From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Alexander Koch
To: development@lists.ipfire.org
Subject: Re: New addon: zabbix_agentd
Date: Thu, 07 Feb 2019 23:21:25 +0100
Message-ID: <5b293a25-3fdf-5a1c-0cf7-b2ca7cdfa5be@starkstromkonsument.de>
In-Reply-To: <76FAA269-A917-40AD-BDD1-040059DED487@ipfire.org>

Hello Michael,

thank you for your detailed review. I apologize for the line wrap issue... I will answer your questions inline below.

-------- Original Message --------
*From:* michael.tremer(a)ipfire.org
*Sent:* Tue, 5 Feb 2019 12:44:54 +0000
*To:* ipfire(a)starkstromkonsument.de
*CC:* development(a)lists.ipfire.org
*Subject:* Re: New addon: zabbix_agentd

> Hello Alexander,
>
> Thank you very much for submitting this patch.
>
> I guess that you have been involved in the forum thread about getting this thing into IPFire. Happy to see that that is now making its way to the list.
>
> However, there are some issues with the patch:
>
> First of all, some lines are wrapped (presumably by your email program). You can see this at the end of the patch where the #s are not in the same line any more.
>
> Therefore it won’t merge.
>
> Also it is quite a large patch and could have been broken down into smaller parts to make it easier to review it.
>
> I will go through the rest inline...
>
>> On 3 Feb 2019, at 19:37, Alexander Koch wrote:
>>
>> Hello,
>>
>> I would like to contribute a new addon for monitoring hosts running
>> IPFire by Zabbix Monitoring (https://www.zabbix.com/features) to
>> IPFire. Topic in the forum:
>> https://forum.ipfire.org/viewtopic.php?f=52&t=22039
>>
>> I'm not a professional software developer and this is going to be my
>> first patch for IPFire.
>> I hope I did not make any stupid mistakes and
>> I'm not wasting your time. I've built and tested (only for/on x86_64)
>> this package for/with core126, core127 (testing) and core128
>> (Development Build: zabbix_agentd/b72540bc) so far.
>>
>> Before I finally submit this as a Patch, I've got two questions I could
>> not figure out reading the wiki/forum:
>>
>> 1: How are logfiles (/var/log/zabbix) supposed to be treated by the
>> backup- and uninstall-scripts of an addon? Are logs supposed to be
>> included in the addon-backup? Is the log-directory supposed to be
>> deleted by the uninstall.sh of the addon? If I do not include them in
>> the backup, but delete the log-directory in uninstall.sh, the logs will
>> be flushed on every update of the addon. This is probably not what the
>> users expect to happen.
>>
>> 2: How is the original source-code of zabbix
>> (https://www.zabbix.com/download_sources) supposed to be shipped with
>> the patch? A patch only includes the lfs, config etc. and I did not find
>> a place to provide a download URL for it. Did I miss something?
>>
>> Best,
>> Alex
>>
>> P.S. Just in case you want to check what I achieved so far, I attached
>> my current patchfile below:
>>
>> Subject: [PATCH] zabbix_agentd: New addon for monitoring IPFire Hosts by
>> Zabbix Monitoring (https://www.zabbix.com/features). See
>> https://forum.ipfire.org/viewtopic.php?f=52&t=22039 for further details.
>> >> Signed-off-by: Alexander Koch >> --- >> config/backup/includes/zabbix_agentd | 3 + >> config/rootfiles/packages/zabbix_agentd | 21 ++ >> config/zabbix_agentd/logrotate | 9 + >> config/zabbix_agentd/pakfire_updates.pl | 100 ++++++ >> config/zabbix_agentd/sudoers | 17 + >> config/zabbix_agentd/userparameter_pakfire.conf | 4 + >> config/zabbix_agentd/zabbix_agentd.conf | 394 >> ++++++++++++++++++++++++ >> lfs/zabbix_agentd | 128 ++++++++ >> make.sh | 1 + >> src/initscripts/packages/zabbix_agentd | 61 ++++ >> src/paks/zabbix_agentd/install.sh | 45 +++ >> src/paks/zabbix_agentd/uninstall.sh | 38 +++ >> src/paks/zabbix_agentd/update.sh | 26 ++ >> 13 files changed, 847 insertions(+) >> create mode 100644 config/backup/includes/zabbix_agentd >> create mode 100644 config/rootfiles/packages/zabbix_agentd >> create mode 100644 config/zabbix_agentd/logrotate >> create mode 100644 config/zabbix_agentd/pakfire_updates.pl >> create mode 100644 config/zabbix_agentd/sudoers >> create mode 100644 config/zabbix_agentd/userparameter_pakfire.conf >> create mode 100644 config/zabbix_agentd/zabbix_agentd.conf >> create mode 100755 lfs/zabbix_agentd >> create mode 100755 src/initscripts/packages/zabbix_agentd >> create mode 100644 src/paks/zabbix_agentd/install.sh >> create mode 100644 src/paks/zabbix_agentd/uninstall.sh >> create mode 100644 src/paks/zabbix_agentd/update.sh >> >> diff --git a/config/backup/includes/zabbix_agentd >> b/config/backup/includes/zabbix_agentd >> new file mode 100644 >> index 0000000..d6a2b49 >> --- /dev/null >> +++ b/config/backup/includes/zabbix_agentd 
>> @@ -0,0 +1,3 @@ >> +/etc/sudoers.d/zabbix >> +/etc/zabbix/zabbix_agentd.* >> +/etc/zabbix/scripts
>
> I would say that /etc/sudoers.d/zabbix is not a configuration file for the user here and therefore should not be in the backup. It is a system configuration file that comes with the package.

The zabbix_agentd provides "items" for gathering data for monitoring by the zabbix_server. These out-of-the-box-items can be extended by UserParameters consisting of one-liners or entire scripts (e.g. the pakfire_updates.pl). These extensions of the agent have to be maintained by the user himself (and are typically shipped with zabbix templates). Some of the commands run by these extensions may require to be run as root. The sudoers-includefile has to be modified by the user in order to fit the needs of his UserParameters. This is why I consider this a config file that should be included in the backup. Otherwise the changes of the user will be overwritten on updates and lost when a system crashes. Do you agree?

> Shouldn’t the whole /etc/zabbix directory be in the backup?

The Zabbix-Ecosystem consists of several daemons: zabbix_server, zabbix_proxy, zabbix_agentd and additionally its php-frontend. By default they all share this config-directory. I'm planning to build another addon for the zabbix_proxy and wanted to separate the backups. Thinking about it again, it would be better to use separate directories like /etc/zabbix_agentd and /etc/zabbix_proxy in the case of IPFire, although other distributions like e.g. debian don't change this ... what do you think?

>> diff --git a/config/rootfiles/packages/zabbix_agentd >> b/config/rootfiles/packages/zabbix_agentd >> new file mode 100644 >> index 0000000..f12c46d >> --- /dev/null >> +++ b/config/rootfiles/packages/zabbix_agentd
>> @@ -0,0 +1,21 @@ >> +#etc/group-
>
> This file should not be in here and probably this is a mistake.

It appeared in the log and I don't know why. I will remove the line.

>> +etc/logrotate.d/zabbix_agentd >> +etc/rc.d/init.d/zabbix_agentd >> +etc/sudoers.d/zabbix >> +#etc/zabbix >> +#etc/zabbix/scripts >> +etc/zabbix/scripts/pakfire_updates.pl >> +etc/zabbix/zabbix_agentd.conf >> +#etc/zabbix/zabbix_agentd.conf.d >> +#etc/zabbix/zabbix_agentd.d >> +etc/zabbix/zabbix_agentd.d/userparameter_pakfire.conf >> +etc/zabbix/zabbix_agentd.psk >> +usr/bin/zabbix_get >> +usr/bin/zabbix_sender >> +#usr/lib/modules
>
> This also does not seem to be a very well named directory.

I will set it to 'usr/lib/zabbix'.

>> +usr/sbin/zabbix_agentd >> +#usr/share/man/man1/zabbix_get.1 >> +#usr/share/man/man1/zabbix_sender.1 >> +#usr/share/man/man8/zabbix_agentd.8 >> +var/ipfire/backup/addons/includes/zabbix_agentd >> +#var/log/zabbix
>
> The log directory should probably be shipped in this package.

yep.

>> diff --git a/config/zabbix_agentd/logrotate b/config/zabbix_agentd/logrota= te >> new file mode 100644 >> index 0000000..83bbca9 >> --- /dev/null >> +++ b/config/zabbix_agentd/logrotate >> @@ -0,0 +1,9 @@ >> +/var/log/zabbix/zabbix_agentd.log { >> + monthly >> + rotate 12 >> + compress >> + delaycompress >> + missingok >> + notifempty >> + create 0640 zabbix zabbix >> +}
>
> Does the daemon not need to be notified when the log file is being rotated?

It does not, because the daemon performs an open/write/close-operation when writing to the logfile.

>> diff --git a/config/zabbix_agentd/pakfire_updates.pl >> b/config/zabbix_agentd/pakfire_updates.pl >> new file mode 100644 >> index 0000000..875df40 >> --- /dev/null >> +++ b/config/zabbix_agentd/pakfire_updates.pl
>> @@ -0,0 +1,100 @@ >> +#!/usr/bin/perl >> +# >> +# Script for fetching available updates and "need reboot"-status for >> userparameter of zabbix_agentd >> +# >> +# This script is based on /opt/pakfire/lib/functions.pl >> +# >> +# Created on 09.07.2017 by Alexander Koch (ipfire(a)starkstromkonsument.d= e) >> +# Last modified on 24.01.19 by Alexander Koch >> (ipfire(a)starkstromkonsument.de) >> +#
>
> This script is missing a license header. Presumably you want a GPLv3 or some similar header here. Please check the appropriate license that you would like to use.

Ok, this will be fixed.

>> + >> +# Inculde Pakfire-Functions >> +require "/opt/pakfire/lib/functions.pl"; >> + >> +# Check for passed options >> +unless (@ARGV) { >> + print "No options given!\n"; >> + print "Possible options: updatescount, coreupdate_avail, need_reboot\n"; >> + exit 2; >> +} >> + >> +# Count packets >> +if ("$ARGV[0]" eq "updatescount") { >> + >> + # The following lines have been copied from >> /opt/pakfire/lib/functions.pl with minor modifications. >> + my @meta; >> + my $file; >> + my $line; >> + my $prog; >> + my ($name, $version, $release); >> + my @templine; >> + my $updatecount =3D 0; >> + >> + # Get list of packets >> + open(FILE, "<$Conf::dbdir/lists/packages_list.db"); >> + my @db =3D ; >> + close(FILE); >> + >> + # Get installed addons >> + opendir(DIR,"$Conf::dbdir/installed"); >> + my @files =3D readdir(DIR); >> + closedir(DIR); >> + foreach $file (@files) { >> + next if ( $file eq "." ); >> + next if ( $file eq ".." 
); >> + next if ( $file =3D~ /^old/ ); >> + open(FILE, "<$Conf::dbdir/installed/$file"); >> + @meta =3D ; >> + close(FILE); >> + foreach $line (@meta) { >> + @templine =3D split(/\: /,$line); >> + if ("$templine[0]" eq "Name") { >> + $name =3D $templine[1]; >> + chomp($name); >> + } elsif ("$templine[0]" eq "ProgVersion") { >> + $version =3D $templine[1]; >> + chomp($version); >> + } elsif ("$templine[0]" eq "Release") { >> + $release =3D $templine[1]; >> + chomp($release); >> + } >> + } >> + foreach $prog (@db) { >> + @templine =3D split(/\;/,$prog); >> + if (("$name" eq "$templine[0]") && ("$release" < "$templine[2]")) { >> + $updatecount++; >> + } >> + } >> + } >> + print $updatecount; >> + exit 0; >> +} >> + >> +elsif ("$ARGV[0]" eq "coreupdate_avail") { >> + eval(`grep "core_" $Conf::dbdir/lists/core-list.db`); >> + if ("$core_release" > "$Conf::core_mine") { >> + print 1; >> + exit 0; >> + } >> + else { >> + print 0; >> + exit 0; >> + } >> +} >> + >> +elsif ("$ARGV[0]" eq "need_reboot") { >> + if ( -e "/var/run/need_reboot" ) { >> + print 1; >> + exit 0; >> + } >> + else { >> + print 0; >> + exit 0; >> + } >> +} >> + >> +else { >> + print "Wrong options!\n"; >> + print "Possible options: updatescount, coreupdate_avail, need_reboot\n"; >> + exit 2; >> +}
>
> Would it not have been a good idea to have the functions live in the pakfire code and just have a convenient script to call them? Or even extend the pakfire command to return whether there are updates or not?

You are right. I didn't want to mess around with a corefile for the beginning. As this is a UserParameter-Extension for the agent and therefore not essentially necessary for the addon in the first place, I will remove this file and config/zabbix_agentd/userparameter_pakfire.conf from the patch and provide it separately as an update for the addon or only together with the appropriate Zabbix-Template later on.

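Review bot: In the coreupdate_avail branch of pakfire_updates.pl, the `eval(...)` wrapped around the output of `grep "core_" $Conf::dbdir/lists/core-list.db` runs every matching line of that file as Perl code, so anyone who can write core-list.db decides what the script executes whenever the agent calls it. Open the file, pull the release number out with an anchored regex and compare it numerically, rather than evaluating the file's content. In the updatescount branch the results of open() and opendir() are never checked, so a missing or unreadable database makes the script print 0 and exit 0, which is indistinguishable from "no updates"; test the return values and exit non-zero on failure.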
>> diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers >> new file mode 100644 >> index 0000000..d6049f3 >> --- /dev/null >> +++ b/config/zabbix_agentd/sudoers >> @@ -0,0 +1,17 @@ >> +# Include file for sudoers file >> +# >> +# This is needed for some userparameters to be able to execute commands >> that only run as root (using sudo) >> +# e.g. /usr/bin/openssl or /usr/sbin/smartctl >> +# >> +# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREAC= H! >> +# >> +# Some hints: >> +# - It is strongly recommended to edit this file only using the visudo >> -f command. If you mess up this file, >> +# you might end up locking yourself out of your system! >> +# - Append the full path to each command, using "," as separator. >> +# - Only add commands you really need. Zabbix should not have more >> rights than it has to. >> +# >> +# Uncomment the following two lines and edit the example of commands to >> fit your needs: >> +# >> +#Defaults:zabbix !requiretty >> +#zabbix ALL=3D(ALL) NOPASSWD: /usr/bin/openssl, /usr/sbin/smartctl
>
> You might want to limit the options to be given to smartctl. Potentially you can send commands to the hard drives but I assume that you only want to read information.

You are right. But these are just examples. I will remove these. The user has to take care of this file anyway, as explained above. The reason for shipping this file is to have it there and in the backup with this filename. If I don't provide this placeholder, I'm afraid of the users choosing different filenames and ending up not having it in the backup of the addon. Is there a more elegant way to dispel this doubt?

>> diff --git a/config/zabbix_agentd/userparameter_pakfire.conf >> b/config/zabbix_agentd/userparameter_pakfire.conf >> new file mode 100644 >> index 0000000..4fc4265 >> --- /dev/null >> +++ b/config/zabbix_agentd/userparameter_pakfire.conf
>> @@ -0,0 +1,4 @@ >> +# Provide additional items for Pakfire-Updates >> +UserParameter=3Dpakfire.updatescount,/etc/zabbix/scripts/pakfire_updates.= pl >> updatescount >> +UserParameter=3Dpakfire.coreupdate_avail,/etc/zabbix/scripts/pakfire_upda= tes.pl >> coreupdate_avail >> +UserParameter=3Dpakfire.need_reboot,/etc/zabbix/scripts/pakfire_updates.p= l need_reboot >> diff --git a/config/zabbix_agentd/zabbix_agentd.conf >> b/config/zabbix_agentd/zabbix_agentd.conf >> new file mode 100644 >> index 0000000..e60af19 >> --- /dev/null >> +++ b/config/zabbix_agentd/zabbix_agentd.conf 
>> @@ -0,0 +1,394 @@ >> +# This is a configuration file for Zabbix agent daemon (Unix) >> +# To get more information about Zabbix, visit http://www.zabbix.com >> + >> +############ GENERAL PARAMETERS ################# >> + >> +### Option: PidFile >> +# Name of PID file. >> +# >> +# Mandatory: no >> +# Default: >> +# PidFile=3D/tmp/zabbix_agentd.pid >> + >> +PidFile=3D/var/run/zabbix/zabbix_agentd.pid >> + >> +### Option: LogType >> +# Specifies where log messages are written to: >> +# system - syslog >> +# file - file specified with LogFile parameter >> +# console - standard output >> +# >> +# Mandatory: no >> +# Default: >> +# LogType=3Dfile >> + >> +### Option: LogFile >> +# Log file name for LogType 'file' parameter. >> +# >> +# Mandatory: yes, if LogType is set to file, otherwise no >> +# Default: >> +# LogFile=3D >> + >> +LogFile=3D/var/log/zabbix/zabbix_agentd.log >> + >> +### Option: LogFileSize >> +# Maximum size of log file in MB. >> +# 0 - disable automatic log rotation. >> +# >> +# Mandatory: no >> +# Range: 0-1024 >> +# Default: >> +# LogFileSize=3D1
>
> Default seems to be enabled. Doesn’t this collide with logrotate?

Yes it does, sorry I missed this. I will change it to 0.

>> +### Option: DebugLevel >> +# Specifies debug level: >> +# 0 - basic information about starting and stopping of Zabbix processes >> +# 1 - critical information >> +# 2 - error information >> +# 3 - warnings >> +# 4 - for debugging (produces lots of information) >> +# 5 - extended debugging (produces even more information) >> +# >> +# Mandatory: no >> +# Range: 0-5 >> +# Default: >> +# DebugLevel=3D3 >> + >> +### Option: SourceIP >> +# Source IP address for outgoing connections. >> +# >> +# Mandatory: no >> +# Default: >> +# SourceIP=3D >> + >> +### Option: EnableRemoteCommands >> +# Whether remote commands from Zabbix server are allowed. 
>> +# 0 - not allowed >> +# 1 - allowed >> +# >> +# Mandatory: no >> +# Default: >> +# EnableRemoteCommands=3D0 >> + >> +### Option: LogRemoteCommands >> +# Enable logging of executed shell commands as warnings. >> +# 0 - disabled >> +# 1 - enabled >> +# >> +# Mandatory: no >> +# Default: >> +# LogRemoteCommands=3D0 >> + >> +##### Passive checks related >> + >> +### Option: Server >> +# List of comma delimited IP addresses, optionally in CIDR notation, or >> DNS names of Zabbix servers and Zabbix proxies. >> +# Incoming connections will be accepted only from the hosts listed here. >> +# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', >> '::ffff:127.0.0.1' are treated equally >> +# and '::/0' will allow any IPv4 or IPv6 address. >> +# '0.0.0.0/0' can be used to allow any IPv4 address. >> +# Example: >> Server=3D127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com >> +# >> +# Mandatory: yes, if StartAgents is not explicitly set to 0 >> +# Default: >> +# Server=3D >> + >> +Server=3D127.0.0.1
>
> What is the rationale behind this default?

There is no rational default for this, because the IP/DNS-Name of the zabbix_server (or proxy) will be different in every environment. Exception: the agent on the host of the server itself. This is the default chosen in the sources and by the maintainers of other distributions. The agent does not start without this parameter being set though. Setting this as a default prevents the agent from being accessible by unauthorized zabbix servers or proxies and assures the daemon starting without errors anyways. Users of zabbix should be aware of this though.

>> + >> +### Option: ListenPort >> +# Agent will listen on this port for connections from the server. >> +# >> +# Mandatory: no >> +# Range: 1024-32767 >> +# Default: >> +# ListenPort=3D10050 >> + >> +### Option: ListenIP >> +# List of comma delimited IP addresses that the agent should listen on. 
>> +# First IP address is sent to Zabbix server if connecting to it to >> retrieve list of active checks. >> +# >> +# Mandatory: no >> +# Default: >> +# ListenIP=3D0.0.0.0 >> + >> +### Option: StartAgents >> +# Number of pre-forked instances of zabbix_agentd that process passive >> checks. >> +# If set to 0, disables passive checks and the agent will not listen on >> any TCP port. >> +# >> +# Mandatory: no >> +# Range: 0-100 >> +# Default: >> +# StartAgents=3D3 >> + >> +##### Active checks related >> + >> +### Option: ServerActive >> +# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix >> servers and Zabbix proxies for active checks. >> +# If port is not specified, default port is used. >> +# IPv6 addresses must be enclosed in square brackets if port for that >> host is specified. >> +# If port is not specified, square brackets for IPv6 addresses are >> optional. >> +# If this parameter is not specified, active checks are disabled. >> +# Example: >> ServerActive=3D127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] >> +# >> +# Mandatory: no >> +# Default: >> +# ServerActive=3D >> + >> +ServerActive=3D127.0.0.1 >=20 > See above.> >> +### Option: Hostname >> +# Unique, case sensitive hostname. >> +# Required for active checks and must match hostname as configured on >> the server. >> +# Value is acquired from HostnameItem if undefined. >> +# >> +# Mandatory: no >> +# Default: >> +# Hostname=3D >> + >> +### Option: HostnameItem >> +# Item used for generating Hostname if it is undefined. Ignored if >> Hostname is defined. >> +# Does not support UserParameters or aliases. >> +# >> +# Mandatory: no >> +# Default: >> +# HostnameItem=3Dsystem.hostname >> + >> +### Option: HostMetadata >> +# Optional parameter that defines host metadata. >> +# Host metadata is used at host auto-registration process. >> +# An agent will issue an error and not start if the value is over limit >> of 255 characters. 
>> +# If not defined, value will be acquired from HostMetadataItem. >> +# >> +# Mandatory: no >> +# Range: 0-255 characters >> +# Default: >> +# HostMetadata=3D >> + >> +### Option: HostMetadataItem >> +# Optional parameter that defines an item used for getting host metadata. >> +# Host metadata is used at host auto-registration process. >> +# During an auto-registration request an agent will log a warning >> message if >> +# the value returned by specified item is over limit of 255 characters. >> +# This option is only used when HostMetadata is not defined. >> +# >> +# Mandatory: no >> +# Default: >> +# HostMetadataItem=3D >> + >> +### Option: RefreshActiveChecks >> +# How often list of active checks is refreshed, in seconds. >> +# >> +# Mandatory: no >> +# Range: 60-3600 >> +# Default: >> +# RefreshActiveChecks=3D120 >> + >> +### Option: BufferSend >> +# Do not keep data longer than N seconds in buffer. >> +# >> +# Mandatory: no >> +# Range: 1-3600 >> +# Default: >> +# BufferSend=3D5 >> + >> +### Option: BufferSize >> +# Maximum number of values in a memory buffer. The agent will send >> +# all collected data to Zabbix Server or Proxy if the buffer is full. >> +# >> +# Mandatory: no >> +# Range: 2-65535 >> +# Default: >> +# BufferSize=3D100 >> + >> +### Option: MaxLinesPerSecond >> +# Maximum number of new lines the agent will send per second to Zabbix >> Server >> +# or Proxy processing 'log' and 'logrt' active checks. >> +# The provided value will be overridden by the parameter 'maxlines', >> +# provided in 'log' or 'logrt' item keys. >> +# >> +# Mandatory: no >> +# Range: 1-1000 >> +# Default: >> +# MaxLinesPerSecond=3D20 >> + >> +############ ADVANCED PARAMETERS ################# >> + >> +### Option: Alias >> +# Sets an alias for an item key. It can be used to substitute long and >> complex item key with a smaller and simpler one. >> +# Multiple Alias parameters may be present. Multiple parameters with >> the same Alias key are not allowed. 
>> +# Different Alias keys may reference the same item key. >> +# For example, to retrieve the ID of user 'zabbix': >> +# Alias=3Dzabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,= ,\1] >> +# Now shorthand key zabbix.userid may be used to retrieve data. >> +# Aliases can be used in HostMetadataItem but not in HostnameItem >> parameters. >> +# >> +# Mandatory: no >> +# Range: >> +# Default: >> + >> +### Option: Timeout >> +# Spend no more than Timeout seconds on processing >> +# >> +# Mandatory: no >> +# Range: 1-30 >> +# Default: >> +# Timeout=3D3 >> + >> +### Option: AllowRoot >> +# Allow the agent to run as 'root'. If disabled and the agent is >> started by 'root', the agent >> +# will try to switch to the user specified by the User configuration >> option instead. >> +# Has no effect if started under a regular user. >> +# 0 - do not allow >> +# 1 - allow >> +# >> +# Mandatory: no >> +# Default: >> +# AllowRoot=3D0 >> + >> +### Option: User >> +# Drop privileges to a specific, existing user on the system. >> +# Only has effect if run as 'root' and AllowRoot is disabled. >> +# >> +# Mandatory: no >> +# Default: >> +# User=3Dzabbix >> + >> +### Option: Include >> +# You may include individual files or all files in a directory in the >> configuration file. >> +# Installing Zabbix will create include directory in /usr/local/etc, >> unless modified during the compile time. >> +# >> +# Mandatory: no >> +# Default: >> +# Include=3D >> + >> +Include=3D/etc/zabbix/zabbix_agentd.d/*.conf >> + >> + >> +####### USER-DEFINED MONITORED PARAMETERS ####### >> + >> +### Option: UnsafeUserParameters >> +# Allow all characters to be passed in arguments to user-defined >> parameters. >> +# The following characters are not allowed: >> +# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ >> +# Additionally, newline characters are not allowed. 
>> +# 0 - do not allow >> +# 1 - allow >> +# >> +# Mandatory: no >> +# Range: 0-1 >> +# Default: >> +# UnsafeUserParameters=3D0 >> + >> +### Option: UserParameter >> +# User-defined parameter to monitor. There can be several user-defined >> parameters. >> +# Format: UserParameter=3D, >> +# See 'zabbix_agentd' directory for examples. >> +# >> +# Mandatory: no >> +# Default: >> +# UserParameter=3D >> + >> +####### LOADABLE MODULES ####### >> + >> +### Option: LoadModulePath >> +# Full path to location of agent modules. >> +# Default depends on compilation options. >> +# To see the default path run command "zabbix_agentd --help". >> +# >> +# Mandatory: no >> +# Default: >> +# LoadModulePath=3D/usr/lib/modules >=20 > See above. >=20 >> +### Option: LoadModule >> +# Module to load at agent startup. Modules are used to extend >> functionality of the agent. >> +# Format: LoadModule=3D >> +# The modules must be located in directory specified by LoadModulePath. >> +# It is allowed to include multiple LoadModule parameters. >> +# >> +# Mandatory: no >> +# Default: >> +# LoadModule=3D >> + >> +####### TLS-RELATED PARAMETERS ####### >> + >> +### Option: TLSConnect >> +# How the agent should connect to server or proxy. Used for active checks. >> +# Only one value can be specified: >> +# unencrypted - connect without encryption >> +# psk - connect using TLS and a pre-shared key >> +# cert - connect using TLS and a certificate >> +# >> +# Mandatory: yes, if TLS certificate or PSK parameters are defined >> (even for 'unencrypted' connection) >> +# Default: >> +# TLSConnect=3Dunencrypted >> + >> +### Option: TLSAccept >> +# What incoming connections to accept. 
>> +# Multiple values can be specified, separated by comma: >> +# unencrypted - accept connections without encryption >> +# psk - accept connections secured with TLS and a pre-shared key >> +# cert - accept connections secured with TLS and a certificate >> +# >> +# Mandatory: yes, if TLS certificate or PSK parameters are defined >> (even for 'unencrypted' connection) >> +# Default: >> +# TLSAccept=3Dunencrypted >> + >> +### Option: TLSCAFile >> +# Full pathname of a file containing the top-level CA(s) certificates for >> +# peer certificate verification. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCAFile=3D >> + >> +### Option: TLSCRLFile >> +# Full pathname of a file containing revoked certificates. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCRLFile=3D >> + >> +### Option: TLSServerCertIssuer >> +# Allowed server certificate issuer. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSServerCertIssuer=3D >> + >> +### Option: TLSServerCertSubject >> +# Allowed server certificate subject. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSServerCertSubject=3D >> + >> +### Option: TLSCertFile >> +# Full pathname of a file containing the agent certificate or >> certificate chain. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSCertFile=3D >> + >> +### Option: TLSKeyFile >> +# Full pathname of a file containing the agent private key. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSKeyFile=3D >> + >> +### Option: TLSPSKIdentity >> +# Unique, case sensitive string used to identify the pre-shared key. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSPSKIdentity=3D >> + >> +### Option: TLSPSKFile >> +# Full pathname of a file containing the pre-shared key. >> +# >> +# Mandatory: no >> +# Default: >> +# TLSPSKFile=3D >> + >> +#TLSPSKFile=3D/etc/zabbix/zabbix_agentd.psk
>
> This line doesn’t do anything.

It's just for convenience actually.
I personally appreciate this parameter and the file already existing as very handy when configuring a new host. But thinking about it, actually it might be more consequent not providing this, because I don't provide a default for the other TLS-parameters and files and the file ends up residing on the system without any use if PSK is not the chosen method of encryption. I will remove both.

>> + >> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd >> new file mode 100755 >> index 0000000..fba24f1 >> --- /dev/null >> +++ b/lfs/zabbix_agentd
>> @@ -0,0 +1,128 @@ >> +#########################################################################= ###### >> +# >> # >> +# IPFire.org - A linux based firewall >> # >> +# Copyright (C) 2007-2019 IPFire Team >> # >> +# >> # >> +# This program is free software: you can redistribute it and/or modify >> # >> +# it under the terms of the GNU General Public License as published by >> # >> +# the Free Software Foundation, either version 3 of the License, or >> # >> +# (at your option) any later version. >> # >> +# >> # >> +# This program is distributed in the hope that it will be useful, >> # >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> # >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> # >> +# GNU General Public License for more details. >> # >> +# >> # >> +# You should have received a copy of the GNU General Public License >> # >> +# along with this program. If not, see . >> # >> +# >> # >> +#########################################################################= ###### >> + >> +#########################################################################= ###### >> +# Definitions >> +#########################################################################= ###### >> + >> +include Config >> + >> +VER =3D 4.0.3 >> + >> +THISAPP =3D zabbix-$(VER) >> +DL_FILE =3D $(THISAPP).tar.gz >> +DL_FROM =3D $(URL_IPFIRE) >> +DIR_APP =3D $(DIR_SRC)/$(THISAPP) >> +TARGET =3D $(DIR_INFO)/$(THISAPP) >> +PROG =3D zabbix_agentd >> +PAK_VER =3D 0.4 >> +DEPS =3D "" >> + >> +#########################################################################= ###### >> +# Top-level Rules >> +#########################################################################= ###### >> + >> +objects =3D $(DL_FILE) >> + >> +$(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >> + >> +$(DL_FILE)_MD5 =3D 917d7303c248a9d1c49b8883c01ab2d9 >> + >> +install : $(TARGET) >> + >> +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) >> + >> +download :$(patsubst %,$(DIR_DL)/%,$(objects)) >> + >> 
+md5 : $(subst %,%_MD5,$(objects)) >> + >> +dist: >> + @$(PAK) >> + >> +#########################################################################= ###### >> +# Downloading, checking, md5sum >> +#########################################################################= ###### >> + >> +$(patsubst %,$(DIR_CHK)/%,$(objects)) : >> + @$(CHECK) >> + >> +$(patsubst %,$(DIR_DL)/%,$(objects)) : >> + @$(LOAD) >> + >> +$(subst %,%_MD5,$(objects)) : >> + @$(MD5) >> + >> +#########################################################################= ###### >> +# Installation Details >> +#########################################################################= ###### >> + >> +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> + @$(PREBUILD) >> + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE) >> + cd $(DIR_APP) && ./configure \ >> + --prefix=3D/usr \ >> + --enable-agent \ >> + --sysconfdir=3D"/etc/zabbix" \ >> + --with-openssl >> + >> + cd $(DIR_APP) && make + cd $(DIR_APP) && make install >> + >> + # Add User Zabbix if it does not exist >> + id -u zabbix &>/dev/null || useradd -r -U -s /bin/false -M -d >> /var/empty -c "Zabbix Monitoring=E2=80=9D zabbix
>
> You are checking if the user exists, but expect to create a user *and* a group. This could potentially go wrong.
>
> This will also randomly select a user ID. Therefore it would be better to have this in config/etc/passwd and config/etc/group so it will be persistent for every time the build is run.

Ok, I will change this. But will this not result in the user & group existing always and not only if the addon is installed?

>> + # Create config directory and create files. >> + -rmdir zabbix_agentd.conf.d
>
> You are trying to delete /usr/src/zabbit_agentd.conf.d here. This should not exist anyways.

The install-routine always creates this and I could not figure out how to disable / change this in the lfs.
I know this is a dirty workaround, but I don't know a better way to solve this by today. Does anybody have a hint for me? > >> + -mkdir -pv /etc/zabbix/zabbix_agentd.d >> + -mkdir -pv /etc/zabbix/scripts >> + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \ >> + /etc/zabbix/zabbix_agentd.conf >> + install -v -m 644 >> $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ >> + /etc/zabbix/zabbix_agentd.d/userparameter_pakfire.conf >> + install -v -m 754 -g zabbix >> $(DIR_SRC)/config/zabbix_agentd/pakfire_updates.pl \ >> + /etc/zabbix/scripts/pakfire_updates.pl > > Why should this script not be allowed to be executed by other users than root and those in the zabbix group? There is no reason besides my paranoia... The functionality of the file will be integrated in the original one anyways (see above). > >> + touch /etc/zabbix/zabbix_agentd.psk > > This file is not being used in the configuration file. See above. > >> + # Create directory and file for logging. >> + -mkdir -pv /var/log/zabbix >> + chown zabbix.zabbix /var/log/zabbix -R >> + >> + # Create directory for pid. >> + -mkdir -pv /var/run/zabbix >> + chown zabbix.zabbix /var/run/zabbix >> + >> + # Install initscripts >> + $(call INSTALL_INITSCRIPT,zabbix_agentd) >> + >> + # Install sudoers include file >> + install -v -m 440 $(DIR_SRC)/config/zabbix_agentd/sudoers \ >> + /etc/sudoers.d/zabbix >> + >> + # Install include file for backup >> + install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ >> + /var/ipfire/backup/addons/includes/zabbix_agentd >> + >> + # Install include file for Logrotate >> + -mkdir -pv /etc/logrotate.d >> + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/logrotate \ >> + /etc/logrotate.d/zabbix_agentd >> + >> + @rm -rf $(DIR_APP) >> + @$(POSTBUILD) >> diff --git a/make.sh b/make.sh >> index f96b74b..dadae3c 100755 >> --- a/make.sh >> +++ b/make.sh
>> @@ -1588,6 +1588,7 @@ buildipfire() { >> lfsmake2 dehydrated >> lfsmake2 shairport-sync >> lfsmake2 borgbackup >> + lfsmake2 zabbix_agentd >> } >> buildinstaller() { >> diff --git a/src/initscripts/packages/zabbix_agentd >> b/src/initscripts/packages/zabbix_agentd >> new file mode 100755 >> index 0000000..e50b56c >> --- /dev/null >> +++ b/src/initscripts/packages/zabbix_agentd 
>> @@ -0,0 +1,61 @@ >> +#!/bin/sh >> +######################################################################## >> +# Begin $rc_base/init.d/zabbix_agentd >> +# >> +# Description : This is a script that starts zabbix_agent as deamon >> +# >> +# Authors : Alexander Koch (ipfire(a)starkstromkonsument.de) >> +# >> +# Version : 01.00 >> +# >> +# Notes : >> +# >> +######################################################################## >> + >> +. /etc/sysconfig/rc >> +. ${rc_functions} >> + >> +NAME=3Dzabbix_agentd >> +DAEMON=3D/usr/sbin/$NAME >> +DESC=3D"Zabbix agent" >> +RUNDIR=3D/var/run/zabbix >> +CONF=3D/etc/zabbix/zabbix_agentd.conf >> + >> +test -x $DAEMON || exit 0 >> + >> +case "${1}" in >> + start) >> + # Make sure RUNDIR exists >> + if [ ! -d $RUNDIR ]; then >> + boot_mesg "Creating Directory $RUNDIR ..." >> + mkdir $RUNDIR >> + chown zabbix.zabbix $RUNDIR >> + fi >> + >> + boot_mesg "Starting $NAME =E2=80=A6" >=20 > We usually use a descriptive name here and not the name of the binary here. >=20 > Also no space before the ellipsis.> >> + loadproc $DAEMON -c $CONF > /dev/null >> + evaluate_retval >> + ;; >> + =09 >> + stop) >> + boot_mesg "Stopping $NAME ..." >> + killproc $DAEMON >> + ;; >> + >> + restart) >> + ${0} stop >> + sleep 1 >> + ${0} start >> + ;; >> + >> + status) >> + statusproc $DAEMON >> + ;; >> + >> + *) >> + echo "Usage: ${0} {start|stop|restart|status}" >> + exit 1 >> + ;; >> +esac >> + >> +# End $rc_base/init.d/zabbix_agentd >=20 > This script is a bit different than the others. Variables are being used in= stead of using the command names directly. Not sure if that is necessary. Ok, I'll change it. >=20 > Why is the output of loadproc being thrown away? You won=E2=80=99t have to = call evaluate_retval if you didn=E2=80=99t do that. I actually just coppied this part from the netsnmpd-addon without thinking ab= out it ... >=20 > Is it not better to have /var/run/zabbix being created in src/initscripts/s= ysconfig/createfiles? Yes, it is. 
I did not know this script yet. >=20 >> diff --git a/src/paks/zabbix_agentd/install.sh >> b/src/paks/zabbix_agentd/install.sh >> new file mode 100644 >> index 0000000..7264a08 >> --- /dev/null >> +++ b/src/paks/zabbix_agentd/install.sh 
>> @@ -0,0 +1,45 @@ >> +#!/bin/bash >> +#########################################################################= ### >> +# >> # >> +# This file is part of the IPFire Firewall. >> # >> +# >> # >> +# IPFire is free software; you can redistribute it and/or modify >> # >> +# it under the terms of the GNU General Public License as published by >> # >> +# the Free Software Foundation; either version 2 of the License, or >> # >> +# (at your option) any later version. >> # >> +# >> # >> +# IPFire is distributed in the hope that it will be useful, >> # >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> # >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> # >> +# GNU General Public License for more details. >> # >> +# >> # >> +# You should have received a copy of the GNU General Public License >> # >> +# along with IPFire; if not, write to the Free Software >> # >> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 >> USA # >> +# >> # >> +# Copyright (C) 2007 IPFire-Team . >> # >> +# >> # >> +#########################################################################= ### >> +# >> +. /opt/pakfire/lib/functions.sh >> + >> +# Add User Zabbix if it does not exist >> +id -u zabbix &>/dev/null || useradd -r -U -s /bin/false -M -d >> /var/empty -c "Zabbix Monitoring=E2=80=9D zabbix >=20 > See above. If the group has been lost, it won=E2=80=99t be recreated again. The "-U" takes care of this. >=20 >> + >> +extract_files >> + >> +# Create additonal Directories and set permissions >> +mkdir -pv /etc/zabbix/zabbix_agentd.d >> +mkdir -pv /etc/zabbix/scripts >=20 > These should be in the tarball. >=20 >> +mkdir -pv /var/run/zabbix >> +chown zabbix.zabbix /var/run/zabbix >=20 > This is being created in the initscript. >=20 >> +mkdir -pv /var/log/zabbix >> +chown zabbix.zabbix /var/log/zabbix -R >=20 > This should also be in the tarball. I will check / fix these issues. >=20 >> +# Create symlinks for runlevel interaction. 
>> +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc3.d/S14zabbix_agentd >> +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K71zabbix_agentd >> +ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K71zabbix_agentd > > You are starting this very early in the boot process. Even before the network is being started. > > Is that deliberate or could this be moved to a later time? > > Can zabbix bind to IP addresses if those are not assigned to the network interfaces, yet? No and no. I will change it to S65 & K02, if you agree. > >> +restore_backup ${NAME} >> +start_service --background ${NAME} >> diff --git a/src/paks/zabbix_agentd/uninstall.sh >> b/src/paks/zabbix_agentd/uninstall.sh >> new file mode 100644 >> index 0000000..ae8f815 >> --- /dev/null >> +++ b/src/paks/zabbix_agentd/uninstall.sh
>> @@ -0,0 +1,38 @@ >> +#!/bin/bash >> +#########################################################################= ### >> +# >> # >> +# This file is part of the IPFire Firewall. >> # >> +# >> # >> +# IPFire is free software; you can redistribute it and/or modify >> # >> +# it under the terms of the GNU General Public License as published by >> # >> +# the Free Software Foundation; either version 2 of the License, or >> # >> +# (at your option) any later version. >> # >> +# >> # >> +# IPFire is distributed in the hope that it will be useful, >> # >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> # >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> # >> +# GNU General Public License for more details. >> # >> +# >> # >> +# You should have received a copy of the GNU General Public License >> # >> +# along with IPFire; if not, write to the Free Software >> # >> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 >> USA # >> +# >> # >> +# Copyright (C) 2007 IPFire-Team . >> # >> +# >> # >> +#########################################################################= ### >> +# >> +. /opt/pakfire/lib/functions.sh >> +stop_service ${NAME} >> +make_backup ${NAME} >> +remove_files >> + >> +# Remove init-scripts and symlinks >> +rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd >> + >> +# Remove directorys >> +rm -rfv /etc/zabbix >> +rm -rfv /var/log/zabbix >> +rm -rfv /var/run/zabbix >=20 > See above. Log files should not be removed I think. We do not do that anywh= ere else as far as I know. Ok. >=20 >> + >> +# Remove user and group >> +userdel zabbix >=20 > Do you delete the group here? I tested this an the group seems to be deleted automatically, because it's th= e users primary group. >=20 >> diff --git a/src/paks/zabbix_agentd/update.sh >> b/src/paks/zabbix_agentd/update.sh >> new file mode 100644 >> index 0000000..89c40d0 >> --- /dev/null >> +++ b/src/paks/zabbix_agentd/update.sh 
>> @@ -0,0 +1,26 @@ >> +#!/bin/bash >> +#########################################################################= ### >> +# >> # >> +# This file is part of the IPFire Firewall. >> # >> +# >> # >> +# IPFire is free software; you can redistribute it and/or modify >> # >> +# it under the terms of the GNU General Public License as published by >> # >> +# the Free Software Foundation; either version 2 of the License, or >> # >> +# (at your option) any later version. >> # >> +# >> # >> +# IPFire is distributed in the hope that it will be useful, >> # >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> # >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> # >> +# GNU General Public License for more details. >> # >> +# >> # >> +# You should have received a copy of the GNU General Public License >> # >> +# along with IPFire; if not, write to the Free Software >> # >> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 >> USA # >> +# >> # >> +# Copyright (C) 2007 IPFire-Team . >> # >> +# >> # >> +#########################################################################= ### >> +# >> +. /opt/pakfire/lib/functions.sh >> +./uninstall.sh >> +./install.sh >> --=20 >> 2.7.4 >=20 > So, those are a lot of comments. Most of them are just questions. Hope you = can clarify those for me. >=20 > Looking forward to hearing from you soon. Apologies for taking a couple of = days to review this. Where are the other people on this list? >=20 > -Michael >=20 I hope I cloud clarify you're questions. I'm looking forward to some more fee= dback to my few questions above and I will be preparing a modified patch within a few days. Best regards, Alex --===============0582787417886504809==--
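Review bot: In the build-rules hunk (`@@ -0,0 +1,128 @@`, the file that starts with `include Config`), `touch /etc/zabbix/zabbix_agentd.psk` creates the pre-shared-key file with root ownership and whatever mode the build umask yields, and nothing afterwards restricts it. A key file should get an explicit owner and mode at creation, for example `install -m 640 -g zabbix /dev/null /etc/zabbix/zabbix_agentd.psk`, or be left out until the shipped configuration actually references it. In the same rule, `id -u zabbix &>/dev/null` relies on a bash-only redirection, which behaves as intended only if Config sets make's SHELL to bash; `>/dev/null 2>&1` works in either shell.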
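Review bot: In the `start)` branch of the initscript hunk (`@@ -0,0 +1,61 @@`), `mkdir $RUNDIR` and `chown zabbix.zabbix $RUNDIR` are unchecked and leave the directory mode to the umask, so a failed mkdir still falls through to `loadproc`. Creating the directory in one step with explicit owner and mode, for example `install -d -m 755 -o zabbix -g zabbix "$RUNDIR"`, avoids both problems, and the `zabbix:zabbix` colon form is the documented separator for chown. The `start` message also uses a Unicode ellipsis where `stop` uses `...`.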
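Review bot: In install.sh (`@@ -0,0 +1,45 @@`), the `useradd` line opens its `-c` argument with a plain `"` but closes it with a typographic quote (`"Zabbix Monitoring=E2=80=9D zabbix`), so bash never sees the end of the string and the script cannot get past that command; replace it with a plain `"`. The same line appears in the build rules and needs the same fix. The guard `id -u zabbix` also tests only the user, so `-U` creates the group only on the path where the user is missing; a separate `getent group zabbix` check would cover a lost group.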
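Review bot: In uninstall.sh (`@@ -0,0 +1,38 @@`), `userdel zabbix` runs unconditionally and unchecked at the end; once `/var/log/zabbix` is kept, as agreed in this thread, the files there remain owned by a bare numeric UID that a later `useradd -r` may assign to a different account. Either keep the account with a fixed UID/GID (the config/etc/passwd and config/etc/group route suggested for the build) or make sure nothing owned by it is left behind. `rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd` also matches any link whose name merely ends in `zabbix_agentd`; naming the three links that install.sh creates is safer.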
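Review bot: In update.sh (`@@ -0,0 +1,26 @@`), `./install.sh` runs regardless of the exit status of `./uninstall.sh`, so a partly failed uninstall is followed by an install on top of it; `./uninstall.sh && ./install.sh` is the minimum. Because uninstall.sh ends with `userdel zabbix` and `rm -rfv /var/log/zabbix`, and install.sh calls `useradd -r`, every update as written also discards the logs and recreates the account, possibly under a different UID. An update path that skips account and log removal would avoid that.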