* Fix path to fping and use fping as fping6
* For privacy, disable call to public API to check for Zabbix version update
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
When we updated the zabbix agent to use username zabbix-agent
we neglected to update ubus acls for zabbix-extra-network.
Therefore update the username for the network and wifi acls.
Will close#29058 once backported to 25.12.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
As noted in #28709 OpenWrt contains CONFIG_
symbols for Zabbix even when no Zabbix package is selected.
This fixes and Closes#28709.
We add a 'guard' symbol for the menus and choices so the only
generate CONFIG symbols when 'Enable Zabbix'
(CONFIG_ZABBIX_ENABLE_ZABBIX) is selected.
We also make all the Zabbix packages depend on this symbol,
for consistency.
This operates much as the pseudo-package solution, but without
a pseudo-package required.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Rather than having a database selection for SQLITE which prevents
the server or frontend from building, we add a 'basic'
variant for the proxy which uses sqlite3, and have the database
Kconfig affect only the server and frontend.
* There are now only three variants:
1. full, which is the default. It includes the full monitoring feature
set currently available on openwrt, including netsnmp, curl-based
checks, and ldap. In addition these features, plus the choice of
database and ssl provider (or no ssl) are configuration options for
this variant.
2. basic, which provides basic functions with openssl support
3. no-configure, for packages which are not part of the main Zabbix
compile process (including the WebUI which only requires copying
files for use by a web server with PHP CGI support).
* Full is the default variant for agentd and proxy, which are the only
packages with a choice between full and basic. All other packages only
are part of one variant.
* Full variants are the base version of the packages (that is
zabbix-agentd is the 'full' version while zabbix-agentd-basic is the
core version). The proxy version is named zabbix-proxy-basic-sqlite to
announce that it is using the sqlite3 database and not a database
server.
* get and sender only build if at least one of agentd, server, or proxy
are built. Therefore prevent selection get or sender when they would not
build.
* Zabbix's use of NetSNMP requires that Zabbix be build with OpenSSL
* While we are here, enable support for dates after 2038 (64-bit time_t)
* https://github.com/openwrt/packages/pull/28585#issuecomment-3984978895
* we updated the name to reflect that it is for basic functionality
that can standalone, rather then being a core the other packages
build on.
* basic has been used rather than tiny or small since the sentence
'Provides only tiny/small functionality with SSL/TLS' in the
description, sounds strange, but using basic this reads properly.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Using the php8 dependency allows use to go back to using the
+ZABBIX_POSTGRESQL:php8-mod-pgsql (and like dependency for
mysql/mariadb).
This has the benefit of being an apk dependency so the user does not
install the frontend without a php8 database module.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The log file path is hardcoded as $HOME/.local/state/btop.log, i.e. to the router’s flash storage rather than to tmpfs. This patch sets the log file path to /tmp/log/btop.log
Signed-off-by: XCas13 <xcas13@gmail.com>
We aren't using packages with the same name as the provides, so don't
use an virtual (@) provides for providing zabbix-get
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
When selecting only a package of "no-configure" build variant, e.g.
CONFIG_PACKAGE_zabbix-frontend-server=y
but not any other zabbix package, then the build fails.
The sources are not extracted and the install fails finally with:
make[4]: Entering directory '/srv/openwrt/openwrt-2.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[4]: *** No rule to make target 'install'. Stop.
make[4]: Leaving directory '/srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[3]: *** [Makefile:522: /srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22/.built] Error 2
This PR fixes this by always running the standard Prepare stage,
but skip the Install one when nothing needs to be compiled.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The error in the #24828 patch series left Kconfig recursive depedency
error on zabbix-frontend-server. We fix this by update the database
depedencies on zabbix-frontend-server. Now, you must select the PHP8
database module you want _before_ zabbix-frontend-server will be
visible in menuconfig.
This is not a big problem, because zabbix-frontend-server already
depends on having php8 slected before the frontend can be built.
Closes: #28458
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Due to package renaming the selection of database for the server and
proxy was missing from the Kconfig menu. This caused build failures for
proxy and server.
We now fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Using line continuation (\\) in GNU Make \$(foreach ...) and
\$(call ...) resulted in the install section for many of the packages
not being defined. This resulted in 'skipping [package-name] no install
section' messages and no new package being generated.
We remove the line continuation from the parts foreach and call, in
ordeer to restore compilation and creation of packages.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
In preparation for further changes, deduplicate package definitions,
and reorganize them. At the same time make use of provides to ensure
both existing names are preserved, and that it is possible to be
specific about the variant of the package one wants.
Also, condense the package conffiles, install, postinst, etc handling.
This is more maintainable (less copy and paste and less to modify).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
cspell.json was accidentally include in a previous commit, so remove it.
VARIANT is to be used in package definitions, and BUILD_VARIANT
for checking which VARIANT is currently being built. BUILD_VARIANT was
incorrectly used in a package definition, so we fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The last PR (https://github.com/openwrt/packages/pull/28370) missed
including two needed changes, and had a minor packaging Makefile
mistake.
The Zabbix Agent needs to drop privileges to the zabbix-agent user.
Similarly, if run as root (not the default), the Zabbix server needs to
drop privileges to the zabbix-server user.
There are also, in the Makefile, three instances of using BUILD_VARIANT
instead of VARIANT in package definitions.
So we fix those issues.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
For items which are only copied from the source code, avoid the
prepare, configure, and compile steps, while preserving the special
behaviour of the mac80211 addon, which has a unique prepare and
compile.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Avoid unnecessary duplication on zabbix-agentd package definitions by
using a common zabbix-agentd/Default and extending it for different
zabbix-agentd flavours.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
For security, per upstream recommendations, use a separate user for the
agent daemon and the server daemon.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Adds an initscript for zabbix_server, and related helper files
+ uses a zabbix_server uci conf to enable/disable startup
+ updates the default zabbix_server.conf to work with initscript
+ add a sysctl.d conf to set max-files more appropriate for zabbix_server
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Addresses the issue pointed out in #28165, which is that zabbix_agentd
always creates a PidFile and has no option to disable PidFile creation.
Therefore update the configuration file to default to create a PidFile
where we want it.
Close#28165
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Only show zabbix-server-frontend if the build dependency 'PACKEGE_php8' is
fulfilled. This means that 'zabbix-server-frotend' can only be selected if
PHP has also been enabled for building.
This change is needed to fix the following recursive dependency warning.
error: recursive dependency detected!
symbol PACKAGE_php8 is selected by PACKAGE_zabbix-server-frontend
symbol PACKAGE_zabbix-server-frontend depends on PHP8_DOM
symbol PHP8_DOM depends on PACKAGE_php8
For a resolution refer to Documentation/kbuild/kconfig-language.rst
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For zabbix-server-frontend, the absence of php8-mod-filter results in
many of the frontend's pages failing to render. Therefore add this
module as a frontend dependency.
Without php8-mod-openssl the frontend fails with:
[13-Dec-2025 18:47:25 UTC] PHP Fatal error: Uncaught Error: Call to
undefined function openssl_random_pseudo_bytes() in
/www/zabbix/include/classes/helpers/CEncryptHelper.php:89
Stack trace:
CEncryptHelper::generateKey()
thrown in /www/zabbix/include/classes/helpers/CEncryptHelper.php on
line 89
Therefore add php8-mod-openssl as a frontend dependency.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Updates Zabbix to 7.0.21-r1 (latest 7.0 LTS version)
Note that for the frontend, clearing browser cache, cookies and other
site data for the zabbix frontend server may be necessary.
Security fixes compared to 7.0.12 (most are frontend only):
* CVE-2025-27238: API hostprototype.get lists data to users with
insufficient authorization https://support.zabbix.com/browse/ZBX-26988
* CVE-2025-27236: User information disclosure via api_jsonrpc.php on
method user.get with param search:
https://support.zabbix.com/browse/ZBX-27060
* CVE-2025-27231: LDAP 'Bind password' field value can be leaked by a
Zabbix Super Admin: https://support.zabbix.com/browse/ZBX-27062
* CVE-2025-49641: Insufficient permission check for the
problem.view.refresh action:
https://support.zabbix.com/browse/ZBX-27063
* CVE-2025-49643: Frontend DoS vulnerability due to asymmetric
resource consumption: https://support.zabbix.com/browse/ZBX-27284
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
earlyoom checks the amount of available memory and swap at an adaptive
rate for up to 10 times per second. When both available memory and swap
are below threshold, it'll send SIGTERM or SIGKILL to the process with
the highest oom_score. Details about oom_score can be obtained at
https://man7.org/linux/man-pages/man5/proc_pid_oom_score.5.html
Signed-off-by: Alice H. <alice.hall0451+github@gmail.com>
Replace embedded ivykis with a separate package to improve
dependency management and enable library reuse.
The ivykis library now properly supports io_uring when
CONFIG_KERNEL_IO_URING is enabled.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
