1
+
+	if [ ! -f $configfile ]; then
+		mv $configfile.ipfirenew $configfile
+    elif diff -q $configfile $configfile.ipfirenew >/dev/null; then
+		rm -f $configfile.ipfirenew
+	else
+		echo "WARNING: new $configfile saved as $configfile.ipfirenew for manual review"
+		review_required=true
+	fi
+}
+
 if ! getent group zabbix &>/dev/null; then
 	groupadd -g 118 zabbix
 fi
@@ -45,4 +62,16 @@ mkdir -pv /usr/lib/zabbix
 chown zabbix.zabbix /usr/lib/zabbix
 
 restore_backup ${NAME}
+
+# Put zabbix configfiles in place
+setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf
+setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf
+setup_configfile /etc/sudoers.d/zabbix
+
+if $review_required; then
+	echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files."
+	echo "         They may need manual review in order to take advantage of new features"
+	echo "         or even to make this version of ${NAME} work."
+fi
+
 start_service --background ${NAME}
diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh
index b771d1f63..7a13880c5 100644
--- a/src/paks/zabbix_agentd/uninstall.sh
+++ b/src/paks/zabbix_agentd/uninstall.sh
@@ -23,6 +23,10 @@
 #
 . /opt/pakfire/lib/functions.sh
 stop_service ${NAME}
+
+# Remove .ipfirenew files in advance so they won't be included in backup
+rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew
+
 make_backup ${NAME}
 remove_files
 
diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh
index 68bba4f80..91dd8f723 100644
--- a/src/paks/zabbix_agentd/update.sh
+++ b/src/paks/zabbix_agentd/update.sh
@@ -23,10 +23,18 @@
 #
 . /opt/pakfire/lib/functions.sh
 extract_backup_includes
-./uninstall.sh
-./install.sh
+
+# Ensure /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf is 
+# renamed to /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf
+if [ -f /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf ]; then
+	mv -v /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf \
+	      /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf
+fi
 
 # Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix
-if [ -e /etc/sudoers.d/zabbix.user ]; then
+if [ -f /etc/sudoers.d/zabbix.user ]; then
 	mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix
 fi
+
+./uninstall.sh
+./install.sh
\ No newline at end of file
-- 
2.30.2


-- 
Dit bericht is gescanned op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.

[PATCH 4/4] zabbix_agentd: Add IPFire specific userparameters

[Robin Roevens]

[-- Attachment #1: Type: text/plain, Size: 14027 bytes --]

Provide IPFire specific items for the Zabbix server to monitor:
- Networking stats:
  - ipfire.net.gateway.pingtime: Internet Line Quality
  - ipfire.net.gateway.ping: Internet connection
  - ipfire.net.fw.hits[*]: Firewall hits
- IPFire service states:
  - ipfire.services: JSON formatted state of all IPFire services
    using new ipfire_services.pl script.

Users can install the IPFire 2 Zabbix template-set provided here:
https://share.zabbix.com/network-appliances/ipfire-2
to monitor these metrics. Or create their own template.

Signed-off-by: Robin Roevens <robin.roevens(a)disroot.org>
---
 config/rootfiles/packages/zabbix_agentd       |   3 +
 config/zabbix_agentd/ipfire_services.pl       | 221 ++++++++++++++++++
 config/zabbix_agentd/sudoers                  |   2 +-
 .../template_module_ipfire_network_stats.conf |   4 +
 .../template_module_ipfire_services.conf      |   2 +
 lfs/zabbix_agentd                             |   8 +-
 src/paks/zabbix_agentd/install.sh             |   5 +
 src/paks/zabbix_agentd/uninstall.sh           |   2 +
 8 files changed, 245 insertions(+), 2 deletions(-)
 create mode 100755 config/zabbix_agentd/ipfire_services.pl
 create mode 100644 config/zabbix_agentd/template_module_ipfire_network_stats.conf
 create mode 100644 config/zabbix_agentd/template_module_ipfire_services.conf

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 6945c5ef7..aa3f1846b 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -3,9 +3,12 @@ etc/rc.d/init.d/zabbix_agentd
 etc/sudoers.d/zabbix.ipfirenew
 #etc/zabbix_agentd
 #etc/zabbix_agentd/scripts
+etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew
 etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew
 #etc/zabbix_agentd/zabbix_agentd.d
 etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew
+etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew
+etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew
 usr/bin/zabbix_get
 usr/bin/zabbix_sender
 #usr/lib/modules
diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl
new file mode 100755
index 000000000..dbf8aec56
--- /dev/null
+++ b/config/zabbix_agentd/ipfire_services.pl
@@ -0,0 +1,221 @@
+#!/usr/bin/perl
+###############################################################################
+# ipfire_services.pl - Retrieves available IPFire services information and 
+#                      return this as a JSON array suitable for easy processing 
+#                      by Zabbix server
+#
+# Author: robin.roevens (at) disroot.org
+# Version: 1.0
+#
+# Based on: services.cgi by IPFire Team
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org> 
+# 
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License 
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# 
+###############################################################################
+
+use strict;
+
+# enable only the following on debugging purpose
+# use warnings;
+
+# Maps a nice printable name to the changing part of the pid file, which
+# is also the name of the program
+my %servicenames =(
+        'DHCP Server' => 'dhcpd',
+        'Web Server' => 'httpd',
+        'CRON Server' => 'fcron',
+        'DNS Proxy Server' => 'unbound',
+        'Logging Server' => 'syslogd',
+        'Kernel Logging Server' => 'klogd',
+        'NTP Server' => 'ntpd',
+        'Secure Shell Server' => 'sshd',
+        'VPN' => 'charon',
+        'Web Proxy' => 'squid',
+        'Intrusion Detection System' => 'suricata',
+        'OpenVPN' => 'openvpn'
+);
+
+# Hash to overwrite the process name of a process if it differs from the launch command.
+my %overwrite_exename_hash = (
+        "suricata" => "Suricata-Main"
+);
+
+my $first = 1;
+
+print "[";
+
+# Built-in services
+my $key = '';
+foreach $key (sort keys %servicenames){
+	print "," if not $first;
+	$first = 0;
+
+	print "{";
+	print "\"service\":\"$key\",";
+
+	my $shortname = $servicenames{$key};
+	print &servicestats($shortname);
+	
+	print "}";
+}
+
+# Generate list of installed addon pak's
+my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut -d"-" -f2`;
+foreach (@pak){
+	chomp($_);
+
+	# Check which of the paks are services
+	my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`;
+	foreach (@svc){
+		# blacklist some packages
+		#
+		# alsa has trouble with the volume saving and was not really stopped
+		# mdadm should not stopped with webif because this could crash the system
+		#
+		chomp($_);
+		if ( $_ eq 'squid' ) {
+			next;
+		}
+		if ( ($_ ne "alsa") && ($_ ne "mdadm") ) {
+			print ",";
+			print "{";
+
+			print "\"service\":\"Addon: $_\",";
+			print "\"servicename\":\"$_\",";
+
+			my $onboot = isautorun($_);
+			print "\"onboot\":$onboot,";
+
+			print &addonservicestats($_);
+
+			print "}";
+		}
+	}
+}	
+
+print "]";
+
+sub servicestats{
+	my $cmd = $_[0];
+	my $status = "\"servicename\":\"$cmd\",\"state\":\"0\"";
+	my $pid = '';
+	my $testcmd = '';
+        my $exename;
+        my $memory;
+
+
+	$cmd =~ /(^[a-z]+)/;
+	
+	# Check if the exename needs to be overwritten.
+        # This happens if the expected process name string
+        # differs from the real one. This may happened if
+        # a service uses multiple processes or threads.
+        if (exists($overwrite_exename_hash{$cmd})) {
+                # Grab the string which will be reported by
+                # the process from the corresponding hash.
+                $exename = $overwrite_exename_hash{$1};
+        } else {
+                # Directly expect the launched command as
+                # process name.
+                $exename = $1;
+        }
+	
+	if (open(FILE, "/var/run/${cmd}.pid")){
+                $pid = <FILE>; chomp $pid;
+                close FILE;
+                if (open(FILE, "/proc/${pid}/status")){
+                        while (<FILE>){
+                                if (/^Name:\W+(.*)/) {
+                                        $testcmd = $1;
+                                }
+                        }
+                        close FILE;
+                }
+                if (open(FILE, "/proc/${pid}/status")) {
+                        while (<FILE>) {
+                                my ($key, $val) = split(":", $_, 2);
+                                if ($key eq 'VmRSS') {
+					$val =~ /\s*([0-9]*)\s+kB/;
+					# Convert kB to B
+                                        $memory = $1*1024;
+                                        last;
+                                }
+                        }
+                        close(FILE);
+                }
+                if ($testcmd =~ /$exename/){
+			$status = "\"servicename\":\"$cmd\",\"state\":1,\"pid\":$pid,\"memory\":$memory";
+		}
+        }
+        return $status;
+}
+
+sub isautorun{
+        my $cmd = $_[0];
+        my $status = "0";
+        my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`;
+        chomp ($init);
+        if ($init ne ''){
+                $status = "1";
+        }
+        $init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`;
+        chomp ($init);
+        if ($init ne ''){
+                $status = "0";
+        }
+
+        return $status;
+}
+
+sub addonservicestats{
+        my $cmd = $_[0];
+        my $status = "0";
+        my $pid = '';
+        my $testcmd = '';
+        my $exename;
+        my @memory = (0);
+
+        $testcmd = `sudo /usr/local/bin/addonctrl $_ status 2>/dev/null`;
+
+        if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){
+                $status = "\"state\":1";
+
+                $testcmd =~ s/.* //gi;
+                $testcmd =~ s/[a-z_]//gi;
+                $testcmd =~ s/\[[0-1]\;[0-9]+//gi;
+                $testcmd =~ s/[\(\)\.]//gi;
+                $testcmd =~ s/  //gi;
+                $testcmd =~ s/^[//gi;
+
+                my @pid = split(/\s/,$testcmd);
+                $status .=",\"pid\":\"$pid[0]\"";
+
+                my $memory = 0;
+
+                foreach (@pid){
+                        chomp($_);
+                        if (open(FILE, "/proc/$_/statm")){
+                                my $temp = <FILE>;
+                                @memory = split(/ /,$temp);
+                        }
+                        $memory+=$memory[0];
+                }
+		$memory*=1024;
+                $status .=",\"memory\":$memory";
+        }else{
+                $status = "\"state\":0";
+        }
+        return $status;
+}
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index 1b362a4fd..340bb8e66 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -14,4 +14,4 @@
 # Append / edit the following list of commands to fit your needs:
 #
 Defaults:zabbix !requiretty
-zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status
+zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping
diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf b/config/zabbix_agentd/template_module_ipfire_network_stats.conf
new file mode 100644
index 000000000..f1658ed07
--- /dev/null
+++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf
@@ -0,0 +1,4 @@
+### Parameters for monitoring IPFire network statistics 
+UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2
+UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $?
+UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "\/\* $2 \*\/" | awk '{ print $$2 }';
diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf
new file mode 100644
index 000000000..5f95218e3
--- /dev/null
+++ b/config/zabbix_agentd/template_module_ipfire_services.conf
@@ -0,0 +1,2 @@
+### Parameter for monitoring IPFire services
+UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfire_services.pl
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index badfde3ae..1debfeeb0 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = zabbix_agentd
 PAK_VER    = 5
-DEPS       =
+DEPS       = "fping"
 
 ###############################################################################
 # Top-level Rules
@@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		/etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew
 	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \
 		/etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew
+	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_stats.conf \
+		/etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew
+	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services.conf \
+		/etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew
+	install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \
+		/etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew
 
 	# Create directory for additional agent modules
 	-mkdir -pv /usr/lib/zabbix
diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh
index 4248a7ec1..ced915c81 100644
--- a/src/paks/zabbix_agentd/install.sh
+++ b/src/paks/zabbix_agentd/install.sh
@@ -66,8 +66,13 @@ restore_backup ${NAME}
 # Put zabbix configfiles in place
 setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf
 setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf
+setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf
+setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf
 setup_configfile /etc/sudoers.d/zabbix
 
+# Overwrite script if it exists as user should not modify it but it is included in backup
+mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl
+
 if $review_required; then
 	echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files."
 	echo "         They may need manual review in order to take advantage of new features"
diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh
index 7a13880c5..ccbc8f7cf 100644
--- a/src/paks/zabbix_agentd/uninstall.sh
+++ b/src/paks/zabbix_agentd/uninstall.sh
@@ -26,6 +26,8 @@ stop_service ${NAME}
 
 # Remove .ipfirenew files in advance so they won't be included in backup
 rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew
+# Remove script-file as it should not have been modified by user
+rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl
 
 make_backup ${NAME}
 remove_files
-- 
2.30.2


-- 
Dit bericht is gescanned op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.