[ZBXNEXT-4737] zabbix-agent RPM for Centos 7 should provide a service for firewalld Created: 2018 Sep 14 Updated: 2024 Apr 10 Resolved: 2023 Jan 26 |
|
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Agent (G), Packages (C) |
Affects Version/s: | 3.4.14 |
Fix Version/s: | None |
Type: | Change Request | Priority: | Trivial |
Reporter: | Krzysztof Hajdamowicz | Assignee: | Juris Lambda |
Resolution: | Fixed | Votes: | 0 |
Labels: | agent, trivial | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
CentOS Linux release 7.5.1804 |
Attachments: | zabbix-agent.xml zabbix-java-gateway.xml zabbix-trapper.xml |
Epic Link: | DEV-680 |
Team: | Team B |
Sprint: | Sprint 45, Sprint 46, Nov 2018, Sprint 47, Dec 2018, Sprint 92 (Sep 2022), Sprint 93 (Oct 2022), Sprint 94 (Nov 2022), Sprint 95 (Dec 2022), Sprint 96 (Jan 2023) |
Description |
Hello, Official zabbix-agent package from official repo lacks definition of zabbix-agent service for FirewallD that is shipped by default in RHEL-based systems. There's docs on that: https://firewalld.org/documentation/howto/add-a-service.html |
Comments |
Comment by dimir [ 2018 Oct 17 ] |
Do you think this will be enough:

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Zabbix server</short>
      <description>Zabbix server with MySQL or MariaDB database support.</description>
      <port port="10051" protocol="tcp"/>
    </service>
Comment by Alexey Pustovalov [ 2018 Oct 17 ] |
Looks like it is completely enough. These files are official:

    [root@centos dotneft]# cat /usr/lib/firewalld/services/nrpe.xml
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>NRPE</short>
      <description>NRPE allows you to execute Nagios plugins on a remote host in as transparent a manner as possible.</description>
      <port protocol="tcp" port="5666"/>
    </service>
    [root@centos dotneft]# cat /usr/lib/firewalld/services/syslog.xml
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>syslog</short>
      <description>Syslog is a client/server protocol: a logging application transmits a text message to the syslog receiver. The receiver is commonly called syslogd, syslog daemon or syslog server.</description>
      <port protocol="udp" port="514"/>
    </service>

Also I suppose name could be like we already have:

    cat /etc/services | grep -i zabbix
    zabbix-agent 10050/tcp # Zabbix Agent
    zabbix-agent 10050/udp # Zabbix Agent
    zabbix-trapper 10051/tcp # Zabbix Trapper
    zabbix-trapper 10051/udp # Zabbix Trapper
Comment by Alexey Pustovalov [ 2018 Oct 17 ] |
dimir Your description is not quite good. It is not Zabbix server port only. It is Zabbix trapper port. So we need to use some general descriptions, like you see in my comment above. |
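An added example, not part of the original thread and not Zabbix or firewalld code: a Python check that parses a firewalld service definition and compares each port it would open with the name registered for that port in /etc/services, which is the comparison made in the two comments above. The embedded XML and /etc/services lines are the ones quoted in this thread; the function names and the `file_stem` parameter are hypothetical.

```python
import xml.etree.ElementTree as ET

# Sample input embedded for an offline run: the service definition and the
# /etc/services lines quoted in the comments above.
SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Zabbix server</short>
  <description>Zabbix server with MySQL or MariaDB database support.</description>
  <port port="10051" protocol="tcp"/>
</service>"""
ETC_SERVICES = """\
zabbix-agent 10050/tcp # Zabbix Agent
zabbix-agent 10050/udp # Zabbix Agent
zabbix-trapper 10051/tcp # Zabbix Trapper
zabbix-trapper 10051/udp # Zabbix Trapper
"""

def parse_firewalld_service(xml_text):
    """Return (short name, [(port, protocol), ...]) for one service file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = []
    for el in root.findall("port"):
        port, proto = el.get("port", ""), el.get("protocol", "")
        if proto not in ("tcp", "udp", "sctp", "dccp"):
            raise ValueError(f"unexpected protocol {proto!r}")
        ports.append((port, proto))
    return (root.findtext("short") or "").strip(), ports

def parse_etc_services(text):
    """Map (port, protocol) to the first name registered for it."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop the trailing comment
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            names.setdefault((port, proto), fields[0])
    return names

def audit(file_stem, xml_text, services_text):
    """List each port the definition opens and whether file_stem is its registered name."""
    short, ports = parse_firewalld_service(xml_text)
    registry = parse_etc_services(services_text)
    return short, [
        {"port": "/".join(key), "registered": registry.get(key),
         "name_matches": registry.get(key) == file_stem}
        for key in ports
    ]
```

Calling `audit("zabbix-server", SERVICE_XML, ETC_SERVICES)` reports that 10051/tcp is registered as `zabbix-trapper`, so a file named `zabbix-server.xml` does not match the registered name while `zabbix-trapper.xml` does.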
Comment by dimir [ 2018 Oct 18 ] |
Could be. I just pulled this one from our packages. |
Comment by dimir [ 2018 Oct 18 ] |
Open question: should we open the ports in the firewall right after installation? The reason for not opening: the component could be meant for use in active mode. |
Comment by Krzysztof Hajdamowicz [ 2018 Oct 18 ] |
IMHO, It's sufficient to call a service zabbix-server that allows zbxsrv to listen for everything it needs and make a service zabbix-agent that allows for listening on 10050. |
Comment by Krzysztof Hajdamowicz [ 2018 Oct 18 ] |
@dimir:
IMO, no, You shouldn't enable service in firewalld during postinstall. They just should be installed and firewalld reloaded, not activated. |
Comment by dimir [ 2018 Oct 19 ] |
From these instructions, do you mean that %firewalld_reload will enable the usage of the files but not actually open ports? And I suppose we should also reload it after uninstallation:

    %postun
    %firewalld_reload
Comment by Krzysztof Hajdamowicz [ 2018 Oct 26 ] |
Yes, you are right. Just like it's stated in those docs (https://en.opensuse.org/Firewalld/RPM_Packaging) |
Comment by Juris Lambda [ 2022 Sep 09 ] |
While fact gathering, I came to find that the firewalld project started shipping service configuration files for Zabbix almost 5 years ago. There are a few nits I have with their package, namely:
Besides that, the only questions that need to be resolved are:
|
Comment by dimir [ 2022 Sep 22 ] |
Looks like the files have reached major distributions:

Debian

    $ cat /etc/debian_version
    11.3
    $ dpkg -l firewalld | grep ^ii
    ii firewalld 0.9.3-2 all dynamically managed firewall with support for network zones

RedCap

    # cat /etc/redhat-release
    CentOS Stream release 9
    # rpm -q firewalld
    firewalld-1.0.0-2.el9.noarch

Both have these:

/usr/lib/firewalld/services/zabbix-agent.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Zabbix Agent</short>
      <description>Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.</description>
      <port protocol="tcp" port="10050"/>
    </service>

/usr/lib/firewalld/services/zabbix-server.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Zabbix Server</short>
      <description>Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.</description>
      <port protocol="tcp" port="10051"/>
    </service>

So I propose to do nothing here and close "Won't Fix". |
Comment by Krzysztof Hajdamowicz [ 2022 Sep 22 ] |
Great job! |
Comment by Juris Lambda [ 2022 Sep 28 ] |
Internally, we decided to submit a PR to the firewalld project with a few changes to the existing service configurations and additions of configurations for the Java Gateway and Web Service services. I've prepared the patches for submitting and have requested that radix adds my GitHub account to the Zabbix organization to avoid creating another account. Once that is done, I'll open an issue ticket in the firewalld project with a PR and request for comments to see if they're fine with making the changes. Depending on the feedback, they'll either get merged, or worst case - we'll include these as overrides in the respective component packages that we distribute ourselves. Leaving the ticket in NEED INFO state for now. |
Comment by Juris Lambda [ 2023 Jan 05 ] |
A pull request has been submitted to the firewalld GitHub issues, #1072, to update their service configurations for Zabbix components. Awaiting feedback. EDIT: January 25th, 2023: The pull request hasn't received any comments since submission, so I commented on the issue to remind about it and ask for any feedback. |
Comment by Juris Lambda [ 2023 Jan 26 ] |
The Pull Request has been merged! Thank you everyone for contributing configurations, discussion ideas and opinions! It took us 5 years, but we've made this happen together! CLOSING. |
Comment by Krzysztof Hajdamowicz [ 2023 Jan 26 ] |
I can't remember how I found this Jira 5 years ago, but I'm so proud of You all that this epic journey came to the end! |