First install the SAS IR SNMP package
$ sudo dnf install sas_ir_snmp
Then start the service and enable it at boot
$ sudo chkconfig lsi_mrdsnmpd on
$ sudo /etc/init.d/lsi_mrdsnmpd start
正在启动 lsi_mrdsnmpd (via systemctl): [ 确定 ]
Make sure the LSI SNMP agent has been registered in snmpd.conf
$ sudo vi /etc/snmp/snmpd.conf
# See the snmpd.conf manual page, and the output of "snmpd -H".
pass .1.3.6.1.4.1.3582 /usr/sbin/lsi_mrdsnmpmain
We use snmpwalk to check the installation, but here it returns nothing
$ snmpwalk localhost -v 2c -c public .1.3.6.1.4.1.3582
SNMPv2-SMI::enterprises.3582 = No Such Instance currently exists at this OID
The error log shows that lsi_mrdsnmpmain cannot attach to the shared memory
$ sudo vi /var/log/messages
Jul 9 02:56:52 CC-Server journal[2039141]: MegaRAID SNMP AGENT: Error in attaching the shared memory(lsi_mrdsnmpmain)
Jul 9 02:56:52 CC-Server lsi_mrdsnmpmain[2039142]: MegaRAID SNMP AGENT: Error in attaching the shared memory(lsi_mrdsnmpmain)
The root cause: although both the lsi_mrdsnmpagent and snmpd services are started as root, the SELinux label of lsi_mrdsnmpmain is not the same as snmpd's. One runs in initrc_t, the default domain for init-script programs, the other in snmpd_t.
$ ps auxZ|grep snmp
system_u:system_r:snmpd_t:s0 root 1963356 0.0 0.0 25212 14464 ? Ss 7月08 0:28 /usr/sbin/snmpd -LS0-6d -f
system_u:system_r:initrc_t:s0 root 2046119 0.0 0.0 42276 16336 ? Ssl 03:33 0:00 /usr/sbin/lsi_mrdsnmpagent -c /etc/snmp/snmpd.conf
system_u:system_r:initrc_t:s0 root 2046121 0.0 0.0 8816 1900 ? Ss 03:33 0:00 /usr/sbin/lsi_mrdsnmpagent -c /etc/snmp/snmpd.conf
Changing initrc_t to snmpd_t here is not a good option, though: snmpd_t is a confined domain, and using it would require many SELinux policy changes, since lsi_mrdsnmpagent itself needs access to hardware devices and therefore more privileges. Instead we build a policy package that allows snmpd_t to access initrc_t's shared memory.
# vi lsi_mrdsnmpmain.te
module lsi_mrdsnmpmain 1.0;
require {
type initrc_t;
type snmpd_t;
class shm { associate read unix_read unix_write write };
}
#============= snmpd_t ==============
#!!!! This avc is allowed in the current policy
allow snmpd_t initrc_t:shm { associate unix_read unix_write };
#!!!! This avc has a dontaudit rule in the current policy
allow snmpd_t initrc_t:shm { read write };
Compile the .te file and load it
# build the module file
checkmodule -M -m -o lsi_mrdsnmpmain.mod lsi_mrdsnmpmain.te
# build the policy package
semodule_package -o lsi_mrdsnmpmain.pp -m lsi_mrdsnmpmain.mod
# finally load the policy package
semodule -i lsi_mrdsnmpmain.pp
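As an added example (not from the original post), a small POSIX shell script that reproduces the two checks behind this fix on constructed input: which SELinux domain each snmp process runs in, parsed from the ps auxZ output shown above, and which object classes the .te module actually grants, so the module can be confirmed to touch only shm before it is loaded with semodule.

```shell
#!/bin/sh
# Added example, not part of the original post. Two offline checks around the
# fix above: (1) which SELinux domain each snmp process runs in, read from
# `ps auxZ` output, and (2) which object classes a .te module grants, so the
# module can be confirmed to touch only shm before `semodule -i`.

# Constructed sample modelled on the `ps auxZ | grep snmp` output above.
PS_SAMPLE='system_u:system_r:snmpd_t:s0 root 1963356 0.0 0.0 25212 14464 ? Ss Jul08 0:28 /usr/sbin/snmpd -LS0-6d -f
system_u:system_r:initrc_t:s0 root 2046119 0.0 0.0 42276 16336 ? Ssl 03:33 0:00 /usr/sbin/lsi_mrdsnmpagent -c /etc/snmp/snmpd.conf'

# The module from the post, kept here as text so the checks can read it.
POST_TE='module lsi_mrdsnmpmain 1.0;
require {
    type initrc_t;
    type snmpd_t;
    class shm { associate read unix_read unix_write write };
}
allow snmpd_t initrc_t:shm { associate unix_read unix_write };
allow snmpd_t initrc_t:shm { read write };'

# domain_of PS_TEXT NAME: print the SELinux type (3rd field of the context in
# column 1) of the first process whose command (column 12) ends in /NAME.
domain_of() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $12 ~ ("/" name "$") { split($1, ctx, ":"); print ctx[3]; exit }'
}

# snmp_domains_differ PS_TEXT: succeed when snmpd and lsi_mrdsnmpagent run in
# different domains, the situation that produced the shm denial in the log.
snmp_domains_differ() {
    [ "$(domain_of "$1" snmpd)" != "$(domain_of "$1" lsi_mrdsnmpagent)" ]
}

# te_classes_granted TE_TEXT: print every object class named in an allow rule,
# one per line, de-duplicated. For this fix the result should be exactly "shm";
# anything else means the module grants more than the denial required.
te_classes_granted() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*allow[[:space:]]/ {
            split($3, parts, ":"); print parts[2] }' | sort -u
}

echo "snmpd domain:            $(domain_of "$PS_SAMPLE" snmpd)"
echo "lsi_mrdsnmpagent domain: $(domain_of "$PS_SAMPLE" lsi_mrdsnmpagent)"
if snmp_domains_differ "$PS_SAMPLE"; then
    echo "domains differ: snmpd_t needs a rule to reach initrc_t shm"
fi
echo "classes granted by module: $(te_classes_granted "$POST_TE" | tr '\n' ' ')"
```

On a live host, feed `ps auxZ` output into domain_of and the real .te file contents into te_classes_granted; a result other than "shm" means the module should be trimmed before loading.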
Then restart the lsi_mrdsnmpagent service and the LSI SNMP tree becomes fully accessible
# restart the lsi_mrdsnmpd service
sudo service lsi_mrdsnmpd restart
# query the LSI OID over SNMP
snmpwalk localhost -v 2c -c public .1.3.6.1.4.1.3582
SNMPv2-SMI::enterprises.3582.4.1.1.0 = STRING: "CC-Server"
SNMPv2-SMI::enterprises.3582.4.1.2.0 = STRING: "Rocky Linux release 9.6 (Blue Onyx)x86_64"
SNMPv2-SMI::enterprises.3582.4.1.3.1.0 = STRING: "1.42-01"
SNMPv2-SMI::enterprises.3582.4.1.3.2.0 = STRING: "lsi_mrdsnmpagent"
SNMPv2-SMI::enterprises.3582.4.1.3.3.0 = STRING: "3.18.0.5"
SNMPv2-SMI::enterprises.3582.4.1.3.4.0 = STRING: "21st January, 2013"
SNMPv2-SMI::enterprises.3582.4.1.4.1.1.0 = INTEGER: 1