diff --git a/.fixtures.yml b/.fixtures.yml
index fec9c30..051720d 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,21 +1,23 @@
 ---
 fixtures:
 repositories:
- concat: https://github.com/simp/puppetlabs-concat
- iptables: https://github.com/simp/pupmod-simp-iptables
- logrotate: https://github.com/simp/pupmod-simp-logrotate
- pki: https://github.com/simp/pupmod-simp-pki
- rsync: https://github.com/simp/pupmod-simp-rsync
- rsyslog: https://github.com/simp/pupmod-simp-rsyslog
+ concat: https://github.com/simp/puppetlabs-concat
+ firewalld:
+ repo: https://github.com/simp/pupmod-voxpupuli-firewalld
+ ref: v4.3.0
+ iptables: https://github.com/simp/pupmod-simp-iptables
+ logrotate: https://github.com/simp/pupmod-simp-logrotate
+ pki: https://github.com/simp/pupmod-simp-pki
+ rsync: https://github.com/simp/pupmod-simp-rsync
+ rsyslog: https://github.com/simp/pupmod-simp-rsyslog
 selinux_core:
 repo: https://github.com/simp/pupmod-puppetlabs-selinux_core.git
 puppet_version: ">= 6.0.0"
- simplib: https://github.com/simp/pupmod-simp-simplib
- snmp:
- repo: https://github.com/simp/puppet-snmp
- ref: v4.1.0
- stdlib: https://github.com/simp/puppetlabs-stdlib
- systemd: https://github.com/simp/puppet-systemd
- tcpwrappers: https://github.com/simp/pupmod-simp-tcpwrappers
+ simp_firewalld: https://github.com/simp/pupmod-simp-simp_firewalld
+ simplib: https://github.com/simp/pupmod-simp-simplib
+ snmp: https://github.com/simp/puppet-snmp
+ stdlib: https://github.com/simp/puppetlabs-stdlib
+ systemd: https://github.com/simp/puppet-systemd
+ tcpwrappers: https://github.com/simp/pupmod-simp-tcpwrappers
 symlinks:
 simp_snmpd: "#{source_dir}"
diff --git a/CHANGELOG b/CHANGELOG
index ec6464b..6c481fd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
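Review bot: The `ref: v4.1.0` pin on the `snmp` fixture is dropped (the entry becomes a bare `snmp: https://github.com/simp/puppet-snmp`) while the new `firewalld` fixture gets an explicit `ref: v4.3.0`, so the test suite now exercises whatever the default branch of simp/puppet-snmp holds rather than the puppet-snmp v5.1.2 the CHANGELOG in this commit names as the version the module was updated for. An unpinned fixture makes acceptance results non-reproducible and lets an upstream change reach CI without review. Consider restoring the `repo:`/`ref:` form for `snmp:` pinned to the tag that was actually verified, or add a comment stating why it is meant to float; the same question applies to the newly added, unpinned `simp_firewalld` fixture.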
@@ -1,3 +1,26 @@ +* Fri Oct 30 2020 Jeanne Greulich - 1.0.0-0 +- This module was updated to use puppet-snmp v5.1.2 and work on EL8 with + simp 6.5. +- The user configuration directories for snmpd are not included by default. To + include and create these directories set simp_snmpd::include_userdir to true. +- Parameters to allow the user to change the owner, group and permissions + of the snmp configuration directories and files have been added. +- The default security level for VACM access directives was changed to + simp_snmpd::defvacmlevel from simp_snmpd::defsecuritylevel. + simp_snmpd::defsecuritylevel was used to set + both the client and VACM levels but this did not work correctly because + the client uses different values. Use simp_snmpd::defvacmlevel to change the + default security level of the VACM access statements. (The default has not changed, + it is still 'priv'.) +- Added in the permission options for the configuration files and directory + so users could change them. +- simp_snmpd::services was changed from a String to and Integer to be compatible + with the new module. +- The permissions on the mib and dlmod dirs are set using basic group settings + instead of acls. +- The default options for the snmpd daemon for el6 were updated to include setting + the pid file. Without this restarting the daemon in el6 failed. + * Thu Jul 23 2020 Jeanne Greulich - 0.2.1-0 - update the upper bound of simplib for SIMP 6.5 release diff --git a/README.md b/README.md index fae32ea..288068c 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,12 @@ independently. [`simp/simp_options`](https://github.com/simp/pupmod-simp-simp_options) for details. +This module is a simp profile module and configures snmp using version 3 +with usm authentication. To configure snmp in a different way use +puppet-snmp directly. + +#TODO add tsm and configure snmp to use encryption + ## Setup ### What simp_snmp Affects 
@@ -66,9 +72,10 @@ the package manager. ## Usage + Simp_snmpd configures the snmpd daemon to listen only on the local interface by default. Set the following in hieradata to configure `snmpd` to Listen on UDP port 161 -on the local interface and the the interface with the ipaddress associated +on the local interface and tcp on the interface with the ipaddress associated with the hostname. For more information, see the LISTENING ADDRESS section of the `snmpd` man page. @@ -77,7 +84,7 @@ with the hostname. For more information, see the LISTENING ADDRESS section --- simp_snmpd::agentaddress: - udp:localhost:161 -- udp:%{facts.fqdn}:161 +- tcp:%{facts.fqdn}:161 classes: - simp_snmpd @@ -91,9 +98,14 @@ class { simp_snmpd: } ``` -NOTE: The SIMP configuration files are included under `/etc/snmp/simp_snmpd.d`. -If you wish to add configuration files to the SIMP setup, you can add them to -the `simp_snmpd::user_snmpd_dir` directory, by default `/etc/snmp/snmpd.d`. +See the "Access" section for details on how the access is configured. + +There are a few snmp options that can be configured directly from this +module via hiera. Other changes to the configuration can be done +by adding configuration files to the user snmpd dir. Set +`simp_snmpd::include_userdir` to true in hiera, and add configuration files +to the directory defined by `simp_snmpd::user_snmpd_dir`, +by default `/etc/snmp/snmpd.d`. ### Access @@ -125,7 +137,7 @@ the options sent to the snmpd daemon on start up. By default it is logging to facility 6 which will be forwarded to the server if log forwarding is enabled. For more information on these options see the man page for snmpcmd, -the Logging section. `Snmpcmd` and its man pages are installed with the +the Logging section. `Snmpcmd` and its man pages are installed with the `net-snmp-utils` package. ### Firewall 
@@ -138,10 +150,10 @@ systems addresses. ### SNMP System Information -`simp_snmpd` configures some basic system information: contact, location, +`simp_snmpd` configures some basic system information: contact, location system name, and services, in the snmpd configuration directory. These settings can be changed via hiera, instantiation, by creating a configuration file -in the user directory, default `/etc/snmp/snmpd.d`. +in the user directory. NOTE: If the system variables are set in a configuration file then `net-snmp` marks them as not writable and will not allow them to be changed via `snmpset` diff --git a/REFERENCE.md b/REFERENCE.md new file mode 100644 index 0000000..8593a9b --- /dev/null +++ b/REFERENCE.md 
@@ -0,0 +1,753 @@ +# Reference + + + +## Table of Contents + +### Classes + +* [`simp_snmpd`](#simp_snmpd): Configures the snmpd daemon. Currently, it only uses v3 USM. +* [`simp_snmpd::config`](#simp_snmpdconfig): Configure the SNMPD service +* [`simp_snmpd::config::agent`](#simp_snmpdconfigagent): Set up sensible agent defaults +* [`simp_snmpd::config::firewall`](#simp_snmpdconfigfirewall): Ensure that firewall rules are defined +* [`simp_snmpd::config::logging`](#simp_snmpdconfiglogging): Ensures that appropriate logging rules are defined +* [`simp_snmpd::config::tcpwrappers`](#simp_snmpdconfigtcpwrappers): This class is meant to be called from simp_snmp. +* [`simp_snmpd::install`](#simp_snmpdinstall): Set up snmp group/user if needed, and subsequently change permissions +* [`simp_snmpd::install::snmpduser`](#simp_snmpdinstallsnmpduser): Create systems users for running snmpd daemon +and owning the snmpd files +* [`simp_snmpd::install::vacmusers`](#simp_snmpdinstallvacmusers): Create v3 users from user hash +* [`simp_snmpd::rsync`](#simp_snmpdrsync): Set up MIBs in rsync + +### Functions + +* [`simp_snmpd::accesslist`](#simp_snmpdaccesslist): parse the access hash and return strings that for access entries for the snmpd.conf file @see The SIMP user guide HOW TO: Configure SNMPD d +* [`simp_snmpd::firewall_list`](#simp_snmpdfirewall_list): function to return a list of protocol and ports to open in iptables for snmpd to work. 
+* [`simp_snmpd::grouplist`](#simp_snmpdgrouplist): parse the group hash and return strings for group entries for the snmpd.conf file @see The SIMP user guide HOW TO: Configure SNMPD describe +* [`simp_snmpd::viewlist`](#simp_snmpdviewlist): parse the view hash and return strings that for view entries for the snmpd.conf file @see The SIMP user guide HOW TO: Configure SNMPD descr + +### Data types + +* [`Simp_snmpd::Seclevel`](#simp_snmpdseclevel): The default authentication level for the client to use in snmp.conf +* [`Simp_snmpd::Secmodel`](#simp_snmpdsecmodel): type Simp_snmpd::Secmodel = Enum['usm','v1','v2c','tsm','ksm'] Right now usm is the only type suppoerted by this module. If you want to use a +* [`Simp_snmpd::Vacmlevel`](#simp_snmpdvacmlevel): The default type to use in VACM access directives + +## Classes + +### `simp_snmpd` + +* This module does not configure the snmptrap service. + +Trap service parameters +SNMPD Agent Parameters +Settings for rsync +USM/VACM parameters +snmp.conf access configuration default items. +These are also used to set up view and access directives +if specific settings are not used in the hash. +snmpd.conf system info parameters +If the system parameters are set in the snmpd.conf files net-snmp +sets them as not writeable and they can not be changed by an 'set' call from +an snmpd client or manager. If you want to set them this way the +change simp_snmpd::system_info to false. +SIMP parameters used + +* **See also** + * man + * snmpd for options. + * man + * snmpd in the LISTENING ADDRESSES section for more details. +An array of listening addresses for the snmpd to listen on. +This array is also used by the config/firewall.pp to open ports if iptables +is being used. + * man + * snmpd.conf AGENT BEHAVIOR section for more information on the +This setting disables the log messages for +accepted connections. Denied connections will still be logged. 
+ * man + * snmpd.conf AGENT BEHAVIOR section for more information on the + * man + * snmpd.conf AGENT BEHAVIOR section for more information on the + * man + * snmpd.conf SNMPv3 with the User-based Security Model (USM) section +A hash of users to create for usm access. Also see README for details + +#### Parameters + +The following parameters are available in the `simp_snmpd` class. + +##### `ensure` + +Data type: `Enum['present','absent']` + +present (default) will install files and packages +absent make sure they are not installed. + +Default value: `'present'` + +##### `manage_client` + +Data type: `Boolean` + +tell puppet snmp to manage client. +install the net-simp-utils. These are command line utilities. + +Default value: ``false`` + +##### `package_ensure` + +Data type: `String` + +If set to "latest" snmp will try to update to the latest version +of the package available, otherwise it will just check it is installed + +Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })` + +##### `version` + +Data type: `Integer` + +The version of snmp protocol to use. +At this time the simp_snmpd profile only manages v3, to configure +older versions use the snmp module directly. + +Default value: `3` + +##### `snmp_basedir` + +Data type: `StdLib::AbsolutePath` + +Base directory for snmp configuration files + +Default value: `'/etc/snmp'` + +##### `logfile` + +Data type: `StdLib::AbsolutePath` + +Full path to local log file for snmpd + +Default value: `'/var/log/snmpd.log'` + +##### `service_config` + +Data type: `StdLib::AbsolutePath` + +Location of the snmpd daemon configuration file + +Default value: `"${simp_snmpd::snmp_basedir}/snmpd.conf"` + +##### `simp_snmpd_dir` + +Data type: `StdLib::AbsolutePath` + +Directory of *.conf files which include snmpd directives. Files in this +directory are managed by puppet. 
+ +Default value: `"${simp_snmpd::snmp_basedir}/simp_snmpd.d"` + +##### `include_userdir` + +Data type: `Boolean` + +If set to true the user_snmpd_dir will be created and an include directive for it +put in the service_config file. This will allow users to override values in the service config +file or add values that are not included by the interface. + +Default value: ``false`` + +##### `user_snmpd_dir` + +Data type: `StdLib::AbsolutePath` + +Directory where users can include *.conf files with snmpd configuration items +that will be included. This directory is not managed by simp. Users can put +additional configurations files in this directory. This directory is only included +if include_userdir is set to true. + +Default value: `"${simp_snmpd::snmp_basedir}/snmpd.d"` + +##### `snmpd_service_ensure` + +Data type: `Enum['stopped', 'running']` + +Set the snmpd daemon service to stopped or running + +Default value: `'running'` + +##### `snmpd_service_startatboot` + +Data type: `Boolean` + +Start the snmpd service at boot + +Default value: ``true`` + +##### `trap_service_ensure` + +Data type: `Enum['stopped', 'running']` + +Set the snmptrap daemon service to stopped or running + +Default value: `'stopped'` + +##### `trap_service_startatboot` + +Data type: `Boolean` + +Start the snmptrap service at boot + +Default value: ``false`` + +##### `trap_service_config` + +Data type: `StdLib::AbsolutePath` + +Location of the trap configuration file + +Default value: `"${simp_snmpd::snmp_basedir}/snmptrapd.conf"` + +##### `user_trapd_dir` + +Data type: `StdLib::AbsolutePath` + +Directory where users can place snmptrap configuration files. +This profile does not configure snmptrap but buts down a configuration file that tells +the snmptrap daemon to look in this directory for configuration files. +This directory is only created if trap_service_ensure is set to running. 
+ +Default value: `"${simp_snmpd::snmp_basedir}/snmptrapd.d"` + +##### `snmptrapd_options` + +Data type: `Optional[String]` + +Options to pass to the trap daemon on start up. + +Default value: ``undef`` + +##### `snmpd_options` + +Data type: `String` + +The options passed to the snmpd daemon at start up. +The default sends info through critical to local6. + +##### `agentaddress` + +Data type: `Array[String]` + + + +Default value: `['udp:127.0.0.1:161']` + +##### `do_not_log_tcpwrappers` + +Data type: `Enum['yes','no']` + + + +Default value: `'no'` + +##### `maxgetbulkrepeats` + +Data type: `Integer` + +Sets the maximum number of responses allowed for a single variable in a getbulk request + +Default value: `100` + +##### `maxgetbulkresponses` + +Data type: `Integer` + +Sets the maximum number of responses allowed for a getbulk request. + +Default value: `100` + +##### `leave_pidfile` + +Data type: `Enum['yes','no']` + +Leave the pid file when snmpd exits + +Default value: `'no'` + +##### `service_config_perms` + +Data type: `Stdlib::Filemode` + +permissions on the configuration files + +Default value: `'0600'` + +##### `service_config_dir_perms` + +Data type: `Stdlib::Filemode` + +permissions on the configuration directories + +Default value: `'0750'` + +##### `service_config_dir_owner` + +Data type: `String` + +owner of configuration files/dirs + +Default value: `'root'` + +##### `service_config_dir_group` + +Data type: `String` + +group of configuration files/dirs + +Default value: `'root'` + +##### `manage_snmpd_user` + +Data type: `Boolean` + +Set to true if you want puppet to create the user for config files + +Default value: ``false`` + +##### `manage_snmpd_group` + +Data type: `Boolean` + +Set to true if you want puppet to create the group for config files + +Default value: ``false`` + +##### `snmpd_uid` + +Data type: `Optional[Integer]` + +The uid used when creating the service_config_dir_owner + +Default value: ``undef`` + +##### `snmpd_gid` + +Data type: 
`Optional[Integer]` + +The gid used when creating the service_config_dir_group + +Default value: ``undef`` + +##### `rsync_server` + +Data type: `Simplib::Host` + +The rsync server from which to pull the files. + +Default value: `simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' })` + +##### `rsync_source` + +Data type: `String` + +The source of the content to be rsync' as defined in the rsyncd.conf file on the rsync server. + +Default value: `"snmp_${::environment}_${facts['os']['name']}"` + +##### `rsync_timeout` + +Data type: `Integer` + +The timeout when connecting to the rsync server. + +Default value: `simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2 })` + +##### `rsync_dlmod` + +Data type: `Boolean` + +Whether to enable rsync to copy dlmod modules to the dlmod directory + +Default value: ``false`` + +##### `rsync_dlmod_dir` + +Data type: `Optional[StdLib::AbsolutePath]` + +The full path for the directory to use for dlmod rsync. + +Default value: `'/usr/lib64/snmp'` + +##### `dlmods` + +Data type: `Optional[Array[String]]` + +List of modules to load into snmpd from the rsync_dlmod directory + +Default value: ``undef`` + +##### `rsync_mibs` + +Data type: `Boolean` + +Whether to enable rsync for MIBS + +Default value: ``false`` + +##### `rsync_mibs_dir` + +Data type: `Optional[StdLib::AbsolutePath]` + +The full path for the directory to rsync mibs too. It does not +remove what is already there. + +Default value: `'/usr/share/snmp'` + +##### `v3_users_hash` + +Data type: `Hash` + + + +##### `v3_users_hash` + +hash of users to create for USM. + +##### `view_hash` + +Data type: `Hash` + +Hash of views to create for VACM + +##### `group_hash` + +Data type: `Hash` + +Hash of groups to create for VACM + +##### `access_hash` + +Data type: `Hash` + +Hash of access entrys to create for VACM. + +##### `defauthtype` + +Data type: `Enum['SHA','MD5']` + +The default authentication type used for clients. 
+ +Default value: `'SHA'` + +##### `defprivtype` + +Data type: `Enum['DES', 'AES']` + +The default privacy type used for encrypting communication when using usm. + +Default value: `'AES'` + +##### `defsecuritymodel` + +Data type: `Simp_snmpd::Secmodel` + +currently simp_snmpd only supports the usm security model. + +Default value: `'usm'` + +##### `defsecuritylevel` + +Data type: `Simp_snmpd::Seclevel` + +The default security level used by the client + +Default value: `'authPriv'` + +##### `defvacmlevel` + +Data type: `Simp_snmpd::Vacmlevel` + +The default security level for the VACM access directives. + +Default value: `'priv'` + +##### `system_info` + +Data type: `Boolean` + +Deprecated (puppet-snmp does not allow you to not set these). + +Default value: ``true`` + +##### `location` + +Data type: `String` + +sets sysLocation in snmp + +Default value: `'Unknown'` + +##### `sysname` + +Data type: `String` + +sets sysName in snmp + +Default value: `$facts['fqdn']` + +##### `contact` + +Data type: `String` + +sets sysContact in snmp + +Default value: `"root@${facts['fqdn']}"` + +##### `services` + +Data type: `Integer` + +sets sysServices in snmp + +Default value: `72` + +##### `fips` + +Data type: `Boolean` + +If FIPS should be enabled or not. FIPS mode does not allow MD5 or DES +macs/ciphers. + +Default value: `simplib::lookup('simp_options::fips', { 'default_value' => false })` + +##### `firewall` + +Data type: `Boolean` + +Whether include modules that will use agentaddress array to open ports in +iptables. + +Default value: `simplib::lookup('simp_options::firewall', { 'default_value' => false })` + +##### `trusted_nets` + +Data type: `Simplib::Netlist` + +Networks that will be allowed to access the snmp ports opened by the firewall. 
+ +Default value: `simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })` + +##### `syslog` + +Data type: `Boolean` + + + +Default value: `simplib::lookup('simp_options::syslog', { 'default_value' => false })` + +##### `logrotate` + +Data type: `Boolean` + +If these variables are set then rules will be added to rsyslog to log +snmp messages to /var/log/snmpd.log and set up log rotation. + +Default value: `simplib::lookup('simp_options::logrotate', { 'default_value' => false })` + +##### `tcpwrappers` + +Data type: `Boolean` + +Whether or not the system is using tcpwrappers to control access. + +Default value: `simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })` + +### `simp_snmpd::config` + +Configure the SNMPD service + +### `simp_snmpd::config::agent` + +Set up sensible agent defaults + +### `simp_snmpd::config::firewall` + +For anything in the `$listenagent` array, it will determine if ports on the +firewall need to be opened. + +* Ignores any entries for `ipx` or `pvc` at this time + * Firewall rules will have to be set up manually if these transport + services are being used. + +### `simp_snmpd::config::logging` + +Ensures that appropriate logging rules are defined + +### `simp_snmpd::config::tcpwrappers` + +simp_snmpd::config::tcpwrappers + +It ensures that tcpwrappers rules are defined. + +### `simp_snmpd::install` + +* Set defaults in snmp.conf +* Disable v2 setup + +### `simp_snmpd::install::snmpduser` + +Create systems users for running snmpd daemon +and owning the snmpd files + +### `simp_snmpd::install::vacmusers` + +Create v3 users from user hash + +#### Parameters + +The following parameters are available in the `simp_snmpd::install::vacmusers` class. + +##### `daemon` + +Data type: `Enum['snmpd','snmptrapd']` + +The daemon that the users is meant to access. 
+ +Default value: `'snmpd'` + +### `simp_snmpd::rsync` + +Set up MIBs in rsync + +## Functions + +### `simp_snmpd::accesslist` + +Type: Ruby 4.x API + +parse the access hash and return strings that for access entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. + +#### `simp_snmpd::accesslist(Hash $access_hash, String $defaultmodel, String $defaultlevel)` + +parse the access hash and return strings that for access entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. + +Returns: `Any` An array of strings that define VACM access lines for use in snmpd.conf files. + +##### `access_hash` + +Data type: `Hash` + +The list of accesses to create. + +##### `defaultmodel` + +Data type: `String` + +The default Security model to use if that entry is not defined in the hash entry + +##### `defaultlevel` + +Data type: `String` + +The default Security level to use if that entry is not defined in the hash entry + +### `simp_snmpd::firewall_list` + +Type: Ruby 4.x API + +function to return a list of protocol and ports to open in +iptables for snmpd to work. + +#### `simp_snmpd::firewall_list(Array $agent_array)` + +function to return a list of protocol and ports to open in +iptables for snmpd to work. + +Returns: `Any` A list of protocols and ports that must be opened. + +##### `agent_array` + +Data type: `Array` + +The array of agent addresses that the snmpd will listen on. + +### `simp_snmpd::grouplist` + +Type: Ruby 4.x API + +parse the group hash and return strings for group entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. + +#### `simp_snmpd::grouplist(Hash $group_hash, String $defaultmodel)` + +parse the group hash and return strings for group entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. 
+ +Returns: `Any` An array of strings that define groups for use for access in snmpd.conf files. + +##### `group_hash` + +Data type: `Hash` + +The list of groups to create. + +##### `defaultmodel` + +Data type: `String` + +The default Security model to use if that entry is not defined in the hash entry + +### `simp_snmpd::viewlist` + +Type: Ruby 4.x API + +parse the view hash and return strings that for view entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. + +#### `simp_snmpd::viewlist(Hash $view_hash)` + +parse the view hash and return strings that for view entries for + the snmpd.conf file + @see The SIMP user guide HOW TO: Configure SNMPD describes the hashes in + detail. + +Returns: `Any` An array of strings that define VACM view lines for use in snmpd.conf files. + +##### `view_hash` + +Data type: `Hash` + +The list of views to create. + +## Data types + +### `Simp_snmpd::Seclevel` + +The default authentication level for the client to use in snmp.conf + +Alias of `Enum['noAuthNoPriv', 'authNoPriv', 'authPriv']` + +### `Simp_snmpd::Secmodel` + +type Simp_snmpd::Secmodel = Enum['usm','v1','v2c','tsm','ksm'] +Right now usm is the only type suppoerted by this module. +If you want to use another type, use the puppet/snmp module directly + +Alias of `Enum['usm']` + +### `Simp_snmpd::Vacmlevel` + +The default type to use in VACM access directives + +Alias of `Enum['noauth', 'auth', 'priv']` + diff --git a/data/common.yaml b/data/common.yaml index 7b17b3c..759bcdc 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -49,3 +49,5 @@ simp_snmpd::access_hash: write: systemview groups: - readwrite_group + +simp_snmpd::snmpd_options: '-LS0-6d' diff --git a/data/os/RedHat-6.yaml b/data/os/RedHat-6.yaml new file mode 100644 index 0000000..d32f5a0 --- /dev/null +++ b/data/os/RedHat-6.yaml @@ -0,0 +1,3 @@ +--- + +simp_snmpd::snmpd_options: '-LS0-6d -p /var/run/snmpd.pid' 
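Review bot: The new default `simp_snmpd::snmpd_options: '-LS0-6d'` sends priorities 0 through 6 to the `daemon` syslog facility, since in net-snmp's `-LS PRIORITY[-PRIORITY2] FACILITY` form the trailing `d` selects the facility, whereas the `snmpd_options` description added to REFERENCE.md in this commit says the default logs to local6. One of the two should change so operators who filter or forward on the intended facility actually receive the snmpd records; if local6 is intended, the facility character would be `6` rather than `d`. The EL6 override in data/os/RedHat-6.yaml carries the same `-LS0-6d` prefix and should be kept in step with whichever is corrected.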
diff --git a/lib/puppet/functions/simp_snmpd/accesslist.rb b/lib/puppet/functions/simp_snmpd/accesslist.rb index c82298c..19708aa 100644 --- a/lib/puppet/functions/simp_snmpd/accesslist.rb +++ b/lib/puppet/functions/simp_snmpd/accesslist.rb @@ -19,9 +19,9 @@ end def createlist(access_hash,defaultmodel,defaultlevel) - accesslist = ['#access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY'] + # access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY'] + accesslist = [] access_hash.each { | name, values| - accesspref = "access" if ! values.nil? and ! values.empty? then if values.has_key?('view') and values.has_key?('groups') then model = defaultmodel @@ -81,7 +81,7 @@ def createlist(access_hash,defaultmodel,defaultlevel) groups = [ values['groups'] ] end groups.each { |group| - accesslist.push("#{accesspref} #{group} #{context} #{model} #{level} #{prefx} #{view}") + accesslist.push("#{group} #{context} #{model} #{level} #{prefx} #{view}") } else fail("simp_snmpd: access_hash definition #{name} is missing either view or groups key.") diff --git a/lib/puppet/functions/simp_snmpd/grouplist.rb b/lib/puppet/functions/simp_snmpd/grouplist.rb index f8b5918..8b5b345 100644 --- a/lib/puppet/functions/simp_snmpd/grouplist.rb +++ b/lib/puppet/functions/simp_snmpd/grouplist.rb @@ -18,7 +18,7 @@ def createlist(group_hash,defaultmodel) grouplist = [] group_hash.each { |name, values| - grouppref = "group #{name}" + grouppref = "#{name}" if ! values.nil? and ! values.empty? then if values.has_key?('model') then if ['v1','v2c','usm','tsm','ksm'].include? values['model'] then diff --git a/lib/puppet/functions/simp_snmpd/viewlist.rb b/lib/puppet/functions/simp_snmpd/viewlist.rb index 01dc31d..7ea7644 100644 --- a/lib/puppet/functions/simp_snmpd/viewlist.rb +++ b/lib/puppet/functions/simp_snmpd/viewlist.rb 
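Review bot: The replacement comment at the top of `createlist` keeps the stray `']` from the array literal it replaced; `# access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY` is the intended text. More substantively, removing `accesspref` here, the `group ` prefix in grouplist.rb and the `view ` prefix in viewlist.rb means all three functions now return directive arguments without the leading snmpd.conf keyword, yet the REFERENCE.md descriptions added in this commit still say they return `VACM access lines for use in snmpd.conf files` (and the group/view equivalents). The function docstrings should state that the keyword is prepended by the consumer, presumably the puppet-snmp module's access/group/view parameters, so nobody writes these strings into a config file verbatim. `createlist` begins and ends outside these hunks in all three files.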
@@ -17,7 +17,7 @@ def createlist(view_hash) viewlist = [] view_hash.each { | name, values| - viewpref = "view #{name}" + viewpref = "#{name}" if ! values.nil? and ! values.empty? then values.each { |type, oids| case "#{type}" diff --git a/manifests/config.pp b/manifests/config.pp index edb9179..88fa7da 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,28 +1,11 @@ -# simp_snmpd::config -# -# @summary This class is called from simp_snmp for service config. +# @summary Configure the SNMPD service # class simp_snmpd::config { assert_private() - # Set up access control in the access.conf file - case $simp_snmpd::defsecuritymodel { - 'usm': { contain simp_snmpd::config::usm } - default: { - $msg = "The following Security model is not supported by simp_snmpd at this time: ${simp_snmpd::defsecuritymodel}. Access will not be configured. " - notify {'simp_snmpd Security Model': - message => $msg - } - } - } - # Create agent setting in agent.conf contain simp_snmpd::config::agent - if $simp_snmpd::system_info { - include simp_snmpd::config::system_info - } - if $simp_snmpd::firewall { include simp_snmpd::config::firewall } @@ -35,25 +18,4 @@ include simp_snmpd::config::logging } - file { [ $simp_snmpd::simp_snmpd_dir, $simp_snmpd::user_snmpd_dir, $simp_snmpd::user_trapd_dir]: - ensure => directory, - owner => 'root', - group => 'root', - mode => '0750', - } - - $_mibs_dir = $simp_snmpd::rsync_mibs ? { - true => $simp_snmpd::rsync_mibs_dir, - default => '' } - - $_dlmod_dir = $simp_snmpd::rsync_dlmod ? { - true => $simp_snmpd::rsync_dlmod_dir, - default => '' } - - exec { 'set_snmp_perms': - command => "/usr/bin/setfacl -R -m g:snmp:r /etc/snmp ${_dlmod_dir} ${_mibs_dir}", - onlyif => '/bin/grep -q "^snmp" /etc/group', - require => Package['snmpd'] - } - } diff --git a/manifests/config/agent.pp b/manifests/config/agent.pp index b5e7ebe..081681c 100644 --- a/manifests/config/agent.pp +++ b/manifests/config/agent.pp 
@@ -1,17 +1,15 @@ -# simp_snmpd::config::agent -# -# @summary This sets up some defaults for the agent, they can be changed in -# hiera +# @summary Set up sensible agent defaults # class simp_snmpd::config::agent { + assert_private() + file { "${simp_snmpd::simp_snmpd_dir}/agent.conf": ensure => file, - owner => 'root', - group => 'root', - mode => '0750', + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, + mode => $simp_snmpd::service_config_perms, require => File[$simp_snmpd::simp_snmpd_dir], content => epp("${module_name}/snmpd/agent.conf.epp"), } - } diff --git a/manifests/config/firewall.pp b/manifests/config/firewall.pp index 6672652..43121fc 100644 --- a/manifests/config/firewall.pp +++ b/manifests/config/firewall.pp @@ -1,14 +1,17 @@ -# simp_snmpd::config::firewall +# @summary Ensure that firewall rules are defined # -# @summary This class is meant to be called from simp_snmp. -# It ensures that firewall rules are defined. For anything in the listenagent -# array, it will determine if ports on the firewall need to be opened. -# It ignores any entries for ipx or pvc at this time. IPTABLES calls will have -# to be set up manually if these transport services are being used. +# For anything in the `$listenagent` array, it will determine if ports on the +# firewall need to be opened. +# +# * Ignores any entries for `ipx` or `pvc` at this time +# * Firewall rules will have to be set up manually if these transport +# services are being used. # class simp_snmpd::config::firewall { assert_private() + simplib::assert_optional_dependency($module_name, 'simp/iptables') + $flist = simp_snmpd::firewall_list($simp_snmpd::agentaddress) $flist.each |Array $part| { case $part[0] { diff --git a/manifests/config/logging.pp b/manifests/config/logging.pp index f02a83d..3fe05cb 100644 --- a/manifests/config/logging.pp +++ b/manifests/config/logging.pp 
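Review bot: `require => File[$simp_snmpd::simp_snmpd_dir]` on the agent.conf resource now points at a directory resource this commit removes from `simp_snmpd::config` (the `file { [ $simp_snmpd::simp_snmpd_dir, ... ] }` block deleted in manifests/config.pp); unless the directory is declared elsewhere, for example in `simp_snmpd::install`, the catalog will fail with a missing dependency. If it has moved, a short comment on the require line naming where the directory is managed, `# directory is declared in <class that now manages it>`, would save the next reader the search. Tightening the file mode from the old `'0750'` to `$simp_snmpd::service_config_perms` (documented default `'0600'`) is the right direction for a config file that may hold USM material.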
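Review bot: `simplib::assert_optional_dependency($module_name, 'simp/iptables')` fails the catalog whenever simp/iptables is absent, yet this same commit adds `firewalld` and `simp_firewalld` fixtures, which suggests the firewall path may now, or soon, target firewalld rather than iptables. If the `case $part[0]` body below the hunk declares `simp_firewalld::rule` resources, the asserted dependency should name the module actually used, or the assertion should move inside the branch that needs it; as written, a firewalld-only host with `simp_snmpd::firewall: true` fails at compile time instead of receiving rules. The class body continues past the end of the hunk, so I cannot confirm which resource types are declared.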
@@ -1,12 +1,11 @@ -# simp_snmpd::config::logging -# -# @summary This class is meant to be called from simp_snmp. -# It ensures that logging rules are defined. +# @summary Ensures that appropriate logging rules are defined # class simp_snmpd::config::logging { assert_private() - include '::rsyslog' + simplib::assert_optional_dependency($module_name, 'simp/rsyslog') + + include 'rsyslog' rsyslog::rule::local { 'XX_snmpd': rule => '$programname == \'snmpd\'', @@ -16,7 +15,10 @@ } if $simp_snmpd::logrotate { - include '::logrotate' + simplib::assert_optional_dependency($module_name, 'simp/logrotate') + + include 'logrotate' + logrotate::rule { 'snmpd': log_files => [ $simp_snmpd::logfile ], lastaction_restart_logger => true @@ -24,10 +26,9 @@ } file { $simp_snmpd::logfile: - owner => 'root', - group => 'root', + owner => pick($simp_snmpd::snmpd_uid,'root'), + group => pick($simp_snmpd::snmpd_gid,'root'), mode => '0640', seltype => 'snmpd_log_t', } - } diff --git a/manifests/config/system_info.pp b/manifests/config/system_info.pp deleted file mode 100644 index 580f056..0000000 --- a/manifests/config/system_info.pp +++ /dev/null @@ -1,16 +0,0 @@ -# simp_snmpd::config::system_info -# -# @summary This sets up some defaults for the agent. -# -class simp_snmpd::config::system_info { - - file { "${simp_snmpd::simp_snmpd_dir}/system_info.conf": - ensure => file, - owner => 'root', - group => 'root', - mode => '0750', - require => File[$simp_snmpd::simp_snmpd_dir], - content => epp("${module_name}/snmpd/system_info.conf.epp"), - } - -} diff --git a/manifests/config/tcpwrappers.pp b/manifests/config/tcpwrappers.pp index a943cb1..fac98d8 100644 --- a/manifests/config/tcpwrappers.pp +++ b/manifests/config/tcpwrappers.pp @@ -6,7 +6,9 @@ class simp_snmpd::config::tcpwrappers { assert_private() - include '::tcpwrappers' + simplib::assert_optional_dependency($module_name, 'simp/tcpwrappers') + + include 'tcpwrappers' tcpwrappers::allow { 'snmpd': pattern => $simp_snmpd::trusted_nets 
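Review bot: In the last hunk the log file's owner becomes `pick($simp_snmpd::snmpd_uid,'root')`, a raw uid, while every other managed file in this change is owned by `$simp_snmpd::service_config_dir_owner`; init.pp documents `snmpd_uid` only as the uid used when creating that owner, so the two can disagree. If `snmpd_uid` is set but `manage_snmpd_user` is false, the log file is chowned to a uid that may not exist on the host. Suggest `owner => $simp_snmpd::service_config_dir_owner,` and `group => $simp_snmpd::service_config_dir_group,` so config and log ownership stay aligned.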
diff --git a/manifests/config/usm.pp b/manifests/config/usm.pp deleted file mode 100644 index f7efd09..0000000 --- a/manifests/config/usm.pp +++ /dev/null @@ -1,28 +0,0 @@ -# simp_snmpd::config::usm -# -# @summary This file processes the user, group, view and access hashes. It will -# create the v3 users and place the access information in the simp snmpd dir. -# It uses the VACM rules for snmpd.conf to create the groups and view. It uses -# the Type rule, (authaccess) to create the access rule. -class simp_snmpd::config::usm { - - $_viewlist = simp_snmpd::viewlist($simp_snmpd::view_hash) - $_grouplist = simp_snmpd::grouplist($simp_snmpd::group_hash,$simp_snmpd::defsecuritymodel) - $_accesslist = simp_snmpd::accesslist($simp_snmpd::access_hash,$simp_snmpd::defsecuritymodel,$simp_snmpd::defsecuritylevel) - - file { "${simp_snmpd::simp_snmpd_dir}/access_usm.conf": - ensure => file, - owner => 'root', - group => 'root', - mode => '0750', - require => File[$simp_snmpd::simp_snmpd_dir], - content => epp("${module_name}/snmpd/access_usm.conf.epp"), - } - - if $simp_snmpd::version == 3 { - class { 'simp_snmpd::v3::users' : - daemon => 'snmpd' - } - } - -} diff --git a/manifests/init.pp b/manifests/init.pp index 431541a..e2e5937 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,13 +1,13 @@ -# The simp_snmpd init class -# # @summary Configures the snmpd daemon. Currently, it only uses v3 USM. -# This module does not configure the snmptrap service. +# +# * This module does not configure the snmptrap service. # # @param ensure # present (default) will install files and packages # absent make sure they are not installed. # @param manage_client -# True = install the net-simp-utils. These are command line utilities. +# tell puppet snmp to manage client. +# install the net-simp-utils. These are command line utilities. # @param package_ensure # If set to "latest" snmp will try to update to the latest version # of the package available, otherwise it will just check it is installed 
@@ -15,28 +15,43 @@ # The version of snmp protocol to use. # At this time the simp_snmpd profile only manages v3, to configure # older versions use the snmp module directly. -# @param snmp_conf_file -# A file of snmp.conf directives that is included for configuration directives. -# this file is managed by puppet. +# @param snmp_basedir +# Base directory for snmp configuration files +# @param logfile +# Full path to local log file for snmpd +# @param service_config +# Location of the snmpd daemon configuration file # @param simp_snmpd_dir # Directory of *.conf files which include snmpd directives. Files in this # directory are managed by puppet. +# @param include_userdir +# If set to true the user_snmpd_dir will be created and an include directive for it +# put in the service_config file. This will allow users to override values in the service config +# file or add values that are not included by the interface. # @param user_snmpd_dir # Directory where users can include *.conf files with snmpd configuration items # that will be included. This directory is not managed by simp. Users can put -# additional configurations files in this directory. -# @param user_trapd_dir -# Directory where users can place snmptrap configuration files. -# This profile does not configure snmptrap but buts down a configuration file that tells -# the snmptrap daemon to look in this directory for configuration files. +# additional configurations files in this directory. This directory is only included +# if include_userdir is set to true. 
# @param snmpd_service_ensure # Set the snmpd daemon service to stopped or running -# @param trap_service_ensure -# Set the snmptrap daemon service to stopped or running # @param snmpd_service_startatboot # Start the snmpd service at boot +# +# Trap service parameters +# @param trap_service_ensure +# Set the snmptrap daemon service to stopped or running # @param trap_service_startatboot # Start the snmptrap service at boot +# @param trap_service_config +# Location of the trap configuration file +# @param user_trapd_dir +# Directory where users can place snmptrap configuration files. +# This profile does not configure snmptrap but buts down a configuration file that tells +# the snmptrap daemon to look in this directory for configuration files. +# This directory is only created if trap_service_ensure is set to running. +# @param snmptrapd_options +# Options to pass to the trap daemon on start up. # # SNMPD Agent Parameters # @param snmpd_options 
@@ -60,13 +75,22 @@ # @see man snmpd.conf AGENT BEHAVIOR section for more information on the # @param leave_pidfile # Leave the pid file when snmpd exits +# @param service_config_perms +# permissions on the configuration files +# @param service_config_dir_perms +# permissions on the configuration directories +# @param service_config_dir_owner +# owner of configuration files/dirs +# @param service_config_dir_group +# group of configuration files/dirs +# @param manage_snmpd_user +# Set to true if you want puppet to create the user for config files +# @param manage_snmpd_group +# Set to true if you want puppet to create the group for config files # @param snmpd_uid -# This creates the snmp user with this uid. To have snmpd daemon run as this user -# after opening sockets change snmpd_options to include -u . +# The uid used when creating the service_config_dir_owner # @param snmpd_gid -# The group id to change the snmpd to run under. It will create group snmp -# with that group if this is set. Add -g to snmpd_options for it to run -# with this gid. +# The gid used when creating the service_config_dir_group # # Settings for rsync # @param rsync_server 
@@ -99,40 +123,27 @@ # Hash of groups to create for VACM # @param access_hash # Hash of access entrys to create for VACM. -# @param snmp_conf_file -# File to hold snmp configuration directives for client utils. -# @param simp_snmpd_dir -# Directory to hold configuration files defined by simp and used -# by the snmpd daemon. These files are managed by puppet. -# @param user_snmpd_dir -# Directory to hold additional configuration files created by user. -# These files are not managed by puppet. For settings that are -# one off (and not cumulative like groups or access) the last one wins. -# This diretory is read after the simp_snmpd directory and will -# override those settings. -# @param logfile -# local log file for snmpd # -# snmp.conf access configuration default items +# snmp.conf access configuration default items. +# These are also used to set up view and access directives +# if specific settings are not used in the hash. # @param defauthtype # The default authentication type used for clients. # @param defprivtype # The default privacy type used for encrypting communication when using usm. # @param defsecuritymodel -# currently simp_snmpd only supports the usm security model it will support -# tsm in the near future. This option determins if usm or tsm access is -# configured. +# currently simp_snmpd only supports the usm security model. # @param defsecuritylevel -# The default security level used by the client and to set up usm users. +# The default security level used by the client +# @param defvacmlevel +# The default security level for the VACM access directives. # # snmpd.conf system info parameters # If the system parameters are set in the snmpd.conf files net-snmp # sets them as not writeable and they can not be changed by an 'set' call from # an snmpd client or manager. If you want to set them this way the # change simp_snmpd::system_info to false. 
-# @param system_info -# If true it will set the contact, location, name and services parameters from the -# following hiera varaiables: +# @param system_info Deprecated (puppet-snmp does not allow you to not set these). # @param location # sets sysLocation in snmp # @param sysname @@ -144,7 +155,7 @@ # # SIMP parameters used # @param fips -# If fips should be enabled or not. Fips mode does not allow MD5 or DES +# If FIPS should be enabled or not. FIPS mode does not allow MD5 or DES # macs/ciphers. # @param firewall # Whether include modules that will use agentaddress array to open ports in @@ -163,6 +174,7 @@ Hash $view_hash, # See module data Hash $group_hash, # See module data Hash $access_hash, # See module data + String $snmpd_options, Enum['present','absent'] $ensure = 'present', Integer $version = 3, Enum['stopped', 'running'] $snmpd_service_ensure = 'running', 
@@ -171,24 +183,32 @@ Boolean $trap_service_startatboot = false, Boolean $manage_client = false, Enum['yes','no'] $do_not_log_tcpwrappers = 'no', - Array[String] $agentaddress = [ 'udp:localhost:161'], - String $snmpd_options = '-LS0-66', - StdLib::AbsolutePath $snmp_conf_file = '/etc/snmp/simp_snmp.conf', - StdLib::AbsolutePath $simp_snmpd_dir = '/etc/snmp/simp_snmpd.d', - StdLib::AbsolutePath $user_snmpd_dir = '/etc/snmp/snmpd.d', - StdLib::AbsolutePath $user_trapd_dir = '/etc/snmp/snmptrapd.d', + Array[String] $agentaddress = ['udp:127.0.0.1:161'], + Optional[String] $snmptrapd_options = undef, + StdLib::AbsolutePath $snmp_basedir = '/etc/snmp', + StdLib::AbsolutePath $trap_service_config = "${simp_snmpd::snmp_basedir}/snmptrapd.conf", + StdLib::AbsolutePath $service_config = "${simp_snmpd::snmp_basedir}/snmpd.conf", + StdLib::AbsolutePath $simp_snmpd_dir = "${simp_snmpd::snmp_basedir}/simp_snmpd.d", + StdLib::AbsolutePath $user_snmpd_dir = "${simp_snmpd::snmp_basedir}/snmpd.d", + StdLib::AbsolutePath $user_trapd_dir = "${simp_snmpd::snmp_basedir}/snmptrapd.d", + Stdlib::Filemode $service_config_perms = '0600', + Stdlib::Filemode $service_config_dir_perms = '0750', + String $service_config_dir_owner = 'root', + String $service_config_dir_group = 'root', + Boolean $include_userdir = false, StdLib::AbsolutePath $logfile = '/var/log/snmpd.log', Enum['SHA','MD5'] $defauthtype = 'SHA', Enum['DES', 'AES'] $defprivtype = 'AES', Simp_snmpd::Secmodel $defsecuritymodel = 'usm', - Simp_snmpd::Auth $defsecuritylevel = 'priv', + Simp_snmpd::Seclevel $defsecuritylevel = 'authPriv', + Simp_snmpd::Vacmlevel $defvacmlevel = 'priv', Integer $maxgetbulkrepeats = 100, Enum['yes','no'] $leave_pidfile = 'no', Integer $maxgetbulkresponses = 100, Boolean $system_info = true, String $location = 'Unknown', String $contact = "root@${facts['fqdn']}", - String $services = '72', + Integer $services = 72, String $sysname = $facts['fqdn'], String $rsync_source = 
"snmp_${::environment}_${facts['os']['name']}", Boolean $rsync_dlmod = false, @@ -198,6 +218,8 @@ Optional[Array[String]] $dlmods = undef, Optional[Integer] $snmpd_gid = undef, Optional[Integer] $snmpd_uid = undef, + Boolean $manage_snmpd_user = false, + Boolean $manage_snmpd_group = false, Simplib::Host $rsync_server = simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' }), Integer $rsync_timeout = simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2 }), Boolean $firewall = simplib::lookup('simp_options::firewall', { 'default_value' => false }), @@ -223,7 +245,7 @@ } } else { - $msg = "${module_name}: Snmp Version #{simp_snmpd::version} not supported. This module is only used for snmp version 3." + $msg = "${module_name}: Snmp Version #{simp_snmpd::version} not supported. This module is only used for snmp version 3 at this time. Try using the puppet-snmp module directly" notify{ 'net-snmp version': message => $msg} } } diff --git a/manifests/install.pp b/manifests/install.pp index aa9b019..5cbcd06 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -1,27 +1,15 @@ -# simp_snmpd::install +# @summary Set up snmp group/user if needed, and subsequently change permissions # -# @summary Set up snmp group/user if needed, and subsequently change -# permissions. Set defaults in snmp.conf. Disable v2 setup. +# * Set defaults in snmp.conf +# * Disable v2 setup # class simp_snmpd::install { - if $simp_snmpd::snmpd_gid { - group { 'snmp': - ensure => present, - gid => $simp_snmpd::snmpd_gid, - system => 'no' - } - } - - if $simp_snmpd::snmpd_uid { - user { 'snmp': - ensure => present, - uid => $simp_snmpd::snmpd_uid, - system => 'no' - } + if $simp_snmpd::manage_snmpd_user or $simp_snmpd::manage_snmpd_group { + include 'simp_snmpd::install::snmpduser' } -# Check if default types are appropriate for fips mode if it is being used. + # Check if default types are appropriate for FIPS mode if it is being used. if $simp_snmpd::fips or $facts['fips_enabled'] { if $simp_snmpd::defauthtype == 'MD5' { fail("simp_snmpd: Invalid default authentication type (simp_snmpd::defauthtype): ${simp_snmpd::defauthtype} for use in fips mode.") 
@@ -31,61 +19,125 @@ } } - # Include directories for further configuration. The last one wins, so put # user directory after simp, so they can include files to override, change, # and add to what simp creates. - $_snmpd_config = [ - "includeDir ${simp_snmpd::simp_snmpd_dir}", - "includeDir ${simp_snmpd::user_snmpd_dir}" - ] + if $simp_snmpd::include_userdir { + $user_dir_ensure = 'directory' + $_snmpd_config = [ + "includeDir ${simp_snmpd::simp_snmpd_dir}", + "includeDir ${simp_snmpd::user_snmpd_dir}" + ] + } + else { + $user_dir_ensure = 'absent' + $_snmpd_config = [ + "includeDir ${simp_snmpd::simp_snmpd_dir}" + ] + } - $_snmptrapd_config = [ - "includeDir ${simp_snmpd::user_trapd_dir}" - ] + file { $simp_snmpd::simp_snmpd_dir: + ensure => 'directory', + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, + mode => $simp_snmpd::service_config_dir_perms, + recurse => 'true', + purge => 'true', + require => File[$simp_snmpd::snmp_basedir] + } + + file { $simp_snmpd::user_snmpd_dir: + ensure => $user_dir_ensure, + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, + mode => $simp_snmpd::service_config_dir_perms, + require => File[$simp_snmpd::snmp_basedir] + } if $simp_snmpd::manage_client { - include 'simp_snmpd::install::client' + #set defaults for client in snmp.conf + $_snmp_config = [ + "defVersion ${simp_snmpd::version}", + "defSecurityModel ${simp_snmpd::defsecuritymodel}", + "defSecurityLevel ${simp_snmpd::defsecuritylevel}", + "defAuthType ${simp_snmpd::defauthtype}", + "defPrivType ${simp_snmpd::defprivtype}", + "mibdirs /usr/share/snmp/mibs:${simp_snmpd::rsync_mibs_dir}/mibs", + ] } else { # For some reason the snmp module only creates this directory if the # client is included. 
- file { '/etc/snmp': + $_snmp_config = [] + file { $simp_snmpd::snmp_basedir: ensure => directory, - owner => 'root', - group => 'root', - mode => '0750' + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, + mode => $simp_snmpd::service_config_dir_perms } } - $_snmp_config = [ - "includeFile ${simp_snmpd::snmp_conf_file}" - ] - $_autoupgrade = $simp_snmpd::package_ensure ? { 'latest' => true, default => false } + # If the trap daemon is set to be running then create the trap config dir + # and add an include directive to the trap config file. + if $simp_snmpd::trap_service_ensure != 'stopped' { + $_snmptrapd_config = [ "includeDir ${simp_snmpd::user_trapd_dir}" ] + $_user_trapdir_ensure = 'directory' + } else { + $_snmptrapd_config = [] + $_user_trapdir_ensure = 'absent' + } + file { $simp_snmpd::user_trapd_dir: + ensure => $_user_trapdir_ensure, + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, + mode => '0750' + } + + # build the usm views, access lists, and groups from the hashes in hiera. + $_viewlist = simp_snmpd::viewlist($simp_snmpd::view_hash) + $_grouplist = simp_snmpd::grouplist($simp_snmpd::group_hash,$simp_snmpd::defsecuritymodel) + $_accesslist = simp_snmpd::accesslist($simp_snmpd::access_hash,$simp_snmpd::defsecuritymodel,$simp_snmpd::defvacmlevel) + + # create the users + class { 'simp_snmpd::install::vacmusers' : + daemon => 'snmpd' + } - # TODO: determine snmpd_options Logging? 
class { 'snmp': agentaddress => $simp_snmpd::agentaddress, ensure => $simp_snmpd::ensure, autoupgrade => $_autoupgrade, service_ensure => $simp_snmpd::snmpd_service_ensure, service_enable => $simp_snmpd::snmpd_service_startatboot, - service_config_dir_group => 'root', - service_config_perms => '0750', - template_snmpd_conf => 'simp_snmpd/snmp/snmpd.conf.erb', - template_snmptrapd => 'simp_snmpd/snmp/snmptrapd.conf.erb', + service_config_dir_owner => $simp_snmpd::service_config_dir_owner, + service_config_dir_group => $simp_snmpd::service_config_dir_group, + snmpd_options => $simp_snmpd::snmpd_options, snmpd_config => $_snmpd_config, + service_config => $simp_snmpd::service_config, + service_config_perms => $simp_snmpd::service_config_perms, + service_config_dir_perms => $simp_snmpd::service_config_dir_perms, + trap_service_config => $simp_snmpd::trap_service_config, snmptrapd_config => $_snmptrapd_config, trap_service_ensure => $simp_snmpd::trap_service_ensure, trap_service_enable => $simp_snmpd::trap_service_startatboot, + snmptrapd_options => $simp_snmpd::snmptrapd_options, do_not_log_tcpwrappers => $simp_snmpd::do_not_log_tcpwrappers, manage_client => $simp_snmpd::manage_client, - snmpd_options => $simp_snmpd::snmpd_options, snmp_config => $_snmp_config, - } + contact => $simp_snmpd::contact, + location => $simp_snmpd::location, + sysname => $simp_snmpd::sysname, + services => $simp_snmpd::services, + disable_authorization => 'no', + com2sec => [], + com2sec6 => [], + accesses => $_accesslist, + views => $_viewlist, + groups => $_grouplist + } } diff --git a/manifests/install/client.pp b/manifests/install/client.pp deleted file mode 100644 index a33702d..0000000 --- a/manifests/install/client.pp +++ /dev/null 
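Review bot: The new `file { $simp_snmpd::user_trapd_dir:` resource hard-codes `mode => '0750'` and has no `require => File[$simp_snmpd::snmp_basedir]`, unlike the `simp_snmpd_dir` and `user_snmpd_dir` resources earlier in the hunk that use `$simp_snmpd::service_config_dir_perms` and declare that dependency; suggest `mode => $simp_snmpd::service_config_dir_perms,` plus the same `require`. Note that `File[$simp_snmpd::snmp_basedir]` is only declared in this class when `manage_client` is false, so with `manage_client => true` those references rely on the snmp module declaring a file resource with exactly that path — worth confirming. Also, `ensure => 'absent'` on `user_snmpd_dir` and `user_trapd_dir` without `force => true` will not remove a non-empty directory, so hosts upgraded from the previous default (where `user_snmpd_dir` was created and included) will keep stale files that snmpd no longer reads; a comment saying this is intentional, or `force => true`, would make the upgrade behaviour explicit.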
@@ -1,26 +0,0 @@
-# simp_snmpd::install:: client
-#
-# @summary Sets up parameters to pass to snmp module
-# for configuring the snmp.conf file.
-#
-# The snmp.conf file is used by client utilities
-#
-#
-class simp_snmpd::install::client {
-
- case $simp_snmpd::defsecuritylevel {
- 'priv': { $seclevel = 'authPriv'}
- 'auth': { $seclevel = 'authNoPriv'}
- 'noauth': { $seclevel = 'noAuthNoPriv'}
- default: { $seclevel = 'authPriv'}
- }
-
- file { $simp_snmpd::snmp_conf_file :
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => epp("${module_name}/snmpd/snmp_conf.epp")
- }
-
-}
-
diff --git a/manifests/install/snmpduser.pp b/manifests/install/snmpduser.pp
new file mode 100644
index 0000000..d7d4f65
--- /dev/null
+++ b/manifests/install/snmpduser.pp
@@ -0,0 +1,26 @@
+# @summary Create systems users for running snmpd daemon
+# and owning the snmpd files
+#
+class simp_snmpd::install::snmpduser{
+
+ assert_private()
+
+ if $simp_snmpd::manage_snmpd_user {
+ if $simp_snmpd::service_config_dir_owner != 'root' {
+ user { $simp_snmpd::service_config_dir_owner:
+ ensure => present,
+ uid => $simp_snmpd::snmpd_uid,
+ system => 'no'
+ }
+ }
+ }
+ if $simp_snmpd::manage_snmpd_group {
+ if $simp_snmpd::service_config_dir_group != 'root' {
+ group { $simp_snmpd::service_config_dir_owner:
+ ensure => present,
+ gid => $simp_snmpd::snmpd_gid,
+ system => 'no'
+ }
+ }
+ }
+}
diff --git a/manifests/v3/users.pp b/manifests/install/vacmusers.pp
similarity index 96%
rename from manifests/v3/users.pp
rename to manifests/install/vacmusers.pp
index 3b540d3..c7e540f 100644
--- a/manifests/v3/users.pp
+++ b/manifests/install/vacmusers.pp
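Review bot: The `group` resource in the new snmpduser.pp is titled `$simp_snmpd::service_config_dir_owner` even though the guard checks `service_config_dir_group` and the intent is to create the group; with, say, owner `snmp` and group `snmpcfg`, the group `snmpcfg` is never created and the resource instead manages a group named after the user. The title should be `group { $simp_snmpd::service_config_dir_group:`. The `user` resource also sets no `gid`, so a newly created account does not end up in `service_config_dir_group` and there is no ordering between the two resources; if that is intentional, a one-line comment saying the group is only used for file ownership would save the next reader a question.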
@@ -1,13 +1,13 @@ -# simp_snmpd::v3::users -# # @summary Create v3 users from user hash # # @param daemon # The daemon that the users is meant to access. -class simp_snmpd::v3::users ( +class simp_snmpd::install::vacmusers ( Enum['snmpd','snmptrapd'] $daemon = 'snmpd' ) { + assert_private() + $simp_snmpd::v3_users_hash.each |String $username, Optional[Hash] $settings| { if $settings { $_authpass = $settings['authpass'] ? { diff --git a/manifests/rsync.pp b/manifests/rsync.pp index 51dc6f8..0b868e4 100644 --- a/manifests/rsync.pp +++ b/manifests/rsync.pp @@ -1,19 +1,19 @@ -# simp_snmpd::rsync -# -# @summary Set up MIBs in rsync. +# @summary Set up MIBs in rsync # class simp_snmpd::rsync{ + simplib::assert_optional_dependency($module_name, 'simp/rsync') + include 'rsync' - $_downcase_os_name = downcase($facts['os']['name']) + $_downcase_os_name = downcase($facts['os']['name']) if $simp_snmpd::rsync_dlmod { file { $simp_snmpd::rsync_dlmod_dir : ensure => directory, - owner => 'root', - group => 'root', + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, mode => '0750', before => Rsync['snmp_dlmod'], } @@ -33,8 +33,8 @@ if $simp_snmpd::dlmods { $_dlmods = $simp_snmpd::dlmods.map |$dlname| { "dlmod ${dlname} ${simp_snmpd::rsync_dlmod_dir}/dlmod/${dlname}.so"} file { "${simp_snmpd::simp_snmpd_dir}/dlmod.conf": - owner => 'root', - group => 'root', + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, mode => '0750', content => $_dlmods, notify => Service['snmpd'] @@ -47,8 +47,8 @@ file { $simp_snmpd::rsync_mibs_dir : ensure => directory, - owner => 'root', - group => 'root', + owner => $simp_snmpd::service_config_dir_owner, + group => $simp_snmpd::service_config_dir_group, mode => '0750', before => Rsync['snmpd_mibs'], } @@ -62,7 +62,5 @@ target => $simp_snmpd::rsync_mibs_dir, notify => Service['snmpd'], } - } - } 
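Review bot: In the rsync.pp hunks the owner of `$simp_snmpd::rsync_dlmod_dir` and of `dlmod.conf` changes from `'root'` to `$simp_snmpd::service_config_dir_owner`, which makes the directory that `dlmod` loads shared objects from writable by whatever account that parameter names. If a site sets it to the unprivileged account snmpd runs as, that account can alter code the daemon loads on its next start, so these resources (and `rsync_mibs_dir`, to a lesser degree) are better kept `owner => 'root'` with only `group => $simp_snmpd::service_config_dir_group` and a group-readable mode; the remaining `mode => '0750'` values are also out of step with the `service_config_dir_perms`/`service_config_perms` parameters used elsewhere in this change. This is a hardening concern rather than a functional defect, and the class body continues outside the first hunk.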
diff --git a/metadata.json b/metadata.json index acb5ebe..b276775 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-simp_snmpd", - "version": "0.2.1", + "version": "1.0.0", "author": "SIMP Team", "summary": "Configures snmpd agent using v3 USM on the client", "license": "Apache-2.0", @@ -15,53 +15,64 @@ "dependencies": [ { "name": "simp/simplib", - "version_requirement": ">= 3.5.0 < 5.0.0" - }, - { - "name": "simp/iptables", - "version_requirement": ">= 6.0.0 < 7.0.0" - }, - { - "name": "simp/logrotate", - "version_requirement": ">= 6.0.0 < 7.0.0" + "version_requirement": ">= 4.5.0 < 5.0.0" }, { "name": "puppet/snmp", - "version_requirement": ">= 4.1.0 < 5.0.0" - }, - { - "name": "simp/rsync", - "version_requirement": ">= 6.0.0 < 7.0.0" - }, - { - "name": "simp/rsyslog", - "version_requirement": ">= 7.0.0 < 8.0.0" + "version_requirement": ">= 5.1.0 < 6.0.0" }, { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.13.0 < 7.0.0" } ], + "simp": { + "optional_dependencies": [ + { + "name": "simp/iptables", + "version_requirement": ">= 6.0.0 < 7.0.0" + }, + { + "name": "simp/logrotate", + "version_requirement": ">= 6.5.0 < 7.0.0" + }, + { + "name": "simp/rsync", + "version_requirement": ">= 6.0.0 < 7.0.0" + }, + { + "name": "simp/rsyslog", + "version_requirement": ">= 7.6.0 < 8.0.0" + }, + { + "name": "simp/tcpwrappers", + "version_requirement": ">= 6.2.0 < 7.0.0" + } + ] + }, "operatingsystem_support": [ { "operatingsystem": "CentOS", "operatingsystemrelease": [ "6", - "7" + "7", + "8" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ "6", - "7" + "7", + "8" ] }, { "operatingsystem": "OracleLinux", "operatingsystemrelease": [ "6", - "7" + "7", + "8" ] } ], diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml index 2fbc14c..8d63274 100644 --- a/spec/acceptance/nodesets/default.yml +++ b/spec/acceptance/nodesets/default.yml 
@@ -8,34 +8,24 @@ # This nodeset spins up a simple one-host test VM for both EL6 and EL7 HOSTS: - centos-7-1: + el6: roles: - - defaultparams - - el7 - - default - platform: el-7-x86_64 - box: centos/7 - hypervisor: <%= hypervisor %> - centos-6-1: - roles: - - defaultparams - el6 platform: el-6-x86_64 box: centos/6 hypervisor: <%= hypervisor %> - centos-7-2: + el7: roles: - - customparams - el7 + - default platform: el-7-x86_64 box: centos/7 hypervisor: <%= hypervisor %> - centos-6-2: + el8: roles: - - customparams - - el6 - platform: el-6-x86_64 - box: centos/6 + - el8 + platform: el-8-x86_64 + box: centos/8 hypervisor: <%= hypervisor %> CONFIG: log_level: verbose diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 5f75774..02977cf 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -5,6 +5,13 @@ describe 'simp_snmpd class' do let(:manifest) { <<-EOM + # Allow ssh incase you need to troubleshoot + iptables::listen::tcp_stateful { 'allow_sshd': + order => 8, + trusted_nets => ['ALL'], + dports => 22, + } + include 'simp_snmpd' EOM } @@ -60,7 +67,7 @@ - bar_group foo: view: - read: iso1 + read: newsystemview level: auth groups: - foo_group @@ -73,7 +80,8 @@ - '.1.3.6.1.2.1.25' simp_snmpd::system_info: false simp_snmpd::agentaddress: - - udp:localhost:161 + - udp:127.0.0.1:161 + - udp:%{facts.fqdn}:161 - tcp:%{facts.fqdn}:161 simp_snmpd::manage_client: true EOH2 
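Review bot: The comment above `HOSTS:` still says this nodeset "spins up a simple one-host test VM for both EL6 and EL7", but the hunk now defines three hosts, `el6`, `el7` and `el8`; suggest `# This nodeset spins up one test VM each for EL6, EL7 and EL8`. The `defaultparams`/`customparams` roles are removed here as well, which makes the `hosts_with_role` lookups in the acceptance spec evaluate to empty lists.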
@@ -83,76 +91,83 @@ customconfig = hosts_with_role( hosts, 'customparams' ) context 'with default setting on snmpd agent and client installed' do - hosts.each do |node| - if defaultconfig.include?(node) - it 'should set the hiera data' do - set_hieradata_on(node, snmphieradata, 'default') - end - - it 'should work with no errors' do - # apply twice becausel of rsyslog changes - apply_manifest_on(node, manifest, :catch_failures => true) - apply_manifest_on(node, manifest, :catch_failures => true) - end + hosts.each do |node| + it 'should set the hiera data' do + set_hieradata_on(node, snmphieradata, 'default') + end - it 'should be idempotent' do - apply_manifest_on(node, manifest, :catch_changes => true) - end + it 'should work with no errors' do + # apply twice becausel of rsyslog changes + apply_manifest_on(node, manifest, :catch_failures => true) + apply_manifest_on(node, manifest, :catch_failures => true) + end - it 'should return snmp data for users' do - result = on(node, '/usr/bin/snmpwalk -u snmp_ro -X KeepItSafe -A KeepItSecret localhost sysLocation.0') - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") - result = on(node, '/usr/bin/snmpwalk -u snmp_rw -X KeepItSafe -A KeepItSecret localhost sysLocation.0') - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") - end - it 'should not work for undefined users' do - result = on(node, '/usr/bin/snmpwalk -u snmp_rx -X KeepItSafe -A KeepItSecret localhost sysLocation.0', { :acceptable_exit_codes => [0,1] }) - expect(result.exit_code).to_not eq(0) - expect(result.stderr).to include("Unknown user name (Sub-id not found: (top)") - end - else - it 'should set the hiera data' do - set_hieradata_on(node, snmphieradata2, 'default') - end + it 'should be idempotent' do + apply_manifest_on(node, manifest, :catch_changes => true) + end - it 'should run with no errors' do - apply_manifest_on(node, manifest, :catch_failures => true) - end - it 'should create bar 
user and give it write access' do - result = on(node, '/usr/bin/snmpset -u bar -X KeepItSafe -A KeepItSecret localhost sysLocation.0 s "Over the Rainbow"') - result = on(node, '/usr/bin/snmpwalk -u bar -X KeepItSafe -A KeepItSecret localhost sysLocation.0') - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Over the Rainbow") - end - it 'should create user foo and add give it read access with auth only' do - result = on(node, '/usr/bin/snmpwalk -u foo -l authNoPriv -A KeepItSecret localhost sysLocation.0') - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Over the Rainbow") - end - it 'should not create snmp_ro user' do - result = on(node, '/usr/bin/snmpwalk -u snmp_ro -X KeepItSafe -A KeepItSecret localhost sysLocation.0', :accept_all_exit_codes => true) - expect(result.stderr).to include("Unknown user name") - end + it 'should return snmp data for users' do + result = on(node, '/usr/bin/snmpwalk -u snmp_ro -X KeepItSafe -A KeepItSecret localhost sysLocation.0') + expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") + result = on(node, '/usr/bin/snmpwalk -u snmp_rw -X KeepItSafe -A KeepItSecret localhost .1') + expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") + end + it 'should not work for undefined users' do + result = on(node, '/usr/bin/snmpwalk -u snmp_rx -X KeepItSafe -A KeepItSecret localhost 0', { :acceptable_exit_codes => [0,1] }) + expect(result.exit_code).to_not eq(0) + expect(result.stderr).to include("Unknown user name") end end end + context 'with snmpd hiera hash updates' do + hosts.each do |node| + it 'should remove SNMPv3 users' do + on(node,'service snmpd stop') + on(node,'rm -rf /var/lib/net-snmp') + end + end + hosts.each do |node| + it 'should set the hiera data' do + set_hieradata_on(node, snmphieradata2, 'default') + end - context 'check remote' do - customconfig.each do |client| - defaultconfig.each do |remote| - it 'should be able to query 
the remote server over udp' do - result = on(client,"/usr/bin/snmpwalk -u snmp_ro -X KeepItSafe -A KeepItSecret #{remote} sysLocation.0", :accept_all_exit_codes => true) - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") - end + it 'should run with no errors' do + apply_manifest_on(node, manifest, :catch_failures => true) + end +# puppet-snmp now includes location in snmpd.conf and you can't get rid +# of it. This makes the value unwritable and this test fails. If we want to test +# writing we would have to write our writable MIB. +# it 'should create bar user and give it write access' do +# result = on(node, '/usr/bin/snmpset -u bar -X KeepItSafe -A KeepItSecret localhost sysLocation.0 s "Over the Rainbow"') +# result = on(node, '/usr/bin/snmpwalk -u bar -X KeepItSafe -A KeepItSecret localhost sysLocation.0') +# expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Over the Rainbow") +# end + it 'should create user foo and add give it read access with auth only' do + result = on(node, '/usr/bin/snmpwalk -u foo -l authNoPriv -A KeepItSecret localhost sysLocation.0') + expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") + end + it 'should not create snmp_ro user' do + result = on(node, '/usr/bin/snmpwalk -u snmp_ro -X KeepItSafe -A KeepItSecret localhost sysLocation.0', :accept_all_exit_codes => true) + expect(result.stderr).to include("Unknown user name") end end + end - defaultconfig.each do |client| - customconfig.each do |remote| - it 'should be able to query the remote server over tcp' do - result = on(client,"/usr/bin/snmpwalk -u bar -X KeepItSafe -A KeepItSecret tcp:#{remote} sysLocation.0", :accept_all_exit_codes => true) - expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Over the Rainbow") +context 'check remote' do + hosts.each do |client| + hosts.each do |remote| + unless client == remote + it "#{client}, should be able to query the remote server, #{remote}, 
over tcp" do + result = on(client,"/usr/bin/snmpwalk -u foo -X KeepItSafe -A KeepItSecret tcp:#{remote}:161 sysLocation.0", :accept_all_exit_codes => true) + expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") + end + it "#{client}, should be able to query the remote server, #{remote}, over udp" do + result = on(client,"/usr/bin/snmpwalk -u foo -X KeepItSafe -A KeepItSecret udp:#{remote}:161 sysLocation.0", :accept_all_exit_codes => true) + expect(result.stdout).to include("SNMPv2-MIB::sysLocation.0 = STRING: Unknown") + end end end end end - end + diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 8b10a34..c42bcad 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
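Review bot: `customconfig = hosts_with_role( hosts, 'customparams' )` at the top of the hunk is now dead code: the rewritten contexts iterate over `hosts` directly and the nodeset in this same change no longer assigns a `customparams` role, so it always yields an empty list (the matching `defaultconfig` assignment is presumably just above the hunk). Dropping both assignments would keep the spec honest about what it exercises. Separately, `context 'check remote' do` and its closing `end` sit at column 0 inside the `describe` block; indenting them like the sibling contexts would make the nesting readable.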
@@ -22,67 +22,79 @@ let(:params) {{
 }}
 it_behaves_like "a structured module"
 it { is_expected.to_not contain_class('simp_snmpd::rsync')}
- it { is_expected.to contain_class('simp_snmpd::v3::users') }
- it { is_expected.to contain_snmp__snmpv3_user('snmp_ro') }
- it { is_expected.to contain_snmp__snmpv3_user('snmp_rw') }
+ end
+ context "install manifest with default parameters" do
+ it { is_expected.to contain_class('simp_snmpd::install::vacmusers') }
 #install.pp
 it { is_expected.to contain_class('snmp').with({
- :agentaddress => ['udp:localhost:161'],
+ :agentaddress => ['udp:127.0.0.1:161'],
 :ensure => 'present',
 :autoupgrade => 'false',
 :service_ensure => 'running',
 :service_enable => 'true',
- :service_config_perms => '0750',
+ :service_config_dir_owner => 'root',
 :service_config_dir_group => 'root',
- :template_snmpd_conf => 'simp_snmpd/snmp/snmpd.conf.erb',
- :snmpd_config => ['includeDir /etc/snmp/simp_snmpd.d','includeDir /etc/snmp/snmpd.d'],
+ :service_config_perms => '0600',
+ :service_config_dir_perms => '0750',
+ :snmpd_config => ['includeDir /etc/snmp/simp_snmpd.d'],
+ :snmptrapd_config => [],
 :trap_service_ensure => 'stopped',
 :trap_service_enable => 'false',
 :do_not_log_tcpwrappers => 'no',
 :manage_client => 'false',
- :snmpd_options => '-LS0-66',
- :snmp_config => ['includeFile /etc/snmp/simp_snmp.conf']
+ :snmp_config => [],
+ :views => [ 'systemview included .1.3.6.1.2.1.1',
+ 'systemview included .1.3.6.1.2.1.25.1.1',
+ 'iso1 included .1' ],
+ :groups => ['readonly_group usm snmp_ro',
+ 'readwrite_group usm snmp_rw' ],
+ :accesses => ['readonly_group "" usm priv exact systemview none none',
+ 'readwrite_group "" usm priv exact iso1 systemview none'],
+ }) }
- it { is_expected.to_not create_group('snmp') }
- it { is_expected.to_not create_user('snmp') }
- it { is_expected.to create_package('snmpd').with_ensure('present') }
+ it { is_expected.to_not contain_class('simp_snmpd::install::snmpduser') }
 it { is_expected.to_not contain_class('simp_snmpd::install::client') }
+ it { is_expected.to create_file('/etc/snmp/simp_snmpd.d')}
+ it { is_expected.to create_file('/etc/snmp/snmpd.d').with({
+ :ensure => 'absent'
+ })}
+ it { is_expected.to create_file('/etc/snmp/snmptrapd.d').with({
+ :ensure => 'absent'
+ })}
 end
 context "config with default params" do
- it { is_expected.to create_file('/etc/snmp/simp_snmpd.d')}
- it { is_expected.to create_file('/etc/snmp/snmpd.d')}
 it { is_expected.to create_file('/etc/snmp/snmptrapd.d')}
- it { is_expected.to contain_class('simp_snmpd::config::usm') }
 it { is_expected.to contain_class('simp_snmpd::config::agent') }
 it { is_expected.to create_file('/etc/snmp/simp_snmpd.d/agent.conf') }
 it { is_expected.to_not contain_class('simp_snmpd::config::firewall')}
 it { is_expected.to_not contain_class('simp_snmpd::config::tcpwrappers')}
 it { is_expected.to_not contain_class('simp_snmpd::config::logging')}
- it { is_expected.to contain_exec('set_snmp_perms').with_command('/usr/bin/setfacl -R -m g:snmp:r /etc/snmp ')}
- it { is_expected.to contain_class('simp_snmpd::config::system_info') }
 end
- # Tests for config::usm and v3::users
- context "config::usm with default params" do
- #let(:expected){ "jjunk" }
- let(:expected){ File.read('spec/expected/default_access_usm_conf')}
- it { is_expected.to contain_class('simp_snmpd::v3::users') }
- it { is_expected.to create_file('/etc/snmp/simp_snmpd.d/access_usm.conf').with_content(expected) }
- it { is_expected.to create_snmp__snmpv3_user('snmp_rw')}
- it { is_expected.to create_snmp__snmpv3_user('snmp_ro')}
+ context "install/users with default parameters" do
+ it { is_expected.to contain_snmp__snmpv3_user('snmp_ro').with({
+ :authtype => 'SHA',
+ :privtype => 'AES'
+ })}
+ it { is_expected.to contain_snmp__snmpv3_user('snmp_rw').with({
+ :authtype => 'SHA',
+ :privtype => 'AES'
+ })}
 end
+
 context "simp_snmp class with rsync on" do
 let(:params) {{
 :rsync_dlmod => true,
 :rsync_mibs => true,
 :rsync_mibs_dir => '/etc/mibs_here',
- :rsync_dlmod_dir => '/etc/dlmod_there'
+ :rsync_dlmod_dir => '/etc/dlmod_there',
+ :dlmods => ['mod1', 'mod2']
 }}
 it_behaves_like "a structured module"
 it { is_expected.to contain_class('simp_snmpd::config').that_comes_before('Class[simp_snmpd::rsync]') }
- it { is_expected.to contain_exec('set_snmp_perms').with_command('/usr/bin/setfacl -R -m g:snmp:r /etc/snmp /etc/dlmod_there /etc/mibs_here')}
 it { is_expected.to contain_file('/etc/mibs_here') }
 it { is_expected.to contain_file('/etc/dlmod_there') }
+ it { is_expected.to contain_file('/etc/snmp/simp_snmpd.d/dlmod.conf')}
 end
 context "simp_snmp class with set_system_info false" do
 let(:params) {{
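Review bot: The `:accesses` expectation in the "install manifest with default parameters" context pins `readwrite_group` to write access on `iso1`, which the `:views` entry just above defines as `.1`, i.e. the whole OID tree, at `priv` level; since that is the profile's security-relevant default write scope, it deserves a comment so a later widening or loosening cannot be waved through as a routine test update. Something like `# default: snmp_rw may write the entire tree (iso1 = .1); snmp_ro is limited to systemview` above the `:accesses` key would do. The same `with` hash also mixes string booleans (`:manage_client => 'false'`) with the Ruby booleans the second hunk of this file uses for the same parameter; picking one form keeps it clear which comparison the matcher is being asked to make. The enclosing describe block starts outside the hunk.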
@@ -104,32 +116,51 @@ it { is_expected.to create_rsyslog__rule__local('XX_snmpd')}
 it { is_expected.to create_logrotate__rule('snmpd')}
 end
- context "with default security mode set to something other than usm" do
- let(:params) {{
- :defsecuritymodel => 'tsm',
- }}
- it { is_expected.to_not contain_class('simp_snmpd::config::usm')}
- it { is_expected.to contain_notify('simp_snmpd Security Model')}
- end
- context "with manage_client set to true" do
+ context "with some parameters set" do
 let(:params) {{
 :manage_client => true,
+ :include_userdir => true,
 }}
 it_behaves_like "a structured module"
 it { is_expected.to contain_class('snmp').with({
 :manage_client => 'true',
+ :snmp_config => [
+ "defVersion 3",
+ "defSecurityModel usm",
+ "defSecurityLevel authPriv",
+ "defAuthType SHA",
+ "defPrivType AES",
+ "mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs",
+ ]
 }) }
- it { is_expected.to contain_class('simp_snmpd::install::client')}
- it { is_expected.to contain_file('/etc/snmp/simp_snmp.conf')}
+ it { is_expected.to contain_file('/etc/snmp/snmpd.d').with({
+ :ensure => 'directory'
+ })}
+ it { is_expected.to contain_class('snmp').with({
+ :snmpd_config => [
+ 'includeDir /etc/snmp/simp_snmpd.d',
+ 'includeDir /etc/snmp/snmpd.d'
+ ],
+ :manage_client => true,
+ })}
 end
- context "with group and uid set" do
+ context "with manage users" do
 let(:params) {{
 :snmpd_gid => 9999,
- :snmpd_uid => 9999
+ :snmpd_uid => 9999,
+ :manage_snmpd_user => true,
+ :manage_snmpd_group => true,
+ :service_config_dir_owner => 'snmp',
+ :service_config_dir_group => 'snmp'
 }}
- it { is_expected.to create_user('snmp')}
+ it { is_expected.to contain_class('simp_snmpd::install::snmpduser')}
 it { is_expected.to create_group('snmp')}
+ it { is_expected.to create_user('snmp')}
+ it { is_expected.to contain_class('snmp').with({
+ :service_config_dir_group => 'snmp',
+ :service_config_dir_owner => 'snmp',
+ })}
 end
 context "with fips on auth type set to MD5" do
 let(:params) {{
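Review bot: The `:snmp_config` expectation in the "with some parameters set" context pins `mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs`, a search path whose second element duplicates the first, so the assertion cannot tell whether the rsync mibs directory is really being appended or the default just happens to collapse onto the system path. Setting `:rsync_mibs_dir => '/etc/mibs_here'` in this context's params, as the rsync context in the first hunk already does, would make the second element distinguishable; if the duplicated path is the intended default, a comment above the `:snmp_config` key saying so would stop the next reader from filing it as a bug. Within the same context the two `contain_class('snmp').with` blocks spell `:manage_client` as `'true'` and as `true`, and one form is enough. The "with manage users" context records the caller handing ownership of the configuration directory to the `snmp` service account itself; a one-line comment noting that the root-owned `0750`/`0600` defaults asserted in the first hunk remain the recommended setting would make that intent explicit.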
diff --git a/spec/functions/simp_snmpd/accesslist_spec.rb b/spec/functions/simp_snmpd/accesslist_spec.rb
index 23372aa..a2d2394 100644
--- a/spec/functions/simp_snmpd/accesslist_spec.rb
+++ b/spec/functions/simp_snmpd/accesslist_spec.rb
@@ -12,8 +12,7 @@
 }
 }
 retval = [
- '#access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY',
- 'access group1 "" usm priv exact myview none none'
+ 'group1 "" usm priv exact myview none none'
 ]
 is_expected.to run.with_params(args,"usm", "priv").and_return(retval)
 end
@@ -42,9 +41,8 @@
 "empty" => {}
 }
 retval = [
- '#access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY',
- 'access group1 c usm auth prefix none myview none',
- 'access group2 c usm auth prefix none myview none'
+ 'group1 c usm auth prefix none myview none',
+ 'group2 c usm auth prefix none myview none'
 ]
 is_expected.to run.with_params(args,"usm","priv").and_return(retval)
diff --git a/spec/functions/simp_snmpd/grouplist_spec.rb b/spec/functions/simp_snmpd/grouplist_spec.rb
index 47aa1b9..30d8380 100644
--- a/spec/functions/simp_snmpd/grouplist_spec.rb
+++ b/spec/functions/simp_snmpd/grouplist_spec.rb
@@ -14,9 +14,9 @@
 },
 }
 retval = [
- 'group group1 usm user1',
- 'group group1 usm user2',
- 'group group2 tsm user3',
+ 'group1 usm user1',
+ 'group1 usm user2',
+ 'group2 tsm user3',
 ]
 is_expected.to run.with_params(args,"usm").and_return(retval)
 end
@@ -28,8 +28,8 @@
 "group2" => {}
 }
 retval = [
- 'group group1 usm user1',
- 'group group1 usm user2',
+ 'group1 usm user1',
+ 'group1 usm user2',
 ]
 is_expected.to run.with_params(args,"usm").and_return(retval)
 end
diff --git a/spec/functions/simp_snmpd/viewlist_spec.rb b/spec/functions/simp_snmpd/viewlist_spec.rb
index 307a8ed..207fef6 100644
--- a/spec/functions/simp_snmpd/viewlist_spec.rb
+++ b/spec/functions/simp_snmpd/viewlist_spec.rb
@@ -13,10 +13,10 @@ { "included" => "My::Mib", } }
 retval = [
- 'view first_view included .1.2.3.4',
- 'view first_view excluded 6.7.5.6',
- 'view first_view excluded .9',
- 'view second_view included My::Mib',
+ 'first_view included .1.2.3.4',
+ 'first_view excluded 6.7.5.6',
+ 'first_view excluded .9',
+ 'second_view included My::Mib',
 ]
 is_expected.to run.with_params(args).and_return(retval)
 end
diff --git a/templates/snmpd/access_usm.conf.epp b/templates/snmpd/access_usm.conf.epp
deleted file mode 100644
index da14aa4..0000000
--- a/templates/snmpd/access_usm.conf.epp
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file is managed by Puppet. Changes to it will be over written
-# Changes to access should be done in hiera
-# or additions can be added in /etc/snmpd/snmpd.d
-#
-# views
-<% $simp_snmpd::config::usm::_viewlist.each |$view| { -%>
-<%= $view %>
-<% } -%>
-
-# groups
-<% $simp_snmpd::config::usm::_grouplist.each |$group| { -%>
-<%= $group %>
-<% } -%>
-
-<% $simp_snmpd::config::usm::_accesslist.each |$access| { -%>
-<%= $access %>
-<% } -%>
-
diff --git a/templates/snmpd/agent.conf.epp b/templates/snmpd/agent.conf.epp
index 28cdf85..3b9863c 100644
--- a/templates/snmpd/agent.conf.epp
+++ b/templates/snmpd/agent.conf.epp
@@ -1,7 +1,7 @@
 # This file is created by puppet and contains default agent setting
 #
 # The agentuser and agent group are set here. If theses settings are missing the agent
- # is runnin as root:root
+ # is running as root:root
 <% if $simp_snmpd::snmpd_uid { -%>
 agentuser <%= $simp_snmpd::snmpd_uid %>
diff --git a/templates/snmpd/snmp_conf.epp b/templates/snmpd/snmp_conf.epp
deleted file mode 100644
index e93b901..0000000
--- a/templates/snmpd/snmp_conf.epp
+++ /dev/null
@@ -1,6 +0,0 @@
-defVersion <%= $simp_snmpd::version %>
-defSecurityModel <%= $simp_snmpd::defsecuritymodel %>
-defSecurityLevel <%= $simp_snmpd::install::client::seclevel %>
-defAuthType <%= $simp_snmpd::defauthtype %>
-defPrivType <%= $simp_snmpd::defprivtype %>
-mibdirs /usr/share/snmp/mibs:<%= $simp_snmpd::rsync_mibs_dir -%>/mibs
diff --git a/templates/snmpd/system_info.conf.epp b/templates/snmpd/system_info.conf.epp
deleted file mode 100644
index 903e8e5..0000000
--- a/templates/snmpd/system_info.conf.epp
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### File managed by Puppet
-###
-################################################################################
-# SYSTEM INFORMATION
-# If the values are set here then using a they are set to not writable in the
-# by the system. If you wish to set these via a snmp manager or through your
-# own file you can disable this by setting simp_snmpd::set_system_info to false.
-# ------------------------------------------------------------------------------
-# System Group
-sysLocation <%= $simp_snmpd::location %>
-sysContact <%= $simp_snmpd::contact %>
-sysServices <%= $simp_snmpd::services %>
-sysName <%= $simp_snmpd::sysname %>
diff --git a/types/auth.pp b/types/auth.pp
deleted file mode 100644
index c289d0f..0000000
--- a/types/auth.pp
+++ /dev/null
@@ -1 +0,0 @@
-type Simp_snmpd::Auth = Enum['noauth','auth','priv']
diff --git a/types/seclevel.pp b/types/seclevel.pp
new file mode 100644
index 0000000..47fb80f
--- /dev/null
+++ b/types/seclevel.pp
@@ -0,0 +1,2 @@
+# The default authentication level for the client to use in snmp.conf
+type Simp_snmpd::Seclevel = Enum['noAuthNoPriv','authNoPriv','authPriv']
diff --git a/types/secmodel.pp b/types/secmodel.pp
index 482b99e..9880408 100644
--- a/types/secmodel.pp
+++ b/types/secmodel.pp
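Review bot: The header comment in the new `types/seclevel.pp` calls the enum an "authentication level", but its values (`noAuthNoPriv`, `authNoPriv`, `authPriv`) are the SNMPv3 security levels that `defSecurityLevel` in snmp.conf takes, and the lowest of them turns off both authentication and privacy; saying so in the comment helps whoever is deciding whether to lower the client default. Suggested wording: `# Security level for the client's defSecurityLevel in snmp.conf; noAuthNoPriv disables both authentication and encryption`. The new `types/vacmlevel.pp` in the next hunk has the same wording problem ("default type" for what is a security level).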
@@ -1 +1,4 @@
-type Simp_snmpd::Secmodel = Enum['usm','v1','v2c','tsm','ksm']
+#type Simp_snmpd::Secmodel = Enum['usm','v1','v2c','tsm','ksm']
+# Right now usm is the only type suppoerted by this module.
+# If you want to use another type, use the puppet/snmp module directly
+type Simp_snmpd::Secmodel = Enum['usm']
diff --git a/types/vacmlevel.pp b/types/vacmlevel.pp
new file mode 100644
index 0000000..fbf7f31
--- /dev/null
+++ b/types/vacmlevel.pp
@@ -0,0 +1,2 @@
+# The default type to use in VACM access directives
+type Simp_snmpd::Vacmlevel = Enum['noauth','auth','priv']
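Review bot: The new `types/secmodel.pp` keeps the old definition as a commented-out line (`#type Simp_snmpd::Secmodel = Enum['usm','v1','v2c','tsm','ksm']`) above the live one; git history already records it, and the comment underneath, which has a typo (`suppoerted`), carries the information on its own. I would drop the dead line and keep a single comment: `# Only 'usm' is supported by this module; for another security model use the puppet/snmp module directly`. Narrowing the type to `Enum['usm']` is the right call for a profile that only wires up USM, since the removed "with default security mode set to something other than usm" test in the spec hunk shows the other values were previously only reported through a notify rather than configured.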