Thursday, October 2, 2008

FreeBSD jails and net-snmp

I have been using net-snmp for quite some time to monitor the servers I manage.
I have also been using FreeBSD jails to provide testing/hosting environments.

Lately I found myself needing to extract some statistics from some of the FreeBSD jails I have. Unfortunately, after compiling net-snmp (version 5.4) and trying to start it inside a jail, I found the following in my logs:

init_kmem: kvm_openfiles failed: /dev/mem: No such file or directory

snmpd opens the kernel memory devices through kvm(3), and the stock devfsrules_jail ruleset keeps /dev/mem and /dev/kmem hidden inside a jail, so the open fails. So how to solve this?

You can always play around with devfs, allowing /dev/mem and /dev/kmem access from the specific jail by adding a ruleset (quote the heredoc delimiter, otherwise the shell expands $devfsrules_jail to an empty string, and append with >> so you don't truncate the files):

cat >> /etc/devfs.rules <<'EOM'
# snmpd in a jail: unhide the kernel memory devices
# (the ruleset name and the number 5 are placeholders; use any number
#  not already taken in /etc/defaults/devfs.rules)
[devfsrules_jail_snmp=5]
add include $devfsrules_jail
add path mem unhide
add path kmem unhide
EOM

cat >> /etc/rc.conf <<'EOM'
# "myjail" is a placeholder for the jail's name as used in the jail_* variables
jail_myjail_devfs_enable="YES"
jail_myjail_devfs_ruleset="devfsrules_jail_snmp"
EOM

And restart the jail so its /dev is remounted with the new ruleset (or apply it to a running jail with devfs -m /path/to/jail/dev rule -s 5 applyset).

Congratulations!!! You just gave the root user inside the jail access to the whole box's memory (a.k.a. the ability to cause havoc in the whole system, bypassing the jail restrictions). In a testing environment that may not matter, but it definitely does in a hosting environment where you cannot trust your users.

Now that can be mitigated by running the host at securelevel 1 or higher, which stops /dev/mem and /dev/kmem from being opened for writing (reading them, and with that everything the kernel holds in memory, is still possible), but raising the securelevel tends to cause problems with jail management which I will not discuss here.
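As an added example (not part of the original post), here is a small POSIX sh/awk audit for the exposure just described: it lists every ruleset in a devfs.rules file that unhides mem or kmem, either directly or through a chain of "add include $other" lines, and it checks whether a jail's mounted /dev currently shows those nodes. The sample devfs.rules content is constructed, and the ruleset names, numbers and the jail path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: audit devfs rulesets for
# /dev/mem and /dev/kmem exposure. Needs only POSIX sh, awk and sort.

# Constructed sample in /etc/devfs.rules syntax (names/numbers hypothetical).
sample_devfs_rules() {
    cat <<'EOF'
# constructed sample; ruleset names and numbers are hypothetical
[devfsrules_hide_all=1]
add hide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add path null unhide
add path zero unhide

# the "fix" from the post: leaks kernel memory to jailed root
[devfsrules_jail_snmp=5]
add include $devfsrules_jail
add path mem unhide
add path kmem unhide

# exposes kmem only indirectly, through the include
[devfsrules_wide_open=6]
add include $devfsrules_jail_snmp

[devfsrules_jail_safe=7]
add include $devfsrules_jail
add path bpf unhide
EOF
}

# Print, one per line and sorted, every ruleset in the devfs.rules file $1
# that unhides mem or kmem, directly or via "add include $other" chains.
exposing_rulesets() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    /^\[/ {                                   # [name=number] header
        cur = $0
        sub(/^\[/, "", cur); sub(/=.*$/, "", cur); sub(/\].*$/, "", cur)
        sets[cur] = 1
        next
    }
    cur == "" { next }                        # lines before any header
    $1 == "add" && $2 == "include" {          # remember include edges
        inc = $3; sub(/^\$/, "", inc)
        includes[cur] = includes[cur] " " inc
        next
    }
    $1 == "add" && $2 == "path" && $4 == "unhide" && ($3 == "mem" || $3 == "kmem") {
        direct[cur] = 1                       # unhides kernel memory itself
    }
    END {
        # propagate exposure along include edges until nothing changes;
        # the fixpoint loop also terminates on include cycles
        changed = 1
        while (changed) {
            changed = 0
            for (s in sets) {
                if (s in direct) continue
                n = split(includes[s], parts, " ")
                for (i = 1; i <= n; i++)
                    if (parts[i] in direct) { direct[s] = 1; changed = 1; break }
            }
        }
        for (s in sets) if (s in direct) print s
    }' "$1" | sort
}

# Return 0 if the jail rooted at $1 currently shows mem or kmem in its /dev,
# 1 otherwise. The jail root path (e.g. /usr/jails/www) is an assumption.
jail_exposes_kmem() {
    [ -e "$1/dev/mem" ] || [ -e "$1/dev/kmem" ]
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_devfs_rules > "$tmp"
echo "rulesets exposing kernel memory:"
exposing_rulesets "$tmp"
rm -f "$tmp"
```

Run it against the real /etc/devfs.rules and /etc/defaults/devfs.rules on a jail host, and against each jail root with jail_exposes_kmem, to find out which jails can read kernel memory before you trust the securelevel to contain them.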

A more proper way to solve this (and easier, as it turns out) is to pass snmpd the -r flag, which tells it not to exit when files only accessible to root, such as /dev/kmem, cannot be opened. The port's rc script takes its flags from /etc/rc.conf:

snmpd_enable="YES"
snmpd_flags="-r"

As long as you don't have to register a subagent you will be fine.
When you do, you will unfortunately get the same error when starting the subagent: it initializes the same agent library, and the -r flag you gave snmpd does not apply to it.

To solve this you can add the following configure arguments to the net-snmp port (in Makefile.local in the port directory, so the port's own Makefile stays untouched):

CONFIGURE_ARGS+=	--without-kmem-usage \
			--with-out-mib-modules=host/hr_swrun

--without-kmem-usage drops the kmem code from the agent library; host/hr_swrun has to go as well because on FreeBSD it reads the process table through kvm. Then recompile net-snmp and your subagent against the new library.


Unknown said...

Thanks for this, I was driving myself crazy trying to figure out why the snmp module for asterisk was only working when it ran as root, crashed as asterisk.

For anyone who doesn't know, you can add the arguments mentioned above in Makefile.local in the port directory. No mess, no fuss.

Dan Langille said...

Thanks. I ran into this today.

Dan Langille said...

... and again today..

Dan Langille said...

This post continues to be useful to my interests. :)