Apr 03 2021
 

snmpd can be a royal pain to configure. I got my hints from Ryan Steinmetz, the maintainer for the FreeBSD port.

Lately, net-snmp has changed how net-snmp-config works.

In this post:

  • FreeBSD 12.2
  • net-snmp-5.9_3,1

Compare my hints with the following, run today with net-snmp-5.9_3,1:

[dan@nginx01:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'secret123' -X secret123 roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "secret123" AES "secret123"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting
touch: /snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: No such file or directory
[dan@nginx01:~] $ 

Why does it need /snmp/snmpd.conf?

OK, I’ll play your silly game.

[dan@nginx01:~] $ sudo mkdir /snmp

Let’s try the config again:

[dan@nginx01:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'secret123' -X secret123 roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "secret123" AES "secret123"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting

Now, let’s move the file to the expected location:

sudo mv /snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf

Let’s start and try a connection:

[dan@nginx01:~] $ sudo service snmpd start
Starting snmpd.
[dan@nginx01:~] $ snmpwalk -v3 -l authPriv -u roTesting -a SHA -A 'secret123' -x AES -X 'secret123' udp:10.130.0.80 HOST-RESOURCES-MIB::hrSystemNumUsers
HOST-RESOURCES-MIB::hrSystemNumUsers = No Such Object available on this agent at this OID
[dan@nginx01:~] $ 

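Success! The agent accepted the SNMPv3 credentials and answered; the No Such Object reply only means this OID is not available on this agent.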

The fix

I think this patch against net-mgmt/net-snmpd/Makefile is the fix:

@@ -62,6 +62,7 @@
 		--with-persistent-directory="${NET_SNMP_PERSISTENTDIR}" \
 		--with-gnu-ld --without-libwrap \
 		--with-ldflags="-lm -lkvm -ldevstat -L${PKG_PREFIX}/lib -L${LOCALBASE}/lib ${LCRYPTO}"
+CONFIGURE_ARGS+=--datadir=${PREFIX}/share
 SUB_FILES=	pkg-message
 
 .if !defined(WITHOUT_SSP)
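
Review bot: The added CONFIGURE_ARGS+=--datadir=${PREFIX}/share line has no comment explaining why datadir must be passed explicitly, and it is written without whitespace after += while the neighbouring SUB_FILES= line uses a tab. Suggest a one-line comment above it (for example, that net-snmp-create-v3-user otherwise writes to /snmp/snmpd.conf), and either matching the tab style or folding the flag into the continued argument list above by adding a trailing backslash to the --with-ldflags line.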

Trouble with FreeBSD jails

I’m sure this isn’t specific to FreeBSD jails: if you are trying to configure the host, you must stop snmpd in the jail[s] first.

Example:

[dan@aws-1:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted'  -X 'redacted' roTesting
Apparently at least one snmpd demon is already running.
You must stop them in order to use this command.

This host is running a few jails:

[dan@aws-1:~] $ jls
   JID  IP Address      Hostname        Path
     2  127.163.0.25    mx-ingress04   /jails/mx-ingress04
     4  127.163.0.10    ingress01      /jails/ingress01
     5  127.163.0.80    nginx01        /jails/nginx01
[dan@aws-1:~] $ 

Yes, one of those jails is running an instance of snmpd.

[dan@aws-1:~] $ ps auwwx | grep snmpd
root        8959   0.0  0.4  28368 14468  -  SJ   11:59     0:00.58 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -c /usr/local/etc/snmpd.conf -a -r
dan        21691   0.0  0.1  11396  2228  1  S+   13:00     0:00.00 grep snmpd
[dan@aws-1:~] $ 

What is net-snmp-config doing?

[dan@aws-1:~] $ sudo sh -x /usr/local/bin/net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted'  -X 'redacted' roTesting
+ prefix=/usr/local
+ exec_prefix=/usr/local
+ includedir=/usr/local/include
+ libdir=/usr/local/lib
+ echo /usr/local/share
+ NSC_LDFLAGS='-L/usr/lib -lm -lkvm -ldevstat -L/lib -L/usr/local/lib '
+ NSC_LIBS='-lelf -lpkg -lssp_nonshared -lregex'
+ NSC_LNETSNMPLIBS='  -lcrypto'
+ NSC_LAGENTLIBS='   -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE'
+ NSC_LMIBLIBS=''
+ NSC_INCLUDEDIR=/usr/local/include
+ NSC_LIBDIR=-L/usr/local/lib
+ NSC_SNMPLIBS='-lnetsnmp   -lcrypto'
+ NSC_SUBAGENTLIBS='-lnetsnmpagent    -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE -lnetsnmp   -lcrypto'
+ NSC_AGENTLIBS='-lnetsnmpmibs  -lnetsnmpagent    -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE -lnetsnmp   -lcrypto'
+ NSC_PREFIX=/usr/local
+ NSC_EXEC_PREFIX=/usr/local
+ NSC_SRCDIR=.
+ NSC_INCDIR=/usr/local/include
+ NSC_BASE_SNMP_LIBS=-lnetsnmp
+ NSC_BASE_SUBAGENT_LIBS='-lnetsnmpagent -lnetsnmp'
+ NSC_BASE_AGENT_LIBS='-lnetsnmpmibs -lnetsnmpagent -lnetsnmp'
+ NSC_SRC_LIBDIRS='agent/.libs snmplib/.libs'
+ NSC_SRC_LIBDEPS='agent/.libs/libnetsnmpmibs.a agent/.libs/libnetsnmpagent.a snmplib/.libs/libnetsnmp.a'
+ test x. '=' x.
+ NSC_SRCDIR=NET-SNMP-SOURCE-DIR
+ test x--create-snmpv3-user '=' x
+ test x '=' x -a x--create-snmpv3-user '!=' x -a x '!=' xyes
+ optarg=''
+ unset shifted
+ done=1
+ shift
+ net-snmp-create-v3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
Apparently at least one snmpd demon is already running.
You must stop them in order to use this command.
+ exit 1
[dan@aws-1:~] $ which net-snmp-create-v3-user
/usr/local/bin/net-snmp-create-v3-user
[dan@aws-1:~] $ file /usr/local/bin/net-snmp-create-v3-user
/usr/local/bin/net-snmp-create-v3-user: POSIX shell script, ASCII text executable
[dan@aws-1:~] $ grep ps /usr/local/bin/net-snmp-create-v3-user
if /bin/ps acx | egrep ' snmpd *$' > /dev/null 2>&1 ; then
[dan@aws-1:~] $ 

net-snmp-create-v3-user is the guilty code.

OK, I’ll play your stupid game. Let me stop the jail instance.

[dan@nginx01:~] $ sudo service snmpd stop
Stopping snmpd.
Waiting for PIDS: 8959.
[dan@nginx01:~] $ 

And we’re back to this:

[dan@aws-1:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted'  -X 'redacted' roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "redacted" AES "redacted"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting
touch: /snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: No such file or directory

The solution: use -J 0, which limits the ps listing to host processes, as documented at man 1 ps.

I have tested this locally:

[dan@aws-1:~] $ head /usr/local/bin/net-snmp-create-v3-user
#!/bin/sh
#
# $Id$
#
# this shell script is designed to add new SNMPv3 users
# to Net-SNMP config file.

if /bin/ps acx -J 0 | egrep ' snmpd *$' > /dev/null 2>&1 ; then
    echo "Apparently at least one snmpd demon is already running."
    echo "You must stop them in order to use this command."
[dan@aws-1:~] $ 


[dan@aws-1:~] $ sudo /usr/local/bin/net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted'  -X 'redacted' roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser snmpd.conf SHA "redacted" AES "redacted"
adding the following line to /snmp/snmpd.conf:
   rouser snmpd.conf

I’ve sent in a patch via https://github.com/net-snmp/net-snmp/issues/280
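
The host-versus-jail distinction behind that change, as an added example that is not from net-snmp or part of the patch: it parses `ps -axo jid,pid,comm` output (jid is the FreeBSD ps keyword for the jail ID) and shows why the unscoped pattern fires when only a jailed snmpd exists. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: tell host snmpd processes apart from jailed ones.
# Assumed input: the output of `ps -axo jid,pid,comm` on FreeBSD.

# Constructed sample modelled on the post: one snmpd, inside jail 5.
SAMPLE_PS='JID   PID COMMAND
  0     1 init
  0   812 sshd
  5  8959 snmpd
  5  9011 nginx
  2  7710 master'

# Same pattern as the unscoped test in net-snmp-create-v3-user:
# matches snmpd in any jail (grep -E is equivalent to egrep).
unscoped_check() {
    grep -E ' snmpd *$' > /dev/null 2>&1
}

# Print "jid pid" for every snmpd process in the listing on stdin.
snmpd_by_jail() {
    awk 'NR > 1 && $3 == "snmpd" { print $1, $2 }'
}

# Succeed only if an snmpd process with JID 0 (the host) is present.
host_snmpd_running() {
    snmpd_by_jail | awk '$1 == 0 { found = 1 } END { exit !found }'
}

# Run both checks over a listing and say where snmpd actually lives.
report() {
    if printf '%s\n' "$1" | unscoped_check; then
        echo "unscoped check: snmpd found (host or jail)"
    fi
    if printf '%s\n' "$1" | host_snmpd_running; then
        echo "host check: snmpd is running on the host"
    else
        echo "host check: no host snmpd; jailed instances:"
        printf '%s\n' "$1" | snmpd_by_jail | sed 's/^/  jid pid: /'
    fi
}

report "$SAMPLE_PS"
```

On a live host, feed it real data with `ps -axo jid,pid,comm | host_snmpd_running`.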
