librenms/librenms-agent

Note on docker app script

Thermi opened this issue · 3 comments

Please note that giving access to the docker daemon to the snmp agent effectively gives it root access to the system.

A better solution would be a systemd timer and unit that write that information periodically to a file in /tmp that is chown'd to match the access rights of the agent (if you separate /tmp per systemd unit and that affects snmpd, you need to decide on a different dir and use that). Maybe a general dir in /var/run would be a good general solution for data sharing between snmpd and any scripts so snmpd doesn't need root access to gather the information.

Just a general note, maybe inspiration for a PR that rewrites all the integrations with these apps so they don't need root access anymore.

This is already covered under https://docs.librenms.org/Extensions/Applications/#sudo.

It's very likely I'm being dense, but in the following directions

https://docs.librenms.org/Extensions/Applications/#docker-stats

If you run Debian, you need to add the Debian-snmp user to the docker group

usermod -a -G docker Debian-snmp

Debian-snmp now has all the privileges of the docker group, regardless of any other sudos. From my current understanding, if a command like:
https://docs.librenms.org/Extensions/Applications/#sudo

extend docker /usr/bin/sudo /etc/snmp/docker-stats.sh

coupled with visudo

Debian-snmp ALL = NOPASSWD:  /etc/snmp/docker-stats.sh

Would execute /usr/bin/docker stats as if it was root. Wouldn't that preclude the need for usermod -a -G docker Debian-snmp and the questions around it?

Sorry if I'm slow, as that's likely what's going on, and thanks for your work on one of my favorite pieces of software :)

Yeah. No need to add the snmpd user to that group if running the script via sudo.

Similarly there's also running it via cron and then just catting the file the output is dumped to from snmpd, which works great for extends that will not finish in a timely fashion.
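
The collect-to-a-file approach from the opening post and the last comment, as an added example that is not part of the thread or of the LibreNMS project's code: a root-run collector publishes the script output atomically, and snmpd only reads the file as its unprivileged user. The helper name `/etc/snmp/docker-cache.sh`, the directory `/var/run/snmp-extend`, the output file name and the 600-second staleness limit are assumptions.

```shell
#!/bin/sh
# Added example, not LibreNMS code. Hypothetical helper /etc/snmp/docker-cache.sh:
#   root cron/timer:  */5 * * * * root /etc/snmp/docker-cache.sh collect
#   snmpd.conf:       extend docker /etc/snmp/docker-cache.sh serve
# snmpd then needs neither sudo nor membership of the docker group.
OUT_DIR="${OUT_DIR:-/var/run/snmp-extend}"          # assumed shared directory
OUT_FILE="$OUT_DIR/docker.out"
COLLECTOR="${COLLECTOR:-/etc/snmp/docker-stats.sh}" # script named in the thread
OWNER="${OWNER:-}"                                  # e.g. root:Debian-snmp
MAX_AGE="${MAX_AGE:-600}"                           # seconds until data is stale

# Publish stdin to $1 atomically: temp file in the same directory, then rename,
# so snmpd never reads a half-written file.
publish() {
    dest=$1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat > "$tmp" && [ -s "$tmp" ]; then
        [ -z "$OWNER" ] || chown "$OWNER" "$tmp"
        chmod 0640 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"   # empty output: keep the previous good file
        return 1
    fi
}

# Print $1 only if it exists (else return 1) and is at most $2 seconds old
# (else return 2), so a dead collector shows up as a failing extend.
serve() {
    file=$1; max_age=$2
    [ -f "$file" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file") || return 1
    [ $((now - mtime)) -le "$max_age" ] || return 2
    cat "$file"
}

case "${1:-}" in
    collect) mkdir -p "$OUT_DIR" && "$COLLECTOR" | publish "$OUT_FILE" ;;
    serve)   serve "$OUT_FILE" "$MAX_AGE" ;;
esac
```

Keep the shared directory writable by root only, so the snmpd user can read the published file but cannot replace it.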