Thursday, October 2, 2008

FreeBSD jails and net-snmp

I have been using net-snmp for quite some time to monitor the servers I manage.
I have also been using FreeBSD jails to provide testing/hosting environments.

Lately I found myself in need of extracting some statistical info from some of the FreeBSD jails I have. Unfortunately, after compiling net-snmp (version 5.4) and trying to start it, I found the following in my logs:

init_kmem: kvm_openfiles failed: /dev/mem: No such file or directory


So how do you solve this?

You can always play around with devfs, allowing /dev/mem and /dev/kmem access from the specific jail, by doing


cat >> /etc/devfs.rules <<'EOM'
# tests
# (the delimiter is quoted so the shell writes $devfsrules_jail literally
#  instead of expanding it to an empty string; ">>" keeps existing rulesets)
[devfsrules_mem=5]
add include $devfsrules_jail
add path mem unhide
add path kmem unhide
EOM


and

cat >> /etc/rc.conf <<'EOM'
# appended with ">>": a single ">" would wipe the rest of rc.conf
devfs_set_rulesets="/var/jails/myjailname/dev=devfsrules_mem"
EOM


and restart devfs.

Congratulations!!! You just gave the root user inside the jail access to the whole box's memory (a.k.a. the ability to cause havoc in the whole system, bypassing the jail restrictions). In a testing environment that may not matter, but it definitely does in a hosting environment where you cannot trust your users.

Now that can be mitigated by setting securelevel > 1 on the host system, but that tends to cause some problems with jail management which I will not discuss here.

A more proper way to solve this (and an easier one, as it turns out) is to pass the snmpd daemon the -r flag, which causes it to ignore such errors. That can be done in /etc/rc.conf like this:


snmpd_flags="-r"


As long as you don't have to register a subagent you will be fine.
When you do need to, you will unfortunately receive the same error when trying to start the agent.
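The two configurations above are easy to check for on a host. The following audit script is an added example, not code from the original post: it flags any devfs ruleset that unhides mem or kmem (the risky approach) and verifies that the effective snmpd_flags in rc.conf include -r (the recommended one). Both helpers read plain files, so they can be pointed at /etc/devfs.rules and /etc/rc.conf or at copies; the sample files built at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit helpers for the devfs
# ruleset and the snmpd_flags setting discussed above.

# devfs_mem_exposed FILE
# Print the name of every ruleset in a devfs.rules(5)-style file that unhides
# "mem" or "kmem", i.e. the change that hands jail root raw access to host
# memory. Exit status 0 if at least one such ruleset exists, 1 otherwise.
devfs_mem_exposed() {
    awk '
        /^[[:space:]]*#/ { next }                     # comment line
        /^[[:space:]]*\[/ {                           # [name=number] header
            sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, "")
            split($0, parts, "="); ruleset = parts[1]; next
        }
        $1 == "add" {
            # "add [rulenum] path <name> <action>": the rule number is optional
            i = ($2 ~ /^[0-9]+$/) ? 3 : 2
            if ($i == "path" && ($(i+1) == "mem" || $(i+1) == "kmem") &&
                $(i+2) == "unhide") {
                if (!(ruleset in seen)) { seen[ruleset] = 1; print ruleset }
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# snmpd_runs_unprivileged FILE
# Exit status 0 if the rc.conf(5)-style file's effective snmpd_flags contain
# -r (the fix recommended above), 1 otherwise. As in rc.conf itself, the last
# uncommented assignment wins.
snmpd_runs_unprivileged() {
    flags=$(sed -n 's/^[[:space:]]*snmpd_flags[[:space:]]*=[[:space:]]*//p' "$1" \
            | tail -n 1 | tr -d "\"'")
    case " $flags " in
        *" -r "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_jail_snmp DEVFS_RULES RC_CONF
# Run both checks and print one line per finding. Exit status 0 only if no
# ruleset exposes mem/kmem AND snmpd is configured to run with -r.
audit_jail_snmp() {
    ok=0
    exposed=$(devfs_mem_exposed "$1") && {
        echo "WARNING: ruleset(s) unhide mem/kmem: $exposed"; ok=1; }
    if snmpd_runs_unprivileged "$2"; then
        echo "OK: snmpd_flags contains -r"
    else
        echo "WARNING: snmpd_flags lacks -r; snmpd will refuse to start without /dev/kmem"
        ok=1
    fi
    return $ok
}

# Demo on constructed sample files: the devfs.rules mirrors the risky ruleset
# from the post, the rc.conf uses the recommended -r flag.
demo_dir=$(mktemp -d)
cat > "$demo_dir/devfs.rules" <<'EOM'
[devfsrules_mem=5]
add include $devfsrules_jail
add path mem unhide
add path kmem unhide
EOM
printf 'snmpd_enable="YES"\nsnmpd_flags="-r"\n' > "$demo_dir/rc.conf"
audit_jail_snmp "$demo_dir/devfs.rules" "$demo_dir/rc.conf"
echo "audit exit status: $?"
rm -rf "$demo_dir"
```

Run it as root on the host, replacing the demo paths with /etc/devfs.rules and /etc/rc.conf (or with each jail's ruleset file if you keep them elsewhere); a non-zero exit status means either the jail can reach host memory or snmpd is still going to insist on opening /dev/kmem.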

To solve this you can add the following to the Makefile of the net-snmp port

# extra configure arguments for the port's build
CONFIGURE_ARGS+=	--without-kmem-usage \
			--with-out-mib-modules=host/hr_swrun

and recompile net-snmp and your subagent.