* Fix path to fping and use fping as fping6
* For privacy, disable call to public API to check for Zabbix version update
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
When we updated the zabbix agent to use username zabbix-agent
we neglected to update ubus acls for zabbix-extra-network.
Therefore update the username for the network and wifi acls.
Will close#29058 once backported to 25.12.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
As noted in #28709 OpenWrt contains CONFIG_
symbols for Zabbix even when no Zabbix package is selected.
This fixes and Closes#28709.
We add a 'guard' symbol for the menus and choices so the only
generate CONFIG symbols when 'Enable Zabbix'
(CONFIG_ZABBIX_ENABLE_ZABBIX) is selected.
We also make all the Zabbix packages depend on this symbol,
for consistency.
This operates much as the pseudo-package solution, but without
a pseudo-package required.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Rather than having a database selection for SQLITE which prevents
the server or frontend from building, we add a 'basic'
variant for the proxy which uses sqlite3, and have the database
Kconfig affect only the server and frontend.
* There are now only three variants:
1. full, which is the default. It includes the full monitoring feature
set currently available on openwrt, including netsnmp, curl-based
checks, and ldap. In addition these features, plus the choice of
database and ssl provider (or no ssl) are configuration options for
this variant.
2. basic, which provides basic functions with openssl support
3. no-configure, for packages which are not part of the main Zabbix
compile process (including the WebUI which only requires copying
files for use by a web server with PHP CGI support).
* Full is the default variant for agentd and proxy, which are the only
packages with a choice between full and basic. All other packages only
are part of one variant.
* Full variants are the base version of the packages (that is
zabbix-agentd is the 'full' version while zabbix-agentd-basic is the
core version). The proxy version is named zabbix-proxy-basic-sqlite to
announce that it is using the sqlite3 database and not a database
server.
* get and sender only build if at least one of agentd, server, or proxy
are built. Therefore prevent selection get or sender when they would not
build.
* Zabbix's use of NetSNMP requires that Zabbix be build with OpenSSL
* While we are here, enable support for dates after 2038 (64-bit time_t)
* https://github.com/openwrt/packages/pull/28585#issuecomment-3984978895
* we updated the name to reflect that it is for basic functionality
that can standalone, rather then being a core the other packages
build on.
* basic has been used rather than tiny or small since the sentence
'Provides only tiny/small functionality with SSL/TLS' in the
description, sounds strange, but using basic this reads properly.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Using the php8 dependency allows use to go back to using the
+ZABBIX_POSTGRESQL:php8-mod-pgsql (and like dependency for
mysql/mariadb).
This has the benefit of being an apk dependency so the user does not
install the frontend without a php8 database module.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
We aren't using packages with the same name as the provides, so don't
use an virtual (@) provides for providing zabbix-get
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
When selecting only a package of "no-configure" build variant, e.g.
CONFIG_PACKAGE_zabbix-frontend-server=y
but not any other zabbix package, then the build fails.
The sources are not extracted and the install fails finally with:
make[4]: Entering directory '/srv/openwrt/openwrt-2.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[4]: *** No rule to make target 'install'. Stop.
make[4]: Leaving directory '/srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[3]: *** [Makefile:522: /srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22/.built] Error 2
This PR fixes this by always running the standard Prepare stage,
but skip the Install one when nothing needs to be compiled.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The error in the #24828 patch series left Kconfig recursive depedency
error on zabbix-frontend-server. We fix this by update the database
depedencies on zabbix-frontend-server. Now, you must select the PHP8
database module you want _before_ zabbix-frontend-server will be
visible in menuconfig.
This is not a big problem, because zabbix-frontend-server already
depends on having php8 slected before the frontend can be built.
Closes: #28458
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Due to package renaming the selection of database for the server and
proxy was missing from the Kconfig menu. This caused build failures for
proxy and server.
We now fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Using line continuation (\\) in GNU Make \$(foreach ...) and
\$(call ...) resulted in the install section for many of the packages
not being defined. This resulted in 'skipping [package-name] no install
section' messages and no new package being generated.
We remove the line continuation from the parts foreach and call, in
ordeer to restore compilation and creation of packages.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
In preparation for further changes, deduplicate package definitions,
and reorganize them. At the same time make use of provides to ensure
both existing names are preserved, and that it is possible to be
specific about the variant of the package one wants.
Also, condense the package conffiles, install, postinst, etc handling.
This is more maintainable (less copy and paste and less to modify).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
cspell.json was accidentally include in a previous commit, so remove it.
VARIANT is to be used in package definitions, and BUILD_VARIANT
for checking which VARIANT is currently being built. BUILD_VARIANT was
incorrectly used in a package definition, so we fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The last PR (https://github.com/openwrt/packages/pull/28370) missed
including two needed changes, and had a minor packaging Makefile
mistake.
The Zabbix Agent needs to drop privileges to the zabbix-agent user.
Similarly, if run as root (not the default), the Zabbix server needs to
drop privileges to the zabbix-server user.
There are also, in the Makefile, three instances of using BUILD_VARIANT
instead of VARIANT in package definitions.
So we fix those issues.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
For items which are only copied from the source code, avoid the
prepare, configure, and compile steps, while preserving the special
behaviour of the mac80211 addon, which has a unique prepare and
compile.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Avoid unnecessary duplication on zabbix-agentd package definitions by
using a common zabbix-agentd/Default and extending it for different
zabbix-agentd flavours.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
For security, per upstream recommendations, use a separate user for the
agent daemon and the server daemon.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Adds an initscript for zabbix_server, and related helper files
+ uses a zabbix_server uci conf to enable/disable startup
+ updates the default zabbix_server.conf to work with initscript
+ add a sysctl.d conf to set max-files more appropriate for zabbix_server
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Addresses the issue pointed out in #28165, which is that zabbix_agentd
always creates a PidFile and has no option to disable PidFile creation.
Therefore update the configuration file to default to create a PidFile
where we want it.
Close#28165
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Only show zabbix-server-frontend if the build dependency 'PACKEGE_php8' is
fulfilled. This means that 'zabbix-server-frotend' can only be selected if
PHP has also been enabled for building.
This change is needed to fix the following recursive dependency warning.
error: recursive dependency detected!
symbol PACKAGE_php8 is selected by PACKAGE_zabbix-server-frontend
symbol PACKAGE_zabbix-server-frontend depends on PHP8_DOM
symbol PHP8_DOM depends on PACKAGE_php8
For a resolution refer to Documentation/kbuild/kconfig-language.rst
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For zabbix-server-frontend, the absence of php8-mod-filter results in
many of the frontend's pages failing to render. Therefore add this
module as a frontend dependency.
Without php8-mod-openssl the frontend fails with:
[13-Dec-2025 18:47:25 UTC] PHP Fatal error: Uncaught Error: Call to
undefined function openssl_random_pseudo_bytes() in
/www/zabbix/include/classes/helpers/CEncryptHelper.php:89
Stack trace:
CEncryptHelper::generateKey()
thrown in /www/zabbix/include/classes/helpers/CEncryptHelper.php on
line 89
Therefore add php8-mod-openssl as a frontend dependency.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Updates Zabbix to 7.0.21-r1 (latest 7.0 LTS version)
Note that for the frontend, clearing browser cache, cookies and other
site data for the zabbix frontend server may be necessary.
Security fixes compared to 7.0.12 (most are frontend only):
* CVE-2025-27238: API hostprototype.get lists data to users with
insufficient authorization https://support.zabbix.com/browse/ZBX-26988
* CVE-2025-27236: User information disclosure via api_jsonrpc.php on
method user.get with param search:
https://support.zabbix.com/browse/ZBX-27060
* CVE-2025-27231: LDAP 'Bind password' field value can be leaked by a
Zabbix Super Admin: https://support.zabbix.com/browse/ZBX-27062
* CVE-2025-49641: Insufficient permission check for the
problem.view.refresh action:
https://support.zabbix.com/browse/ZBX-27063
* CVE-2025-49643: Frontend DoS vulnerability due to asymmetric
resource consumption: https://support.zabbix.com/browse/ZBX-27284
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The musl libc only implements POSIX basename() but provided a GNU header
kludge in <string.h>, which was removed in musl 1.2.5 [1]. Use the standard
<libgen.h> header to avoid compilation warnings like:
zabbix-6.4.7/zabbix-extra-mac80211/zabbix_helper_mac80211.c:37:11: warning:
implicit declaration of function 'basename' [-Wimplicit-function-declaration]
37 | phy = basename(phy);
| ^~~~~~~~
zabbix-6.4.7/zabbix-extra-mac80211/zabbix_helper_mac80211.c:37:9: warning:
assignment to 'char *' from 'int' makes pointer from integer without a cast
[-Wint-conversion]
37 | phy = basename(phy);
| ^
zabbix-6.4.7/zabbix-extra-mac80211/zabbix_helper_mac80211.c:38:10: warning:
assignment to 'char *' from 'int' makes pointer from integer without a cast
[-Wint-conversion]
38 | stat = basename(stat);
| ^
Link 1: https://git.musl-libc.org/cgit/musl/log/?qt=grep&q=basename
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Switch to current stable version 6.4.7.
See release notes:
https://www.zabbix.com/rn/rn6.4.7
So that the new version builds cleanly. The 'libevent2-pthreads' must be
added as dependency.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Zabbix moved the 6.2 directory from "stable" into "oldstable". This adds
the "oldstable" URL to PKG_SOURCE_URL.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This change makes it possible to build zabbix with sqlite3 support.
Attention:
By selecting "SQLite" as "Database Software" you are not able
to build the zabbix-server and zabbix-server-frontend package anymore.
This database is not supported for this service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
opkg does not offer ssl varients:
zabbix-agentd
zabbix-sender
zabbix-get
zabbix-proxy
zabbix-server
resolve this by adding ssl varients.
Signed-off-by: Scott Roberts <ttocsr@gmail.com>
If fping is not installed on the system the following message is show if
hosts should be monitored via icmp.
Log-Message:
"At least one of '/usr/sbin/fping', '/usr/sbin/fping6' must exist. Both
are missing in the system."
To fix this also, add a dependency to 'fping' for 'zabbix-server' and
'zabbix-proxy' for installation to allow icmp hosts monitoring.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Those devices don't have 'device' propery, only 'l3_device', which
causes 'attempt to concatenate field 'device' (a nil value)' lua error.
Use 'l3_device' as a fallback in this case.
Signed-off-by: Jacek Konieczny <jajcus@jajcus.net>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
