path: root/src/conf_mode/snmp.py
Age | Commit message | Author
2021-12-27 | snmp: T4093: add missing verify() step for required group per snmp v3 user | Christian Poessinger
(cherry picked from commit a70a4001fe0b3a91a7d86191ff32dcc7205d2eae)
2021-11-17 | snmp: T3996: fix invalid IPv6 localhost handling when using listen-address | Christian Poessinger
We need to use a temporary variable when validating the tuple if address is used. If not, the else branch will always add the tuple to the list of addresses used for listen-address.
(cherry picked from commit d13b91462487e090b32c0d1ecf9139a2271b4837)
2020-11-13 | vyos.template: provide general is_ip(v4|v6) helpers | Christian Poessinger
We had two places where the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places now have been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-09-25 | T2926: Missing import | kroy
2020-07-12 | snmp: T2687: replace 3rd party hash library with custom code | Christian Poessinger
The 3rd party library used for calculating the SNMP hashes in advance only worked for SHA and not for MD5 as SHA was hardcoded [1]. The code has been replaced by a class-less implementation providing only the required functionality.
[1]: https://github.com/TheMysteriousX/SNMPv3-Hash-Generator/issues/2
2020-07-11 | snmp: T2687: precalculate snmpv3 encrypted keys | Christian Poessinger
As of now when adding new credentials for any SNMPv3 user we submit the credential either plaintext or encrypted. A plaintext credential will be hashed by SNMPd in the background and then passed back into the CLI so it's not stored in cleartext. This feels like the wrong way in changing the CLI content with data produced by a 3rd party daemon which implements the service. It feels like the tail wiggles the entire dog.
This should be changed in the following way:
- After retrieving the plaintext password from CLI, use Python to hash the key in advance
- Re-populate the encrypted key into the CLI and drop the plaintext one
- Generate service configuration and continue startup of SNMPd
This also fixes a race condition when SNMPd started up but not properly provided the hashed keys in the configuration resulting in a ConfigurationError. Now as we also support binding SNMPd to a VRF this fixes a deadlock situation on bootup as we can only bind late to the VRF and require up to 5 restarts of the service - but the service will never start.
2020-07-04 | snmp: vrf: T2682: support restart on failure indefinitely. | Christian Poessinger
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary reason. After restarting SSH too often (rate-limiting) it is blocked by systemd. Using Restart/RestartSec is not enough - systemd services use start rate limiting (enabled by default). If service is started more than StartLimitBurst times in StartLimitIntervalSec seconds it is not permitted to start any more. Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and DefaultStartLimitBurst (default 5).
2020-06-16 | snmp: T2321: use restart of start in systemctl | Christian Poessinger
For an unknown reason snmpd not always starts after reboot.
2020-06-13 | snmp: T2321: add VRF support | Christian Poessinger
2020-05-29 | airbag: T2088: explicit enabling of the feature | Thomas Mangin
airbag must now be explicitly installed. The patch also allows to fully disable the installation of the logging code at setup (and not just installing and doing nothing).
2020-04-15 | dns-forwarding: T2298: fix path to control file | Christian Poessinger
After migrating PowerDNS to systemd and also its configuration files to a volatile directory in commit 77d725f ("dns-forwarding: T2185: move configuration files to volatile /run directory") the path for the control file has not been altered and pushed to the client rec_control binary.
2020-04-12 | template: T2230: use render to generate templates | Thomas Mangin
convert all calls to jinja to use template.render
2020-04-09 | util: T2226: os.system was wrongly converted to run | Thomas Mangin
os.system does print the output of the command, run() does not. A new function called call() does the printing and returns the error code.
2020-04-06 | util: T2226: convert most calls from os.system to util | Thomas Mangin
As little change as possible but the function call. The behaviour should be totally unchanged.
2020-04-05 | snmp: T2230: move inlined templates to dedicated files | Christian Poessinger
2020-03-25 | T2161: Skip ipv6 listen, if it is disabled | Andras Elso
2020-03-21 | snmp: cleanup import section | Christian Poessinger
2020-02-19 | snmp: T1769: fix indentation error and add try clause | John Estabrook
2020-02-18 | snmp: T1769: cleanup leftover code path for certificate migration | Christian Poessinger
2020-02-18 | snmp: T2042: remove superfluous sudo calls | Christian Poessinger
2020-02-18 | snmp: T2042: import statement cleanup | Christian Poessinger
2020-02-15 | snmp: T2042: stricter validation when deleting SNMP in combination with LLDP | Christian Poessinger
A consistency check was missing to prevent deleting the SNMP configuration but still setting "service lldp snmp enable".
2020-02-09 | snmp: T1931: instead of searching a pseudo marker find real marker in config | Christian Poessinger
As we need to operate with usmUser, we can search for it directly if it's present or not. There is always one usmUser entry for the system user.
2020-02-09 | snmp: T1931: change calling order when setting marker flag | Christian Poessinger
2020-02-09 | snmp: T1931: delete obsolete reading of oldEngineID | Christian Poessinger
2020-02-09 | snmp: T1931: harden logic when re-reading config for encrypted keys | Christian Poessinger
2020-02-09 | snmp: T1931: shorten file read timeout to 10ms | Christian Poessinger
2020-01-26 | snmpd: T1937: fix all startup warnings | Christian Poessinger
This is actually an "upstream" bug, see [1] but it can be fixed via our own scripts. [1]: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1384122
2020-01-26 | Revert "snmp: T1937: fix "unknown token" warnings" | Christian Poessinger
This reverts commit 6945b2e3561cd76d193d41dd6ab5249661230460.
2020-01-06 | service-snmp: T1931: Enabling SNMP commit error | hagbard
2020-01-03 | snmp: T1937: fix "unknown token" warnings | Christian Poessinger
2019-12-30 | snmp: T1921: reduce syslog noise | Christian Poessinger
Remove informative but noisy messages:
    Dec 30 11:45:02 vyos snmpd[2870]: Connection from UDP: [172.16.100.1]:42781 ...
    Dec 30 11:45:02 vyos snmpd[2870]: Connection from UDP: [172.16.100.1]:57331 ...
2019-12-30 | snmp: T1921: change log options | Christian Poessinger
suppress error message:
    Dec 30 11:44:10 LR1 snmpd[2870]: error on subcontainer 'ia_addr' insert (-1)
2019-12-30 | snmp: T1921: migrate sysvinit default to systemd override file | Christian Poessinger
2019-12-30 | snmp: adopt user/group to Debian Buster | Christian Poessinger
2019-12-18 | snmp: T1881: Add path for ext-scripts without path | DmitriyEshenko
2019-12-17 | snmp: T1881: add S_IRGRP to snmp script file permission set | Christian Poessinger
2019-12-17 | snmp: T1881: Change permission for script files | Viacheslav Hletenko
2019-10-27 | snmp: make script extension code more readable | Christian Poessinger
2019-10-27 | snmp: use proper stat literals on chmod() | Christian Poessinger
2019-10-27 | snmp: fix verify() indent on script extensions | Christian Poessinger
2019-10-27 | snmp: fix verify() bail out early order | Christian Poessinger
2019-10-27 | snmp: T1738: cleanup import statements | Christian Poessinger
2019-10-27 | snmp: T1769: remove TSM (Transport Security Mode) support | Christian Poessinger
The SNMPv3 TSM is very complex and I know 0 users of it. Also this is untested and I know no way how it could be tested. Instead of carrying on dead and unused code we should favour a drop of it using a proper config migration script.
2019-10-27 | snmp: T818: T1738: remove per user/trap engine id | Christian Poessinger
As of the SNMP specification an SNMP engine ID should be unique per device. To not make it more complicated for users - only use the global SNMP engine ID.
2019-10-15 | snmpd: T1705 - High CPU usage by bgpd when snmp is active | hagbard
* typo fixed
2019-10-13 | Revert "snmpd: T1705 - High CPU usage by bgpd when snmp is active" | Christian Poessinger
Systems not running BGP won't boot anymore. Syslog shows:
    snmpd[5404]: getaddrinfo: inetCidrRouteTable Name or service not known
    snmpd[5404]: getaddrinfo("inetCidrRouteTable", NULL, ...): Name or service not known
    snmpd[5404]: Error opening specified endpoint "inetCidrRouteTable"
    snmpd[5404]: Server Exiting with code 1
    snmpd[5401]: Starting SNMP services::
    systemd[1]: snmpd.service: control process exited, code=exited status=1
    systemd[1]: Failed to start LSB: SNMP agents.
    systemd[1]: Unit snmpd.service entered failed state.
This reverts commit e45648cdd5a52569be7f3ac30473b0c7474a7894.
2019-10-10 | snmpd: T1705 - High CPU usage by bgpd when snmp is active | hagbard
2019-07-15 | [T1299] - SNMP extension with custom scripts | hagbard
2019-01-30 | T1160: fix (ro|rw)community ACL | Christian Poessinger
When building up the SNMP v2 community ro/rw access all hosts from a INET version could access even when the community was locked to one INET family.
Example #1:
    set service snmp community bar network 172.16.0.0/12
Allowed access only to IPv4 network 172.16.0.0/12 but it allowed access from IPv6 ::/0.
Example #2:
    set service snmp community baz network 2001:db8::/64
Limited IPv6 access to 2001:db8::/64 but IPv4 was open to 0.0.0.0/0