NOTE: If you are looking to configure net-mgmt/net-snmp for the first time, the latest article is Configuration of net-mgmt/net-snmp on FreeBSD.
snmpd can be a royal pain to configure. I got my hints from Ryan Steinmetz, the maintainer for the FreeBSD port.
Lately, net-snmpd has changed how net-snmp-config works.
In this post:
- FreeBSD 12.2
- net-snmp-5.9_3,1
Compare my hints with the following, run today with net-snmp-5.9_3,1:
[dan@nginx01:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'secret123' -X secret123 roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "secret123" AES "secret123"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting
touch: /snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: No such file or directory
[dan@nginx01:~] $
Why does it need /snmp/snmpd.conf?
Update 2023-02-18 – Today I see it wants /share/snmp/snmpd.conf:
[r730-01 dvl ~] % sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A '[redacted]' -X '.[redacted]' roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roMinions SHA "[redacted]" AES "[redacted]"
adding the following line to /share/snmp/snmpd.conf:
   rouser roMinions
touch: /share/snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /share/snmp/snmpd.conf: No such file or directory
OK, I’ll play your silly game.
[dan@nginx01:~] $ sudo mkdir /snmp
Update 2023-02-28 – Or, as happened today, it’s sudo mkdir -p /share/snmp/
Let’s try the config again:
[dan@nginx01:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'secret123' -X secret123 roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "secret123" AES "secret123"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting
Now, let’s move the file to the expected location:
sudo mv /snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf
Update 2023-02-28 – Or, with the more recent new directory:
[r730-01 dvl ~] % sudo mv /share/snmp/snmpd.conf /usr/local/share/snmp/snmpd.conf
[r730-01 dvl ~] %
Let’s start and try a connection:
[dan@nginx01:~] $ sudo service snmpd start
Starting snmpd.
[dan@nginx01:~] $ snmpwalk -v3 -l authPriv -u roTesting -a SHA -A 'secret123' -x AES -X 'secret123' udp:10.130.0.80 HOST-RESOURCES-MIB::hrSystemNumUsers
HOST-RESOURCES-MIB::hrSystemNumUsers = No Such Object available on this agent at this OID
[dan@nginx01:~] $
Success!
The fix
I think this patch against net-mgmt/net-snmpd/Make is the fix:
@@ -62,6 +62,7 @@ --with-persistent-directory="${NET_SNMP_PERSISTENTDIR}" \ --with-gnu-ld --without-libwrap \ --with-ldflags="-lm -lkvm -ldevstat -L${PKG_PREFIX}/lib -L${LOCALBASE}/lib ${LCRYPTO}" +CONFIGURE_ARGS+=--datadir=${PREFIX}/share SUB_FILES= pkg-message .if !defined(WITHOUT_SSP)
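Review bot: the added CONFIGURE_ARGS+=--datadir=${PREFIX}/share line has no comment saying why it is needed, and it sits as a separate assignment after the continued argument list instead of being one more entry in it. Add a one-line comment above it recording the symptom it addresses (net-snmp-create-v3-user writing the rouser line to /snmp/snmpd.conf or /share/snmp/snmpd.conf), so the argument is not dropped in a later cleanup. It is also worth confirming that ${PREFIX} is the intended variable here, since the --with-ldflags line just above uses ${PKG_PREFIX} and ${LOCALBASE}.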
Trouble with FreeBSD jails
I’m sure this isn’t specific to FreeBSD jails: if you are trying to configure the host, you must stop snmpd in the jail[s] first.
EDIT 2023-02-24 – This has been patched in the FreeBSD port. See PR 269791
Example:
[dan@aws-1:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
Apparently at least one snmpd demon is already running.
You must stop them in order to use this command.
This host is running a few jails:
[dan@aws-1:~] $ jls
   JID  IP Address      Hostname                      Path
     2  127.163.0.25    mx-ingress04                  /jails/mx-ingress04
     4  127.163.0.10    ingress01                     /jails/ingress01
     5  127.163.0.80    nginx01                       /jails/nginx01
[dan@aws-1:~] $
Yes, one of those jails is running an instance of snmpd.
[dan@aws-1:~] $ ps auwwx | grep snmpd
root     8959   0.0  0.4 28368 14468  -  SJ   11:59      0:00.58 /usr/local/sbin/snmpd -p /var/run/net_snmpd.pid -c /usr/local/etc/snmpd.conf -a -r
dan     21691   0.0  0.1 11396  2228  1  S+   13:00      0:00.00 grep snmpd
[dan@aws-1:~] $
What is net-snmp-config doing?
[dan@aws-1:~] $ sudo sh -x /us/usr/local/bin/net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
+ prefix=/usr/local
+ exec_prefix=/usr/local
+ includedir=/usr/local/include
+ libdir=/usr/local/lib
+ echo /usr/local/share
+ NSC_LDFLAGS='-L/usr/lib -lm -lkvm -ldevstat -L/lib -L/usr/local/lib '
+ NSC_LIBS='-lelf -lpkg -lssp_nonshared -lregex'
+ NSC_LNETSNMPLIBS=' -lcrypto'
+ NSC_LAGENTLIBS=' -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE'
+ NSC_LMIBLIBS=''
+ NSC_INCLUDEDIR=/usr/local/include
+ NSC_LIBDIR=-L/usr/local/lib
+ NSC_SNMPLIBS='-lnetsnmp -lcrypto'
+ NSC_SUBAGENTLIBS='-lnetsnmpagent -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE -lnetsnmp -lcrypto'
+ NSC_AGENTLIBS='-lnetsnmpmibs -lnetsnmpagent -Wl,-R/usr/local/lib/perl5/5.32/mach/CORE -lnetsnmp -lcrypto'
+ NSC_PREFIX=/usr/local
+ NSC_EXEC_PREFIX=/usr/local
+ NSC_SRCDIR=.
+ NSC_INCDIR=/usr/local/include
+ NSC_BASE_SNMP_LIBS=-lnetsnmp
+ NSC_BASE_SUBAGENT_LIBS='-lnetsnmpagent -lnetsnmp'
+ NSC_BASE_AGENT_LIBS='-lnetsnmpmibs -lnetsnmpagent -lnetsnmp'
+ NSC_SRC_LIBDIRS='agent/.libs snmplib/.libs'
+ NSC_SRC_LIBDEPS='agent/.libs/libnetsnmpmibs.a agent/.libs/libnetsnmpagent.a snmplib/.libs/libnetsnmp.a'
+ test x. '=' x.
+ NSC_SRCDIR=NET-SNMP-SOURCE-DIR
+ test x--create-snmpv3-user '=' x
+ test x '=' x -a x--create-snmpv3-user '!=' x -a x '!=' xyes
+ optarg=''
+ unset shifted
+ done=1
+ shift
+ net-snmp-create-v3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
Apparently at least one snmpd demon is already running.
You must stop them in order to use this command.
+ exit 1
[dan@aws-1:~] $ which net-snmp-create-v3-user
/usr/local/bin/net-snmp-create-v3-user
[dan@aws-1:~] $ file /us/usr/local/bin/net-snmp-create-v3-user
/usr/local/bin/net-snmp-create-v3-user: POSIX shell script, ASCII text executable
[dan@aws-1:~] $ grep ps /usr/local/bin/net-snmp-create-v3-user
if /bin/ps acx | egrep ' snmpd *$' > /dev/null 2>&1 ; then
[dan@aws-1:~] $
net-snmp-create-v3-user is the guilty code.
OK, I’ll play your stupid game. Let me stop the jail instance.
[dan@nginx01:~] $ sudo service snmpd stop
Stopping snmpd.
Waiting for PIDS: 8959.
[dan@nginx01:~] $
And we’re back to this:
[dan@aws-1:~] $ sudo net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser roTesting SHA "redacted" AES "redacted"
adding the following line to /snmp/snmpd.conf:
   rouser roTesting
touch: /snmp/snmpd.conf: No such file or directory
/usr/local/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: No such file or directory
The solution: use -J 0 as documented at man 1 ps.
I have tested this locally:
[dan@aws-1:~] $ head /usr/local/bin/net-snmp-create-v3-user
#!/bin/sh
#
# $Id$
#
# this shell script is designed to add new SNMPv3 users
# to Net-SNMP config file.

if /bin/ps acx -J 0 | egrep ' snmpd *$' > /dev/null 2>&1 ; then
    echo "Apparently at least one snmpd demon is already running."
    echo "You must stop them in order to use this command."
[dan@aws-1:~] $
[dan@aws-1:~] $ sudo /usr/local/bin/net-snmp-config --create-snmpv3-user -ro -x AES -a SHA -A 'redacted' -X 'redacted' roTesting
adding the following line to /var/net-snmp/snmpd.conf:
   createUser snmpd.conf SHA "redacted" AES "redacted"
adding the following line to /snmp/snmpd.conf:
   rouser snmpd.conf
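The difference between the stock test and the -J 0 version, as an added example that is not part of net-snmp or the FreeBSD port: it applies both filters to constructed process listings in the shape of ps -acx -o jid,pid,comm. The listings, PIDs other than 8959, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: why the unscoped ps test trips over jailed daemons.
# SAMPLE_* are constructed listings in the shape of FreeBSD's
#   ps -acx -o jid,pid,comm
# (JID 0 is the host; JID 5 stands in for the nginx01 jail).

SAMPLE_JAIL_ONLY='  JID   PID COMMAND
    0   714 syslogd
    0   812 sshd
    5  8959 snmpd
    5  9012 nginx'

SAMPLE_HOST_TOO='  JID   PID COMMAND
    0   714 syslogd
    0  1201 snmpd
    5  8959 snmpd'

# Same pattern as the stock script: any snmpd, in any jail, counts.
count_snmpd_any() {
    printf '%s\n' "$1" | awk '/ snmpd *$/ { n++ } END { print n + 0 }'
}

# What "-J 0" achieves: only processes whose jail ID is 0 (the host).
count_snmpd_host() {
    printf '%s\n' "$1" |
        awk '$1 == 0 && / snmpd *$/ { n++ } END { print n + 0 }'
}

# Returns 0 (safe to create the user) when no host snmpd is running.
safe_to_create_user() {
    [ "$(count_snmpd_host "$1")" -eq 0 ]
}

# Show both counts for each constructed listing.
for name in SAMPLE_JAIL_ONLY SAMPLE_HOST_TOO; do
    eval "listing=\$$name"
    printf '%s: any=%s host=%s\n' "$name" \
        "$(count_snmpd_any "$listing")" "$(count_snmpd_host "$listing")"
done
```

With only the jailed snmpd present, the unscoped pattern still reports a match, which is the false positive seen on aws-1; the host-scoped count is zero and user creation can proceed.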
I’ve sent in a patch via https://github.com/net-snmp/net-snmp/issues/280.
EDIT: More than three months later, no movement on that issue.
EDIT: 2023-02-24 – 10 months later, the FreeBSD port was patched.
This is not a new issue: This one is from 2015: https://sourceforge.net/p/net-snmp/bugs/2607/