Hi all
A renewal of this patchset, now for zabbix_agentd 6.0.6, the latest LTS version at the moment.
Except for the version nothing has changed in this set since my previous submission. So please see https://lists.ipfire.org/pipermail/development/2022-March/012624.html for the summary of this patch set.
Hopefully this can be included in Core 170?..
Regards
Robin Roevens
- Update from 4.2.6 to latest LTS version 6.0.6 See release notes: https://www.zabbix.com/rn/rn6.0.6
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/zabbix_agentd/zabbix_agentd.conf | 135 ++++++++++++++++++++++-- lfs/zabbix_agentd | 11 +- 2 files changed, 132 insertions(+), 14 deletions(-)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 21b8e0122..aa8b899dc 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -63,14 +63,33 @@ LogFileSize=0 # Default: # SourceIP=
-### Option: EnableRemoteCommands -# Whether remote commands from Zabbix server are allowed. -# 0 - not allowed -# 1 - allowed +### Option: AllowKey +# Allow execution of item keys matching pattern. +# Multiple keys matching rules may be defined in combination with DenyKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# +# Mandatory: no + +### Option: DenyKey +# Deny execution of items keys matching pattern. +# Multiple keys matching rules may be defined in combination with AllowKey. +# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. +# Parameters are processed one by one according their appearance order. +# If no AllowKey or DenyKey rules defined, all keys are allowed. +# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. # # Mandatory: no # Default: -# EnableRemoteCommands=0 +# DenyKey=system.run[*] + +### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead +# Internal alias for AllowKey/DenyKey parameters depending on value: +# 0 - DenyKey=system.run[*] +# 1 - AllowKey=system.run[*] +# +# Mandatory: no
### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. @@ -177,6 +196,28 @@ ServerActive=127.0.0.1 # Default: # HostMetadataItem=
+### Option: HostInterface +# Optional parameter that defines host interface. +# Host interface is used at host auto-registration process. +# An agent will issue an error and not start if the value is over limit of 255 characters. +# If not defined, value will be acquired from HostInterfaceItem. +# +# Mandatory: no +# Range: 0-255 characters +# Default: +# HostInterface= + +### Option: HostInterfaceItem +# Optional parameter that defines an item used for getting host interface. +# Host interface is used at host auto-registration process. +# During an auto-registration request an agent will log a warning message if +# the value returned by specified item is over limit of 255 characters. +# This option is only used when HostInterface is not defined. +# +# Mandatory: no +# Default: +# HostInterfaceItem= + ### Option: RefreshActiveChecks # How often list of active checks is refreshed, in seconds. # @@ -265,7 +306,6 @@ ServerActive=127.0.0.1
Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
- ####### USER-DEFINED MONITORED PARAMETERS #######
### Option: UnsafeUserParameters @@ -299,7 +339,7 @@ Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf # # Mandatory: no # Default: -# LoadModulePath=/usr/lib/modules +# LoadModulePath=${libdir}/modules
LoadModulePath=/usr/lib/zabbix
@@ -357,14 +397,14 @@ LoadModulePath=/usr/lib/zabbix # TLSCRLFile=
### Option: TLSServerCertIssuer -# Allowed server certificate issuer. +# Allowed server certificate issuer. # # Mandatory: no # Default: # TLSServerCertIssuer=
### Option: TLSServerCertSubject -# Allowed server certificate subject. +# Allowed server certificate subject. # # Mandatory: no # Default: @@ -397,3 +437,80 @@ LoadModulePath=/usr/lib/zabbix # Mandatory: no # Default: # TLSPSKFile= + +####### For advanced users - TLS ciphersuite selection criteria ####### + +### Option: TLSCipherCert13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# +# Mandatory: no +# Default: +# TLSCipherCert13= + +### Option: TLSCipherCert +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128 +# +# Mandatory: no +# Default: +# TLSCipherCert= + +### Option: TLSCipherPSK13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example: +# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherPSK13= + +### Option: TLSCipherPSK +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL +# Example for OpenSSL: +# kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherPSK= + +### Option: TLSCipherAll13 +# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example: +# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +# +# Mandatory: no +# Default: +# TLSCipherAll13= + +### Option: TLSCipherAll +# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. +# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. +# Example for GnuTLS: +# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 +# Example for OpenSSL: +# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 +# +# Mandatory: no +# Default: +# TLSCipherAll= + +####### For advanced users - TCP-related fine-tuning parameters ####### + +## Option: ListenBacklog +# The maximum number of pending connections in the queue. This parameter is passed to +# listen() function as argument 'backlog' (see "man listen"). +# +# Mandatory: no +# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) +# Default: SOMAXCONN (hard-coded constant, depends on system) +# ListenBacklog= diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 63566c1a7..1b7932007 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config
SUMMARY = Zabbix Agent
-VER = 4.2.6 +VER = 6.0.6
THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 4 +PAK_VER = 5 DEPS =
SERVICES = zabbix_agentd @@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 644bb9fd3afaa26c572f97018039d564a7ce156d0bf8d2449a1d3d04fdfaca05087d71e6a5ddcf3ed13a5719256865780f180dd3488bab470816dac7af70ff09 +$(DL_FILE)_BLAKE2 = f9d07ca8938ae4e5e47048c32872644caeda0ecdef17513c63c63d1ce2aaa4ac0c92e6c70932bc598ff908419dae05bab32924f5973a5528b5668f7c7c2c5a17
install : $(TARGET)
@@ -84,7 +84,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --enable-agent \ --sysconfdir=/etc/zabbix_agentd \ - --with-openssl + --with-openssl \ + --with-libcurl
cd $(DIR_APP) && make cd $(DIR_APP) && make install
- Add agent modules-dir to backup - Remove original, not used agent modules dir from rootfile - Create modules-dir during install if it not already exists - bugfix: Add existence check before creating log-dir, avoiding error messages if it already exists from a previous install - bugfix: add extract_backup_includes to update.sh script to make sure backup includes exist when backup is taken.
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/backup/includes/zabbix_agentd | 3 ++- config/rootfiles/packages/zabbix_agentd | 2 +- src/paks/zabbix_agentd/install.sh | 4 ++-- src/paks/zabbix_agentd/update.sh | 1 + 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index cba18d772..d3305cb96 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,3 @@ /etc/sudoers.d/zabbix -/etc/zabbix_agentd/* +/etc/zabbix_agentd/ +/usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 4420bda05..d9bbc3ccf 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -8,7 +8,7 @@ etc/zabbix_agentd/zabbix_agentd.d etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf usr/bin/zabbix_get usr/bin/zabbix_sender -usr/lib/modules +#usr/lib/modules usr/lib/zabbix usr/sbin/zabbix_agentd #usr/share/man/man1/zabbix_get.1 diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index e1450a1d8..cf435918d 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -39,8 +39,8 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
# Create additonal directories and set permissions -mkdir -pv /var/log/zabbix -chown zabbix.zabbix /var/log/zabbix +[ -d /var/log/zabbix ] || ( mkdir -pv /var/log/zabbix && chown zabbix.zabbix /var/log/zabbix ) +[ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix )
restore_backup ${NAME} start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 7fc1c96fb..68bba4f80 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,6 +22,7 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh +extract_backup_includes ./uninstall.sh ./install.sh
- Restrict default main config to only the bare minimum options and add upstream provided config as example file. - Remove /etc/zabbix_agentd from backup and instead add only zabbix_agentd.conf and subdirs 'scripts' and 'zabbix_agentd.d' to the backup. - Move ipfire managed userparameter_pakfire.conf from user managed dir /etc/zabbix_agentd/zabbix_agent.d to ipfire managed dir /var/ipfire/zabbix_agentd/userparameters - Add Include line to existing zabbix_agentd.conf to include the new ipfire managed config dir /var/ipfire/zabbix_agentd/... - Add and include mandatory IPFire specific agent configuration which should never be changed by the user.
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/backup/includes/zabbix_agentd | 4 +- config/rootfiles/packages/zabbix_agentd | 6 +- config/zabbix_agentd/zabbix_agentd.conf | 522 +----------------- .../zabbix_agentd_ipfire_mandatory.conf | 11 + lfs/zabbix_agentd | 11 +- src/paks/zabbix_agentd/install.sh | 34 ++ 6 files changed, 78 insertions(+), 510 deletions(-) create mode 100644 config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index d3305cb96..4be365297 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,3 +1,5 @@ /etc/sudoers.d/zabbix -/etc/zabbix_agentd/ +/etc/zabbix_agentd/zabbix_agentd.conf +/etc/zabbix_agentd/scripts/ +/etc/zabbix_agentd/zabbix_agentd.d/ /usr/lib/zabbix/ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index d9bbc3ccf..c6e0c5634 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -4,8 +4,8 @@ etc/sudoers.d/zabbix etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf +etc/zabbix_agentd/zabbix_agentd.conf.example etc/zabbix_agentd/zabbix_agentd.d -etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules @@ -15,4 +15,8 @@ usr/sbin/zabbix_agentd #usr/share/man/man1/zabbix_sender.1 #usr/share/man/man8/zabbix_agentd.8 var/ipfire/backup/addons/includes/zabbix_agentd +var/ipfire/zabbix_agentd +var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf +var/ipfire/zabbix_agentd/userparameters +var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf #var/log/zabbix diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index aa8b899dc..e1aafc584 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -1,516 +1,24 @@ # This is a configuration file for Zabbix agent daemon (Unix) # To get more information about Zabbix, visit http://www.zabbix.com - -############ GENERAL PARAMETERS ################# - -### Option: PidFile -# Name of PID file. -# -# Mandatory: no -# Default: -# PidFile=/tmp/zabbix_agentd.pid - -PidFile=/var/run/zabbix/zabbix_agentd.pid - -### Option: LogType -# Specifies where log messages are written to: -# system - syslog -# file - file specified with LogFile parameter -# console - standard output -# -# Mandatory: no -# Default: -# LogType=file - -### Option: LogFile -# Log file name for LogType 'file' parameter. # -# Mandatory: yes, if LogType is set to file, otherwise no -# Default: -# LogFile= +# For possible configuration options, +# see /etc/zabbix_agentd/zabbix_agentd.conf.example
-LogFile=/var/log/zabbix/zabbix_agentd.log - -### Option: LogFileSize -# Maximum size of log file in MB. -# 0 - disable automatic log rotation. -# -# Mandatory: no -# Range: 0-1024 -# Default: -# LogFileSize=1 - -LogFileSize=0 - -### Option: DebugLevel -# Specifies debug level: -# 0 - basic information about starting and stopping of Zabbix processes -# 1 - critical information -# 2 - error information -# 3 - warnings -# 4 - for debugging (produces lots of information) -# 5 - extended debugging (produces even more information) -# -# Mandatory: no -# Range: 0-5 -# Default: -# DebugLevel=3 - -### Option: SourceIP -# Source IP address for outgoing connections. -# -# Mandatory: no -# Default: -# SourceIP= - -### Option: AllowKey -# Allow execution of item keys matching pattern. -# Multiple keys matching rules may be defined in combination with DenyKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# -# Mandatory: no - -### Option: DenyKey -# Deny execution of items keys matching pattern. -# Multiple keys matching rules may be defined in combination with AllowKey. -# Key pattern is wildcard expression, which support "*" character to match any number of any characters in certain position. It might be used in both key name and key arguments. -# Parameters are processed one by one according their appearance order. -# If no AllowKey or DenyKey rules defined, all keys are allowed. -# Unless another system.run[*] rule is specified DenyKey=system.run[*] is added by default. -# -# Mandatory: no -# Default: -# DenyKey=system.run[*] - -### Option: EnableRemoteCommands - Deprecated, use AllowKey=system.run[*] or DenyKey=system.run[*] instead -# Internal alias for AllowKey/DenyKey parameters depending on value: -# 0 - DenyKey=system.run[*] -# 1 - AllowKey=system.run[*] -# -# Mandatory: no - -### Option: LogRemoteCommands -# Enable logging of executed shell commands as warnings. -# 0 - disabled -# 1 - enabled -# -# Mandatory: no -# Default: -# LogRemoteCommands=0 - -##### Passive checks related - -### Option: Server -# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies. -# Incoming connections will be accepted only from the hosts listed here. -# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally -# and '::/0' will allow any IPv4 or IPv6 address. -# '0.0.0.0/0' can be used to allow any IPv4 address. -# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com -# -# Mandatory: yes, if StartAgents is not explicitly set to 0 -# Default: -# Server= +# To make sure all Zabbix configuration is correctly included in IPFire backups: +# - Put custom userparameters in /etc/zabbix_agentd/zabbix_agentd.d/*.conf +# - Put custom scripts in /etc/zabbix_agentd/scripts +# - Put custom modules in /usr/lib/zabbix
+# Set your Zabbix Server IP or hostname here (Passive and/or Active): Server=127.0.0.1 - -### Option: ListenPort -# Agent will listen on this port for connections from the server. -# -# Mandatory: no -# Range: 1024-32767 -# Default: -# ListenPort=10050 - -### Option: ListenIP -# List of comma delimited IP addresses that the agent should listen on. -# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. -# -# Mandatory: no -# Default: -# ListenIP=0.0.0.0 - -### Option: StartAgents -# Number of pre-forked instances of zabbix_agentd that process passive checks. -# If set to 0, disables passive checks and the agent will not listen on any TCP port. -# -# Mandatory: no -# Range: 0-100 -# Default: -# StartAgents=3 - -##### Active checks related - -### Option: ServerActive -# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks. -# If port is not specified, default port is used. -# IPv6 addresses must be enclosed in square brackets if port for that host is specified. -# If port is not specified, square brackets for IPv6 addresses are optional. -# If this parameter is not specified, active checks are disabled. -# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1] -# -# Mandatory: no -# Default: -# ServerActive= - ServerActive=127.0.0.1
-### Option: Hostname -# Unique, case sensitive hostname. -# Required for active checks and must match hostname as configured on the server. -# Value is acquired from HostnameItem if undefined. -# -# Mandatory: no -# Default: -# Hostname= - -### Option: HostnameItem -# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined. -# Does not support UserParameters or aliases. -# -# Mandatory: no -# Default: -# HostnameItem=system.hostname - -### Option: HostMetadata -# Optional parameter that defines host metadata. -# Host metadata is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostMetadataItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostMetadata= - -### Option: HostMetadataItem -# Optional parameter that defines an item used for getting host metadata. -# Host metadata is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostMetadata is not defined. -# -# Mandatory: no -# Default: -# HostMetadataItem= - -### Option: HostInterface -# Optional parameter that defines host interface. -# Host interface is used at host auto-registration process. -# An agent will issue an error and not start if the value is over limit of 255 characters. -# If not defined, value will be acquired from HostInterfaceItem. -# -# Mandatory: no -# Range: 0-255 characters -# Default: -# HostInterface= - -### Option: HostInterfaceItem -# Optional parameter that defines an item used for getting host interface. -# Host interface is used at host auto-registration process. -# During an auto-registration request an agent will log a warning message if -# the value returned by specified item is over limit of 255 characters. -# This option is only used when HostInterface is not defined. -# -# Mandatory: no -# Default: -# HostInterfaceItem= - -### Option: RefreshActiveChecks -# How often list of active checks is refreshed, in seconds. -# -# Mandatory: no -# Range: 60-3600 -# Default: -# RefreshActiveChecks=120 - -### Option: BufferSend -# Do not keep data longer than N seconds in buffer. -# -# Mandatory: no -# Range: 1-3600 -# Default: -# BufferSend=5 - -### Option: BufferSize -# Maximum number of values in a memory buffer. The agent will send -# all collected data to Zabbix Server or Proxy if the buffer is full. -# -# Mandatory: no -# Range: 2-65535 -# Default: -# BufferSize=100 - -### Option: MaxLinesPerSecond -# Maximum number of new lines the agent will send per second to Zabbix Server -# or Proxy processing 'log' and 'logrt' active checks. -# The provided value will be overridden by the parameter 'maxlines', -# provided in 'log' or 'logrt' item keys. -# -# Mandatory: no -# Range: 1-1000 -# Default: -# MaxLinesPerSecond=20 - -############ ADVANCED PARAMETERS ################# - -### Option: Alias -# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one. -# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed. -# Different Alias keys may reference the same item key. -# For example, to retrieve the ID of user 'zabbix': -# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1] -# Now shorthand key zabbix.userid may be used to retrieve data. -# Aliases can be used in HostMetadataItem but not in HostnameItem parameters. -# -# Mandatory: no -# Range: -# Default: +# This line activates IPFire specific userparameters. +# See IPFire wiki for details. +# To deactivate them: Comment this line out. +# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade) +Include=/var/ipfire/zabbix_agentd/userparameters/*.conf
-### Option: Timeout -# Spend no more than Timeout seconds on processing -# -# Mandatory: no -# Range: 1-30 -# Default: -# Timeout=3 - -### Option: AllowRoot -# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent -# will try to switch to the user specified by the User configuration option instead. -# Has no effect if started under a regular user. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Default: -# AllowRoot=0 - -### Option: User -# Drop privileges to a specific, existing user on the system. -# Only has effect if run as 'root' and AllowRoot is disabled. -# -# Mandatory: no -# Default: -# User=zabbix - -### Option: Include -# You may include individual files or all files in a directory in the configuration file. -# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time. -# -# Mandatory: no -# Default: -# Include= - -Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf - -####### USER-DEFINED MONITORED PARAMETERS ####### - -### Option: UnsafeUserParameters -# Allow all characters to be passed in arguments to user-defined parameters. -# The following characters are not allowed: -# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @ -# Additionally, newline characters are not allowed. -# 0 - do not allow -# 1 - allow -# -# Mandatory: no -# Range: 0-1 -# Default: -# UnsafeUserParameters=0 - -### Option: UserParameter -# User-defined parameter to monitor. There can be several user-defined parameters. -# Format: UserParameter=<key>,<shell command> -# See 'zabbix_agentd' directory for examples. -# -# Mandatory: no -# Default: -# UserParameter= - -####### LOADABLE MODULES ####### - -### Option: LoadModulePath -# Full path to location of agent modules. -# Default depends on compilation options. -# To see the default path run command "zabbix_agentd --help". -# -# Mandatory: no -# Default: -# LoadModulePath=${libdir}/modules - -LoadModulePath=/usr/lib/zabbix - -### Option: LoadModule -# Module to load at agent startup. Modules are used to extend functionality of the agent. -# Formats: -# LoadModule=<module.so> -# LoadModule=<path/module.so> -# LoadModule=</abs_path/module.so> -# Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. -# If the preceding path is absolute (starts with '/') then LoadModulePath is ignored. -# It is allowed to include multiple LoadModule parameters. -# -# Mandatory: no -# Default: -# LoadModule= - -####### TLS-RELATED PARAMETERS ####### - -### Option: TLSConnect -# How the agent should connect to server or proxy. Used for active checks. -# Only one value can be specified: -# unencrypted - connect without encryption -# psk - connect using TLS and a pre-shared key -# cert - connect using TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSConnect=unencrypted - -### Option: TLSAccept -# What incoming connections to accept. -# Multiple values can be specified, separated by comma: -# unencrypted - accept connections without encryption -# psk - accept connections secured with TLS and a pre-shared key -# cert - accept connections secured with TLS and a certificate -# -# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection) -# Default: -# TLSAccept=unencrypted - -### Option: TLSCAFile -# Full pathname of a file containing the top-level CA(s) certificates for -# peer certificate verification. -# -# Mandatory: no -# Default: -# TLSCAFile= - -### Option: TLSCRLFile -# Full pathname of a file containing revoked certificates. -# -# Mandatory: no -# Default: -# TLSCRLFile= - -### Option: TLSServerCertIssuer -# Allowed server certificate issuer. -# -# Mandatory: no -# Default: -# TLSServerCertIssuer= - -### Option: TLSServerCertSubject -# Allowed server certificate subject. -# -# Mandatory: no -# Default: -# TLSServerCertSubject= - -### Option: TLSCertFile -# Full pathname of a file containing the agent certificate or certificate chain. -# -# Mandatory: no -# Default: -# TLSCertFile= - -### Option: TLSKeyFile -# Full pathname of a file containing the agent private key. -# -# Mandatory: no -# Default: -# TLSKeyFile= - -### Option: TLSPSKIdentity -# Unique, case sensitive string used to identify the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKIdentity= - -### Option: TLSPSKFile -# Full pathname of a file containing the pre-shared key. -# -# Mandatory: no -# Default: -# TLSPSKFile= - -####### For advanced users - TLS ciphersuite selection criteria ####### - -### Option: TLSCipherCert13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# -# Mandatory: no -# Default: -# TLSCipherCert13= - -### Option: TLSCipherCert -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128 -# -# Mandatory: no -# Default: -# TLSCipherCert= - -### Option: TLSCipherPSK13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example: -# TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherPSK13= - -### Option: TLSCipherPSK -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL -# Example for OpenSSL: -# kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherPSK= - -### Option: TLSCipherAll13 -# Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example: -# TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -# -# Mandatory: no -# Default: -# TLSCipherAll13= - -### Option: TLSCipherAll -# GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. -# Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. -# Example for GnuTLS: -# NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 -# Example for OpenSSL: -# EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 -# -# Mandatory: no -# Default: -# TLSCipherAll= - -####### For advanced users - TCP-related fine-tuning parameters ####### - -## Option: ListenBacklog -# The maximum number of pending connections in the queue. This parameter is passed to -# listen() function as argument 'backlog' (see "man listen"). -# -# Mandatory: no -# Range: 0 - INT_MAX (depends on system, too large values may be silently truncated to implementation-specified maximum) -# Default: SOMAXCONN (hard-coded constant, depends on system) -# ListenBacklog= +# Mandatory Zabbix Agent configuration to start and run on IPFire correctly +# DO NOT REMOVE OR MODIFY THIS LINE: +Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ No newline at end of file diff --git a/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf new file mode 100644 index 000000000..c6be948be --- /dev/null +++ b/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf @@ -0,0 +1,11 @@ +PidFile=/var/run/zabbix/zabbix_agentd.pid + +# Log rotation is managed by logrotate +LogFile=/var/log/zabbix/zabbix_agentd.log +LogFileSize=0 + +# These paths are included in the IPFire backups. Do not put user modules +# or configuration files in other locations if you want them included in the +# backups. +LoadModulePath=/usr/lib/zabbix +Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 1b7932007..025a0f0db 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -94,10 +94,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d -mkdir -pv /etc/zabbix_agentd/scripts + # Move upstream supplied config out of the way for reference + # and install our own version of the config. + -mv /etc/zabbix_agentd/zabbix_agentd.conf \ + /etc/zabbix_agentd/zabbix_agentd.conf.example install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \ /etc/zabbix_agentd/zabbix_agentd.conf + + # Install IPFire-specific Zabbix Agent config + -mkdir -pv /var/ipfire/zabbix_agentd/userparameters + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf \ + /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ - /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf + /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
# Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index cf435918d..3ffff10c1 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -43,4 +43,38 @@ ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd [ -d /usr/lib/zabbix ] || ( mkdir -pv /usr/lib/zabbix && chown zabbix.zabbix /usr/lib/zabbix )
restore_backup ${NAME} + +# Check if old IPFire specifc userparameters exist and move out of the way +if [ -f /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf ]; then + mv /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/userparameter_pakfire.conf.save +fi + +# Check if new IPFire specific config is included in restored config +# and add if required. +grep -q "Include=/var/ipfire/zabbix_agentd/userparameters/*.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? -eq 1 ]; then + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# This line activates IPFire specific userparameters. " >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# See IPFire wiki for details." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# To deactivate them: Comment this line out." >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# (DO NOT REMOVE OR ALTER IT as then it will be re-added on next upgrade)" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/userparameters/*.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + +grep -q "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" /etc/zabbix_agentd/zabbix_agentd.conf +if [ $? -eq 1 ]; then + # Remove settings that are now in our own config + sed -i -e "|^PidFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "|^LogFile=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "|^LogFileSize=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "|^LoadModulePath=.*$|d" /etc/zabbix_agentd/zabbix_agentd.conf + sed -i -e "|^Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf$|d" /etc/zabbix_agentd/zabbix_agentd.conf + # Include our own config in main config + echo "" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# Mandatory Zabbix Agent configuration to start and run on IPFire correctly" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "# DO NOT REMOVE OR MODIFY THIS LINE:" >> /etc/zabbix_agentd/zabbix_agentd.conf + echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf +fi + start_service --background ${NAME}
- Remove sudoers file 'zabbix' in favour of new IPFire managed 'zabbix_agentd' and user managed 'zabbix_agentd_user' which is included in the backup - Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/backup/includes/zabbix_agentd | 4 ++-- config/rootfiles/packages/zabbix_agentd | 3 ++- config/zabbix_agentd/sudoers | 14 ++++---------- config/zabbix_agentd/sudoers_user | 16 ++++++++++++++++ lfs/zabbix_agentd | 4 +++- src/paks/zabbix_agentd/update.sh | 22 ++++++++++++++++++---- 6 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 config/zabbix_agentd/sudoers_user
diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index 4be365297..834766992 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,5 +1,5 @@ -/etc/sudoers.d/zabbix +/etc/sudoers.d/zabbix_agentd_user /etc/zabbix_agentd/zabbix_agentd.conf /etc/zabbix_agentd/scripts/ /etc/zabbix_agentd/zabbix_agentd.d/ -/usr/lib/zabbix/ +/usr/lib/zabbix/ \ No newline at end of file diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index c6e0c5634..b5325c636 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -1,6 +1,7 @@ etc/logrotate.d/zabbix_agentd etc/rc.d/init.d/zabbix_agentd -etc/sudoers.d/zabbix +etc/sudoers.d/zabbix_agentd +etc/sudoers.d/zabbix_agentd_user etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..cb4263ff6 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -1,17 +1,11 @@ # Include file for sudoers file # -# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) -# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# This is needed for some IPFire specific userparameters to be able to execute commands that only run as root (using sudo) # -# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# DO NOT CHANGE THIS FILE. This file is managed by IPFire, will be overwritten on next addon upgrade and is not +# included in the backup. # -# Some hints: -# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file, -# you might end up locking yourself out of your system! -# - Append the full path incl. parameters to each command, using "," as separator. -# - Only add commands you really need. Zabbix should not have more rights than it has to. -# -# Append / edit the following list of commands to fit your needs: +# To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status diff --git a/config/zabbix_agentd/sudoers_user b/config/zabbix_agentd/sudoers_user new file mode 100644 index 000000000..61cbc417b --- /dev/null +++ b/config/zabbix_agentd/sudoers_user @@ -0,0 +1,16 @@ +# Include file for sudoers file +# +# This is needed for some userparameters to be able to execute commands that only run as root (using sudo) +# e.g. /usr/bin/openssl or /usr/sbin/smartctl +# +# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH! +# +# Some hints: +# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file, +# you might end up locking yourself out of your system! +# - Append the full path incl. parameters to each command, using "," as separator. +# - Only add commands you really need. Zabbix should not have more rights than it has to. +# +# Uncomment the following line and edit the example of commands to fit your needs: + +#zabbix ALL=(ALL) NOPASSWD: <custom command 1>, <custom command 2>, ... diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 025a0f0db..f8fbdae5e 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -124,7 +124,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers \ - /etc/sudoers.d/zabbix + /etc/sudoers.d/zabbix_agentd + install -v -m 640 $(DIR_SRC)/config/zabbix_agentd/sudoers_user \ + /etc/sudoers.d/zabbix_agentd_user
# Install include file for backup install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 68bba4f80..a41e72ab4 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -22,11 +22,25 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Check if old sudoers file exists and remove if it was not modified +# or rename to the new zabbix_agentd_user file if it was. +if [ -f /etc/sudoers.d/zabbix.user ]; then + mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix +fi + +if [ -f /etc/sudoers.d/zabbix ]; then + blake2=$(b2sum /etc/sudoers.d/zabbix | cut -f1 -d" ") + # from commits 5737a22 & 06fc617 + if [ "$blake2" == "b0f73b107fd3842efc7ef3e30f6d948235aa07d533715476c2d3f58c08379193fdde9ff69aa6e0f5eb6cf4a98b2ed2a6f003f23078a57aff239b34cc29e62a98" ] || \ + [ "$blake2" == "0628c416a1f217b0962a8ce6d1e339bdb0f0427d86fc06b2e40b63487ffc1a3543562d16f7f954d7fb92cee9764f0261c1663a39dd50bc73fd9b772575c56cfc" ]; then + rm -vf /etc/sudoers.d/zabbix + else + mv -v /etc/sudoers.d/zabbix /etc/sudoers.d/zabbix_agentd_user + fi +fi + extract_backup_includes ./uninstall.sh ./install.sh
-# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix -if [ -e /etc/sudoers.d/zabbix.user ]; then - mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix -fi
- Change zabbix_agentd.conf during install to only listen on the GREEN ip by default.
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/zabbix_agentd/zabbix_agentd.conf | 3 +++ src/paks/zabbix_agentd/install.sh | 10 ++++++++++ 2 files changed, 13 insertions(+)
diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index e1aafc584..4480e43f2 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -13,6 +13,9 @@ Server=127.0.0.1 ServerActive=127.0.0.1
+# List of comma delimited IP addresses that the agent should listen on. +ListenIP=GREEN_ADDRESS + # This line activates IPFire specific userparameters. # See IPFire wiki for details. # To deactivate them: Comment this line out. diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 3ffff10c1..80632d1ec 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -77,4 +77,14 @@ if [ $? -eq 1 ]; then echo "Include=/var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf" >> /etc/zabbix_agentd/zabbix_agentd.conf fi
+# By default, only listen on GREEN +( + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) + if [ -n "${GREEN_ADDRESS}" ]; then + sed -i -e "s|ListenIP=GREEN_ADDRESS|ListenIP=${GREEN_ADDRESS}|g" /etc/zabbix_agentd/zabbix_agentd.conf + else + sed -i -e "|ListenIP=GREEN_ADDRESS|d" /etc/zabbix_agentd/zabbix_agentd.conf + fi +) || : + start_service --background ${NAME}
Provide IPFire specific items for the Zabbix server to monitor: - ipfire.net.gateway.pingtime: Internet Line Quality - ipfire.net.gateway.ping: Internet connection - ipfire.net.fw.hits.raw: JSON formatted list of Firewall hits/chain - ipfire.dhcpd.clients: Number of active DHCP leases - ipfire.captive.clients: Number of Captive Portal clients
Signed-off-by: Robin Roevens robin.roevens@disroot.org --- config/rootfiles/packages/zabbix_agentd | 1 + config/zabbix_agentd/sudoers | 2 +- config/zabbix_agentd/userparameter_ipfire.conf | 12 ++++++++++++ lfs/zabbix_agentd | 5 ++++- 4 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 config/zabbix_agentd/userparameter_ipfire.conf
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index b5325c636..6f2c831d7 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -20,4 +20,5 @@ var/ipfire/zabbix_agentd var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf #var/log/zabbix diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index cb4263ff6..2d71ae78f 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -8,4 +8,4 @@ # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf new file mode 100644 index 000000000..10c09c25d --- /dev/null +++ b/config/zabbix_agentd/userparameter_ipfire.conf @@ -0,0 +1,12 @@ +# Parameters for monitoring IPFire specific metrics +# +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +# Internet Gateway availability, can be used to check Internet connection +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +# Firewall Filter Forward chain drops in bytes/chain (JSON), can be used for discovery of firewall chains and monitoring of firewall hits on each chain +UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/* DROP_.* */$" | awk 'BEGIN { ORS = ""; print "["} { printf "%s{"chain": "%s", "bytes": "%s"}", separator, substr($11, 6), $2; separator = ", "; } END { print"]" }' +# Number of currently Active DHCP leases +UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l +# Number of Captive Portal clients +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index f8fbdae5e..73c5dc0b6 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -35,7 +35,8 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = + +DEPS = fping
SERVICES = zabbix_agentd
@@ -107,6 +108,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_pakfire.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
# Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix
Hello Robin,
I trust you that everything has been addressed.
I think this is ready to be merged.
Great work!
-Michael
On 30 Jun 2022, at 11:15, Robin Roevens robin.roevens@disroot.org wrote:
Hi all
A renewal of this patchset, now for zabbix_agentd 6.0.6, the latest LTS version at the moment.
Except for the version nothing has changed in this set since my previous submission. So please see https://lists.ipfire.org/pipermail/development/2022-March/012624.html for the summary of this patch set.
Hopefully this can be included in Core 170?..
Regards
Robin Roevens
-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.
Hello Robin,
Hello Robin,
I trust you that everything has been addressed.
I think this is ready to be merged.
I just did so, and that series now landed in "next": https://git.ipfire.org/?p=ipfire-2.x.git;a=search;h=refs/heads/next;s=Robin+... You will see the changes being released with Core Update 170.
Apologies for the tardy process on our end, and thanks for being both patient and persistent. In the future, please continue to prod and poke at us to keep things moving. :-)
All the best, Peter Müller
Great work!
-Michael
On 30 Jun 2022, at 11:15, Robin Roevens robin.roevens@disroot.org wrote:
Hi all
A renewal of this patchset, now for zabbix_agentd 6.0.6, the latest LTS version at the moment.
Except for the version nothing has changed in this set since my previous submission. So please see https://lists.ipfire.org/pipermail/development/2022-March/012624.html for the summary of this patch set.
Hopefully this can be included in Core 170?..
Regards
Robin Roevens
-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.
On 6 Jul 2022, at 11:11, Peter Müller peter.mueller@ipfire.org wrote:
Hello Robin,
Hello Robin,
I trust you that everything has been addressed.
I think this is ready to be merged.
I just did so, and that series now landed in "next": https://git.ipfire.org/?p=ipfire-2.x.git;a=search;h=refs/heads/next;s=Robin+... You will see the changes being released with Core Update 170.
Apologies for the tardy process on our end, and thanks for being both patient and persistent. In the future, please continue to prod and poke at us to keep things moving. :-)
*hands over a big stick for better poking*
All the best, Peter Müller
Great work!
-Michael
On 30 Jun 2022, at 11:15, Robin Roevens robin.roevens@disroot.org wrote:
Hi all
A renewal of this patchset, now for zabbix_agentd 6.0.6, the latest LTS version at the moment.
Except for the version nothing has changed in this set since my previous submission. So please see https://lists.ipfire.org/pipermail/development/2022-March/012624.html for the summary of this patch set.
Hopefully this can be included in Core 170?..
Regards
Robin Roevens
-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.
Hi
Thanks for the merging and the stick. I will make good use of it!
Regards Robin
Michael Tremer michael.tremer@ipfire.org schreef op 6 juli 2022 12:20:59 CEST:
On 6 Jul 2022, at 11:11, Peter Müller peter.mueller@ipfire.org wrote:
Hello Robin,
Hello Robin,
I trust you that everything has been addressed.
I think this is ready to be merged.
I just did so, and that series now landed in "next": https://git.ipfire.org/?p=ipfire-2.x.git;a=search;h=refs/heads/next;s=Robin+... You will see the changes being released with Core Update 170.
Apologies for the tardy process on our end, and thanks for being both patient and persistent. In the future, please continue to prod and poke at us to keep things moving. :-)
*hands over a big stick for better poking*
All the best, Peter Müller
Great work!
-Michael
On 30 Jun 2022, at 11:15, Robin Roevens robin.roevens@disroot.org wrote:
Hi all
A renewal of this patchset, now for zabbix_agentd 6.0.6, the latest LTS version at the moment.
Except for the version nothing has changed in this set since my previous submission. So please see https://lists.ipfire.org/pipermail/development/2022-March/012624.html for the summary of this patch set.
Hopefully this can be included in Core 170?..
Regards
Robin Roevens
-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.
-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.
-
Michael Tremer -
Peter Müller -
Robin Roevens