Note about php_snmp and snmp v3

[xmacan]

In Technical Support is note: PHP SNMP | Installed. If you are planning on using SNMPv3, you must remove php-snmp and use the Net-SNMP toolset.

Is it still true? I don't have much experience with v3 but I have to add SNMP v3 only device and it is working without problems. I have installed: net-snmp.x86_64 1:5.7.2-48.el7_8.1 @updates net-snmp-agent-libs.x86_64 1:5.7.2-48.el7_8.1 @updates net-snmp-devel.x86_64 1:5.7.2-48.el7_8.1 @updates net-snmp-libs.x86_64 1:5.7.2-48.el7_8.1 @updates net-snmp-utils.x86_64 1:5.7.2-48.el7_8.1 @updates php-snmp.x86_64 5.4.16-48.el7 @base

Cacti Version | 1.2.12 Cacti OS | unix NET-SNMP Version | NET-SNMP version: 5.7.2 PHP Version | 5.4.16

[netniV]

You have PHP Snmp module installed, but do you have it enabled?

[xmacan]

phpinfo() says: NET-SNMP Support | enabled NET-SNMP Version | 5.7.2 PHP SNMP Version | 0.1

[TheWitness]

It was really about some of the advanced features, for example the SNMP Output Format and IPv6 support, which .... last time I checked, were not supported in PHP-SNMP. I have not looked at the code for over a year though. Someone should. @xmacan can you take a peak? We also have the AES512 stuff to think about as we move forward.

[TheWitness]

I just took a look value_output_format(hex/ascii) has not been addressed, and would have to hack around to see if it was built on Net-SNMP 5.8, if it would support the higher encryption levels outside of AES/SHA1, etc.

[TheWitness]

Even php8 does not seem to support more than SHA, AES, AES128. So, both those two things need someone to help the PHP team out with.

[xmacan]

I guess that it isn't only our problem. I found this https://github.com/FreeDSx/SNMP

[TheWitness]

Oh, that's slick. You want to do a pull on this one?

[xmacan]

I can try it, but I need few days. I'm busy now

[netniV]

I like the idea of using a library that we can contribute to or fork, have we checked the license usage? This should go against develop.

[TheWitness]

Yea, I'm all for this as well. We will still have to hack spine to get it in there, but it's simply a minor code change, and no third party locked in PHP module update required.

[tla2k12]

I am having an issue with this using the Fedora packaged Cacti (& Spine). This may help other Cacti on Fedora users. Versions are:

OS Fedora 37 server
Cacti 1.2.23
RRDTool 1.8.0
PHP 8.1.14
hhtpd (Apache) 2.4.55
mariadb 10.5.18
NET-SNMP Support | enabled
NET-SNMP Version | 5.9.3
PHP SNMP | Installed. Note: If you are planning on using SNMPv3, you must remove php-snmp and use the Net-SNMP toolset.

The big warning for PHP SNMP is true for SNMPv3. It doesn't work plus there seem to be other incompatibilities in terms of authentication and privacy methods supported that cause PHP SNMP to fail and errors to be written to the cacti.log. snmpd is configured on the local cacti server for SNMPv3. /etc/snmp/snmpd.conf has:

createUser cacti SHA "cacti123" AES "cacti123"
rouser  cacti priv
proc  httpd 5 5
proc  sshd 5 1
disk  / 20%
load  5 5 5
syslocation  Lab
syscontact  "John Doe"
sysservices 12

Command line is working fine (note as far as net-snmp is concerned, AES appears to be an alias for AES-128):

$ snmpwalk -v3 -l authPriv -u cacti -x AES -X cacti123 -a SHA -A cacti123 localhost sysUpTimeInstance
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (17309) 0:02:53.09
$ snmpwalk -v3 -l authPriv -u cacti -x AES-128 -X cacti123 -a SHA -A cacti123 localhost sysUpTimeInstance
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (57106) 0:09:31.06

The Cacti GUI SNMP config for local Linux machine is:

Version 3
AuthPriv
SHA
AES-128

Within Cacti the local Linux machine monitoring method is SNMPUptime. The error returned to Cacti is:

System SNMP error - SNMP::get(): Fatal error: Timeout

Oddly, I don't see any errors in cacti.log giving clues as to why PHP SNMP isn't happy. The PHP SNMP module is installed:

$ dnf info php-snmp.x86_64
Last metadata expiration check: 1:00:48 ago on Fri 03 Feb 2023 17:08:16 UTC.
Installed Packages
Name         : php-snmp
Version      : 8.1.14
Release      : 1.fc37
Architecture : x86_64
Size         : 130 k
Source       : php-8.1.14-1.fc37.src.rpm
Repository   : @System
From repo    : updates
Summary      : A module for PHP applications that query SNMP-managed devices
URL          : http://www.php.net/
License      : PHP
Description  : The php-snmp package contains a dynamic shared object that will add
             : support for querying SNMP devices to PHP.  PHP is an HTML-embeddable
             : scripting language. If you need SNMP support for PHP applications, you
             : will need to install this package and the php package.

Trying to remove php-snmp on Fedora unfortunately tries to remove cacti and cacti-spine as dependencies:

$ sudo dnf remove php-snmp.x86_64 --noautoremove
Dependencies resolved.
======================================================================================================================================================================
 Package                                  Architecture                        Version                                     Repository                             Size
======================================================================================================================================================================
Removing:
 php-snmp                                 x86_64                              8.1.14-1.fc37                               @updates                              130 k
Removing dependent packages:
 cacti                                    noarch                              1.2.23-1.fc37                               @updates                               84 M
 cacti-spine                              x86_64                              1.2.23-1.fc37                               @updates                              207 k

Transaction Summary
======================================================================================================================================================================
Remove  3 Packages

Looking at the files delivered:

]$ sudo dnf repoquery -l php-snmp.x86_64
Last metadata expiration check: 1:53:31 ago on Fri 03 Feb 2023 16:27:57 UTC.
/etc/php-zts.d/20-snmp.ini
/etc/php.d/20-snmp.ini
/usr/lib/.build-id
/usr/lib/.build-id/33
/usr/lib/.build-id/33/05a05b77eaa9eceec57e340e0e32cde345f212
/usr/lib/.build-id/f9
/usr/lib/.build-id/f9/20d04690de3a1ec5a2df7a5903f7127e299bea
/usr/lib64/php-zts/modules/snmp.so
/usr/lib64/php/modules/snmp.so

It looks as though commenting out the line in /etc/php.d/20-snmp.ini and restarting PHP should disable it:

sudo sed --in-place --expression='s?^extension=snmp?;;extension=snmp?' /etc/php.d/20-snmp.ini
sudo sed --in-place --expression='s?^extension=snmp?;;extension=snmp?' /etc/php-zts.d/20-snmp.ini
sudo systemctl restart php-fpm.service

PHP SNMP | Not Installed

That change does disable PHP SNMP and now Cacti is using net-snmp the polling works as expected.

Local Linux Machine (localhost)
SNMP Information
System: Linux localhost.localdomain 6.1.7-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 18 17:11:49 UTC 2023 x86_64
Uptime: 464600 (0days, 1hours, 17minutes)
Hostname: localhost.localdomain
Location: Lab
Contact: John Doe

[netniV]

I think we need to change the wording to "disable php-snmp" rather than remove. You are correct, packages that install Cacti will automatically install and enable php-snmp as a module. You may need to check on an upgrade that it doesn't become re-enabled. What do you think about that minor change in wording @TheWitness ?

[TheWitness]

Right, if you are using snmpV3, you MUST disable php-snmp until someone, even myself, get's enough spare time to fix this in php-snmp. Unfortunately, I took a dive and then fell short when I found the mountain of work to get output parsing moved to the updated Net-SNMP API. Since then, I've been so busy on other projects, I've not had the time to double back.

[aquerubin]

I ran into this same problem recently when moving cacti to another server. The old server runs RHEL 7 while the new server runs RHEL 9. After moving everything over, many (maybe all) of the devices were not polling until I disabled php-snmp (in 20-snmp.ini per previous comments). Although that fixed most of the polling issues, the SNMPv3 devices that were using SHA and DES remained un-pollable. The workaround for those devices is to revert back to SNMPv2.

old server (RHEL 7)

cacti version 1.2.25 php-snmp version 5.4.16 net-snmp version 5.7.2

new server (RHEL 9)

cacti version 1.2.25 php-snmp version 8.1.14 net-snmp version 5.9.1

Eventually I'd like to convert back to SNMPv3 polling for those devices when this gets fixed.