Installing the SNMP software

Installing the package

Before we install any packages we should ensure that the correct use-flags are specified, so that all required functionality is made available and unnecessary functionality is not included. The net-analyzer/net-snmp package provides a variety of use-flags, only some of which will be discussed further here. As usual, feel free to add and remove use-flags at will, although the minimum set required for using this guide in its entirety is shown below.

lisa emerge -pv net-snmp
 
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild      ] dev-libs/eventlog-0.2.12  USE="-static-libs"
[ebuild      ] dev-libs/libgamin-0.1.10-r2  USE="python -debug -static-libs"
[ebuild      ] dev-python/setuptools-0.6.15
[ebuild      ] dev-perl/TermReadKey-2.30
[ebuild      ] app-admin/gamin-0.1.10
[ebuild      ] virtual/fam-0
[ebuild      ] dev-libs/glib-2.28.8  USE="fam static-libs -debug -doc -test -xattr"
[ebuild      ] app-admin/gam-server-0.1.10  USE="-debug"
[ebuild      ] app-admin/syslog-ng-3.2.4  USE="caps ipv6 pcre ssl tcpd -hardened -spoof-source -sql -static"
[ebuild      ] virtual/logger-0
[ebuild      ] sys-apps/lm_sensors-3.3.0  USE="sensord"
[ebuild      ] net-analyzer/net-snmp-5.4.2.1-r4  USE="bzip2 diskio ipv6 lm_sensors mfd-rewrites perl python sendmail smux ssl tcpd zlib -X -doc -elf -extensible -minimal -rpm"
Information:
It is entirely up to you whether you choose to enable the use of TCP wrappers or not. This guide will, however, assume that you have enabled this use-flag, and give instructions for adding entries to the /etc/hosts.allow file as required. If you have chosen to disable the use of TCP wrappers simply ignore all references to this file.
 

As you can see from the example output above, the net-analyzer/net-snmp package requires a correctly installed log daemon in order to function. If you do not already have a suitable package installed, the app-admin/syslog-ng package will be installed automatically. More information on configuring and using the app-admin/syslog-ng package can be found in the System logging with syslog-ng guide.

When the lm_sensors use-flag is set, the sys-apps/lm_sensors package will automatically be installed, as shown in the example above. This allows the output of correctly configured on-board sensors to be monitored using SNMP, providing remote access to information such as fan-speed, temperature and power-supply voltage. More information on configuring and using the sys-apps/lm_sensors package can be found in the Hardware monitoring guide.

Once you are confident that the correct use-flags are set for the net-analyzer/net-snmp package, and any dependencies it may require, you can proceed with the installation by issuing the emerge command shown below.

lisa emerge net-snmp

Basic SNMP daemon configuration

There are two methods of configuring the applications provided with the net-analyzer/net-snmp package. The first is to use the snmpconf utility to create a configuration file for one or more of the applications using an interactive menu system. The second, more flexible, method - and the one we shall be employing here - is to edit the appropriate configuration file, manually inserting the appropriate configuration directives as required.

The example below provides a very basic configuration file which will allow us to start the snmpd daemon and test that we can correctly connect to it from remote hosts. As you can see, the syntax of the configuration file is extremely simple. It consists of comments, which start with a # symbol, and configuration entries, each of which is a single key followed by space-separated data.

/etc/snmp/snmpd.conf
# SECTION: System Information Setup
#
# This section defines some of the information reported in
# the "system" mib group in the mibII tree.

syslocation "Colo 1 Shelf 2"
syscontact sysdamin@internal.hacking.co.uk
sysservices 72
sysDescr "Web server (node 1)"

# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

rocommunity hacking

The above configuration file is clearly divided into two sections, with the first detailing the System Information Setup and the second detailing the Access Control Setup. Most of the configuration entries are fairly self-explanatory. The syslocation entry specifies a user-readable location string so the system can be easily located (in a data-centre, for example), the syscontact entry provides the email address of the system manager, and the sysDescr entry allows for a description of the system to be stored. For the moment we shall use the "default" value of 72 for the sysservices entry, which describes a system offering application + end-to-end layers. We shall cover the sysservices entry in more detail later.

The Access Control Setup section of the above configuration file defines a single read-only community which can be used to access the SNMP daemon from the local host (using the loop-back address) or remote systems on the network. We shall cover the Access Control Setup section in more detail later.

Warning:
The above configuration uses SNMPv2 community authentication which passes the authentication credentials in clear text. Clearly, this can pose a serious security risk when this data is transmitted over a public network or other insecure data transport. If you are intending to use the SNMP protocol in this manner then the use of IPsec or an enhanced security mode is recommended.
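
The rocommunity entry above names no source, which is why the community is accepted from remote systems as well as the local host. The script below is an added example, not part of the original guide or of the net-snmp package: it audits a configuration file in the syntax described above and reports community directives that accept any source or grant write access. The function names, the sample file contents and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit community directives in an snmpd.conf-style file.
# Assumed directive form (snmpd.conf(5)): rocommunity COMMUNITY [SOURCE [OID]]
# A missing SOURCE, or the keyword "default", accepts queries from any host.
# Limitation: assumes community strings contain no spaces.

# Reads the file named as argument, or stdin when none is given.
# Prints one finding per line as LINE:DIRECTIVE:REASON. The community
# string itself is never printed, so the report is safe to log.
audit_snmpd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            key = tolower($1)                # config tokens are case-insensitive
            if (key !~ /^r[ow]community6?$/) next
            src = $3                         # empty when no SOURCE was given
            if (src == "" || src == "default")
                printf "%d:%s:any-source\n", NR, key
            if (key ~ /^rw/)
                printf "%d:%s:write-access\n", NR, key
        }
    ' "$@"
}

# Constructed sample input: the directive from this guide, two
# source-restricted variants, and a hypothetical read-write community.
sample_conf() {
    cat <<'EOF'
# SECTION: Access Control Setup
rocommunity hacking
rocommunity hacking 127.0.0.1
rocommunity hacking 192.0.2.0/24
rwcommunity example-rw default
EOF
}

# Stand-alone run over the constructed sample.
sample_conf | audit_snmpd_conf
```

To check a live system, pass the file path instead: audit_snmpd_conf /etc/snmp/snmpd.conf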
 

Assuming that we have a correctly operating System Logger installed we can direct the output of the snmpd daemon there by modifying the /etc/conf.d/snmpd file as shown below.

/etc/conf.d/snmpd
# Enable syslog and disable file log.
SNMPD_FLAGS="${SNMPD_FLAGS} -Lsd -Lf /dev/null"

If you built the net-analyzer/net-snmp package with TCP Wrappers support enabled (using the tcpd use-flag as shown in the example) the above configuration will result in a message being sent to the system log for every successful connection. To reduce this flood of messages the following entry should be added to the SNMPD configuration.

/etc/snmp/snmpd.conf
# Limit connection logging

dontLogTCPWrappersConnects true

Starting the SNMP daemon

Now that we have a very minimal configuration in place we can start the snmpd daemon and, assuming that it starts correctly, add it to the default run-level so that it is started automatically after every boot.

lisa /etc/init.d/snmpd start
lisa rc-update add snmpd default

Testing the SNMP daemon

Once the snmpd daemon is running we can use the snmpwalk application to perform a simple test request. As you can see from the example below we have specified hacking as the community identifier (using the -c option) and that we wish to use version 2c of the SNMP protocol (using the -v option). The final two values specify that we wish to connect to the localhost and retrieve the system portion of the object identifier space.

lisa snmpwalk -c hacking -v 2c localhost system
SNMPv2-MIB::sysDescr.0 = STRING: "Web server (node 1)" 
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10 
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (216451) 0:36:04.51 
SNMPv2-MIB::sysContact.0 = STRING: sysdamin@internal.hacking.co.uk 
SNMPv2-MIB::sysName.0 = STRING: web-1-1 
SNMPv2-MIB::sysLocation.0 = STRING: "Colo 1 Shelf 2" 
SNMPv2-MIB::sysServices.0 = INTEGER: 72 
... 

Assuming all goes well you should see output similar to the above. The values which we entered in the configuration file should be present in the output you receive.