Index | Thread | Search

From:
Martijn van Duren <openbsd+tech@list.imperialat.at>
Subject:
Re: snmpd_metrics
To:
Steve Shockley <steve.shockley@shockley.net>, tech@openbsd.org
Date:
Wed, 20 May 2026 08:44:45 +0200

Download raw body.

Thread

  • Martijn van Duren:

    snmpd_metrics

Moving to tech@

On 5/19/26 21:07, Steve Shockley wrote:
> Hi, I'm using OpenBSD 7.8 and -current, and for a variety of reasons I'm using Net-SNMPD instead of the built-in one.

My work on snmpd has slowed down quite a bit the last couple of years,
but could you share what is keeping you from using base snmpd?

>  Previously I was forwarding from net_snmpd using proxy to snmpd listening on localhost. I recently discovered snmpd_metrics, which seems to do something similar without worrying about which oids to forward.

Indeed. snmpd_metrics is used as the default (only) backend for not
snmp-related (the protocol internals) OIDs, which is spawned by snmpd
itself and uses a socketpair, instead of letting snmpd_metrics connect
to snmpd itself. Via AgentX the subagent itself determines what OIDs
it wants to export.
>
> If I add agentx to the net_snmpd config and run snmpd_metrics -d -v, it works great and I can see all the queries.  The documentation is a little sparse, but I discovered in the initial commit message (end of https://cvsweb.openbsd.org/log/src/libexec/snmpd/snmpd_metrics/mib.c,v) that it needs to be run as a daemon.

I've added a daemon functionality exactly for your usecase, but I
don't use the functionality, is only lightly tested, and got victim
of bitrot.
> 
> Is a template available for rc.d?  I can write one myself, but what user should it run as?

There's no template rc.d, because the base system doesn't need it and
could cause confusion in the other direction. The daemon functionality
for snmpd_metrics is there for inquisitive people such as yourself.

snmpd_metrics must be spawned as root, and it will drop its privileges
to _snmpd:_agentx (keep this in mind when setting the permissions on
your agentx socket).
> 
> I noticed if snmpd_metrics is running and net_snmpd restarts, it prints
> [fd:4]: lost connection: Connection reset by peer
> Failed to connect to snmpd: Permission denied
> Failed to connect to snmpd: Permission denied

This is part of the bitrot, and related to changed behaviour in unveil
when it comes to unix sockets since I wrote snmpd_metrics.
> 
> and never recovers.  Is there a way to make snmpd_metrics "depend" on net_snmpd so if net_ restarts it also restarts _metrics?  (Or should it be able to recover from that?)

With the diff below it should just recover from it. Please test
it and let me know if this works as you'd expect.
> 
> Thanks.
> 
martijn@


diff /usr/src
path + /usr/src
commit - d39f547900e2171e14b179e6cff6421f29f5667c
blob - 7d9c34e2a23c7ae3b3de1ebad6c5bb6e45238f72
file + libexec/snmpd/snmpd_metrics/mib.c
--- libexec/snmpd/snmpd_metrics/mib.c
+++ libexec/snmpd/snmpd_metrics/mib.c
@@ -3324,6 +3324,11 @@ main(int argc, char *argv[])
 	if (agentxfd == -1 && agentxsocket == NULL)
 		agentxsocket = AGENTX_MASTER_PATH;
 
+	if (daemonize) {
+		log_init(0, LOG_DAEMON);
+		daemon(0, 0);
+	}
+	log_setverbose(verbose);
 	event_init();
 
 	if ((sa = agentx(snmp_connect, NULL)) == NULL)
@@ -3345,7 +3350,7 @@ main(int argc, char *argv[])
 			errno = ENAMETOOLONG;
 			fatal("-s");
 		}
-		if (unveil(dirname(agentxsocketdir), "r") == -1)
+		if (unveil(dirname(agentxsocketdir), "w") == -1)
 			fatal("unveil");
 	}
 
@@ -4375,12 +4380,6 @@ main(int argc, char *argv[])
 	    1, 0, mib_dot1dtable)) == NULL)
 		fatal("agentx_object");
 
-	if (daemonize) {
-		log_init(0, LOG_DAEMON);
-		daemon(0, 0);
-	}
-	log_setverbose(verbose);
-
 	event_dispatch();
 }