
net-snmp: remove deprecated port setting and add SNMPv3 options and logging

Open ckorber opened this issue 1 year ago • 4 comments

Maintainer: @stintel

Compile tested: x86_64, Openwrt 23.05

Run tested: x86_64, Openwrt 23.05

Description: OpenSSL is needed to implement encryption and authentication for SNMPv3, therefore the Makefile is modified for that purpose. Also SNMPv3 prerequisites are added to the snmpd.init file, along with the possibility to log messages to syslog or a log file.

At last the deprecated option to specify a port at snmpd_trap_hostname_add() and snmpd_trap_ip_add() is removed.

ckorber avatar Oct 21 '24 12:10 ckorber

Please make this optional. Enabling this unconditionally would result in my images being too large for my APs with 16MiB flash.

stintel avatar Oct 25 '24 18:10 stintel

Also, I would not remove that deprecated setting just like that. Maybe make the init script very verbose about it being deprecated and removed in X time. Both in stdout and using logger. People might be using it, and possibly breaking existing configs without any warning is something I really cannot tolerate.

stintel avatar Oct 26 '24 07:10 stintel

I will look into your suggestions on Monday. You mean to make compilation with openssl optional, do you? I am going to test if snmpv3 is possible then.

I understand your point with the port topic and I can undo that. net-snmp logs the deprecation (as far as I remember this is how I became aware of it).

Thank you for the review!

ckorber avatar Oct 26 '24 19:10 ckorber

You could have a look at the lldp package for inspiration - it has optional snmp support.

stintel avatar Oct 26 '24 19:10 stintel

@stintel : I am still in the process of making this optional. So far I have followed your advice with the lldp package and changed it accordingly. Nevertheless I now have the problem that I wanted to prepare net-snmp to add also a PR to luci-app-snmpd package.

In this other contribution I am preparing, I need openssl for SNMPv3. If it is optional in net-snmp some features will only work partially.

I have now three options:

  1. Write with sed to snmpd.init and adapt to it in the other package. But it is not "clean"
  2. I test the compiled net-snmp with ldd (if installed) and also inactivate the snmpd feature in net-snmp. And adapt the other package accordingly. This is also not a "clean" option in my opinion.
  3. I refactor net-snmp in a way that it has a "tiny" compile unit and a "full" one with openssl. This is my favorite.

Which one of these three options do you, as the maintainer, prefer?

ckorber avatar Nov 06 '24 14:11 ckorber

> I have now three options:
>
> 1. Write with `sed` to snmpd.init and adapt to it in the other package. But it is not "clean"
>
> 2. I test the compiled net-snmp with `ldd` (if installed) and also inactivate the snmpd feature in net-snmp. And adapt the other package accordingly. This is also not a "clean" option in my opinion.
>
> 3. I refactor net-snmp in a way that it has a "tiny" compile unit and a "full" one with openssl. This is my favorite.

Actually I was thinking about it the other day. At some point I made miniupnpd-iptables and miniupnpd-nftables variants (7fbc5d4db3c03601bd3865a9e9aa13bb7783d036). That sounds like a good solution here indeed. I would avoid using tiny and full variants, instead, I'd go for -ssl and -nossl variants, like mosquitto.

stintel avatar Nov 20 '24 08:11 stintel

Thank you for your input. I will work further in that direction.

ckorber avatar Nov 20 '24 08:11 ckorber