opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

net-mgmt/zabbix-agent: replace EnableRemoteCommands with AllowKey/DenyKey #1978

Closed fraenki closed 2 years ago

fraenki commented 4 years ago

In Zabbix 5 EnableRemoteCommands is deprecated, we should migrate to AllowKey/DenyKey:

https://www.zabbix.com/documentation/5.0/manual/installation/upgrade_notes_500#configuration_parameters

Taomyn commented 3 years ago

While we wait for a fix, is there any way to manually add "AllowKey=system.run[*]" to the agent config? I can see there's an "Advanced" tab in the OPNsense GUI but I'm not sure what that's all about.

fraenki commented 3 years ago

@Taomyn What exactly isn't working? The old commands still work as expected, Zabbix just added a warning message, but the functionality hasn't changed.

Taomyn commented 3 years ago

> @Taomyn What exactly isn't working? The old commands still work as expected, Zabbix just added a warning message, but the functionality hasn't changed.

Going by the Windows v5 agents (1 and 2) the deprecated command is exactly that and no longer works. I had to add the AllowKey to all my agents even though the old one was enabled with the old command. More annoyingly the MSI upgrade from 5.2.4 to 5.2.5 hasn't been updated for the new keys so they got wiped on the one server I tested it on.

Back to the "why?", I was trying to run a script that calls an executable on the firewall which was originally being submitted by PRTG via SSH. When I applied it to run through the Zabbix agent I kept getting "Access denied" when the script tried to run the executable - this is why I thought it was the AllowKey blocking the run command. Even enabling the "root" option on the Zabbix plugin did not help, but it turned out to be something more simple. The Zabbix user did not have a home directory and the executable needed to write something there. Once I enabled a home directory for the account it started to work, and all I needed to do was convert the output format so that the XML data was compatible with Zabbix. FYI, it's a SpeedTest script using Ookla's command-line executable for FreeBSD, that is then run across 5 specific servers and also calculates the average.

fraenki commented 3 years ago

If a feature is deprecated it means that it is still working in this version, but it will be removed in a future version. That's all I know. I will add the new command when I have the time to do so. Everyone is free to contribute and submit a PR.

> Going by the Windows v5 agents (1 and 2) the deprecated command is exactly that and no longer works. [...] More annoyingly the MSI upgrade from 5.2.4 [...]

It may have been removed in version 5.2, but OPNsense still uses Zabbix Agent 5.0.

Taomyn commented 3 years ago

> Everyone is free to contribute and submit a PR.

I'd love to but I have no clue where to start, my only experience is with using VSCode with Github Desktop to maintain a fork of Marlin for my 3D printer, and then it's mostly all configuration stuff.

fraenki commented 2 years ago

The deprecated option EnableRemoteCommands will be replaced with AllowKey/DenyKey in the upcoming os-zabbix-agent 1.10.
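
An added example, not part of the thread or of the os-zabbix-agent plugin: a Python check that reads agent config text and reports whether it still permits arbitrary `system.run` commands, comparing the legacy flag with a narrow AllowKey/DenyKey pair. It assumes the first-match rule order and the implicit trailing `DenyKey=system.run[*]` described in the Zabbix 5.0 documentation, treats `EnableRemoteCommands` as the equivalent `system.run[*]` rule at its position, and approximates key wildcards with a plain `*` glob; the sample configs and the script path are constructed.

```python
import re

# Constructed sample configs; the script path is hypothetical.
LEGACY = "EnableRemoteCommands=1\n"
MIGRATED = """\
# permit one script, refuse every other remote command
AllowKey=system.run[/usr/local/bin/speedtest.sh]
DenyKey=system.run[*]
"""

def load_rules(conf_text):
    """Return ordered (action, pattern) rules from agent config text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == "AllowKey":
            rules.append(("allow", value))
        elif name == "DenyKey":
            rules.append(("deny", value))
        elif name == "EnableRemoteCommands":
            # Assumption: the legacy flag acts as the matching system.run[*] rule.
            rules.append(("allow" if value == "1" else "deny", "system.run[*]"))
    return rules

def key_matches(pattern, key):
    """Simplified wildcard match: '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key, re.DOTALL) is not None

def is_allowed(rules, key):
    """First matching rule wins; system.run[*] is denied when nothing matches."""
    for action, pattern in rules + [("deny", "system.run[*]")]:
        if key_matches(pattern, key):
            return action == "allow"
    return True  # all other keys are allowed by default

def allows_arbitrary_commands(conf_text):
    """True when the config lets the server run a command nobody listed."""
    return is_allowed(load_rules(conf_text), "system.run[unlisted-probe-command]")

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, "allows arbitrary commands:", allows_arbitrary_commands(conf))
```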