Add ENABLE_FRR_SNMP_AGENT build option to disable BGP4-MIB #27877

Merged: lguohan merged 1 commit into sonic-net:master from securely1g:disable-frr-snmp-agent on Jun 15, 2026

Conversation

securely1g (Contributor) commented Jun 13, 2026

Description

Add a build-time option ENABLE_FRR_SNMP_AGENT (default: y) that controls whether FRR's SNMP AgentX support (rfc1657 BGP4-MIB) is included in the image.

Why I did it

The SNMP rfc1657 BGP4-MIB triggers memory management issues and causes snmpd to crash. This option allows deployments that do not need BGP4-MIB to disable it at build time.

How I did it

Added ENABLE_FRR_SNMP_AGENT to rules/config with conditional logic across build-time and runtime paths:

Build-time (Makefile/Dockerfile):

  • rules/config — define ENABLE_FRR_SNMP_AGENT ?= y
  • rules/frr.mk — conditionally define FRR_SNMP / FRR_SNMP_DBG packages
  • rules/docker-fpm-frr.mk — conditionally depend on FRR_SNMP
  • slave.mk — export variable for Dockerfile.j2 rendering and image build
  • dockers/docker-fpm-frr/Dockerfile.j2 — conditionally COPY snmp.conf

Runtime (sonic-cfggen template rendering):

  • files/build_templates/sonic_debian_extension.j2 — injects constants.frr.enable_snmp_agent into /etc/sonic/constants.yml at image build time
  • dockers/docker-fpm-frr/frr/supervisord/supervisord.conf.j2 — conditionally adds -M snmp to zebra, bgpd, ospfd based on constants.frr.enable_snmp_agent
  • dockers/docker-fpm-frr/frr/bgpd/bgpd.conf.j2 — conditionally emits agentx
  • dockers/docker-fpm-frr/frr/frr.conf.j2 — conditionally emits agentx

Note: dockers/docker-snmp/snmpd.conf.j2 keeps agentxsocket unconditionally — the listening socket is harmless when no AgentX client connects, and docker-snmp does not load constants.yml.

When ENABLE_FRR_SNMP_AGENT=n:

  • frr-snmp package is not installed into docker-fpm-frr
  • zebra, bgpd, and ospfd run without -M snmp module
  • agentx directive is omitted from FRR config at runtime
  • snmp.conf is not copied into the FRR container

How to verify it

Build with ENABLE_FRR_SNMP_AGENT=n in rules/config and confirm:

# OID not available
admin@switch:~$ sudo docker exec -it snmp snmpwalk -v2c -c public 127.0.0.1 .1.3.6.1.2.1.15
iso.3.6.1.2.1.15 = No Such Object available on this agent at this OID

# No agentx socket
admin@switch:~$ netstat | grep 3161
(no output)

# Verify constants.yml has the flag
admin@switch:~$ grep -A1 "frr:" /etc/sonic/constants.yml
  frr:
    enable_snmp_agent: false

Default build (ENABLE_FRR_SNMP_AGENT=y) keeps existing behavior unchanged.

Signed-off-by: securely1g <securely1g@users.noreply.github.com>
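
As an added example (not part of the PR or the SONiC code base), the script below cross-checks the three runtime artifacts the description lists, so an image built with ENABLE_FRR_SNMP_AGENT=n whose rendered config still loads the module or emits agentx is caught. The file paths are passed in as arguments; the sample file contents, the `check_frr_snmp` and `sample_verdict` names, and the verdict strings are constructed for illustration.

```shell
#!/bin/sh
# check_frr_snmp CONSTANTS_YML SUPERVISORD_CONF FRR_CONF
# Prints: enabled | disabled | inconsistent:<reasons> | unknown:<reason>
check_frr_snmp() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "unknown: cannot read $f"; return 2; }
    done
    # Flag injected into constants.yml under frr: at image build time.
    flag=$(awk '$1 == "enable_snmp_agent:" { print tolower($2); exit }' "$1")
    # Daemon command lines that still load the module via "-M snmp".
    loaded=$(grep -cE '^command=.*[[:space:]]-M[[:space:]]*snmp([[:space:]]|$)' "$2" || true)
    # An "agentx" directive on its own line in the rendered FRR config.
    agentx=$(grep -cE '^[[:space:]]*agentx[[:space:]]*$' "$3" || true)
    problems=
    case $flag in
        true)
            [ "$loaded" -gt 0 ] || problems="$problems no_daemon_loads_snmp"
            [ "$agentx" -gt 0 ] || problems="$problems agentx_missing"
            state=enabled ;;
        false)
            [ "$loaded" -eq 0 ] || problems="$problems snmp_module_loaded_by_${loaded}_daemon(s)"
            [ "$agentx" -eq 0 ] || problems="$problems agentx_present"
            state=disabled ;;
        *)  echo "unknown: enable_snmp_agent is '${flag:-unset}'"; return 2 ;;
    esac
    if [ -n "$problems" ]; then echo "inconsistent:$problems"; return 1; fi
    echo "$state"
}

# sample_verdict FLAG MODULE_ARGS AGENTX_LINE
# Builds constructed sample files (not from a real image) and checks them.
sample_verdict() {
    d=$(mktemp -d)
    printf 'constants:\n  frr:\n    enable_snmp_agent: %s\n' "$1" > "$d/constants.yml"
    printf '[program:zebra]\ncommand=/usr/lib/frr/zebra -A 127.0.0.1%s\n' "$2" > "$d/supervisord.conf"
    printf '[program:bgpd]\ncommand=/usr/lib/frr/bgpd -A 127.0.0.1%s\n' "$2" >> "$d/supervisord.conf"
    printf 'router bgp 65100\n%s\n' "$3" > "$d/frr.conf"
    check_frr_snmp "$d/constants.yml" "$d/supervisord.conf" "$d/frr.conf" || true
    rm -rf "$d"
}

sample_verdict false ''         ''        # clean build with the option off
sample_verdict false ' -M snmp' ''        # stale supervisord.conf
sample_verdict true  ' -M snmp' 'agentx'  # default build
```

On a device, call `check_frr_snmp` with /etc/sonic/constants.yml and the rendered supervisord and FRR config files copied out of the FRR container; a non-zero exit status marks drift or an unreadable input.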

@mssonicbld

Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from 9494398 to 1746cdc Compare June 13, 2026 21:48
lguohan previously approved these changes Jun 13, 2026

@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from ecb4005 to b95dbc2 Compare June 14, 2026 02:00

@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from b95dbc2 to 8c78f63 Compare June 14, 2026 04:12
lguohan previously approved these changes Jun 14, 2026
lguohan (Collaborator) commented Jun 14, 2026

/azpw ms_conflict

@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from 6b2b997 to ece0486 Compare June 14, 2026 06:01
lguohan previously approved these changes Jun 14, 2026
@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from 3cdb5ca to 8e96556 Compare June 14, 2026 15:34

@securely1g securely1g force-pushed the disable-frr-snmp-agent branch from 0fd3a67 to e3439c5 Compare June 14, 2026 18:12
lguohan previously approved these changes Jun 14, 2026
Add a new build-time option ENABLE_FRR_SNMP_AGENT (default 'y') that
controls whether FRR loads the SNMP AgentX module. When set to 'n':

- frr-snmp package is excluded from docker-fpm-frr
- bgpd/zebra/ospfd run without -M snmp module
- agentx directive is omitted from bgpd/zebra configs
- snmp.conf is not copied into the container

This avoids snmpd memory issues caused by BGP4-MIB polling on switches
that don't require SNMP monitoring of BGP state.

Implementation:
- New ENABLE_FRR_SNMP_AGENT variable in rules/config (default y)
- constants.yml.j2 template renders frr.enable_snmp_agent for runtime use
- Jinja2 expression syntax in supervisord.conf.j2 for -M snmp flag
  (uses {{ }} expressions instead of {% if %} blocks to avoid
  trim_blocks newline eating in sonic-cfggen's Jinja2 environment)
- Jinja2 conditionals in bgpd.conf.j2, zebra.conf.j2 for agentx
- Docker build conditionals for frr-snmp package and snmp.conf
- Unit test constants.yml added to src/sonic-config-engine/tests/data/
- Static constants.yml kept at files/image_config/constants/ for bgpcfgd

Signed-off-by: securely1g <securely1g@users.noreply.github.com>

@yijingyan2

Contributor

/azpw ms_conflict

@lguohan lguohan merged commit ac10730 into sonic-net:master Jun 15, 2026
28 checks passed