[Pdns-users] pdns-recursor Permissions Error
Brian Candler
b.candler at pobox.com
Fri Jan 10 10:45:18 UTC 2020
On 10/01/2020 09:56, Otto Moerbeek via Pdns-users wrote:
> It looks like the rec_control line in your snmpd.conf is triggering the
> problem. Likely the snmpd subsystem starts rec_control as a user that
> does not have permission to write into /var/run/pdns-recursor.
>
> You can try disabling (by commenting it out) the
>
> extend pdns-rec /usr/local/bin/pdns_stats
>
> line or, if you really need it, change the permissions of the
> /var/run/pdns-recursor dir to include rwx for others.
>
> Note that the latter might have security implications on your system. You
> must decide if that is OK for you.
As someone mentioned before: if this is an SELinux environment (e.g.
CentOS/RedHat), snmpd may be prevented from accessing files in random
directories, even if normal file/directory perms allow it.
Similar situation: I was using snmpd-mdraid-connector and
snmpd-smartctl-connector, with these lines in snmpd.conf:
pass_persist .1.3.6.1.4.1.38696.2.1 /usr/sbin/snmpd-smartctl-connector
pass_persist .1.3.6.1.4.1.38696.2.2 /usr/sbin/snmpd-mdraid-connector
There is a separate cronjob which writes files that these connectors
read. To make these work, I had to ensure all the files were written
under /var/cache/snmp, and set the selinux type to `snmpd_var_run_t`.
In ansible-ese:
- name: create cache dir
  action: file path={{item}} state=directory setype=snmpd_var_run_t
  with_items:
    - /var/cache/snmp
    - /var/cache/snmp/mdadm
    - /var/cache/snmp/smartctl
You can test if this is the problem by putting selinux into permissive
mode temporarily, before digging down further into exactly what the
required fix is.
Alternatively: move away from using SNMP for collecting host and service
information. Almost anything is better. Prometheus + node_exporter is
my favourite solution.
Regards,
Brian.
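
An added example, not part of the original message: a shell helper that pulls out the SELinux AVC denials raised for the snmpd domain, so you can see which files or directories need relabelling rather than widening directory permissions. The sample records are constructed; the `snmpd_t` source domain is the targeted-policy type for snmpd, and the `var_run_t`/`var_t` target labels in the sample are assumptions.

```shell
#!/bin/sh
# Summarise SELinux AVC denials whose source domain is snmpd_t.
# Input: raw audit records on stdin. Output, one line per unique denial:
#   comm permissions tclass name target_type permissive=N
snmpd_denials() {
    awk '
    /type=AVC/ && / denied / {
        comm = name = sctx = tctx = tclass = perm = ""
        a = index($0, "{ "); b = index($0, " }")
        perms = substr($0, a + 2, b - a - 2)      # text between the braces
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "scontext") sctx = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") tclass = v
            else if (k == "permissive") perm = v
        }
        split(sctx, s, ":"); split(tctx, t, ":")  # user:role:type:level
        if (s[3] != "snmpd_t") next               # only the snmpd domain
        key = comm " " perms " " tclass " " name " " t[3] " permissive=" perm
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample records (not taken from the thread).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1578652000.101:410): avc:  denied  { write } for  pid=2101 comm="rec_control" name="pdns-recursor" dev="tmpfs" ino=30211 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578652060.102:418): avc:  denied  { write } for  pid=2144 comm="rec_control" name="pdns-recursor" dev="tmpfs" ino=30211 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578652090.300:425): avc:  denied  { read open } for  pid=2160 comm="snmpd-smartctl-" name="sda" dev="dm-0" ino=88120 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1578652120.007:431): avc:  denied  { getattr } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# On a live host, feed it real records instead, e.g.:
#   ausearch -m avc -ts recent --raw | snmpd_denials
sample_audit_lines | snmpd_denials
```

A record with `permissive=1` was logged but not enforced, which is what you will see while testing in permissive mode.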