buildroot.busybox.net archive mirror
* [Buildroot] [PATCH 1/1] package/netsnmp: add snmp user and systemd service file
From: David Johnson via buildroot @ 2023-04-20 21:12 UTC
  To: buildroot; +Cc: David Johnson

* Add a snmp user so snmpd doesn't run as root
* Add a snmp systemd file as only an sysv was previously included

Signed-off-by: David Johnson <dave-git@centerclick.org>
---
 package/netsnmp/S59snmpd      |  2 +-
 package/netsnmp/netsnmp.mk    | 12 ++++++++++++
 package/netsnmp/snmpd.service | 15 +++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 package/netsnmp/snmpd.service

diff --git a/package/netsnmp/S59snmpd b/package/netsnmp/S59snmpd
index 96ed8237ac..aece896670 100644
--- a/package/netsnmp/S59snmpd
+++ b/package/netsnmp/S59snmpd
@@ -17,7 +17,7 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin
 # Defaults
 export MIBDIRS=/usr/share/snmp/mibs
 SNMPDRUN=yes
-SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid 127.0.0.1'
+SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid -u snmp -g snmp 127.0.0.1'
 TRAPDRUN=no
 TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
 
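
Review bot: the '-u snmp -g snmp' added to SNMPDOPTS sits in the block
marked '# Defaults', so if the script lets a local setting replace
SNMPDOPTS, a replacement written without those flags puts snmpd back to
running as root with no warning. Consider passing the flags where snmpd
is launched rather than in the overridable default, or state in the
commit log that a custom SNMPDOPTS must carry them. The TRAPDOPTS
context line is unchanged, so the commit log should also say that this
change covers snmpd only and not snmptrapd.
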
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 15bc318e36..8cb7862bbf 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -41,6 +41,14 @@ NETSNMP_INSTALL_TARGET_OPTS = DESTDIR=$(TARGET_DIR) LIB_LDCONFIG_CMD=true instal
 NETSNMP_MAKE = $(MAKE1)
 NETSNMP_CONFIG_SCRIPTS = net-snmp-config
 
+define NETSNMP_USERS
+	snmp -1 snmp -1 * - - - snmpd user
+endef
+
+ifeq ($(BR2_INIT_SYSTEMD),y)
+NETSNMP_CONF_OPTS += --with-systemd
+endif
+
 ifeq ($(BR2_ENDIAN),"BIG")
 NETSNMP_CONF_OPTS += --with-endianness=big
 else
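
Review bot: the new 'ifeq ($(BR2_INIT_SYSTEMD),y)' block has no 'else'
branch, so a build with another init system leaves systemd support to
whatever configure decides by default; add an 'else' with
'NETSNMP_CONF_OPTS += --without-systemd' so the result is the same on
every build host. The NETSNMP_USERS definition in the same hunk is an
unrelated change and would be easier to review and revert in a patch of
its own. If snmpd has to write anything after it has switched to the
snmp user, the ownership of those paths needs to be set as well (for
example through NETSNMP_PERMISSIONS); nothing in this hunk does so.
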
@@ -104,6 +112,10 @@ define NETSNMP_INSTALL_INIT_SYSV
 	$(INSTALL) -D -m 0755 package/netsnmp/S59snmpd \
 		$(TARGET_DIR)/etc/init.d/S59snmpd
 endef
+define NETSNMP_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 package/netsnmp/snmpd.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/snmpd.service
+endef
 endif
 
 $(eval $(autotools-package))
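
Review bot: style, at 'define NETSNMP_INSTALL_INIT_SYSTEMD': it follows
the previous 'endef' with no blank line in between; add one so the two
init hooks read as separate blocks. The new define also lands inside the
conditional closed by the 'endif' context line, the same one that guards
the SysV hook, so the unit is only installed when that condition holds;
worth a word in the commit log if that is intended.
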
diff --git a/package/netsnmp/snmpd.service b/package/netsnmp/snmpd.service
new file mode 100644
index 0000000000..6647b10c32
--- /dev/null
+++ b/package/netsnmp/snmpd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=SNMP Daemon
+After=network.target
+ConditionPathExists=/etc/snmp/snmpd.conf
+
+[Service]
+Type=simple
+Environment=MIBDIRS=/usr/share/snmp/mibs
+Environment=SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid -u snmp -g snmp 127.0.0.1'
+EnvironmentFile=-/etc/default/snmpd
+PassEnvironment=MIBDIRS
+ExecStart=/usr/sbin/snmpd -f $SNMPDOPTS
+
+[Install]
+WantedBy=multi-user.target
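
Review bot: the privilege drop exists only inside the default
'Environment=SNMPDOPTS=...' value, and 'EnvironmentFile=-/etc/default/snmpd'
overrides it, so a file that sets SNMPDOPTS without '-u snmp -g snmp'
starts snmpd as root again without any warning. Putting the flags on the
command line keeps them out of reach of that override:
'ExecStart=/usr/sbin/snmpd -f -u snmp -g snmp $SNMPDOPTS'. With
Type=simple and '-f', systemd does not use the '-p /var/run/snmpd.pid'
file (there is no PIDFile=), so it can be dropped from the unit's
default, and 'PassEnvironment=MIBDIRS' is redundant because MIBDIRS is
already set by Environment= in this unit.
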
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/netsnmp: add snmp user and systemd service file
From: Yann E. MORIN @ 2023-04-23 17:30 UTC
  To: David Johnson; +Cc: buildroot

David, All,

On 2023-04-20 17:12 -0400, David Johnson via buildroot spake thusly:
> * Add a snmp user so snmpd doesn't run as root
> * Add a snmp systemd file as only an sysv was previously included

Those are two semantically different changes, and thus should be done in
two patches, the first to indeed add a user/group, the second to add
systemd support (and see below).

> Signed-off-by: David Johnson <dave-git@centerclick.org>
> ---
[--SNIP--]
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index 15bc318e36..8cb7862bbf 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -41,6 +41,14 @@ NETSNMP_INSTALL_TARGET_OPTS = DESTDIR=$(TARGET_DIR) LIB_LDCONFIG_CMD=true instal
>  NETSNMP_MAKE = $(MAKE1)
>  NETSNMP_CONFIG_SCRIPTS = net-snmp-config
>  
> +define NETSNMP_USERS
> +	snmp -1 snmp -1 * - - - snmpd user
> +endef
> +
> +ifeq ($(BR2_INIT_SYSTEMD),y)
> +NETSNMP_CONF_OPTS += --with-systemd

We want to have explicit disabling option too, so:

    ifeq ($(BR2_INIT_SYSTEMD),y)
    NETSNMP_CONF_OPTS += --with-systemd
    else
    NETSNMP_CONF_OPTS += --without-systemd
    endif

[--SNIP--]
> diff --git a/package/netsnmp/snmpd.service b/package/netsnmp/snmpd.service
> new file mode 100644
> index 0000000000..6647b10c32
> --- /dev/null
> +++ b/package/netsnmp/snmpd.service
> @@ -0,0 +1,15 @@
> +[Unit]
> +Description=SNMP Daemon
> +After=network.target
> +ConditionPathExists=/etc/snmp/snmpd.conf
> +
> +[Service]
> +Type=simple
> +Environment=MIBDIRS=/usr/share/snmp/mibs
> +Environment=SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid -u snmp -g snmp 127.0.0.1'

So, I am not a systemd expert, but I would have expected the snmp socket
to be handled by systemd with a socket unit, and handed over to snmpd,
while the user/group would also be managed by systemd, with the
Service.User and Service.Group options, like I have seen it done for
gpsd for example: https://gitlab.com/gpsd/gpsd/-/tree/master/systemd

If that's not possible, then your proposed unit seems OK too.

Ah, I now read README.systemd, and they advise against socket activation
for snmpd, with some good rationale; just state so in the commit log.
For snmptrap, socket activation is properly supported (but it seems we
do not install it).

Also explain why we provide our own unit when there is already one
provided by upstream.

Regards,
Yann E. MORIN.

> +EnvironmentFile=-/etc/default/snmpd
> +PassEnvironment=MIBDIRS
> +ExecStart=/usr/sbin/snmpd -f $SNMPDOPTS
> +
> +[Install]
> +WantedBy=multi-user.target
> -- 
> 2.30.2

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'