saltstack-formulas / snmp-formula Goto Github PK

View Code? Open in Web Editor NEW

17.0 40.0 49.0 174 KB

Home Page: http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

License: Other

SaltStack 17.34% Ruby 35.37% Jinja 17.94% Shell 6.83% JavaScript 22.53%

saltstack snmp

snmp-formula's Introduction

snmp-formula

This formula installs the snmp daemon and utilities.

Table of Contents

General notes
Contributing to this repo
Special notes
Available states
Layered configuration
Testing

General notes

See the full SaltStack Formulas installation and usage instructions.

If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.

If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning.

See Formula Versioning Section for more details.

If you need (non-default) configuration, please refer to:

how to configure the formula with map.jinja
the pillar.example file
the Special notes section

Contributing to this repo

Commit messages

Commit message formatting is significant!!

Please see How to contribute for more details.

pre-commit

pre-commit is configured for this formula, which you may optionally use to ease the steps involved in submitting your changes. First install the pre-commit package manager using the appropriate method, then run bin/install-hooks and now pre-commit will run automatically on each git commit.

$ bin/install-hooks
pre-commit installed at .git/hooks/pre-commit
pre-commit installed at .git/hooks/commit-msg

Special notes

None.

`snmp`

Installs the snmp daemon, starts, and enables the associated snmp service.

`snmp.conf`

Configures the snmp daemon.

`snmp.trap`

Starts and enables the trap service.

`snmp.conftrap`

Configures the trap service.

`snmp.options`

Sets snmp runtime options.

Layered configuration

Since SNMP can be integrated with many services, it may be handy to split configuration between several files, each belonging to different packages and teams. For example, you may setup generic SNMP configuration in common pillar file, and it will include:

snmp:
  conf:
    settings:
      logconnects: false
      sysServices: 72

Whereas team, that wants to monitor GPFS with SNMP on the same cluster will add this pillar file to their package:

snmp:
  conf:
    settings:
      master: ['agentx']
      AgentXSocket: tcp:localhost:705
    rocommunities:
      - gpfs
    mibs:
      GPFS: salt://gpfs/files/GPFS-mib.txt

To utilize this ability of layered configuration, you can modify snmp/conf.jinja file in following manner:

# Generic configuration:
{% set conf = salt['pillar.get']('snmp:conf', {}) %}

# Imagine you have team_names list which consist of packages provided
# by set of independent teams inside your company:
{% for team in team_names %}
{% set conf = salt['pillar.get'](
    team + ":snmp",
    default=conf,
    merge=True)
%}
{% endfor %}

# Afterall there might configuration specific to current deployment in separate pillar file:
{% set conf = salt['pillar.get'](
    "user:snmp",
    default=conf,
    merge=True)
%}

Testing

Linux testing is done with kitchen-salt.

Requirements

Ruby
Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

`bin/kitchen converge`

Creates the docker instance and runs the TEMPLATE main state, ready for testing.

`bin/kitchen verify`

Runs the inspec tests on the actual instance.

`bin/kitchen destroy`

Removes the docker instance.

`bin/kitchen test`

Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.

`bin/kitchen login`

Gives you SSH access to the instance for manual testing.

snmp-formula's People

Contributors

Stargazers

Watchers

snmp-formula's Issues

Security issue when adding a snmpv3 user with the formula

When adding a SNMPv3 user according the formula:

rwusers:
- username: '<user>'
   authpassphrase: '<authpassphrase>'
   view: all
   authproto: 'SHA'
   privproto: 'AES'
   privpassphrase: '<privpassphrase>'

The formula adds two lines to the snmpd.conf file:

rwuser <user> auth -V all
createUser <user> SHA <authpassphrase> AES <privpassphrase>

The last line is what causes the security issue.
When adding an SNMPv3 user by using net-snmp-create-v3-user the first line is added in the file snmpd.conf file located in /etc/snmp/snmpd. The second line is added in another file snmpd.conf file located in: /var/lib/net-snmp/.
When the line is read from the snmpd.conf file located in /var/lib/net-snmp/, the line is removed (eliminating the storage of the master password for that user) and replaced with the key that is derived from it.
Source: man page snmpd.conf

In the current situation, the formula adds the createUser line in the snmpd.conf file located in /etc/snmp/. Therefore the line will not be removed and the passwords are visible to anyone that can access that snmpd.conf file.

Process monitoring? Seeing no options for adding "proc" configuration lines in snmp.conf

I am tasked with converting our existing configuration files into salt states, and I see no options for adding process monitoring. I have been successful converting the rest of the configuration file, just hung up on this one since I see no examples in the pillar.example.

our current config contains:
proc mountd
proc ntalkd 4
proc sendmail 10 1

Is there an option for process monitoring configuration at the moment or will I have to resort to a file.contains workaround for this? Apologies in advance if there is a fundamental misunderstanding, if so please point me to the relevant documentation and I will read up.

snmp.conf in saltenv base is not available

Sometimes I get:

Specified SLS snmp.conf in saltenv base is not available on the salt master or through a configured fileserver

ONLY on 1-2 nodes of 8

Only works with 2015.2 and develop

This formula unfortunately uses the osfinger grain in map.jinja which is not available in 2014.7. I'd consider this a breaking change for everyone who uses this formula with a stable salt release.

This was introduced in 65277e5 by @emuehlstein

configdefault not available on RHEL family systems

If you use the snmp.default role for RHEL systems you get:

Rendering SLS 'base:snmp.default' failed: Jinja variable 'dict object' has no attribute 'configdefault'

The following should be added to the map.jinja under Redhat:
configdefault: /etc/sysconfig/snmpd

Disk property value

Is there any way to change the "disk" property value of the snmpd.conf? Looking at the template file there's no pillar variable available to define it.

[BUG] Unsafe Jinja no longer works with v3002.5

Your setup

Formula commit hash / release tag

commit 1a0a422

Versions reports (master & minion)

Salt Version:
Salt: 3002.5

Dependency Versions:
cffi: Not Installed
cherrypy: unknown
dateutil: Not Installed
docker-py: Not Installed
gitdb: 0.6.4
gitpython: 1.0.1
Jinja2: 2.11.1
libgit2: Not Installed
M2Crypto: 0.35.2
Mako: Not Installed
msgpack: 0.6.2
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: Not Installed
pygit2: Not Installed
Python: 3.6.8 (default, Nov 11 2020, 09:19:43)
python-gnupg: Not Installed
PyYAML: 5.1.2
PyZMQ: 17.0.0
smmap: 0.9.0
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.1.4

System Versions:
dist: ol 7.9
locale: UTF-8
machine: x86_64
release: 5.4.17-2036.103.3.1.el7uek.x86_64
system: Linux
version: Oracle Linux Server 7.9

Pillar / config used

snmp:
  conf:
    syscontact: '[email protected]'
    rocommunities:
      somerocommunity:
        source:
          - x.x.x.x
       location: somelocation

Bug details

Formula fails with jinja errors about unsafe objects in v3002.5 - likely due to fix for CVE-2021-25283
Issue appears to be in macro.jinja

----------
          ID: snmp_conf
    Function: file.managed
        Name: /etc/snmp/snmpd.conf
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 501, in render_jinja_tmpl
                  output = template.render(**decoded_context)
                File "/usr/lib/python3.6/site-packages/jinja2/environment.py", line 1090, in render
                  self.environment.handle_exception()
                File "/usr/lib/python3.6/site-packages/jinja2/environment.py", line 832, in handle_exception
                  reraise(*rewrite_traceback_stack(source=source))
                File "/usr/lib/python3.6/site-packages/jinja2/_compat.py", line 28, in reraise
                  raise value.with_traceback(tb)
                File "<template>", line 164, in top-level template code
                File "/usr/lib/python3.6/site-packages/jinja2/sandbox.py", line 462, in call
                  return __context.call(__obj, *args, **kwargs)
                File "/usr/lib/python3.6/site-packages/jinja2/runtime.py", line 679, in _invoke
                  rv = self._func(*arguments)
                File "/var/cache/salt/minion/files/base/snmp/macros.jinja", line 5, in template
                  {% set communities = conf.get(mode+'communities'+proto, []) -%}
              jinja2.exceptions.SecurityError: access to attribute '__class__' of 'dict' object is unsafe.
              
              During handling of the above exception, another exception occurred:
              
              Traceback (most recent call last):
                File "/usr/lib/python3.6/site-packages/salt/state.py", line 2154, in call
                  *cdata["args"], **cdata["kwargs"]
                File "/usr/lib/python3.6/site-packages/salt/loader.py", line 2106, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python3.6/site-packages/salt/states/file.py", line 3149, in managed
                  **kwargs
                File "/usr/lib/python3.6/site-packages/salt/modules/file.py", line 5403, in check_managed_changes
                  **kwargs
                File "/usr/lib/python3.6/site-packages/salt/modules/file.py", line 4661, in get_managed
                  **kwargs
                File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 261, in render_tmpl
                  output = render_str(tmplstr, context, tmplpath)
                File "/usr/lib/python3.6/site-packages/salt/utils/templates.py", line 519, in render_jinja_tmpl
                  "Jinja syntax error: {}{}".format(exc, out), line, tmplstr
              salt.exceptions.SaltRenderError: Jinja syntax error: access to attribute '__class__' of 'dict' object is unsafe.
              /var/cache/salt/minion/files/base/snmp/macros.jinja(5):
              ---
              {% from "snmp/conf.jinja" import conf with context -%}
              
              {# mode can be either 'ro' or 'rw' #}
              {%- macro v12c_communities(mode, proto='') -%}
                {% set communities = conf.get(mode+'communities'+proto, []) -%}    <======================
                {%- for community in communities %}
                  {%- if communities.__class__ == {}.__class__ and communities.get(community, {}) is  mapping %}
                    {%- set source = communities.get(community).get('source', '') %}
                    {%- set view = communities.get(community).get('view', None) %}
                  {%- else %}
              [...]
              ---
     Started: 22:45:50.434915
    Duration: 670.872 ms
     Changes:

Steps to reproduce the bug

salt * state.apply snmp.conf

Expected behaviour

Expect states to apply without error

Attempts to fix the bug

N/A

Additional context

N/A

[BUG] Location is quoted

Line 19 and 20 in files/snmpd.conf.minimal forcefully adds quotes around the strings:
(edit: ditto for lines 186 & 187 of files/snmpd.conf)

syslocation "{{ conf.get('location', 'Unknown (add saltstack pillar)') }}"
syscontact "{{ conf.get('syscontact', 'Root <root@localhost> (add saltstack pillar)') }}"

This results in a Location string of "Someplace" as opposed to the desired Someplace. Is there a reason for this?

When setting the location in other SNMP devices, the Location string is unquoted, and so this creates 2 separate grouping in our monitoring system.

IPv6 feature

Is your feature request related to a problem?

At the moment the formula ist not able to deploy IPv6 agent transport specfiers. It defaults to IPv4 only.

Describe the solution you'd like

Add an option in the pillar to specify the agentaddress.

Example: agentaddress: udp:161 or udp6:161

Describe alternatives you've considered

None that really would make sense.

configuring /etc/default/snmpd doesn't work anymore in Debian Stretch

Debian made some changes in Stretch. First the user changed from snmp to Debian-snmp.

The more important change is that the settings made in /etc/default/snmpd don't apply anymore. Those settings moved to the systemd-unit file in /lib/systemd/system/snmpd.service (ExecStart).