1

I set up, sometimes ago, a Cacti plugin on a Linux Debian that allows to collect DNS statistics, through SNMP/rndc queries, for generating beautiful graphics.

It was working fine until some weeks ago... :-(

So the issue is that the file named.stats has its specific user/group file permissions as usual. But the Cacti poller user hasn't the needed file permission to read it...

The work-flow is:

  • the Cacti poller calls the bind-stats.sh script
  • this script does a snmpget of the hostname
  • the snmpget calls the runstats.sh script
  • finally runstats.sh performs the following:
    • deletes the old named.stats
    • does a rndc stats that generates a new named.stats file.
    • reads & parses the named.stats file with a Perl template

console output:

mdw05:~# /usr/share/cacti/site/scripts/bind-stats.sh example.serverfault.com snmpCommunity 
cat: /var/cache/bind/named.stats: Permission denied
mdw05:~#
mdw05:~# ls -l /var/cache/bind/named.stats
-rw-r----- 1 bind bind 4.8K Jul 23 10:54 /var/cache/bind/named.stats
mdw05:~#



Therefore, how can I configure Bind rndccommand to change the default file permissions to allow the script runstats.sh to read this file...?
I have already tried to add SNMP and/or Cacti user as member of the Bind group, but it doesn't work >_<

Thanks for your help.

bind-stats.sh:

#!/bin/sh

# $1 hostname $2 community

/usr/bin/snmpget -v 2c -Ovq -c $2 $1 .1.3.6.1.4.1.18689.0.1.4.1.2.14.100.110.115.99.97.99.104.101.45.115.116.97.116.115.1 | sed 's/"//g'

snmpd.conf:

## cacti polling (http://docs.cacti.net/usertemplate:host:bind9.7)
extend .1.3.6.1.4.1.18689.0.1 dnscache-stats /usr/local/sbin/cacti_bind9.7/runstats.sh

runstats.sh:

#!/bin/sh

rm -f /var/cache/bind/named.stats

rndc stats
cat /var/cache/bind/named.stats | perl /usr/local/sbin/cacti_bind9.7/dnsstats.pl
gudepier
  • 111
  • 1
  • 4
  • 1
    You might also want to add the permissions and the SELinux context (`ls -lZ` if you are using that) of the `/var/cache/bind/` directory to your question. Either of those could be the reason that adding the Cacti user to the Bind group didn't work. You will also need to add yourself or switch to the Cacti user if you're running the script from the command line for testing. – Ladadadada Jul 23 '13 at 09:40
  • I didn't use SELinux module and the permissions of `/var/cache/bind/` directory is `0775 - bind:snmp` (Users of Cacti & SNMP can both list the content of `/var/cache/bind/` folder). – gudepier Jul 23 '13 at 10:17
  • To answer to your last remark, `bind-stats.sh` can be launch with root or Cacti user because the _job_ is "forked" to the SNMP user (but indeed I will do a test with Cacti user at the end ;-) ). – gudepier Jul 23 '13 at 10:24

1 Answers1

1

Use sudo for this. Add this to /etc/sudoers

snmp ALL= NOPASSWD: /usr/local/sbin/cacti_bind9.7/runstats.sh

And modify your snmpd.conf extend line to:

extend .1.3.6.1.4.1.18689.0.1 dnscache-stats /usr/bin/sudo /usr/local/sbin/cacti_bind9.7/runstats.sh

Regards,

Rubén.

Rubén Cardenal Niño
  • 11
  • 1