diff options
| author | Christian Poessinger <christian@poessinger.com> | 2018-06-08 11:18:50 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2018-06-08 11:18:50 +0200 |
| commit | 838eff5caa58330b4c922f786fe3d5ef4867fd6f (patch) | |
| tree | 8508b8b20bed55f1ec0f0bbc7c0de948a9ab6d3a | |
| parent | 3b7b936cc53dd06e27d10ad2995286762cb7fa84 (diff) | |
| download | vyatta-cfg-system-838eff5caa58330b4c922f786fe3d5ef4867fd6f.tar.gz vyatta-cfg-system-838eff5caa58330b4c922f786fe3d5ef4867fd6f.zip | |
T652: remove PERL scripts required for SNMP service
| -rw-r--r-- | Makefile.am | 3 | ||||
| -rwxr-xr-x | scripts/snmp/vyatta-snmp-v3.pl | 676 | ||||
| -rwxr-xr-x | scripts/snmp/vyatta-snmp.pl | 333 | ||||
| -rwxr-xr-x | scripts/system/vyatta_check_snmp_name.pl | 31 |
4 files changed, 0 insertions, 1043 deletions
diff --git a/Makefile.am b/Makefile.am index 3e70ca59..01ea0ce6 100644 --- a/Makefile.am +++ b/Makefile.am @@ -43,7 +43,6 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup sbin_SCRIPTS += scripts/standalone_root_pw_reset sbin_SCRIPTS += scripts/vyatta-passwd-sync sbin_SCRIPTS += scripts/system/vyatta_check_username.pl -sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl sbin_SCRIPTS += scripts/system/vyatta_interface_rescan sbin_SCRIPTS += scripts/system/vyatta_update_login.pl @@ -53,8 +52,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl sbin_SCRIPTS += scripts/system/vyatta_update_console.pl sbin_SCRIPTS += scripts/system/irq-affinity.pl -sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl -sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl sbin_SCRIPTS += scripts/snmp/if-mib-alias sbin_SCRIPTS += scripts/telnetd.init sbin_SCRIPTS += scripts/dynamic-dns/vyatta-dynamic-dns.pl diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl deleted file mode 100755 index a2d738eb..00000000 --- a/scripts/snmp/vyatta-snmp-v3.pl +++ /dev/null @@ -1,676 +0,0 @@ -#!/usr/bin/perl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use File::Copy; -use Getopt::Long; -use Socket; -use Socket6; - -my $snmp_v3_level = 'service snmp v3'; -my $snmp_restart = 'systemctl restart snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_reload = 'systemctl reload snmpd.service'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; -my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; -my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; - -my $oldEngineID = ""; -my $setserialno = ""; - -my %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" -); - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr( rand(256) ) } 1 .. ( $length / 2 ); -} - -sub snmpd_running { - open( my $pidf, '<', "/run/snmpd.pid" ) - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); -} - -sub check_snmp_exit_code { - my $code = shift; - - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ( $code != 0 && $code != 256 ) { - return 1; - } - else { - return 0; - } -} - -sub snmpd_stop { - system("$snmp_stop > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); - } -} - -sub snmpd_start { - system("$snmp_start > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not start snmpd!\n"; - exit(1); - } -} - -sub snmpd_update { - system("$snmp_reload > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); - } -} - -sub snmpd_restart { - system("$snmp_restart > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); - } -} - -# get vyatta version -sub get_version { - my $version = "unknown-version"; - - if ( open( my $f, '<', $versionfile ) ) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -sub ipv6_disabled { - socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) - or return 1; - close($s); - return; -} - -# write tsm config from current to snmpd_conf -sub set_tsm { - my $config = get_snmp_config(); - if ( $config->exists("tsm") ) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system( -"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" - ); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); - } -} - -# delete all SNMP config files -# can be called directly -sub snmp_delete { - snmpd_stop(); - - my @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); - foreach my $file (@files) { - if ( -e $file ) { - unlink($file); - } - } -} - -sub get_snmp_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_v3_level); - return $config; -} - -# write views from vyatta config to snmpd_conf -sub set_views { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ( $config->listNodes("view") ) { - foreach my $oid ( $config->listNodes("view $view oid") ) { - my $mask = ''; - $mask = $config->returnValue("view $view oid $oid mask") - if $config->exists("view $view oid $oid mask"); - if ( $config->exists("view $view oid $oid exclude") ) { - print "view $view excluded .$oid $mask\n"; - } - else { - print "view $view included .$oid $mask\n"; - } - } - } - print "\n"; -} - -# write groups from vyatta config to snmpd_conf -sub set_groups { - print -"#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ( $config->listNodes("group") ) { - my $mode = $config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - my $secLevel = $config->returnValue("group $group seclevel"); - if ( $mode eq "ro" ) { - print "access $group \"\" usm $secLevel exact $view none none\n"; - print "access $group \"\" tsm $secLevel exact $view none none\n"; - } - else { - print "access $group \"\" usm $secLevel exact $view $view none\n"; - print "access $group \"\" tsm $secLevel exact $view $view none\n"; - } - } - print "\n"; -} - -# write users from vyatta config to snmpd_conf -sub set_users_in_etc { - - print "#group\n"; - my $tsm_counter = 0; - my $config = get_snmp_config(); - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("group") ) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; - } - if ( $config->exists("tsm-key") ) { - my $cert = $config->returnValue("tsm-key"); - $tsm_counter++; - print "certSecName $tsm_counter $cert --sn $user\n"; - } - } - - print "\n"; -} - -# write users from vyatta config to config files in /usr & /var -sub set_users_to_other { - open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open( my $var_conf, '>>', $snmpd_var_conf_tmp ) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ( $config->exists("tsm") ) { - $needTsm = 1; - } - - my %trap_users = (); - - foreach my $trap ( $config->listNodes("trap-target") ) { - $trap_users{ $config->returnValue("trap-target $trap user") } = 1; - } - - foreach my $user ( $config->listNodes("user") ) { - delete $trap_users{$user}; - $config->setLevel( $snmp_v3_level . " user $user" ); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ( $config->exists("auth") ) { - if ( $config->exists("auth plaintext-key") ) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = ''; - $priv_key = $config->returnValue("privacy plaintext-key") - if $config->exists("privacy plaintext-key"); - print $var_conf -"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } - else { - my $name_print = get_printable_name($user); - my $EngineID = $config->returnValue("engineid"); - if ( $EngineID eq "" ) { - die "ERROR: engineid is null\n"; - } - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - - my ( $priv_type_oid, $priv_key_hex ); - if ( $config->exists("privacy") ) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = - $config->returnValue("privacy encrypted-key"); - } - else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf -"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } - } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ( $config->exists("privacy") ) { - $end = "priv"; - } - print $usr_conf $mode . "user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode . "user -s tsm $user $end\n"; - } - } - -# add users for trap if they are not exists in vyatta config /services/snmp/v3/user - foreach my $user ( keys %trap_users ) { - my $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x" - . randhex(26) - . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" - . randhex(32) - . " .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth\n"; - } - - print $var_conf "setserialno $setserialno\n" - if !($setserialno eq ""); - print $var_conf "oldEngineID $oldEngineID\n" - if !($oldEngineID eq ""); - - close $usr_conf; - close $var_conf; -} - -# if name contains '-' then it must be printed in hex format -sub get_printable_name { - my $name = shift; - if ( $name =~ /-/ ) { - my @array = unpack( 'C*', $name ); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf( "%lx", $c ); - } - return $stringHex; - } - else { - return "\"$name\""; - } -} - - -# read encrypted keys from config file in /var to vyatta config -# read additional info from config file in /var to VConfig variable -# delete plaintext passwords in vyatta config -sub update_users_vyatta_conf { - open( my $var_conf, '<', $snmpd_var_conf ) - or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while ( my $line = <$var_conf> ) { - if ( $line =~ /^oldEngineID (.*)$/ ) { - my $value = $1; - if ($config->exists("engineid") && - $config->returnValue("engineid") eq ""){ - system( -"/opt/vyatta/sbin/my_set service snmp v3 engineid $value > /dev/null" - ); - } - } - if ( $line =~ /^usmUser / ) { - my @values = split( / /, $line ); - my $name = $values[4]; - if ( $name =~ /^"(.*)"$/ ) { - $name = $1; - } - else { - $name = pack( 'H*', $name ); - } - - # this file contain users for trap-target and vyatta... user - # these users recreating automatically on each commit - if ( $config->exists("user $name") ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" engineid $values[3] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" - ); - if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" - ); - } - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" - ); - } - } - } - close $var_conf; -} - -# write trap-target hosts from vyatta config to snmpd_conf -sub set_hosts { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ( $config->listNodes("trap-target") ) { - $config->setLevel( $snmp_v3_level . " trap-target $target" ); - my $auth_key = ''; - if ( $config->exists("auth plaintext-key") ) { - $auth_key = "-A " . $config->returnValue("auth plaintext-key"); - } - else { - $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = '-Ci'; - $inform_flag = '-Ci' if ( $type eq 'inform' ); - - if ( $type eq 'trap' ) { - $inform_flag = '-e ' . $config->returnValue("engineid"); - } - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ( $config->exists("privacy") ) { - my $priv_key = ''; - if ( $config->exists("privacy plaintext-key") ) { - $priv_key = - "-X " . $config->returnValue("privacy plaintext-key"); - } - else { - $priv_key = - "-3M " . $config->returnValue("privacy encrypted-key"); - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - - # TODO understand difference between master and local - # Uses: - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - # Current use only master - my $target_print = $target; - if ( $target =~ /:/ ) { - $target_print = "[$target]"; - $protocol = $protocol . "6"; - } - print -"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; -} - -# check changes in auth and privacy nodes -# deny set encrypted-key in case engineid wasn't set -sub check_user_auth_changes { - my $config = get_snmp_config(); - my $v3engineid = ""; - - if($config->exists("engineid")){ - $v3engineid=$config->returnValue("engineid"); - } - - if ( $config->isChanged("user") || $config->isChanged("engineid")) { - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("engineid") && - !($v3engineid eq "" ) && - !($config->returnValue("engineid") eq "" ) && - !($config->returnValue("engineid") eq $v3engineid)){ - print -"Warning: Encrypted key(s) for snmp v3 user \"$user\" was(were) generated for another SNMP engineid. It won't work. Please recreate this user.\n"; - } - if ( $config->exists("auth") ) { - if ( - !( - $config->exists("engineid") && - ( - $config->exists("auth encrypted-key") || - $config->exists("privacy encrypted-key") - ) - ) - ) - { - $haveError = 1; - print -"Discard encrypted-key on user \"$user\". It's necessary to setup engineid the encrypted-key was generated with.\n"; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthEKeyChanged = $config->isChanged("auth encrypted-key"); - if ( $config->exists("privacy") ) { - my $isPrivKeyChanged = - $config->isChanged("privacy plaintext-key"); - my $isPrivEKeyChanged = - $config->isChanged("privacy encrypted-key"); - if ( ($isPrivEKeyChanged && !$isAuthEKeyChanged) - || ($isPrivKeyChanged && !$isAuthKeyChanged) ) { - $haveError = 1; - print - "Please, set correct auth and privacy for user \"$user\"\n"; - print - "Set plaintext-key for auth and privacy or set encrypted-key for both\n"; - } - } - } - else { - if ( $config->exists("privacy") ) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); - } - } -} - -# check relation between user & group & view -sub check_relation { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( !$config->exists("group $group") ) { - $haveError = 1; - print -"Please, create group \"$group\". It's need for user \"$user\"\n"; - } - } - } - foreach my $group ( $config->listNodes("group") ) { - my $view = $config->returnValue("group $group view"); - if ( !$config->exists("view $view") ) { - $haveError = 1; - print - "Please, create view \"$view\". It's need for group \"$group\"\n"; - } - } - if ($haveError) { - exit(1); - } -} - -# check is new tsm port free on system -sub check_tsm_port { - my $config = get_snmp_config(); - if ( $config->isChanged("tsm port") ) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - my $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line ( split( /\n/, $output ) ) { - if ( $line =~ /$reg/ ) { - print - "Actually port $port is using. It can not be used for tsm.\n"; - exit(1); - } - } - } -} - -# check group seclevel and user auth/privacy -sub check_seclevel { - my $config = get_snmp_config(); - my $haveError = 0; - if ( $config->isChanged("user") || $config->isChanged("group") ) { - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( $config->isChanged("user $user") - || $config->isChanged("group $group") ) - { - my $group_seclevel = - $config->returnValue("group $group seclevel"); - if ( $config->exists("user $user privacy") ) { - if ( $group_seclevel eq "auth" ) { - print -"User \"$user\" have privacy, but group \"$group\" have \"auth\" as seclevel. So auth and priv work both.\n"; - } - } - else { - if ( $group_seclevel eq "priv" ) { - print -"User \"$user\" will not work, because he haven't privacy, but group \"$group\" have \"priv\" as seclevel.\n"; - $haveError = 1; - } - } - } - } - } - } - if ($haveError) { - exit(1); - } -} - -sub copy_conf_to_tmp { - - # these files already contain SNMPv2 configuration - copy( $snmpd_conf, $snmpd_conf_tmp ) - or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) - or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) - or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; -} - -# update all vyatta config -# can be called directly -sub snmp_update { - - copy_conf_to_tmp(); - - set_tsm(); - - open( my $fh, '>>', $snmpd_conf_tmp ) - or die "Couldn't open $snmpd_conf_tmp - $!"; - - select $fh; - - set_views(); - set_groups(); - set_hosts(); - set_users_in_etc(); - - close $fh; - select STDOUT; - - move( $snmpd_conf_tmp, $snmpd_conf ) - or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; - - my $config = get_snmp_config(); - if ($config->exists("engineid")) { - $oldEngineID = $config->returnValue("engineid"); - } - - snmpd_stop(); - - #add newly added users to var config to get encrypted values - set_users_to_other(); - - move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) - or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; - move( $snmpd_var_conf_tmp, $snmpd_var_conf ) - or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; - - snmpd_start(); - snmpd_stop(); - - # now we have encrypted user config - start and read it after - snmpd_start(); - update_users_vyatta_conf(); -} - -# validate vyatta config before write it into files -# can be called directly -sub snmp_check { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - check_seclevel(); -} - -my $check_config; -my $update_snmp; -my $delete_snmp; - -GetOptions( - "check-config!" => \$check_config, - "update-snmp!" => \$update_snmp, - "delete-snmp!" => \$delete_snmp, - "oldEngineID=s" => \$oldEngineID, - "setserialno=s" => \$setserialno -); - -snmp_check() if ($check_config); -snmp_update() if ($update_snmp); -snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl deleted file mode 100755 index 5c4ff1d0..00000000 --- a/scripts/snmp/vyatta-snmp.pl +++ /dev/null @@ -1,333 +0,0 @@ -#!/usr/bin/perl -# -# Module: vyatta-snmp.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Stig Thormodsrud -# Date: October 2007 -# Description: Script to glue vyatta cli to snmp daemon -# -# **** End License **** -# - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use Vyatta::Misc; -use NetAddr::IP; -use Getopt::Long; -use File::Copy; -use Socket; -use Socket6; - -my $mibdir = '/opt/vyatta/share/snmp/mibs'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_conf = '/etc/snmp/snmpd.conf'; -my $snmp_client = '/etc/snmp/snmp.conf'; -my $snmp_tmp = "/tmp/snmpd.conf.$$"; -my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; -my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; -my $password_file = '/config/snmp/superuser_pass'; - -my $snmp_level = 'service snmp'; - -sub snmp_running { - open (my $pidf, '<', "/run/snmpd.pid") - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); -} - -sub snmp_stop { - system("$snmp_stop > /dev/null 2>&1"); -} - -sub snmp_start { - # we must stop snmpd first for creating vyatta user - system("$snmp_stop > /dev/null 2>&1"); - open (my $fh, '>', $snmp_tmp) - or die "Couldn't open $snmp_tmp - $!"; - - select $fh; - snmp_get_constants(); - snmp_get_values(); - snmp_get_traps(); - close $fh; - select STDOUT; - - snmp_client_config(); - - move($snmp_tmp, $snmp_conf) - or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; -} - -sub get_version { - my $version = "unknown-version"; - - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -# convert address to snmpd transport syntax -sub transport_syntax { - my ($addr, $port) = @_; - my $ip = new NetAddr::IP $addr; - die "$addr: not a valid IP address" unless $ip; - - my $version = $ip->version(); - return "udp:$addr:$port" if ($version == 4); - return "udp6:[$addr]:$port" if ($version == 6); - die "$addr: unknown IP version $version"; -} - -# Test if IPv6 is possible by opening a socket -sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; - close($s); - return; -} - -# Find SNMP agent listening addresses -sub get_listen_address { - my $config = new Vyatta::Config; - my @listen; - - $config->setLevel('service snmp listen-address'); - my @address = $config->listNodes(); - - if(@address) { - foreach my $addr (@address) { - my $port = $config->returnValue("$addr port"); - push @listen, transport_syntax($addr, $port); - } - } else { - # default if no address specified - @listen = ( 'udp:161' ); - push @listen, 'udp6:161' unless ipv6_disabled(); - return @listen; - } - - return @listen; -} - -sub snmp_get_constants { - my $version = get_version(); - my $now = localtime; - my @addr = get_listen_address(); - - # add local unix domain target for use by operational commands - unshift @addr, $local_agent; - - print "# autogenerated by vyatta-snmp.pl on $now\n"; - print "sysDescr VyOS $version\n"; - print "sysObjectID 1.3.6.1.4.1.44641\n"; - print "sysServices 14\n"; - print "master agentx\n"; # maybe needed by lldpd - print "agentaddress ", join(',',@addr), "\n"; - print "agentXPerms 0755 0755\n"; - - # add hook to read IF-MIB::ifAlias from sysfs - print "pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias\n"; - - print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.9\n"; # mribd - print "smuxpeer .1.3.6.1.2.1.83\n"; # mribd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.8\n"; # pimd - print "smuxpeer .1.3.6.1.2.1.157\n"; # pimd - print "smuxsocket localhost\n"; -} - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); -} - -# output snmpd.conf file syntax for community -sub print_community { - my ($config, $community) = @_; - my $ro = $config->returnValue('authorization'); - $ro = 'ro' unless $ro; - - my @clients = $config->returnValues('client'); - my @networks = $config->returnValues('network'); - - my @restriction = (@clients, @networks); - if (!@restriction) { - print $ro . "community $community\n"; - print $ro . "community6 $community\n" unless ipv6_disabled(); - return; - } - - foreach my $addr (@restriction) { - my $ip = new NetAddr::IP $addr; - die "$addr: Not a valid IP address" unless $ip; - - if ($ip->version() == 4) { - print $ro . "community $community $addr\n"; - } elsif ($ip->version() == 6) { - print $ro . "community6 $community $addr\n"; - } else { - die "$addr: bad IP version ", $ip->version(); - } - } -} - -sub snmp_get_values { - my $config = new Vyatta::Config; - - my @communities = $config->listNodes("service snmp community"); - foreach my $community (@communities) { - $config->setLevel("service snmp community $community"); - print_community($config, $community); - } - - $config->setLevel("service snmp smux-peer"); - my @smuxpeers = $config->returnValues(); - foreach my $smuxpeer (@smuxpeers) { - print "smuxpeer $smuxpeer \n"; - } - - $config->setLevel($snmp_level); - my $contact = $config->returnValue("contact"); - if (defined $contact) { - print "SysContact $contact \n"; - } - - my $description = $config->returnValue("description"); - if (defined $description) { - print "SysDescr $description \n"; - } - - my $location = $config->returnValue("location"); - if (defined $location) { - print "SysLocation $location \n"; - } -} - -sub snmp_get_traps { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - # linkUp/Down configure the Event MIB tables to monitor - # the ifTable for network interfaces being taken up or down - # for making internal queries to retrieve any necessary information - - # create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' - my $vyatta_user = "vyatta" . randhex(16); - snmp_create_snmpv3_user($vyatta_user); - snmp_write_snmpv3_user($vyatta_user); - print "iquerySecName $vyatta_user\n"; - - # Modified from the default linkUpDownNotification - # to include more OIDs and poll more frequently - print <<EOF; -notificationEvent linkUpTrap linkUp ifIndex ifDescr ifType ifAdminStatus ifOperStatus -notificationEvent linkDownTrap linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus -monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 -monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 -EOF - - my @trap_targets = $config->listNodes("trap-target"); - return unless @trap_targets; - - foreach my $trap_target (@trap_targets) { - my $port = $config->returnValue("trap-target $trap_target port"); - my $community - = $config->returnValue("trap-target $trap_target community"); - - print "trap2sink $trap_target"; - print ":$port" if $port; - print " $community" if $community; - print "\n"; - } -} - -# Configure SNMP client parameters -sub snmp_client_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - open (my $cf, '>', $snmp_client) - or die "Couldn't open $snmp_client - $!"; - - my $version = get_version(); - my $now = localtime; - print {$cf} "# autogenerated by vyatta-snmp.pl on $now\n"; - - my $trap_source = $config->returnValue('trap-source'); - print {$cf} "clientaddr $trap_source\n" if ($trap_source); - close $cf; -} - -sub snmp_create_snmpv3_user { - - my $vyatta_user = shift; - my $passphrase = randhex(32); - - my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; - open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; - print $fh $createuser; - close $fh; - - open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; - print $pass_file $passphrase; - close $pass_file; -} - -sub snmp_write_snmpv3_user { - - my $vyatta_user = shift; - my $user = "rwuser $vyatta_user\n"; - open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; - print $fh $user; - close $fh; -} - - -# -# main -# -my $update_snmp; -my $stop_snmp; - -GetOptions("update-snmp!" => \$update_snmp, - "stop-snmp!" => \$stop_snmp); - -snmp_start() if ($update_snmp); -snmp_stop() if ($stop_snmp); diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl deleted file mode 100755 index 599fe398..00000000 --- a/scripts/system/vyatta_check_snmp_name.pl +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -foreach my $name (@ARGV) { - die "$name : illegal characters in name\n" - if (!($name =~ /^[a-zA-Z0-9]*$/)); - - # Usernames may only be up to 32 characters long. - die "$name: name may only be up to 32 characters long\n" - if (length($name) > 32); -} - -exit 0; |