Os-updates on CentOS 7

Hi,

I install and run the os-updates via snmp extend on both Debian and CentOS.

All the Debian boxes graph fine.

All the CentOS boxes don’t.

When I run the script in CentOS 7, it runs fine:

/etc/snmp/os-updates.sh

27

Yet the graphs all say “nan”.

Any ideas how I can trouble-shoot this problem?

Thanks.

Michael.

What’s happening when you’re running the script from the server itself? Is SELinux enforcing?

What is your configuration for os-updates in snmpd.conf? I had the issue where I didn’t name it right because of a script I wrote. Make sure it’s:

extend osupdate <path to os-updates.sh>

If you have anything other than that, it will not work (I had extend os-updates instead, and it was broken).

Hi FTBZ… the output displayed above is the output when run from the server itself, the script detects the number of packages correctly, the problem seems to be that the LibreNMS server doesn’t.

SELinux is disabled.

Thanks.

Hi Gorian. Thanks for your reply.

The config is:

extend osupdate /etc/snmp/os-updates.sh

That looks right, yes? On the Debian servers this works fine; only on the CentOS 7 servers it doesn’t.

Thanks.

After you added that, did you restart the snmp service?

Hi Kevin. Yes absolutely. Note that “OS Updates” isn’t the only app installed and working on these hosts, I also have things like Apache, “NTP Server”, “NTP Client” etc apps working and graphing.

It’s just the “OS Updates” that shows nan’s, the rest are fine.

I’ve looked at and reviewed the logs, and can’t see anything amiss.

Michael.

There is an error somewhere… I have the os-updates working on all my CentOS 7 boxes.

https://docs.librenms.org/#Extensions/Applications/#os-updates

Can you post the discovery output from the CentOS boxes? Use Pastebin to post the output please.

Hi Kevin,

I’ve done further (more in-depth) analysis and have determined that SELinux is the problem.

I see things like:

Oct 3 05:55:15 host setroubleshoot: SELinux is preventing /usr/bin/python2.7 from open access on the file /var/log/yum.log. For complete SELinux messages. run sealert -l blah

I’ve tried to put in manual policies as per the instructions they provide in the logs, however the directories created for the osupdates script to query yum generate random directories like:

5KOT_oPLUM

so putting in a rule using:

ausearch -c 'bash' --raw | audit2allow -M my-bash

and then:

semodule -i my-bash.pp

does not fix anything, since on the next run another random directory is created and still denied access.

It’s not an option to remove SELinux unfortunately.

Any ideas how we can tell SELinux to allow python2.7, /bin/bash and other items to have access to yum properly?

Thanks.

Michael.

Hi team.

I ended up working it out.

I saw three main things causing the problems in audit.log:

snmpd
bash
perl

So I performed the following on each:

# grep snmpd /var/log/audit/audit.log | audit2allow -M mypolsnmpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypolsnmpd.pp

# semodule -i mypolsnmpd.pp

and the same for “perl” and “bash”.

Hope this ends up helping others with the same issues. It took some hours to research and learn SELinux to figure the above out.

The graphs are working now.

I have one more issue with osupdates on the LibreNMS server itself, but I will raise a separate forum case for that one.

Thanks.

Michael.

I thought you said SE Linux was disabled?

Anyway, glad you got it working. :)

We may need to add this into the docs

Hi Kevin. Yeah, I checked the wrong server at the time (was adding at the time about 4 servers and the one I checked didn’t have SELinux). So the ones that weren’t working had SELinux.

I just checked the wrong server at the time.

Michael.

Hi Kevin. Yes I had to run through it a couple of times before all the rules were added.

tail -f /var/log/audit/audit.log | grep denied

Watched the output of that on each snmpd poll, if anything was still denied I would run the relevant:

grep perl /var/log/audit/audit.log | audit2allow -M mypolperl
semodule -i mypolperl.pp

etc… until no more denies were made that related to LibreNMS snmpd polling.

Once all that was done, graphs were good to go.

Michael.
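An added example, not part of any post in this thread: grepping audit.log for a command name such as bash or perl matches denials from every process with that name on the host, so the generated module can allow more than the snmpd poll needs. The sketch below keeps only AVC denials whose source domain is snmpd_t (assumed here to be the domain the extend script runs in) and summarises them for review before anything goes to audit2allow. The function names and the sample log lines, including their SELinux type names, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the hosts in the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1507006515.101:900): avc:  denied  { open } for  pid=4101 comm="python2.7" path="/var/log/yum.log" dev="dm-0" ino=77 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file
type=AVC msg=audit(1507006515.105:901): avc:  denied  { read } for  pid=4102 comm="bash" name="rpm" dev="dm-0" ino=80 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1507006815.101:950): avc:  denied  { open } for  pid=4201 comm="python2.7" path="/var/log/yum.log" dev="dm-0" ino=77 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file
type=AVC msg=audit(1507006900.000:960): avc:  denied  { write } for  pid=5000 comm="bash" name="data" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1507006900.000:960): arch=c000003e syscall=2 success=no comm="bash"
EOF
}

# Keep only AVC denials whose source domain is $1 (default: snmpd_t, an assumption).
filter_domain() {
    grep 'type=AVC' | grep 'denied' | grep "scontext=[^ ]*:${1:-snmpd_t}:"
}

# One line per distinct denial: count, command, {permissions}, target type:class.
summarize_avc() {
    awk '{
        comm = ""; ttype = ""; tclass = ""
        s = index($0, "{ "); e = index($0, " }")
        perms = substr($0, s + 2, e - s - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        seen[comm " {" perms "} " ttype ":" tclass]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k2
}

# Demo on the constructed sample; the httpd_t and SYSCALL lines are dropped.
sample_audit_log | filter_domain snmpd_t | summarize_avc
```

On a real host, feed /var/log/audit/audit.log to filter_domain instead of the sample, read the summary, and pipe only the filtered raw lines into audit2allow -M so the module covers just the denials raised under snmpd.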