Snmptrapd Could not connect to database, check logs/librenms.log

Hello all,

I’m trying to set up SNMP Trap Handling. I followed the instructions, and used Option 2 for configuring snmptrapd. Traps are logging to /var/log/snmptrap/traps.log, but /var/log/messages is filling up with an error:

snmptrapd[2017268]: Could not connect to database, check logs/librenms.log.

For some reason, /opt/librenms/snmptrap.php cannot connect to the database.

Is there something I’m likely missing in my setup, or any suggestions on debugging?

Thanks in advance,
Dave


The modified files are my doing.

./validate.php

====================================

Component Version
LibreNMS 21.1.0-27-g4fa7993e2
DB Schema 2021_02_08_224355_fix_invalid_dates (199)
PHP 7.3.20
Python 3.6.8
MySQL 10.3.27-MariaDB
RRDTool 1.7.0
SNMP NET-SNMP 5.8

====================================

[OK] Composer Version: 2.0.9
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[WARN] Your local git contains modified files, this could prevent automatic updates.
[FIX]:
You can fix this with ./scripts/github-remove
Modified Files:
config/snmptraps.php
includes/init.php

Odd, could be permissions or something as the snmptrapd daemon will execute snmptrap.php

That’s what it looks like to me too. To test, I commented out the if statement that was causing the error and got another error:

In StreamHandler.php line 111:
The stream or file “/opt/librenms/logs/librenms.log” could not be opened in
append mode: failed to open stream: Permission denied

The snmptrapd service runs under root, and it has to because port 162 is a privileged port.

Any suggestions?

It seems to be working now.

TLDR; try disabling SELinux.

setenforce 0


The long answer.

I tried to get the PHP running under the librenms user.

vi /etc/snmp/snmptrapd.conf
# edit traphandle line
# traphandle default su - librenms -c /opt/librenms/snmptrap.php
:wq
systemctl restart snmptrapd.service

I checked /var/log/messages. It was blowing up with errors, like:

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running’ failed.

Temporarily disabled SELinux:

setenforce 0

The snmptrapd service was working, but new errors were appearing in /var/log/messages:

systemd[1]: [email protected]: Start request repeated too quickly.

Tried to fix SELinux:

audit2allow -a
#============= snmpd_t ==============
allow snmpd_t faillog_t:file { open read };
allow snmpd_t httpd_sys_rw_content_t:file { append getattr open read };
allow snmpd_t lastlog_t:file { open read write };

#!!! This avc can be allowed using the boolean ‘daemons_enable_cluster_mode’
allow snmpd_t mysqld_t:unix_stream_socket connectto;
allow snmpd_t mysqld_var_run_t:sock_file write;
allow snmpd_t security_t:security compute_av;
allow snmpd_t self:capability { audit_write dac_override };
allow snmpd_t self:netlink_audit_socket { create nlmsg_relay };
allow snmpd_t self:netlink_selinux_socket { bind create };
allow snmpd_t self:passwd rootok;
allow snmpd_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t snmpd_t:dbus send_msg;

# audit2allow -a -M snmpd_t
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i snmpd_t.pp

semodule -i snmpd_t.pp
setenforce 1


Running tail -f /var/log/messages:

snmptrapd[3541543]: su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running’ failed.

Traps are working by this point, but /var/log/messages is a mess. The selinux commands didn’t seem to help before. Leaving it disabled still gave us other weird messages, like the issue with starting up too fast.

I rolled back some of the changes to simplify things and see if it would still work.
Edited /etc/snmp/snmptrapd.conf the original traphandle instead of calling it through su - librenms.
No funky errors coming up in /var/log/messages. Better than I would have expected.

Then I re-enabled selinux with setenforce 1. Still no error messages, for a while. Soon, ./daily.sh was complaining that the PHP version was too low. Updates only made things worse. PHP was unable to load dynamic libraries. I gave up for the day.

Today, everything is working. No funky messages in logs, SNMP traps are coming in, ./daily.sh works, validation looks good. The main thing different right now is SELinux is still set with setenforce 0.