Add SNMP support on XenServer
XenServer already comes with SNMP support installed, but the snmpd daemon does not run by default. This article shows how to use the preconfigured SNMP support and how to configure SNMPv3 with a password.

Enabling the preconfigured SNMP

To start the snmpd daemon, execute from the console:

# chkconfig snmpd on
# service snmpd start
Starting snmpd:                                            [  OK  ]

You also need to enable the snmpd port in the firewall: run system-config-securitylevel-tui and enable snmpd:udp in the "Customize" screen.

You can then query the SNMP status of this server by running snmpwalk:

# snmpwalk -v 1 -c public myserver.mydomain.de
SNMPv2-MIB::sysDescr.0 = STRING: Linux server15 2.6.32.12-0.7.1.xs5.6.100.307.170586xen #1 SMP Tue Nov 30 09:55:20 EST 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (330504) 0:55:05.04
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysName.0 = STRING: server15
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
....

After SNMP has been enabled, you can query this server from Cacti, for example, to get fancy network and CPU load diagrams.

Disabling public access

The default SNMP configuration allows the server to be queried without a password, so everybody in the world can run the snmpwalk command and retrieve your server status. If you do not want this, you have to disable the default configuration and add a new configuration that grants access only to hosts identified by username and password.

To remove public access to the SNMP data, comment out all lines starting with "view systemview included" in /etc/snmp/snmpd.conf and restart snmpd.

# Third, create a view for us to let the group have rights to:

#       name          incl/excl  subtree         mask(optional)
#view   systemview    included   system
#view   systemview    included   interfaces
#view   systemview    included   at
#view   systemview    included   ip
#view   systemview    included   icmp
#view   systemview    included   tcp
#view   systemview    included   udp
#view   systemview    included   snmp

Enabling SNMPv3

The easiest way of adding password protection is to use the net-snmp-config command. Unfortunately, the binary is not available on Citrix XenServer, so it must be installed first. Since it is also not available in the Citrix package repository, we need to retrieve it from some other place first. As Citrix XenServer is based on CentOS 5.4, make sure you download the 5.4 release of the package.

The net-snmp-devel package has lots of dependencies which we don't need, so we force installation of this package alone with the --nodeps flag.

Finally, we create a username and password for SNMP with the net-snmp-config command.

# wget http://vault.centos.org/5.4/os/i386/CentOS/net-snmp-devel-5.3.2.2-7.el5.i386.rpm
--2011-07-17 18:26:45--  http://vault.centos.org/5.4/os/i386/CentOS/net-snmp-devel-5.3.2.2-7.el5.i386.rpm
Resolving vault.centos.org... 95.211.98.141
Connecting to vault.centos.org|95.211.98.141|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1995703 (1.9M) [application/x-rpm]
Saving to: `net-snmp-devel-5.3.2.2-7.el5.i386.rpm.1'

100%[======================================================================================================================>] 1,995,703   6.51M/s   in 0.3s

2011-07-17 18:26:45 (6.51 MB/s) - `net-snmp-devel-5.3.2.2-7.el5.i386.rpm' saved [1995703/1995703]

# rpm -hiv --nodeps net-snmp-devel-5.3.2.2-7.el5.i386.rpm
warning: net-snmp-devel-5.3.2.2-7.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
   1:net-snmp-devel         ########################################### [100%]

# service snmpd stop

# net-snmp-config --create-snmpv3-user -a mytopsecredpassword monitor
adding the following line to /var/net-snmp/snmpd.conf:
   createUser monitor MD5 "mytopsecredpassword" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser monitor
# service snmpd start
Starting snmpd:                                            [  OK  ]
# 

The SNMP information can now be retrieved only by supplying the user name and password:

# snmpwalk -v 3 -c public myserver.mydomain.de -u monitor -A mytopsecredpassword -l AuthNoPriv 
SNMPv2-MIB::sysDescr.0 = STRING: Linux server00 2.6.32.12-0.7.1.xs5.6.100.323.170596xen #1 SMP Fri Apr 8 07:25:07 EDT 2011 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (35243502) 4 days, 1:53:55.02
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysName.0 = STRING: server15
SNMPv2-MIB::sysLocation.0 = STRING: Unknown
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
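
An added example, not part of the original article: a small shell check that reads snmpd.conf files and reports the settings this page deals with (community-based access, active "view systemview included" lines, the rwuser line written by net-snmp-config, and MD5/DES user creation). The function names, the com2sec sample line and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the weak net-snmp settings discussed on this page.
# audit_snmpd_conf is a hypothetical helper name; it assumes rouser/rwuser
# lines without a "-s SECMODEL" option and passwords without spaces.
audit_snmpd_conf() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "com2sec" {
        report("community \"" $4 "\" gives v1/v2c access without a user password")
    }
    $1 == "view" && $2 == "systemview" && $3 == "included" {
        report("default view still exposes subtree " $4)
    }
    $1 == "rwuser" {
        report("user " $2 " has write access; rouser is enough for monitoring")
    }
    ($1 == "rwuser" || $1 == "rouser") && $3 != "priv" {
        report("user " $2 " is not required to use encryption (priv)")
    }
    $1 == "createUser" && ($3 == "MD5" || $5 == "DES") {
        report("user " $2 " uses " $3 " auth" ($5 != "" ? " and " $5 " privacy" : ""))
    }
    END { exit (n > 0) }                    # exit status 1 when anything was found
    ' "$@"
}

# Constructed sample: the com2sec line is an assumed default; the other lines
# are the ones this page shows, with one view line already commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
com2sec notConfigUser  default  public
view    systemview    included   system
#view   systemview    included   interfaces
createUser monitor MD5 "mytopsecredpassword" DES
rwuser monitor
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_snmpd_conf "$sample" || echo "weak settings found"
rm -f "$sample"
```

On a real host the function would be run as audit_snmpd_conf /etc/snmp/snmpd.conf /var/net-snmp/snmpd.conf; the createUser check only matches while that line is still present in the file.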