Having an issue trying to set up secret stores. If I list the secrets via telegraf or keyctl, it shows the correct number of secrets; however, when running telegraf the plugin tries to load 2^64 - 1 secrets. I cannot figure out where I am going wrong here. Has anyone else run into this issue?
```
Session Keyring
131910578 --alswrv 11583 100 keyring: _ses
256743614 --alswrv 11583 65534 \_ keyring: _uid.11583
866959729 --alswrv 11583 100 \_ keyring: telegraf
463416624 --alswrv 11583 100 \_ user: account1
112947335 --alswrv 11583 100 \_ user: account2
1006910304 --alswrv 11583 100 \_ user: account3
31592065 --alswrv 11583 100 \_ user: account4
280251353 --alswrv 11583 100 \_ user: account5
[user@host telegraf.d]$ telegraf --config ./00_outputs.conf --config ./secret_stores.conf --config ./99_testhost.conf --test
2024-03-12T17:15:38Z I! Loading config: /opt/telegraf_snmp/telegraf.d/00_outputs.conf
2024-03-12T17:15:38Z I! Loading config: ./secret_stores.conf
2024-03-12T17:15:38Z I! Loading config: ./99_testhost.conf
2024-03-12T17:15:38Z I! Starting Telegraf 1.30.0 brought to you by InfluxData the makers of InfluxDB
2024-03-12T17:15:38Z I! Available plugins: 233 inputs, 9 aggregators, 31 processors, 24 parsers, 60 outputs, 6 secret-stores
2024-03-12T17:15:38Z I! Loaded inputs: snmp
2024-03-12T17:15:38Z I! Loaded aggregators:
2024-03-12T17:15:38Z I! Loaded processors:
2024-03-12T17:15:38Z I! Loaded secretstores: telegraf
2024-03-12T17:15:38Z W! Outputs are not used in testing mode!
2024-03-12T17:15:38Z I! Found 18446744073709551615 secrets...
2024-03-12T17:15:38Z W! Insufficient lockable memory 8192kb when 18014398509481972kb is required. Please increase the limit for Telegraf in your Operating System!
2024-03-12T17:15:38Z D! [agent] Initializing plugins
```
The calculation for lockable memory is:
```go
required := 3 * c.NumberSecrets * uint64(os.Getpagesize())
```
Let’s look at each value:
- The three is an arbitrary value we decided to scale the count to ensure headroom.
- What is your page size? (e.g. run `getconf PAGESIZE` in terminal) Wondering if you are using 4096 or huge pages, which would be 4MB.
- How many secrets are you actually using in your SNMP config? Secret count is used here and is incremented for every call to `secret.init`, which would be called each time we unmarshal a secret text.
Thanks!
Using 4096 page size. There's only the 5 secrets in the store (and only the keyrings/keys secrets shown).
The config was a simple single poll to test, only referenced a single time. Also, at this point the inputs have not yet been loaded; it's only trying to grab the secrets.
So this is loading the entire configuration, the inputs may not have started yet, but we know how many secrets were referenced at this point. Secrets usually are not obtained yet either, only when used.
Can you give me an example config? Would like to try this out locally as well.
Here is a base config I just tried
OS: RHEL 9.3
Telegraf 1.30.0
```
[user@host]~% telegraf secrets set secrets community
Enter secret value:
[user@host]~% keyctl show
Session Keyring
326687728 --alswrv 11583 1004 keyring: _ses
256743614 --alswrv 11583 65534 \_ keyring: _uid.11583
866959729 --alswrv 11583 100 \_ keyring: telegraf
228082843 --alswrv 11583 1004 \_ user: community
[user@host]~% telegraf --config ./test.conf --test
2024-03-13T17:12:22Z I! Loading config: ./test.conf
2024-03-13T17:12:22Z I! Starting Telegraf 1.30.0 brought to you by InfluxData the makers of InfluxDB
2024-03-13T17:12:22Z I! Available plugins: 233 inputs, 9 aggregators, 31 processors, 24 parsers, 60 outputs, 6 secret-stores
2024-03-13T17:12:22Z I! Loaded inputs: snmp
2024-03-13T17:12:22Z I! Loaded aggregators:
2024-03-13T17:12:22Z I! Loaded processors:
2024-03-13T17:12:22Z I! Loaded secretstores: secrets
2024-03-13T17:12:22Z W! Outputs are not used in testing mode!
2024-03-13T17:12:22Z I! Tags enabled:
2024-03-13T17:12:22Z I! Found 18446744073709551615 secrets...
2024-03-13T17:12:22Z W! Insufficient lockable memory 8192kb when 18014398509481972kb is required. Please increase the limit for Telegraf in your Operating System!
2024-03-13T17:12:22Z D! [agent] Initializing plugins
2024-03-13T17:12:26Z W! DeprecationWarning: Value "agent_host" for option "agent_host_tag" of plugin "inputs.snmp" deprecated since version 1.29.0 and will be removed in : set to "source" for consistent usage across plugins or safely ignore this message and continue to use the current value
2024-03-13T17:12:26Z D! [agent] Starting service inputs
2024-03-13T17:12:26Z D! [agent] Stopping service inputs
2024-03-13T17:12:26Z D! [agent] Input channel closed
2024-03-13T17:12:26Z D! [agent] Stopped Successfully
[user@host]~% cat test.conf
[global_tags]
[agent]
interval = "1m"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 10000
collection_jitter = "5s"
flush_interval = "10s"
flush_jitter = "5s"
precision = ""
debug = true
quiet = false
omit_hostname = true
snmp_translator = "gosmi"
[[secretstores.os]]
id = "secrets"
keyring = "telegraf"
dynamic = false
[[outputs.influxdb]]
urls = ["http://localhost:8086"]
database = "telegraf"
retention_policy = "5y2w"
write_consistency = "any"
timeout = "5s"
[[inputs.snmp]]
agents = [ "host1" ]
version = 2
community = "@{secrets.community}"
interval = "60s"
timeout = "10s"
retries = 0
name = "sbc"
[[inputs.snmp.field]]
name = "sysUpTime"
oid = "RFC1213-MIB::sysUpTime.0"
```
Thanks - I can reproduce and know what is happening.
Essentially the call to get the secret count is returning -1, and the value is converted to an unsigned int. I’ll put up a check for this. Thanks for letting us know!
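
The wrap described in the reply above, reproduced as an added example (not part of the thread, and not Telegraf's code or its fix): with a count of -1 and a 4096-byte page, the quoted formula yields exactly the two numbers in the log. `requiredUnchecked`, `requiredChecked` and `errBadCount` are hypothetical names, and the `int64` type of the incoming count is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

const pageSize = 4096 // page size the poster reported

var errBadCount = errors.New("invalid secret count")

// requiredUnchecked applies the formula quoted in the thread to a signed
// count cast to uint64 without validation (the failure mode described).
func requiredUnchecked(count int64) (secrets, requiredKB uint64) {
	secrets = uint64(count)            // -1 becomes 2^64-1
	required := 3 * secrets * pageSize // product wraps modulo 2^64
	return secrets, required / 1024
}

// requiredChecked (hypothetical helper) rejects negative counts and
// detects multiplication overflow; it returns the requirement in bytes.
func requiredChecked(count int64) (uint64, error) {
	if count < 0 {
		return 0, fmt.Errorf("%w: %d", errBadCount, count)
	}
	hi, pages := bits.Mul64(3, uint64(count))
	if hi != 0 {
		return 0, fmt.Errorf("%w: %d overflows", errBadCount, count)
	}
	hi, total := bits.Mul64(pages, pageSize)
	if hi != 0 {
		return 0, fmt.Errorf("%w: %d overflows", errBadCount, count)
	}
	return total, nil
}

func main() {
	n, kb := requiredUnchecked(-1)
	fmt.Printf("unchecked: %d secrets, %d kB required\n", n, kb)
	for _, c := range []int64{5, -1} { // constructed sample counts
		b, err := requiredChecked(c)
		fmt.Printf("checked(%d): %d bytes, err=%v\n", c, b, err)
	}
}
```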
Great, thanks for the help and for checking into it.
Hi again,
I went looking into this a bit more and realized that the field `community` that you are using secret stores on doesn’t actually support secret stores. Looking at the readme, the only fields are `auth_password` and `priv_password`, which was a recent change and not released: feat(snmp): Add secret support for auth_password and priv_password by srebhan · Pull Request #14975 · influxdata/telegraf · GitHub