From 7f2baa3eab8f35c401ab5e68fc260a0fad3bbdae Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Sun, 20 Mar 2016 08:04:53 -0400 Subject: fix "Output Channel" config so logging will work --- scripts/system/vyatta_update_syslog.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_syslog.pl b/scripts/system/vyatta_update_syslog.pl index dd834c92..37d017e3 100755 --- a/scripts/system/vyatta_update_syslog.pl +++ b/scripts/system/vyatta_update_syslog.pl @@ -93,7 +93,7 @@ sub print_outchannel { # Force outchannel size to be 1k more than logrotate config to guarantee rotation $size = ($size + 5) * 1024; print $fh "\$outchannel $channel,$target,$size,/usr/sbin/logrotate ${LOGROTATE_CFG_DIR}/$channel\n"; - print $fh join( ';', @{ $entries{$target}{selector} } ), " \$$channel\n"; + print $fh join( ';', @{ $entries{$target}{selector} } ), " :omfile:\$$channel\n"; } my $config = new Vyatta::Config; -- cgit v1.2.3 From d582bbaf3ad95566de9b90d1572d60e39936a1a7 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Sun, 23 Apr 2017 18:48:45 +0200 Subject: update console settings for systemd --- scripts/system/vyatta_update_console.pl | 102 ++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 46 deletions(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_console.pl b/scripts/system/vyatta_update_console.pl index 7c36ec7f..93f6a232 100755 --- a/scripts/system/vyatta_update_console.pl +++ b/scripts/system/vyatta_update_console.pl @@ -26,6 +26,7 @@ use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; use File::Compare; use File::Copy; +use experimental 'smartmatch'; die "$0 expects no arguments\n" if (@ARGV); 
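Review bot: `use experimental 'smartmatch'` is pulled in only to support the `$file ~~ @ttys` membership test in the update_getty hunk of this commit; smartmatch has been experimental since 5.18 and is now deprecated, so the pragma ties the script to a feature that may be removed from a future perl. A hash keyed by unit name does the same job without it: `my %wanted = map { ("serial-getty\@$_.service" => 1) } $config->listNodes();` and then `next if $wanted{$file};` in the readdir loop. The import block this line joins starts before the hunk.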
@@ -44,59 +45,68 @@ sub update { } } -my $INITTAB = "/etc/inittab"; -my $TMPTAB = "/tmp/inittab.$$"; +sub update_getty{ + my $directory = "/etc/systemd/system"; + my $config = new Vyatta::Config; + $config->setLevel("system console device"); + my @ttys; + + foreach my $tty ($config->listNodes()) { + push(@ttys, "serial-getty\@$tty.service"); + } + + opendir DIR, $directory or die "Couldn't open dir '$directory': $!"; + while (my $file = readdir(DIR)) { + next unless ($file =~ /^serial-getty/); + if ( not $file ~~ @ttys ) { + system("systemctl stop $file"); + if (-e "$directory/getty.target.wants/$file") { + unlink "$directory/getty.target.wants/$file" + or die "Failed to remove file $file: $!\n"; + } + if (-e "$directory/$file") { + unlink "$directory/$file" + or die "Failed to remove file $file: $!\n"; + } + system("systemctl daemon-reload"); + } + } + closedir DIR; -sub update_inittab { - open(my $inittab, '<', $INITTAB) - or die "Can't open $INITTAB: $!"; + foreach my $tty ($config->listNodes()) { + my $SGETTY = "/lib/systemd/system/serial-getty\@.service"; + my $TMPGETTY = "/etc/systemd/system/serial-getty\@$tty.service"; + my $SYMGETTY = "/etc/systemd/system/getty.target.wants/serial-getty\@$tty.service"; - open(my $tmp, '>', $TMPTAB) - or die "Can't open $TMPTAB: $!"; + open(my $sgetty, '<', $SGETTY) + or die "Can't open $SGETTY: $!"; - # Clone original inittab but remove all references to serial lines - # and Xen consoles - print {$tmp} grep {!/^T|^# Vyatta|^h/} <$inittab>; - close $inittab; + open(my $tmp, '>', $TMPGETTY) + or die "Can't open $TMPGETTY: $!"; - my $config = new Vyatta::Config; - $config->setLevel("system console device"); + my $speed = $config->returnValue("$tty speed"); + if ($tty =~ /^hvc\d/) { + $speed = 38400 unless $speed; + } else { + $speed = 9600 unless $speed; + } - print {$tmp} "# Vyatta console configuration (do not modify)\n"; - - my $serial_id = 0; - my $xen_id = 0; - - foreach my $tty ($config->listNodes()) { - my $speed = 
$config->returnValue("$tty speed"); - if ($tty =~ /^hvc\d/) { - $speed = 38400 unless $speed; - printf {$tmp} "h%d:23:respawn:", $xen_id; - printf {$tmp} "/sbin/getty %d %s\n", $speed, $tty; - $xen_id++; - } else { - $speed = 9600 unless $speed; - printf {$tmp} "T%d:23:respawn:", $serial_id; - if ($config->exists("$tty modem")) { - printf {$tmp} "/sbin/mgetty -x0 -s %d %s\n", $speed, $tty; - } else { - printf {$tmp} "/sbin/getty -L %s %d vt100\n", $tty, $speed; - } - - # id field is limited to 4 characters - if (++$serial_id >= 1000) { - warn "Ignoring $tty only 1000 serial devices supported\n"; - last; - } - } + while (<$sgetty>) { + if (/^ExecStart=/) { + $_ =~ s/115200,38400,9600/$speed/g; + } + print {$tmp} $_; } + close $sgetty; close $tmp; - - if (update($INITTAB, $TMPTAB)) { - - # This is same as telinit q - it tells init to re-examine inittab - kill 1, 1; + symlink("$TMPGETTY","$SYMGETTY"); + system("systemctl daemon-reload"); + if ( system("systemctl status serial-getty\@$tty.service 2>&1 > /dev/null")) { + system("systemctl start serial-getty\@$tty.service"); + } else { + system("systemctl restart serial-getty\@$tty.service"); } + } } my $GRUBCFG = "/boot/grub/grub.cfg"; @@ -135,7 +145,7 @@ sub update_grub { update($GRUBCFG, $GRUBTMP); } -update_inittab; +update_getty; update_grub; exit 0; -- cgit v1.2.3 From 6e334db424636f7612dd6d1f700b3be4197f5ec4 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Sat, 29 Apr 2017 15:47:18 +0200 Subject: update udev folder location and partially fix T290 --- scripts/rl-system.init | 4 ++-- scripts/system/vyatta_interface_rescan | 2 +- scripts/vyatta_net_name | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'scripts/system') diff --git a/scripts/rl-system.init b/scripts/rl-system.init index eaf4dbd5..62eac9e7 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init 
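Review bot: `$file` from readdir and `$tty` from the config node name are interpolated into single-string `system("systemctl stop $file")`, `system("systemctl start serial-getty\@$tty.service")` and the status probe, so every call goes through /bin/sh and any metacharacter in a unit or tty name is interpreted; list-form `system('systemctl', 'stop', $file)` passes the arguments verbatim at no cost. The status probe's `2>&1 > /dev/null` only silences stdout (stderr is pointed at the original stdout first), and `close $tmp` and `symlink(...)` are unchecked, so a short write of $TMPGETTY or a failed link still reaches daemon-reload and start. The bareword `DIR` handle should be a lexical, and `s/115200,38400,9600/$speed/g` presumably targets the stock unit's ExecStart line — if that string ever changes upstream the speed is silently left alone, which deserves a comment. The rewrite below also drops the `~~` membership test in favour of a hash of wanted unit names.
```perl
sub update_getty{
    my $directory = "/etc/systemd/system";
    my $config = new Vyatta::Config;
    $config->setLevel("system console device");
    # Unit names that must survive; a hash lookup replaces the smartmatch test.
    my %wanted = map { ("serial-getty\@$_.service" => 1) } $config->listNodes();

    opendir my $dh, $directory or die "Couldn't open dir '$directory': $!";
    while (my $file = readdir($dh)) {
        next unless $file =~ /^serial-getty/;
        next if $wanted{$file};
        # List form: no shell, the directory entry reaches systemctl verbatim.
        system('systemctl', 'stop', $file);
        # … unchanged: unlink of the unit file and its getty.target.wants symlink …
        system('systemctl', 'daemon-reload');
    }
    closedir $dh;

    # … unchanged: per-tty unit file generation from $SGETTY, speed substitution …
        close $tmp or die "Can't write $TMPGETTY: $!";
        # EEXIST is expected on re-run for units that were already enabled.
        symlink($TMPGETTY, $SYMGETTY)
            or $!{EEXIST}
            or die "Can't symlink $SYMGETTY: $!";
        system('systemctl', 'daemon-reload');
        # is-active --quiet gives the exit status without the output that
        # the old `status ... > /dev/null` redirection had to discard.
        if (system('systemctl', 'is-active', '--quiet', "serial-getty\@$tty.service") != 0) {
            system('systemctl', 'start', "serial-getty\@$tty.service");
        }
    }
}
```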
@@ -98,8 +98,8 @@ clear_or_override_config_files () } update_interface_config () { - if [ -d /dev/.udev/vyatta ]; then - $vyatta_sbindir/vyatta_interface_rescan /dev/.udev/vyatta $BOOTFILE + if [ -d /run/udev/vyatta ]; then + $vyatta_sbindir/vyatta_interface_rescan /run/udev/vyatta $BOOTFILE fi } diff --git a/scripts/system/vyatta_interface_rescan b/scripts/system/vyatta_interface_rescan index eb45da60..2e8ad8ca 100755 --- a/scripts/system/vyatta_interface_rescan +++ b/scripts/system/vyatta_interface_rescan @@ -98,7 +98,7 @@ sub get_phy { return $1; } -# vyatta_net_name leaves files in /dev/.udev/vyatta +# vyatta_net_name leaves files in /run/udev/vyatta # the filename is the interface and the contents are the hardware id sub interface_rescan { my ($VYATTAUDEV, $BOOTFILE) = @_; diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index 90dd8615..53ae9fba 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -23,7 +23,7 @@ use Fcntl qw(:flock); my $BOOTFILE = "/opt/vyatta/etc/config/config.boot"; my $VYATTACFG = "/opt/vyatta/config/active"; -my $UDEVDIR = "/dev/.udev/"; +my $UDEVDIR = "/run/udev/"; my $VYATTAUDEV = $UDEVDIR . "vyatta"; my $LOCKFILE = $UDEVDIR . ".vyatta-lock"; my $UDEVLOG = $UDEVDIR . "log/"; -- cgit v1.2.3 From 87266d5b27778af56a814347fdd8926274b9c315 Mon Sep 17 00:00:00 2001 From: sayo Date: Sun, 11 Jun 2017 16:29:07 +0100 Subject: Fix to generate correct NTP config when specifying ipv6 servers. --- scripts/system/vyatta_update_ntp.pl | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl index 36a2807e..eaaae14a 100755 --- a/scripts/system/vyatta_update_ntp.pl +++ b/scripts/system/vyatta_update_ntp.pl 
@@ -35,19 +35,14 @@ sub ntp_format { if (defined($ip)) { my $address = $ip->addr(); my $mask = $ip->mask(); - - if ($ip->masklen() == 32) { - if ($ip->version() == 6) { - return "-6 $address"; - } else { - return "$address"; - } + + if ( + ($ip->version() == 6 && $ip->masklen() == 128) + || ($ip->version() == 4 && $ip->masklen() == 32) + ) { + return "$address"; } else { - if ($ip->version() == 6) { - return "-6 $address mask $mask"; - } else { - return "$address mask $mask"; - } + return "$address mask $mask"; } } else { return undef; -- cgit v1.2.3 From 67747479b2f6d4998687f5e7eec5c5923d913124 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 3 Nov 2017 08:54:29 +0100 Subject: vyatta_update_console.pl uses systemd, remove inittab reference --- scripts/system/vyatta_update_console.pl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_console.pl b/scripts/system/vyatta_update_console.pl index 93f6a232..19937060 100755 --- a/scripts/system/vyatta_update_console.pl +++ b/scripts/system/vyatta_update_console.pl @@ -16,8 +16,7 @@ # # **** End License **** -# Update console configuration in /etc/inittab and grub -# based on Vyatta configuration +# Update console configuration in systemd and grub based on Vyatta configuration use strict; use warnings; -- cgit v1.2.3 From 7ddab704b12dc447a2d8e2acb9178a0d90f63b78 Mon Sep 17 00:00:00 2001 
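Review bot: The new condition enumerates the two host-mask widths by hand; NetAddr::IP reports the address width itself, so `if ($ip->masklen() == $ip->bits()) {` expresses the same test without the per-version branches and stays correct if another family is ever handled. A one-line comment on why the `-6` prefix was dropped would also help, since the commit message only says the previous output was wrong for IPv6 servers. ntp_format's opening line is outside the hunk.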
From: Christian Poessinger Date: Sat, 9 Dec 2017 15:28:24 +0100 Subject: T414: Remove 'telnet' service Telnet remote logins have been deprecated for decades. As Debian 'jessie' busybox no longer has a telnetd applet, this service is no longer available. --- Makefile.am | 1 - debian/changelog | 6 ++ scripts/system/vyatta_update_telnet | 84 ------------------------ templates/service/telnet/allow-root/node.def | 3 - templates/service/telnet/listen-address/node.def | 7 -- templates/service/telnet/node.def | 8 --- templates/service/telnet/port/node.def | 9 --- 7 files changed, 6 insertions(+), 112 deletions(-) delete mode 100755 scripts/system/vyatta_update_telnet delete mode 100644 templates/service/telnet/allow-root/node.def delete mode 100644 templates/service/telnet/listen-address/node.def delete mode 100644 templates/service/telnet/node.def delete mode 100644 templates/service/telnet/port/node.def (limited to 'scripts/system') diff --git a/Makefile.am b/Makefile.am index 169df296..9dfc957c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -56,7 +56,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl sbin_SCRIPTS += scripts/system/vyatta_update_console.pl sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl -sbin_SCRIPTS += scripts/system/vyatta_update_telnet sbin_SCRIPTS += scripts/system/irq-affinity.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl diff --git a/debian/changelog b/debian/changelog index 2d7dc77f..8d4ebc05 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.20.44+vyos2+current4) unstable; urgency=medium + + * T414: Remove telnetd service + + -- Christian Poessinger Sat, 09 Dec 2017 15:29:45 +0100 + vyatta-cfg-system (0.20.44+vyos2+current3) unstable; urgency=medium [ Kim Hagen ] 
diff --git a/scripts/system/vyatta_update_telnet b/scripts/system/vyatta_update_telnet deleted file mode 100755 index f50eef79..00000000 --- a/scripts/system/vyatta_update_telnet +++ /dev/null @@ -1,84 +0,0 @@ -#! /bin/bash -# Script to control telnet daemon parameters -# and block changes when logged in over telnet - -# Block changes to telnet daemon when logged in over telnet -pid=$(who -um | awk -F " " '{print $7}') -if [ -n "$pid" ]; then - if ps --pid $(ps --pid $pid -o ppid=) -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi -fi - -usage() { - echo "Usage: $0 enable " - echo " $0 disable" - echo " $0 allow-root {true|false}" - exit 1; -} - -allow-root() { - case "$1" in - true) ;; - false) ;; - *) echo "Expect true or false" - usage ;; - esac - - sudo sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty - - if [ $1 = "false" ]; then - return - fi - - sudo sh -c "cat >>/etc/securetty" < 0 && $VAR(@) <= 65535 ; \ - "Port number must be in range 1 to 65535" -commit:expression: exec "sudo /opt/vyatta/sbin/is_port_available.pl $VAR(@)"; \ - "Port $VAR(@) is already in use!" -- cgit v1.2.3 From 3f248ff90ecb28ae15dcf8e8191e79ca7889f69d Mon Sep 17 00:00:00 2001 
From: Daniil Baturin Date: Tue, 20 Feb 2018 06:36:24 +0100 Subject: Rename the "client" NTP option to "allow-clients" to make it more clear what it does (fixes T553). --- scripts/system/vyatta_update_ntp.pl | 4 ++-- templates/system/ntp/allow-clients/address/node.def | 6 ++++++ templates/system/ntp/allow-clients/node.def | 1 + templates/system/ntp/client/address/node.def | 6 ------ templates/system/ntp/client/node.def | 1 - 5 files changed, 9 insertions(+), 9 deletions(-) create mode 100644 templates/system/ntp/allow-clients/address/node.def create mode 100644 templates/system/ntp/allow-clients/node.def delete mode 100644 templates/system/ntp/client/address/node.def delete mode 100644 templates/system/ntp/client/node.def (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl index eaaae14a..78a617bc 100755 --- a/scripts/system/vyatta_update_ntp.pl +++ b/scripts/system/vyatta_update_ntp.pl @@ -78,10 +78,10 @@ my @clients; if ($dhclient_script == 1) { @servers = $cfg->listOrigNodes("server"); - @clients = $cfg->returnOrigValues("client address"); + @clients = $cfg->returnOrigValues("allow-clients address"); } else { @servers = $cfg->listNodes("server"); - @clients = $cfg->returnValues("client address"); + @clients = $cfg->returnValues("allow-clients address"); } if (scalar(@servers) > 0) { diff --git a/templates/system/ntp/allow-clients/address/node.def b/templates/system/ntp/allow-clients/address/node.def new file mode 100644 index 00000000..a48a2b5a --- /dev/null +++ b/templates/system/ntp/allow-clients/address/node.def @@ -0,0 +1,6 @@ +multi: +type: ipv4net,ipv6net +help: IP address + +val_help: ipv4net; IP address and prefix length +val_help: ipv6net; IPv6 address and prefix length diff --git a/templates/system/ntp/allow-clients/node.def b/templates/system/ntp/allow-clients/node.def new file mode 100644 index 00000000..8228130e --- /dev/null +++ b/templates/system/ntp/allow-clients/node.def 
@@ -0,0 +1 @@ +help: Network Time Protocol (NTP) server options diff --git a/templates/system/ntp/client/address/node.def b/templates/system/ntp/client/address/node.def deleted file mode 100644 index a48a2b5a..00000000 --- a/templates/system/ntp/client/address/node.def +++ /dev/null @@ -1,6 +0,0 @@ -multi: -type: ipv4net,ipv6net -help: IP address - -val_help: ipv4net; IP address and prefix length -val_help: ipv6net; IPv6 address and prefix length diff --git a/templates/system/ntp/client/node.def b/templates/system/ntp/client/node.def deleted file mode 100644 index dd849f8f..00000000 --- a/templates/system/ntp/client/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Network Time Protocol (NTP) client -- cgit v1.2.3 From 9505422dbae1429267930d2a189f2cfe3afca426 Mon Sep 17 00:00:00 2001 From: Kim Date: Thu, 5 Apr 2018 14:07:23 +0200 Subject: Do not restart tty, it will put you back at login screen. --- scripts/system/vyatta_update_console.pl | 2 -- 1 file changed, 2 deletions(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_console.pl b/scripts/system/vyatta_update_console.pl index 19937060..ff7c2df1 100755 --- a/scripts/system/vyatta_update_console.pl +++ b/scripts/system/vyatta_update_console.pl @@ -102,8 +102,6 @@ sub update_getty{ system("systemctl daemon-reload"); if ( system("systemctl status serial-getty\@$tty.service 2>&1 > /dev/null")) { system("systemctl start serial-getty\@$tty.service"); - } else { - system("systemctl restart serial-getty\@$tty.service"); } } } -- cgit v1.2.3 From 9f5c33ea3fb6101c7ce49abe3762d4d497c37ce9 Mon Sep 17 00:00:00 2001 
From: Christian Poessinger Date: Mon, 7 May 2018 22:41:31 +0200 Subject: T623: Rewrite NTP subsystem in new XML style interface definition --- Makefile.am | 1 - scripts/system/vyatta_update_ntp.pl | 115 --------------------- scripts/system/vyatta_update_resolv.pl | 15 --- scripts/vyatta-system-nameservers | 10 -- .../system/ntp/allow-clients/address/node.def | 6 -- templates/system/ntp/allow-clients/node.def | 1 - templates/system/ntp/node.def | 16 --- templates/system/ntp/server/node.def | 3 - .../system/ntp/server/node.tag/dynamic/node.def | 2 - .../system/ntp/server/node.tag/noselect/node.def | 1 - .../system/ntp/server/node.tag/preempt/node.def | 1 - .../system/ntp/server/node.tag/prefer/node.def | 1 - 12 files changed, 172 deletions(-) delete mode 100755 scripts/system/vyatta_update_ntp.pl delete mode 100644 templates/system/ntp/allow-clients/address/node.def delete mode 100644 templates/system/ntp/allow-clients/node.def delete mode 100644 templates/system/ntp/node.def delete mode 100644 templates/system/ntp/server/node.def delete mode 100644 templates/system/ntp/server/node.tag/dynamic/node.def delete mode 100644 templates/system/ntp/server/node.tag/noselect/node.def delete mode 100644 templates/system/ntp/server/node.tag/preempt/node.def delete mode 100644 templates/system/ntp/server/node.tag/prefer/node.def (limited to 'scripts/system') diff --git a/Makefile.am b/Makefile.am index 77088eaa..cfddd656 100644 --- a/Makefile.am +++ b/Makefile.am @@ -54,7 +54,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl sbin_SCRIPTS += scripts/system/vyatta_update_console.pl -sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl sbin_SCRIPTS += scripts/system/irq-affinity.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl 
diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl
deleted file mode 100755
index 78a617bc..00000000
--- a/scripts/system/vyatta_update_ntp.pl
+++ /dev/null
@@ -1,115 +0,0 @@ -#! /usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -# Filter ntp.conf - remove old servers and add current ones - -use strict; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; -use NetAddr::IP; -use Getopt::Long; - -my $dhclient_script = 0; - -GetOptions("dhclient-script=i" => \$dhclient_script, -); - -sub ntp_format { - my ($cidr_or_host) = @_; - my $ip = NetAddr::IP->new($cidr_or_host); - if (defined($ip)) { - my $address = $ip->addr(); - my $mask = $ip->mask(); - - if ( - ($ip->version() == 6 && $ip->masklen() == 128) - || ($ip->version() == 4 && $ip->masklen() == 32) - ) { - return "$address"; - } else { - return "$address mask $mask"; - } - } else { - return undef; - } -} - -my @ntp; -if (-e '/etc/ntp.conf') { - open (my $file, '<', '/etc/ntp.conf') - or die("$0: Error! Unable to open '/etc/ntp.conf' for input: $!\n"); - @ntp = <$file>; - close ($file); -} - -open (my $output, '>', '/etc/ntp.conf') - or die("$0: Error! 
Unable to open '/etc/ntp.conf' for output: $!\n"); - -my $cfg = new Vyatta::Config; -$cfg->setLevel("system ntp"); - -foreach my $line (@ntp) { - if ($line =~ /^# VyOS CLI configuration options/) { - print $output $line; - print $output "\n"; - last; - } else { - print $output $line; - } -} - -my @servers; -my @clients; - -if ($dhclient_script == 1) { - @servers = $cfg->listOrigNodes("server"); - @clients = $cfg->returnOrigValues("allow-clients address"); -} else { - @servers = $cfg->listNodes("server"); - @clients = $cfg->returnValues("allow-clients address"); -} - -if (scalar(@servers) > 0) { - print $output "# Servers\n\n"; - foreach my $server (@servers) { - my $server_addr = ntp_format($server); - if (defined($server_addr)) { - print $output "server $server_addr iburst"; - for my $property (qw(dynamic noselect preempt prefer)) { - if ($dhclient_script == 1) { - print $output " $property" if ($cfg->existsOrig("server $server $property")); - } else { - print $output " $property" if ($cfg->exists("server $server $property")); - } - } - print $output "\nrestrict $server_addr nomodify notrap nopeer noquery\n"; - } - } - print $output "\n"; -} - -if (scalar(@clients) > 0) { - print $output "# Clients\n\n"; - foreach my $client (@clients) { - my $address = ntp_format($client); - print $output "restrict $address nomodify notrap nopeer\n"; - } - print $output "\n"; -} - -exit 0; diff --git a/scripts/system/vyatta_update_resolv.pl b/scripts/system/vyatta_update_resolv.pl index 51617fce..de09a760 100755 --- a/scripts/system/vyatta_update_resolv.pl +++ b/scripts/system/vyatta_update_resolv.pl @@ -30,7 +30,6 @@ use Vyatta::Config; my $dhclient_script = 0; my $config_mode = 0; -my $ntp_config = 0; GetOptions("dhclient-script=i" => \$dhclient_script, "config-mode=i" => \$config_mode, 
@@ -45,7 +44,6 @@ my $disable_dhcp_nameservers = undef; if ($config_mode == 1) { $disable_dhcp_nameservers = $vc->exists('disable-dhcp-nameservers'); - $ntp_config = $vc->exists('ntp server'); } else { $disable_dhcp_nameservers = $vc->existsOrig('disable-dhcp-nameservers'); } @@ -53,7 +51,6 @@ if ($config_mode == 1) { if ($dhclient_script == 1) { @search_domains = $vc->returnOrigValues('domain-search domain'); $domain_name = $vc->returnOrigValue('domain-name'); - $ntp_config = $vc->existsOrig('ntp server'); } else { @search_domains = $vc->returnValues('domain-search domain'); $domain_name = $vc->returnValue('domain-name'); @@ -132,7 +129,6 @@ if ($domain_name && length($domain_name) > 0) { if (($dhclient_script == 1) || ($config_mode == 1)) { my @current_dhcp_nameservers; - my $restart_ntp = 0; # code below to add new name-servers received from dhcp client, but only if disable-dhcp-nameservers # hasn't been enabled. @@ -168,7 +164,6 @@ if (($dhclient_script == 1) || ($config_mode == 1)) { or die "$! error trying to overwrite"; print $rf "#nameserver written by vyatta_update_resolv.pl (dhcp)\nnameserver\t$ns\n"; close $rf; - $restart_ntp = 1; } } } @@ -206,7 +201,6 @@ if (($dhclient_script == 1) || ($config_mode == 1)) { $cmd = "sed -i -n '/nameserver\t$dhcpnameserver/".'{n;x;d;};x;1d;p;${x;p;}'."' /etc/resolv.conf"; } system($cmd); - $restart_ntp = 1; } } else { for my $dhcpnameserver (@dhcp_nameservers_in_resolvconf) { 
@@ -225,18 +219,9 @@ if (($dhclient_script == 1) || ($config_mode == 1)) { $cmd = "sed -i -n '/nameserver\t$dhcpnameserver/".'{n;x;d;};x;1d;p;${x;p;}'."' /etc/resolv.conf"; } system($cmd); - $restart_ntp = 1; } } } - if ($restart_ntp == 1) { - # this corresponds to what is done in name-server/node.def as a fix for bug 1300 - if ($ntp_config == 1) { - system("sudo /opt/vyatta/sbin/vyatta_update_ntp.pl --dhclient-script $dhclient_script"); - my $cmd_ntp_restart = "if [ -f /etc/ntp.conf ] && grep -q '^server' /etc/ntp.conf; then /usr/sbin/invoke-rc.d ntp restart >&/dev/null; fi &"; - system($cmd_ntp_restart); - } - } } # The following will re-write '/etc/resolv.conf' line by line, diff --git a/scripts/vyatta-system-nameservers b/scripts/vyatta-system-nameservers index 99019fd1..9c688e80 100755 --- a/scripts/vyatta-system-nameservers +++ b/scripts/vyatta-system-nameservers @@ -36,14 +36,6 @@ restart_dnsmasq () { fi } -restart_ntp () { - # restart ntp if ntp is configured - if [ -f /etc/ntp.conf ] && grep -q "^server" /etc/ntp.conf; then - sudo /opt/vyatta/sbin/vyatta_update_ntp.pl - /usr/sbin/invoke-rc.d ntp restart >&/dev/null - fi -} - update_system_nameservers () { nameserver=$1 touch /etc/resolv.conf @@ -70,7 +62,6 @@ update_system_nameservers () { mv -f /etc/resolv_tmp.conf /etc/resolv.conf fi restart_dnsmasq - restart_ntp } delete_system_nameserver () { @@ -79,7 +70,6 @@ delete_system_nameserver () { # remove specified nameserver sed -i "/$nameserver$/d" /etc/resolv.conf restart_dnsmasq - restart_ntp } # diff --git a/templates/system/ntp/allow-clients/address/node.def b/templates/system/ntp/allow-clients/address/node.def deleted file mode 100644 index a48a2b5a..00000000 --- a/templates/system/ntp/allow-clients/address/node.def +++ /dev/null @@ -1,6 +0,0 @@ -multi: -type: ipv4net,ipv6net -help: IP address - -val_help: ipv4net; IP address and prefix length -val_help: ipv6net; IPv6 address and prefix length 
diff --git a/templates/system/ntp/allow-clients/node.def b/templates/system/ntp/allow-clients/node.def deleted file mode 100644 index 8228130e..00000000 --- a/templates/system/ntp/allow-clients/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Network Time Protocol (NTP) server options diff --git a/templates/system/ntp/node.def b/templates/system/ntp/node.def deleted file mode 100644 index 38e67e05..00000000 --- a/templates/system/ntp/node.def +++ /dev/null @@ -1,16 +0,0 @@ -priority: 400 -help: Network Time Protocol (NTP) configuration - -end: - sudo /opt/vyatta/sbin/vyatta_update_ntp.pl - if grep -q '^server' /etc/ntp.conf - then - if pgrep -f -u ntp /usr/sbin/ntpd > /dev/null - then - sudo /usr/sbin/invoke-rc.d ntp force-reload - else - sudo /usr/sbin/invoke-rc.d ntp start - fi - else - sudo /usr/sbin/invoke-rc.d ntp stop - fi diff --git a/templates/system/ntp/server/node.def b/templates/system/ntp/server/node.def deleted file mode 100644 index 383bd992..00000000 --- a/templates/system/ntp/server/node.def +++ /dev/null @@ -1,3 +0,0 @@ -tag: -type: txt -help: Network Time Protocol (NTP) server diff --git a/templates/system/ntp/server/node.tag/dynamic/node.def b/templates/system/ntp/server/node.tag/dynamic/node.def deleted file mode 100644 index 2d68de16..00000000 --- a/templates/system/ntp/server/node.tag/dynamic/node.def +++ /dev/null @@ -1,2 +0,0 @@ -help: Allow server to be configured even if not reachable - diff --git a/templates/system/ntp/server/node.tag/noselect/node.def b/templates/system/ntp/server/node.tag/noselect/node.def deleted file mode 100644 index e2e061b5..00000000 --- a/templates/system/ntp/server/node.tag/noselect/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Marks the server as unused diff --git a/templates/system/ntp/server/node.tag/preempt/node.def b/templates/system/ntp/server/node.tag/preempt/node.def deleted file mode 100644 index ca89efa1..00000000 --- a/templates/system/ntp/server/node.tag/preempt/node.def +++ /dev/null 
@@ -1 +0,0 @@ -help: Specifies the association as preemptable rather than the default persistent diff --git a/templates/system/ntp/server/node.tag/prefer/node.def b/templates/system/ntp/server/node.tag/prefer/node.def deleted file mode 100644 index 4855fd41..00000000 --- a/templates/system/ntp/server/node.tag/prefer/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Marks the server as preferred -- cgit v1.2.3 From ea256dc7956a3fbe5947c0ad9da9e90dd2320327 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Wed, 16 May 2018 06:41:40 +0200 Subject: T574: remove the old system host-name/domain-name commands, moving to vyos-1x. --- scripts/system/vyatta_update_hosts.pl | 114 ---------------------------------- templates/system/domain-name/node.def | 12 ---- templates/system/host-name/node.def | 12 ---- 3 files changed, 138 deletions(-) delete mode 100755 scripts/system/vyatta_update_hosts.pl delete mode 100644 templates/system/domain-name/node.def delete mode 100644 templates/system/host-name/node.def (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_hosts.pl b/scripts/system/vyatta_update_hosts.pl deleted file mode 100755 index 22b141ab..00000000 --- a/scripts/system/vyatta_update_hosts.pl +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/usr/bin/perl -w -# -# Module: vyatta_update_hosts.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2012-2013 Vyatta, Inc. -# All Rights Reserved. -# -# Description: -# Script to update '/etc/hosts' on commit of 'system host-name' and -# 'system domain-name' config. -# -# **** End License **** -# - -use strict; -use English; -use lib "/opt/vyatta/share/perl5/"; - -use File::Temp qw(tempfile); -use Vyatta::File qw(touch); -use Vyatta::Config; -use Getopt::Long; - -my $HOSTS_CFG = '/etc/hosts'; -my $HOSTS_TMPL = "/tmp/hosts.XXXXXX"; -my $HOSTNAME_CFG = '/etc/hostname'; -my $MAILNAME_CFG = '/etc/mailname'; -my $restart_services = 1; - -sub set_hostname { - my ( $hostname ) = @_; - system("hostname $hostname"); - open (my $f, '>', $HOSTNAME_CFG) - or die("$0: Error! Unable to open $HOSTNAME_CFG for output: $!\n"); - print $f "$hostname\n"; - close ($f); -} - -sub set_mailname { - my ( $mailname ) = @_; - open (my $f, '>', $MAILNAME_CFG) - or die("$0: Error! Unable to open $MAILNAME_CFG for output: $!\n"); - print $f "$mailname\n"; - close ($f); -} - -if ($EUID != 0) { - printf("This program must be run by root.\n"); - exit 1; -} - -GetOptions("restart-services!" => \$restart_services); - -my $vc = new Vyatta::Config(); - -$vc->setLevel('system'); -my $host_name = $vc->returnValue('host-name'); -my $domain_name = $vc->returnValue('domain-name'); -my $mail_name; -my $hosts_line = "127.0.1.1\t "; - -if (! 
defined $host_name) { - $host_name = 'vyatta'; -} -$mail_name = $host_name; - -if (defined $domain_name) { - $mail_name .= '.' . $domain_name; - $hosts_line .= $host_name . '.' . $domain_name; -} -$hosts_line .= " $host_name\t #vyatta entry\n"; - -my ($out, $tempname) = tempfile($HOSTS_TMPL, UNLINK => 1) - or die "Can't create temp file: $!"; - -if (! -e $HOSTS_CFG) { - touch $HOSTS_CFG; -} -open (my $in, '<', $HOSTS_CFG) - or die("$0: Error! Unable to open '$HOSTS_CFG' for input: $!\n"); - -while (my $line = <$in>) { - if ($line =~ m:^127.0.1.1:) { - next; - } - print $out $line; -} -print $out $hosts_line; - -close ($in); -close ($out); - -system("cp $tempname $HOSTS_CFG") == 0 - or die "Can't copy $tempname to $HOSTS_CFG: $!"; - -set_hostname $host_name; -set_mailname $mail_name; - -# Restart services that use the system hostname; -# add more ase needed. -if ($restart_services) { - system("invoke-rc.d rsyslog restart"); -} diff --git a/templates/system/domain-name/node.def b/templates/system/domain-name/node.def deleted file mode 100644 index 4866ddf8..00000000 --- a/templates/system/domain-name/node.def +++ /dev/null @@ -1,12 +0,0 @@ -priority: 400 -type: txt -help: System domain name - -# Allow letter-number-hyphen in label (but can not start or end with hyphen) -syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_domainname.pl $VAR(../host-name).$VAR(@)" - -update: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl - sudo /opt/vyatta/sbin/vyatta_update_hosts.pl --no-restart-services - -delete: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl - sudo /opt/vyatta/sbin/vyatta_update_hosts.pl --no-restart-services diff --git a/templates/system/host-name/node.def b/templates/system/host-name/node.def deleted file mode 100644 index 00798bef..00000000 --- a/templates/system/host-name/node.def +++ /dev/null 
@@ -1,12 +0,0 @@ -priority: 100 -type: txt -help: System host name (default: vyos) -default: "vyos" -syntax:expression: pattern $VAR(@) "^[[:alnum:]][-.[:alnum:]]*[[:alnum:]]$" - ; "invalid host name $VAR(@)" - -syntax:expression: pattern $VAR(@) "^.{1,63}$" ; "invalid host-name length" - -update: sudo /opt/vyatta/sbin/vyatta_update_hosts.pl - -delete: sudo /opt/vyatta/sbin/vyatta_update_hosts.pl -- cgit v1.2.3 From 540269c58ea647a4695a78b79714f61a2d1b80db Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 17 May 2018 19:21:25 +0200 Subject: T648: fix custom sysctl setting because of output redirection --- scripts/system/vyatta_update_sysctl.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts/system') diff --git a/scripts/system/vyatta_update_sysctl.pl b/scripts/system/vyatta_update_sysctl.pl index ddf10115..6e33c5d0 100644 --- a/scripts/system/vyatta_update_sysctl.pl +++ b/scripts/system/vyatta_update_sysctl.pl @@ -62,7 +62,7 @@ sub set_sysctl_value { my $ovalue = get_sysctl_value($sysctl_opt); if ($nvalue ne $ovalue) { - my $cmd = "$SYSCTL -w $sysctl_opt=$nvalue 2>&1 1>&-"; + my $cmd = "$SYSCTL -w $sysctl_opt=$nvalue 2>&1> /dev/null"; system($cmd); if ($? >> 8) { die "exec of $SYSCTL failed: '$cmd'"; -- cgit v1.2.3 From a628e955dc687c64192947c280bbe374c5b2502c Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Mon, 28 May 2018 11:16:48 +0200 Subject: Ignore nss mapuser when radius is enabled. --- lib/Vyatta/Login/User.pm | 2 +- scripts/system/vyatta_check_username.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'scripts/system') diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm index e0305fbb..02fb96ee 100755 --- a/lib/Vyatta/Login/User.pm +++ b/lib/Vyatta/Login/User.pm 
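Review bot: `$cmd` is still a single string holding `$sysctl_opt` and `$nvalue`, and the redirection guarantees `system($cmd)` runs it through /bin/sh, so any shell metacharacter in a configured key or value is interpreted rather than handed to sysctl. The list form removes the shell, and the stdout discard this commit repairs can be done with a pipe-open instead of a redirection string. Also note that `2>&1> /dev/null` sends stderr to the original stdout before stdout is pointed at /dev/null, so sysctl's error text ends up on the caller's stdout — presumably intended, but worth a comment. set_sysctl_value starts and ends outside the hunk.
```perl
    if ($nvalue ne $ovalue) {
        # List form: no /bin/sh, so $sysctl_opt and $nvalue reach sysctl verbatim.
        # stdout is read and dropped; stderr stays on the caller's stderr.
        open(my $out, '-|', $SYSCTL, '-w', "$sysctl_opt=$nvalue")
            or die "exec of $SYSCTL failed: $!";
        my @ignored = <$out>;
        close($out);
        if ($? >> 8) {
            die "exec of $SYSCTL failed: '$SYSCTL -w $sysctl_opt=$nvalue'";
        }
```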
@@ -167,7 +167,7 @@ sub _update_user {
 # not found in existing passwd, must be new
 my $cmd;
- unless ( defined($uid) ) {
+ unless ( defined($uid) and $uid ne "1001" ) {
 # make new user using vyatta shell
 # and make home directory (-m)
 # and with default group of 100 (users)
diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
index 30917ecb..9ecc42db 100755
--- a/scripts/system/vyatta_check_username.pl
+++ b/scripts/system/vyatta_check_username.pl
@@ -68,7 +68,7 @@ foreach my $user (@ARGV) {
 # User does not exist in system, its okay
 my $uid = getpwnam($user);
- next unless defined($uid);
+ next unless defined($uid) and $uid ne "1001";
 # System accounts should not be listed in vyatta configuration
 # 1000 is SYS_UID_MIN
-- cgit v1.2.3
From 4524181410b68367d91e07552466ef577ac5b0e3 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 8 Jun 2018 10:52:32 +0200
Subject: T652: remove SNMP perl scripts
---
Makefile.am | 3 -
scripts/snmp/if-mib-alias | 129 ------
scripts/snmp/vyatta-snmp-v3.pl | 676 -------------------------------
scripts/snmp/vyatta-snmp.pl | 333 ---------------
scripts/system/vyatta_check_snmp_name.pl | 31 --
5 files changed, 1172 deletions(-)
delete mode 100755 scripts/snmp/if-mib-alias
delete mode 100755 scripts/snmp/vyatta-snmp-v3.pl
delete mode 100755 scripts/snmp/vyatta-snmp.pl
delete mode 100755 scripts/system/vyatta_check_snmp_name.pl
(limited to 'scripts/system')
diff --git a/Makefile.am b/Makefile.am
index 3e70ca59..01ea0ce6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -43,7 +43,6 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
-sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl
 sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl
 sbin_SCRIPTS += scripts/system/vyatta_interface_rescan
 sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
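Review bot: The uid of the nss mapuser account is hard-coded as the string `"1001"` in the new `unless` condition, and the same literal is repeated in the vyatta_check_username.pl hunk that follows; on an install where 1001 has been handed to an ordinary account, that account would silently be treated as the mapuser. Resolving the uid once from the mapuser account name with `getpwnam`, or at least a single named constant shared by both scripts and compared numerically (`$uid != 1001` rather than `$uid ne "1001"`), keeps the two checks in step. In _update_user the new condition also sends an existing uid-1001 entry down the create-new-user branch; whether the commands that follow tolerate an already-present passwd entry is not visible here, since _update_user continues outside the hunk.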
@@ -53,8 +52,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_console.pl
 sbin_SCRIPTS += scripts/system/irq-affinity.pl
-sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
-sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl
 sbin_SCRIPTS += scripts/snmp/if-mib-alias
 sbin_SCRIPTS += scripts/telnetd.init
 sbin_SCRIPTS += scripts/dynamic-dns/vyatta-dynamic-dns.pl
diff --git a/scripts/snmp/if-mib-alias b/scripts/snmp/if-mib-alias
deleted file mode 100755
index d17644e9..00000000
--- a/scripts/snmp/if-mib-alias
+++ /dev/null
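Review bot: `sbin_SCRIPTS += scripts/snmp/if-mib-alias` survives as context in this hunk while the same commit deletes scripts/snmp/if-mib-alias (the `delete mode` entry in the commit record and the `/dev/null` diff below), so the install list now names a file that no longer exists and `make install` will fail on it. The line should go with the two snmp entries removed just above it: drop `sbin_SCRIPTS += scripts/snmp/if-mib-alias`. The only other reference to that script visible on the page is the `pass` line generated by vyatta-snmp.pl, which this commit also removes.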
@@ -1,129 +0,0 @@ -#! /usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Stephen Hemminger -# Date: October 2010 -# Description: script is run as net-snmp extension to read interface alias -# -# **** End License **** - -use strict; -use warnings; -use feature "switch"; - -# Collect interface all alias values -sub get_alias { - my @interfaces; - - open (my $ip, '-|', 'ip li') - or die "Can't run ip command\n"; - my $index; - while(<$ip>) { - if (/^(\d+): ([^:]*): /) { - $index = $1; - $interfaces[$index] = $2; - } elsif (/^ +alias (.*)$/) { - $interfaces[$index] = $1; - } - } - close $ip; - return @interfaces; -} - -sub get_oid { - my $oid = shift; - die "Not a valid Object ID: $oid" - unless ($oid =~ /.(\d+)$/); - - my $ifindex = $1; - my @interfaces = get_alias(); - - my $ifalias = $interfaces[$ifindex]; - print "$oid\nstring\n$ifalias\n" if $ifalias; -} - -# OID of ifAlias [RFC2863] -my $BASE = '.1.3.6.1.2.1.31.1.1.1.18'; - -sub get_next { - my $oid = shift; - - return get_next("$BASE.0") - if ($oid eq $BASE); - - die "Not a valid Object ID: $oid" - unless ($oid =~ /^(\S*)\.(\d+)$/); - - my $base = $1; - my $ifindex = $2; - my @interfaces = get_alias(); - - while (++$ifindex <= $#interfaces) { - my $ifalias = $interfaces[$ifindex]; - if ($ifalias) { - print "$base.$ifindex\nstring\n$ifalias\n"; - last; - } - } -} - -sub ifindextoname { - my $ifindex = shift; - - open (my $ip, '-|', 'ip li') - 
or die "Can't run ip command\n"; - my $index; - while(<$ip>) { - next unless (/^(\d+): ([^:]*): /); - return $2 if ($1 == $ifindex); - } - return; -} - -sub set_oid { - my ($oid, $target, $value) = @_; - die "Not a valid Object ID: $oid" - unless ($oid =~ /\.(\d+)$/); - my $ifindex = $1; - unless ($target eq 'string') { - print "wrong-type\n"; - return; - } - - my $ifname = ifindextoname($ifindex); - if ($ifname) { - system("ip li set $ifname alias '$value' >/dev/null 2>&1"); - print "not-writeable\n" if ($? != 0); - } -} - -sub usage { - warn "Usage: $0 {-g|-n} OID\n"; - warn " $0 -s OID TARGET VALUE\n"; - exit 1; -} - -usage unless $#ARGV >= 1; - -given ($ARGV[0]) { - when ('-g') { get_oid ($ARGV[1]); } - when ('-n') { get_next ($ARGV[1]); } - when ('-s') { set_oid ($ARGV[1], $ARGV[2], $ARGV[3]); } - default { - warn "$ARGV[0] unknown flag\n"; - usage; - } -} diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl deleted file mode 100755 index a2d738eb..00000000 --- a/scripts/snmp/vyatta-snmp-v3.pl +++ /dev/null 
@@ -1,676 +0,0 @@ -#!/usr/bin/perl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use File::Copy; -use Getopt::Long; -use Socket; -use Socket6; - -my $snmp_v3_level = 'service snmp v3'; -my $snmp_restart = 'systemctl restart snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_reload = 'systemctl reload snmpd.service'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; -my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; -my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; - -my $oldEngineID = ""; -my $setserialno = ""; - -my %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" -); - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr( rand(256) ) } 1 .. 
( $length / 2 ); -} - -sub snmpd_running { - open( my $pidf, '<', "/run/snmpd.pid" ) - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); -} - -sub check_snmp_exit_code { - my $code = shift; - - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ( $code != 0 && $code != 256 ) { - return 1; - } - else { - return 0; - } -} - -sub snmpd_stop { - system("$snmp_stop > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); - } -} - -sub snmpd_start { - system("$snmp_start > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not start snmpd!\n"; - exit(1); - } -} - -sub snmpd_update { - system("$snmp_reload > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); - } -} - -sub snmpd_restart { - system("$snmp_restart > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) 
) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); - } -} - -# get vyatta version -sub get_version { - my $version = "unknown-version"; - - if ( open( my $f, '<', $versionfile ) ) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -sub ipv6_disabled { - socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) - or return 1; - close($s); - return; -} - -# write tsm config from current to snmpd_conf -sub set_tsm { - my $config = get_snmp_config(); - if ( $config->exists("tsm") ) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system( -"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" - ); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); - } -} - -# delete all SNMP config files -# can be called directly -sub snmp_delete { - snmpd_stop(); - - my @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); - foreach my $file (@files) { - if ( -e $file ) { - unlink($file); - } - } -} - -sub get_snmp_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_v3_level); - return $config; -} - -# write views from vyatta config to snmpd_conf -sub set_views { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ( $config->listNodes("view") ) { - foreach my $oid ( $config->listNodes("view $view oid") ) { - my $mask = ''; - $mask = $config->returnValue("view $view oid $oid mask") - if $config->exists("view $view oid $oid mask"); - if ( $config->exists("view $view oid $oid exclude") ) { - print "view $view excluded .$oid $mask\n"; - } - else { - print "view $view included .$oid $mask\n"; - } - } - } - print "\n"; -} - -# write groups from vyatta config to snmpd_conf -sub set_groups { - print -"#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ( $config->listNodes("group") ) { - my $mode = 
$config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - my $secLevel = $config->returnValue("group $group seclevel"); - if ( $mode eq "ro" ) { - print "access $group \"\" usm $secLevel exact $view none none\n"; - print "access $group \"\" tsm $secLevel exact $view none none\n"; - } - else { - print "access $group \"\" usm $secLevel exact $view $view none\n"; - print "access $group \"\" tsm $secLevel exact $view $view none\n"; - } - } - print "\n"; -} - -# write users from vyatta config to snmpd_conf -sub set_users_in_etc { - - print "#group\n"; - my $tsm_counter = 0; - my $config = get_snmp_config(); - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("group") ) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; - } - if ( $config->exists("tsm-key") ) { - my $cert = $config->returnValue("tsm-key"); - $tsm_counter++; - print "certSecName $tsm_counter $cert --sn $user\n"; - } - } - - print "\n"; -} - -# write users from vyatta config to config files in /usr & /var -sub set_users_to_other { - open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open( my $var_conf, '>>', $snmpd_var_conf_tmp ) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ( $config->exists("tsm") ) { - $needTsm = 1; - } - - my %trap_users = (); - - foreach my $trap ( $config->listNodes("trap-target") ) { - $trap_users{ $config->returnValue("trap-target $trap user") } = 1; - } - - foreach my $user ( $config->listNodes("user") ) { - delete $trap_users{$user}; - $config->setLevel( $snmp_v3_level . 
" user $user" ); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ( $config->exists("auth") ) { - if ( $config->exists("auth plaintext-key") ) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = ''; - $priv_key = $config->returnValue("privacy plaintext-key") - if $config->exists("privacy plaintext-key"); - print $var_conf -"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } - else { - my $name_print = get_printable_name($user); - my $EngineID = $config->returnValue("engineid"); - if ( $EngineID eq "" ) { - die "ERROR: engineid is null\n"; - } - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - - my ( $priv_type_oid, $priv_key_hex ); - if ( $config->exists("privacy") ) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = - $config->returnValue("privacy encrypted-key"); - } - else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf -"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } - } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ( $config->exists("privacy") ) { - $end = "priv"; - } - print $usr_conf $mode . "user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode . "user -s tsm $user $end\n"; - } - } - -# add users for trap if they are not exists in vyatta config /services/snmp/v3/user - foreach my $user ( keys %trap_users ) { - my $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x" - . randhex(26) - . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" - . randhex(32) - . 
" .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth\n"; - } - - print $var_conf "setserialno $setserialno\n" - if !($setserialno eq ""); - print $var_conf "oldEngineID $oldEngineID\n" - if !($oldEngineID eq ""); - - close $usr_conf; - close $var_conf; -} - -# if name contains '-' then it must be printed in hex format -sub get_printable_name { - my $name = shift; - if ( $name =~ /-/ ) { - my @array = unpack( 'C*', $name ); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf( "%lx", $c ); - } - return $stringHex; - } - else { - return "\"$name\""; - } -} - - -# read encrypted keys from config file in /var to vyatta config -# read additional info from config file in /var to VConfig variable -# delete plaintext passwords in vyatta config -sub update_users_vyatta_conf { - open( my $var_conf, '<', $snmpd_var_conf ) - or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while ( my $line = <$var_conf> ) { - if ( $line =~ /^oldEngineID (.*)$/ ) { - my $value = $1; - if ($config->exists("engineid") && - $config->returnValue("engineid") eq ""){ - system( -"/opt/vyatta/sbin/my_set service snmp v3 engineid $value > /dev/null" - ); - } - } - if ( $line =~ /^usmUser / ) { - my @values = split( / /, $line ); - my $name = $values[4]; - if ( $name =~ /^"(.*)"$/ ) { - $name = $1; - } - else { - $name = pack( 'H*', $name ); - } - - # this file contain users for trap-target and vyatta... 
user - # these users recreating automatically on each commit - if ( $config->exists("user $name") ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" engineid $values[3] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" - ); - if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" - ); - } - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" - ); - } - } - } - close $var_conf; -} - -# write trap-target hosts from vyatta config to snmpd_conf -sub set_hosts { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ( $config->listNodes("trap-target") ) { - $config->setLevel( $snmp_v3_level . " trap-target $target" ); - my $auth_key = ''; - if ( $config->exists("auth plaintext-key") ) { - $auth_key = "-A " . $config->returnValue("auth plaintext-key"); - } - else { - $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = '-Ci'; - $inform_flag = '-Ci' if ( $type eq 'inform' ); - - if ( $type eq 'trap' ) { - $inform_flag = '-e ' . $config->returnValue("engineid"); - } - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ( $config->exists("privacy") ) { - my $priv_key = ''; - if ( $config->exists("privacy plaintext-key") ) { - $priv_key = - "-X " . $config->returnValue("privacy plaintext-key"); - } - else { - $priv_key = - "-3M " . 
$config->returnValue("privacy encrypted-key"); - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - - # TODO understand difference between master and local - # Uses: - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - # Current use only master - my $target_print = $target; - if ( $target =~ /:/ ) { - $target_print = "[$target]"; - $protocol = $protocol . "6"; - } - print -"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; -} - -# check changes in auth and privacy nodes -# deny set encrypted-key in case engineid wasn't set -sub check_user_auth_changes { - my $config = get_snmp_config(); - my $v3engineid = ""; - - if($config->exists("engineid")){ - $v3engineid=$config->returnValue("engineid"); - } - - if ( $config->isChanged("user") || $config->isChanged("engineid")) { - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("engineid") && - !($v3engineid eq "" ) && - !($config->returnValue("engineid") eq "" ) && - !($config->returnValue("engineid") eq $v3engineid)){ - print -"Warning: Encrypted key(s) for snmp v3 user \"$user\" was(were) generated for another SNMP engineid. It won't work. Please recreate this user.\n"; - } - if ( $config->exists("auth") ) { - if ( - !( - $config->exists("engineid") && - ( - $config->exists("auth encrypted-key") || - $config->exists("privacy encrypted-key") - ) - ) - ) - { - $haveError = 1; - print -"Discard encrypted-key on user \"$user\". 
It's necessary to setup engineid the encrypted-key was generated with.\n"; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthEKeyChanged = $config->isChanged("auth encrypted-key"); - if ( $config->exists("privacy") ) { - my $isPrivKeyChanged = - $config->isChanged("privacy plaintext-key"); - my $isPrivEKeyChanged = - $config->isChanged("privacy encrypted-key"); - if ( ($isPrivEKeyChanged && !$isAuthEKeyChanged) - || ($isPrivKeyChanged && !$isAuthKeyChanged) ) { - $haveError = 1; - print - "Please, set correct auth and privacy for user \"$user\"\n"; - print - "Set plaintext-key for auth and privacy or set encrypted-key for both\n"; - } - } - } - else { - if ( $config->exists("privacy") ) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); - } - } -} - -# check relation between user & group & view -sub check_relation { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( !$config->exists("group $group") ) { - $haveError = 1; - print -"Please, create group \"$group\". It's need for user \"$user\"\n"; - } - } - } - foreach my $group ( $config->listNodes("group") ) { - my $view = $config->returnValue("group $group view"); - if ( !$config->exists("view $view") ) { - $haveError = 1; - print - "Please, create view \"$view\". It's need for group \"$group\"\n"; - } - } - if ($haveError) { - exit(1); - } -} - -# check is new tsm port free on system -sub check_tsm_port { - my $config = get_snmp_config(); - if ( $config->isChanged("tsm port") ) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - my $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line ( split( /\n/, $output ) ) { - if ( $line =~ /$reg/ ) { - print - "Actually port $port is using. 
It can not be used for tsm.\n"; - exit(1); - } - } - } -} - -# check group seclevel and user auth/privacy -sub check_seclevel { - my $config = get_snmp_config(); - my $haveError = 0; - if ( $config->isChanged("user") || $config->isChanged("group") ) { - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( $config->isChanged("user $user") - || $config->isChanged("group $group") ) - { - my $group_seclevel = - $config->returnValue("group $group seclevel"); - if ( $config->exists("user $user privacy") ) { - if ( $group_seclevel eq "auth" ) { - print -"User \"$user\" have privacy, but group \"$group\" have \"auth\" as seclevel. So auth and priv work both.\n"; - } - } - else { - if ( $group_seclevel eq "priv" ) { - print -"User \"$user\" will not work, because he haven't privacy, but group \"$group\" have \"priv\" as seclevel.\n"; - $haveError = 1; - } - } - } - } - } - } - if ($haveError) { - exit(1); - } -} - -sub copy_conf_to_tmp { - - # these files already contain SNMPv2 configuration - copy( $snmpd_conf, $snmpd_conf_tmp ) - or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) - or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) - or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; -} - -# update all vyatta config -# can be called directly -sub snmp_update { - - copy_conf_to_tmp(); - - set_tsm(); - - open( my $fh, '>>', $snmpd_conf_tmp ) - or die "Couldn't open $snmpd_conf_tmp - $!"; - - select $fh; - - set_views(); - set_groups(); - set_hosts(); - set_users_in_etc(); - - close $fh; - select STDOUT; - - move( $snmpd_conf_tmp, $snmpd_conf ) - or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; - - my $config = get_snmp_config(); - if ($config->exists("engineid")) { - $oldEngineID = $config->returnValue("engineid"); - } - - 
snmpd_stop(); - - #add newly added users to var config to get encrypted values - set_users_to_other(); - - move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) - or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; - move( $snmpd_var_conf_tmp, $snmpd_var_conf ) - or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; - - snmpd_start(); - snmpd_stop(); - - # now we have encrypted user config - start and read it after - snmpd_start(); - update_users_vyatta_conf(); -} - -# validate vyatta config before write it into files -# can be called directly -sub snmp_check { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - check_seclevel(); -} - -my $check_config; -my $update_snmp; -my $delete_snmp; - -GetOptions( - "check-config!" => \$check_config, - "update-snmp!" => \$update_snmp, - "delete-snmp!" => \$delete_snmp, - "oldEngineID=s" => \$oldEngineID, - "setserialno=s" => \$setserialno -); - -snmp_check() if ($check_config); -snmp_update() if ($update_snmp); -snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl deleted file mode 100755 index 5c4ff1d0..00000000 --- a/scripts/snmp/vyatta-snmp.pl +++ /dev/null 
@@ -1,333 +0,0 @@ -#!/usr/bin/perl -# -# Module: vyatta-snmp.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Stig Thormodsrud -# Date: October 2007 -# Description: Script to glue vyatta cli to snmp daemon -# -# **** End License **** -# - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use Vyatta::Misc; -use NetAddr::IP; -use Getopt::Long; -use File::Copy; -use Socket; -use Socket6; - -my $mibdir = '/opt/vyatta/share/snmp/mibs'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_conf = '/etc/snmp/snmpd.conf'; -my $snmp_client = '/etc/snmp/snmp.conf'; -my $snmp_tmp = "/tmp/snmpd.conf.$$"; -my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; -my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; -my $password_file = '/config/snmp/superuser_pass'; - -my $snmp_level = 'service snmp'; - -sub snmp_running { - open (my $pidf, '<', "/run/snmpd.pid") - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); -} - -sub snmp_stop { - system("$snmp_stop > /dev/null 2>&1"); -} - -sub snmp_start { - # we must stop snmpd first for creating vyatta user - system("$snmp_stop > /dev/null 2>&1"); - open (my $fh, '>', 
$snmp_tmp) - or die "Couldn't open $snmp_tmp - $!"; - - select $fh; - snmp_get_constants(); - snmp_get_values(); - snmp_get_traps(); - close $fh; - select STDOUT; - - snmp_client_config(); - - move($snmp_tmp, $snmp_conf) - or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; -} - -sub get_version { - my $version = "unknown-version"; - - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -# convert address to snmpd transport syntax -sub transport_syntax { - my ($addr, $port) = @_; - my $ip = new NetAddr::IP $addr; - die "$addr: not a valid IP address" unless $ip; - - my $version = $ip->version(); - return "udp:$addr:$port" if ($version == 4); - return "udp6:[$addr]:$port" if ($version == 6); - die "$addr: unknown IP version $version"; -} - -# Test if IPv6 is possible by opening a socket -sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; - close($s); - return; -} - -# Find SNMP agent listening addresses -sub get_listen_address { - my $config = new Vyatta::Config; - my @listen; - - $config->setLevel('service snmp listen-address'); - my @address = $config->listNodes(); - - if(@address) { - foreach my $addr (@address) { - my $port = $config->returnValue("$addr port"); - push @listen, transport_syntax($addr, $port); - } - } else { - # default if no address specified - @listen = ( 'udp:161' ); - push @listen, 'udp6:161' unless ipv6_disabled(); - return @listen; - } - - return @listen; -} - -sub snmp_get_constants { - my $version = get_version(); - my $now = localtime; - my @addr = get_listen_address(); - - # add local unix domain target for use by operational commands - unshift @addr, $local_agent; - - print "# autogenerated by vyatta-snmp.pl on $now\n"; - print "sysDescr VyOS $version\n"; - print "sysObjectID 1.3.6.1.4.1.44641\n"; - print "sysServices 14\n"; - print "master agentx\n"; # maybe needed by lldpd - print 
"agentaddress ", join(',',@addr), "\n"; - print "agentXPerms 0755 0755\n"; - - # add hook to read IF-MIB::ifAlias from sysfs - print "pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias\n"; - - print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.9\n"; # mribd - print "smuxpeer .1.3.6.1.2.1.83\n"; # mribd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.8\n"; # pimd - print "smuxpeer .1.3.6.1.2.1.157\n"; # pimd - print "smuxsocket localhost\n"; -} - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); -} - -# output snmpd.conf file syntax for community -sub print_community { - my ($config, $community) = @_; - my $ro = $config->returnValue('authorization'); - $ro = 'ro' unless $ro; - - my @clients = $config->returnValues('client'); - my @networks = $config->returnValues('network'); - - my @restriction = (@clients, @networks); - if (!@restriction) { - print $ro . "community $community\n"; - print $ro . "community6 $community\n" unless ipv6_disabled(); - return; - } - - foreach my $addr (@restriction) { - my $ip = new NetAddr::IP $addr; - die "$addr: Not a valid IP address" unless $ip; - - if ($ip->version() == 4) { - print $ro . "community $community $addr\n"; - } elsif ($ip->version() == 6) { - print $ro . 
"community6 $community $addr\n"; - } else { - die "$addr: bad IP version ", $ip->version(); - } - } -} - -sub snmp_get_values { - my $config = new Vyatta::Config; - - my @communities = $config->listNodes("service snmp community"); - foreach my $community (@communities) { - $config->setLevel("service snmp community $community"); - print_community($config, $community); - } - - $config->setLevel("service snmp smux-peer"); - my @smuxpeers = $config->returnValues(); - foreach my $smuxpeer (@smuxpeers) { - print "smuxpeer $smuxpeer \n"; - } - - $config->setLevel($snmp_level); - my $contact = $config->returnValue("contact"); - if (defined $contact) { - print "SysContact $contact \n"; - } - - my $description = $config->returnValue("description"); - if (defined $description) { - print "SysDescr $description \n"; - } - - my $location = $config->returnValue("location"); - if (defined $location) { - print "SysLocation $location \n"; - } -} - -sub snmp_get_traps { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - # linkUp/Down configure the Event MIB tables to monitor - # the ifTable for network interfaces being taken up or down - # for making internal queries to retrieve any necessary information - - # create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' - my $vyatta_user = "vyatta" . 
randhex(16); - snmp_create_snmpv3_user($vyatta_user); - snmp_write_snmpv3_user($vyatta_user); - print "iquerySecName $vyatta_user\n"; - - # Modified from the default linkUpDownNotification - # to include more OIDs and poll more frequently - print <listNodes("trap-target"); - return unless @trap_targets; - - foreach my $trap_target (@trap_targets) { - my $port = $config->returnValue("trap-target $trap_target port"); - my $community - = $config->returnValue("trap-target $trap_target community"); - - print "trap2sink $trap_target"; - print ":$port" if $port; - print " $community" if $community; - print "\n"; - } -} - -# Configure SNMP client parameters -sub snmp_client_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - open (my $cf, '>', $snmp_client) - or die "Couldn't open $snmp_client - $!"; - - my $version = get_version(); - my $now = localtime; - print {$cf} "# autogenerated by vyatta-snmp.pl on $now\n"; - - my $trap_source = $config->returnValue('trap-source'); - print {$cf} "clientaddr $trap_source\n" if ($trap_source); - close $cf; -} - -sub snmp_create_snmpv3_user { - - my $vyatta_user = shift; - my $passphrase = randhex(32); - - my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; - open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; - print $fh $createuser; - close $fh; - - open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; - print $pass_file $passphrase; - close $pass_file; -} - -sub snmp_write_snmpv3_user { - - my $vyatta_user = shift; - my $user = "rwuser $vyatta_user\n"; - open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; - print $fh $user; - close $fh; -} - - -# -# main -# -my $update_snmp; -my $stop_snmp; - -GetOptions("update-snmp!" => \$update_snmp, - "stop-snmp!" => \$stop_snmp); - -snmp_start() if ($update_snmp); -snmp_stop() if ($stop_snmp); 
diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl
deleted file mode 100755
index 599fe398..00000000
--- a/scripts/system/vyatta_check_snmp_name.pl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/perl
-
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
-# All Rights Reserved.
-#
-# **** End License ****
-
-use strict;
-use warnings;
-
-foreach my $name (@ARGV) {
- die "$name : illegal characters in name\n"
- if (!($name =~ /^[a-zA-Z0-9]*$/));
-
- # Usernames may only be up to 32 characters long.
- die "$name: name may only be up to 32 characters long\n"
- if (length($name) > 32);
-}
-
-exit 0;
-- cgit v1.2.3 From 3b7b936cc53dd06e27d10ad2995286762cb7fa84 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 8 Jun 2018 11:16:58 +0200 Subject: Revert "T652: remove SNMP perl scripts" This reverts commit 4524181410b68367d91e07552466ef577ac5b0e3. --- Makefile.am | 3 + scripts/snmp/if-mib-alias | 129 ++++ scripts/snmp/vyatta-snmp-v3.pl | 676 +++++++++++++++++++++++++++++++ scripts/snmp/vyatta-snmp.pl | 333 +++++++++++++++ scripts/system/vyatta_check_snmp_name.pl | 31 ++ 5 files changed, 1172 insertions(+) create mode 100755 scripts/snmp/if-mib-alias create mode 100755 scripts/snmp/vyatta-snmp-v3.pl create mode 100755 scripts/snmp/vyatta-snmp.pl create mode 100755 scripts/system/vyatta_check_snmp_name.pl (limited to 'scripts/system')
diff --git a/Makefile.am b/Makefile.am
index 01ea0ce6..3e70ca59 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -43,6 +43,7 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
+sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl
 sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl
 sbin_SCRIPTS += scripts/system/vyatta_interface_rescan
 sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
@@ -52,6 +53,8 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_console.pl
 sbin_SCRIPTS += scripts/system/irq-affinity.pl
+sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
+sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl
 sbin_SCRIPTS += scripts/snmp/if-mib-alias
 sbin_SCRIPTS += scripts/telnetd.init
 sbin_SCRIPTS += scripts/dynamic-dns/vyatta-dynamic-dns.pl
diff --git a/scripts/snmp/if-mib-alias b/scripts/snmp/if-mib-alias
new file mode 100755
index 00000000..d17644e9
--- /dev/null
+++ b/scripts/snmp/if-mib-alias
@@ -0,0 +1,129 @@ +#! /usr/bin/perl + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Stephen Hemminger +# Date: October 2010 +# Description: script is run as net-snmp extension to read interface alias +# +# **** End License **** + +use strict; +use warnings; +use feature "switch"; + +# Collect interface all alias values +sub get_alias { + my @interfaces; + + open (my $ip, '-|', 'ip li') + or die "Can't run ip command\n"; + my $index; + while(<$ip>) { + if (/^(\d+): ([^:]*): /) { + $index = $1; + $interfaces[$index] = $2; + } elsif (/^ +alias (.*)$/) { + $interfaces[$index] = $1; + } + } + close $ip; + return @interfaces; +} + +sub get_oid { + my $oid = shift; + die "Not a valid Object ID: $oid" + unless ($oid =~ /.(\d+)$/); + + my $ifindex = $1; + my @interfaces = get_alias(); + + my $ifalias = $interfaces[$ifindex]; + print "$oid\nstring\n$ifalias\n" if $ifalias; +} + +# OID of ifAlias [RFC2863] +my $BASE = '.1.3.6.1.2.1.31.1.1.1.18'; + +sub get_next { + my $oid = shift; + + return get_next("$BASE.0") + if ($oid eq $BASE); + + die "Not a valid Object ID: $oid" + unless ($oid =~ /^(\S*)\.(\d+)$/); + + my $base = $1; + my $ifindex = $2; + my @interfaces = get_alias(); + + while (++$ifindex <= $#interfaces) { + my $ifalias = $interfaces[$ifindex]; + if ($ifalias) { + print "$base.$ifindex\nstring\n$ifalias\n"; + last; + } + } +} + +sub ifindextoname { + my $ifindex = shift; + + open (my $ip, '-|', 'ip li') + 
or die "Can't run ip command\n"; + my $index; + while(<$ip>) { + next unless (/^(\d+): ([^:]*): /); + return $2 if ($1 == $ifindex); + } + return; +} + +sub set_oid { + my ($oid, $target, $value) = @_; + die "Not a valid Object ID: $oid" + unless ($oid =~ /\.(\d+)$/); + my $ifindex = $1; + unless ($target eq 'string') { + print "wrong-type\n"; + return; + } + + my $ifname = ifindextoname($ifindex); + if ($ifname) { + system("ip li set $ifname alias '$value' >/dev/null 2>&1"); + print "not-writeable\n" if ($? != 0); + } +} + +sub usage { + warn "Usage: $0 {-g|-n} OID\n"; + warn " $0 -s OID TARGET VALUE\n"; + exit 1; +} + +usage unless $#ARGV >= 1; + +given ($ARGV[0]) { + when ('-g') { get_oid ($ARGV[1]); } + when ('-n') { get_next ($ARGV[1]); } + when ('-s') { set_oid ($ARGV[1], $ARGV[2], $ARGV[3]); } + default { + warn "$ARGV[0] unknown flag\n"; + usage; + } +} diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl new file mode 100755 index 00000000..a2d738eb --- /dev/null +++ b/scripts/snmp/vyatta-snmp-v3.pl 
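Review bot: `set_oid` interpolates `$ifname` and the SET value `$value` into a shell command string, `system("ip li set $ifname alias '$value' >/dev/null 2>&1")`; a value containing a single quote terminates the quoting, so whatever an SNMP writer is permitted to send to this OID reaches the shell rather than only the `ip` argument list. The list form of `system` bypasses the shell, e.g. `system('ip', 'link', 'set', $ifname, 'alias', $value) == 0 or print "not-writeable\n";`, with the output redirect done by reopening STDOUT/STDERR to `/dev/null` around the call if it is still wanted. `$ifname` comes from parsed `ip li` output and is less of a concern, but the same change covers it. Separately, the `given`/`when` dispatch on `$ARGV[0]` relies on `use feature "switch"`, which is experimental and warns on current Perls; an `if`/`elsif` chain or a dispatch hash keyed on the flag is the stable form.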
@@ -0,0 +1,676 @@ +#!/usr/bin/perl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +use strict; +use warnings; + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use File::Copy; +use Getopt::Long; +use Socket; +use Socket6; + +my $snmp_v3_level = 'service snmp v3'; +my $snmp_restart = 'systemctl restart snmpd.service'; +my $snmp_stop = 'systemctl stop snmpd.service'; +my $snmp_start = 'systemctl start snmpd.service'; +my $snmp_reload = 'systemctl reload snmpd.service'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; +my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/run/snmpd.socket'; + +my $oldEngineID = ""; +my $setserialno = ""; + +my %OIDs = ( + "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" +); + +# generate a random character hex string +sub randhex { + my $length = shift; + return join "", map { unpack "H*", chr( rand(256) ) } 1 .. 
( $length / 2 ); +} + +sub snmpd_running { + open( my $pidf, '<', "/run/snmpd.pid" ) + or return; + my $pid = <$pidf>; + close $pidf; + + chomp $pid; + my $exe = readlink "/proc/$pid/exe"; + + return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); +} + +sub check_snmp_exit_code { + my $code = shift; + + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ( $code != 0 && $code != 256 ) { + return 1; + } + else { + return 0; + } +} + +sub snmpd_stop { + system("$snmp_stop > /dev/null 2>&1"); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); + } +} + +sub snmpd_start { + system("$snmp_start > /dev/null 2>&1"); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not start snmpd!\n"; + exit(1); + } +} + +sub snmpd_update { + system("$snmp_reload > /dev/null 2>&1"); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); + } +} + +sub snmpd_restart { + system("$snmp_restart > /dev/null 2>&1"); + if ( check_snmp_exit_code($?) 
) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); + } +} + +# get vyatta version +sub get_version { + my $version = "unknown-version"; + + if ( open( my $f, '<', $versionfile ) ) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; + } + return $version; +} + +sub ipv6_disabled { + socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) + or return 1; + close($s); + return; +} + +# write tsm config from current to snmpd_conf +sub set_tsm { + my $config = get_snmp_config(); + if ( $config->exists("tsm") ) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system( +"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" + ); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + } +} + +# delete all SNMP config files +# can be called directly +sub snmp_delete { + snmpd_stop(); + + my @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); + foreach my $file (@files) { + if ( -e $file ) { + unlink($file); + } + } +} + +sub get_snmp_config { + my $config = new Vyatta::Config; + $config->setLevel($snmp_v3_level); + return $config; +} + +# write views from vyatta config to snmpd_conf +sub set_views { + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ( $config->listNodes("view") ) { + foreach my $oid ( $config->listNodes("view $view oid") ) { + my $mask = ''; + $mask = $config->returnValue("view $view oid $oid mask") + if $config->exists("view $view oid $oid mask"); + if ( $config->exists("view $view oid $oid exclude") ) { + print "view $view excluded .$oid $mask\n"; + } + else { + print "view $view included .$oid $mask\n"; + } + } + } + print "\n"; +} + +# write groups from vyatta config to snmpd_conf +sub set_groups { + print +"#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ( $config->listNodes("group") ) { + my $mode = 
$config->returnValue("group $group mode"); + my $view = $config->returnValue("group $group view"); + my $secLevel = $config->returnValue("group $group seclevel"); + if ( $mode eq "ro" ) { + print "access $group \"\" usm $secLevel exact $view none none\n"; + print "access $group \"\" tsm $secLevel exact $view none none\n"; + } + else { + print "access $group \"\" usm $secLevel exact $view $view none\n"; + print "access $group \"\" tsm $secLevel exact $view $view none\n"; + } + } + print "\n"; +} + +# write users from vyatta config to snmpd_conf +sub set_users_in_etc { + + print "#group\n"; + my $tsm_counter = 0; + my $config = get_snmp_config(); + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("group") ) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ( $config->exists("tsm-key") ) { + my $cert = $config->returnValue("tsm-key"); + $tsm_counter++; + print "certSecName $tsm_counter $cert --sn $user\n"; + } + } + + print "\n"; +} + +# write users from vyatta config to config files in /usr & /var +sub set_users_to_other { + open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open( my $var_conf, '>>', $snmpd_var_conf_tmp ) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ( $config->exists("tsm") ) { + $needTsm = 1; + } + + my %trap_users = (); + + foreach my $trap ( $config->listNodes("trap-target") ) { + $trap_users{ $config->returnValue("trap-target $trap user") } = 1; + } + + foreach my $user ( $config->listNodes("user") ) { + delete $trap_users{$user}; + $config->setLevel( $snmp_v3_level . 
" user $user" ); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ( $config->exists("auth") ) { + if ( $config->exists("auth plaintext-key") ) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = ''; + $priv_key = $config->returnValue("privacy plaintext-key") + if $config->exists("privacy plaintext-key"); + print $var_conf +"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } + else { + my $name_print = get_printable_name($user); + my $EngineID = $config->returnValue("engineid"); + if ( $EngineID eq "" ) { + die "ERROR: engineid is null\n"; + } + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + + my ( $priv_type_oid, $priv_key_hex ); + if ( $config->exists("privacy") ) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = + $config->returnValue("privacy encrypted-key"); + } + else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf +"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ( $config->exists("privacy") ) { + $end = "priv"; + } + print $usr_conf $mode . "user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode . "user -s tsm $user $end\n"; + } + } + +# add users for trap if they are not exists in vyatta config /services/snmp/v3/user + foreach my $user ( keys %trap_users ) { + my $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x" + . randhex(26) + . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" + . randhex(32) + . 
" .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth\n"; + } + + print $var_conf "setserialno $setserialno\n" + if !($setserialno eq ""); + print $var_conf "oldEngineID $oldEngineID\n" + if !($oldEngineID eq ""); + + close $usr_conf; + close $var_conf; +} + +# if name contains '-' then it must be printed in hex format +sub get_printable_name { + my $name = shift; + if ( $name =~ /-/ ) { + my @array = unpack( 'C*', $name ); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf( "%lx", $c ); + } + return $stringHex; + } + else { + return "\"$name\""; + } +} + + +# read encrypted keys from config file in /var to vyatta config +# read additional info from config file in /var to VConfig variable +# delete plaintext passwords in vyatta config +sub update_users_vyatta_conf { + open( my $var_conf, '<', $snmpd_var_conf ) + or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while ( my $line = <$var_conf> ) { + if ( $line =~ /^oldEngineID (.*)$/ ) { + my $value = $1; + if ($config->exists("engineid") && + $config->returnValue("engineid") eq ""){ + system( +"/opt/vyatta/sbin/my_set service snmp v3 engineid $value > /dev/null" + ); + } + } + if ( $line =~ /^usmUser / ) { + my @values = split( / /, $line ); + my $name = $values[4]; + if ( $name =~ /^"(.*)"$/ ) { + $name = $1; + } + else { + $name = pack( 'H*', $name ); + } + + # this file contain users for trap-target and vyatta... 
user + # these users recreating automatically on each commit + if ( $config->exists("user $name") ) { + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" engineid $values[3] > /dev/null" + ); + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" + ); + if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" + ); + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" + ); + } + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" + ); + } + } + } + close $var_conf; +} + +# write trap-target hosts from vyatta config to snmpd_conf +sub set_hosts { + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ( $config->listNodes("trap-target") ) { + $config->setLevel( $snmp_v3_level . " trap-target $target" ); + my $auth_key = ''; + if ( $config->exists("auth plaintext-key") ) { + $auth_key = "-A " . $config->returnValue("auth plaintext-key"); + } + else { + $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = '-Ci'; + $inform_flag = '-Ci' if ( $type eq 'inform' ); + + if ( $type eq 'trap' ) { + $inform_flag = '-e ' . $config->returnValue("engineid"); + } + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ( $config->exists("privacy") ) { + my $priv_key = ''; + if ( $config->exists("privacy plaintext-key") ) { + $priv_key = + "-X " . $config->returnValue("privacy plaintext-key"); + } + else { + $priv_key = + "-3M " . 
$config->returnValue("privacy encrypted-key"); + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + + # TODO understand difference between master and local + # Uses: + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + # Current use only master + my $target_print = $target; + if ( $target =~ /:/ ) { + $target_print = "[$target]"; + $protocol = $protocol . "6"; + } + print +"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; + } + print "\n"; +} + +# check changes in auth and privacy nodes +# deny set encrypted-key in case engineid wasn't set +sub check_user_auth_changes { + my $config = get_snmp_config(); + my $v3engineid = ""; + + if($config->exists("engineid")){ + $v3engineid=$config->returnValue("engineid"); + } + + if ( $config->isChanged("user") || $config->isChanged("engineid")) { + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("engineid") && + !($v3engineid eq "" ) && + !($config->returnValue("engineid") eq "" ) && + !($config->returnValue("engineid") eq $v3engineid)){ + print +"Warning: Encrypted key(s) for snmp v3 user \"$user\" was(were) generated for another SNMP engineid. It won't work. Please recreate this user.\n"; + } + if ( $config->exists("auth") ) { + if ( + !( + $config->exists("engineid") && + ( + $config->exists("auth encrypted-key") || + $config->exists("privacy encrypted-key") + ) + ) + ) + { + $haveError = 1; + print +"Discard encrypted-key on user \"$user\". 
It's necessary to setup engineid the encrypted-key was generated with.\n"; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthEKeyChanged = $config->isChanged("auth encrypted-key"); + if ( $config->exists("privacy") ) { + my $isPrivKeyChanged = + $config->isChanged("privacy plaintext-key"); + my $isPrivEKeyChanged = + $config->isChanged("privacy encrypted-key"); + if ( ($isPrivEKeyChanged && !$isAuthEKeyChanged) + || ($isPrivKeyChanged && !$isAuthKeyChanged) ) { + $haveError = 1; + print + "Please, set correct auth and privacy for user \"$user\"\n"; + print + "Set plaintext-key for auth and privacy or set encrypted-key for both\n"; + } + } + } + else { + if ( $config->exists("privacy") ) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } + } +} + +# check relation between user & group & view +sub check_relation { + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + if ( $config->exists("user $user group") ) { + my $group = $config->returnValue("user $user group"); + if ( !$config->exists("group $group") ) { + $haveError = 1; + print +"Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ( $config->listNodes("group") ) { + my $view = $config->returnValue("group $group view"); + if ( !$config->exists("view $view") ) { + $haveError = 1; + print + "Please, create view \"$view\". It's need for group \"$group\"\n"; + } + } + if ($haveError) { + exit(1); + } +} + +# check is new tsm port free on system +sub check_tsm_port { + my $config = get_snmp_config(); + if ( $config->isChanged("tsm port") ) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + my $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line ( split( /\n/, $output ) ) { + if ( $line =~ /$reg/ ) { + print + "Actually port $port is using. 
It can not be used for tsm.\n"; + exit(1); + } + } + } +} + +# check group seclevel and user auth/privacy +sub check_seclevel { + my $config = get_snmp_config(); + my $haveError = 0; + if ( $config->isChanged("user") || $config->isChanged("group") ) { + foreach my $user ( $config->listNodes("user") ) { + if ( $config->exists("user $user group") ) { + my $group = $config->returnValue("user $user group"); + if ( $config->isChanged("user $user") + || $config->isChanged("group $group") ) + { + my $group_seclevel = + $config->returnValue("group $group seclevel"); + if ( $config->exists("user $user privacy") ) { + if ( $group_seclevel eq "auth" ) { + print +"User \"$user\" have privacy, but group \"$group\" have \"auth\" as seclevel. So auth and priv work both.\n"; + } + } + else { + if ( $group_seclevel eq "priv" ) { + print +"User \"$user\" will not work, because he haven't privacy, but group \"$group\" have \"priv\" as seclevel.\n"; + $haveError = 1; + } + } + } + } + } + } + if ($haveError) { + exit(1); + } +} + +sub copy_conf_to_tmp { + + # these files already contain SNMPv2 configuration + copy( $snmpd_conf, $snmpd_conf_tmp ) + or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) + or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) + or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; +} + +# update all vyatta config +# can be called directly +sub snmp_update { + + copy_conf_to_tmp(); + + set_tsm(); + + open( my $fh, '>>', $snmpd_conf_tmp ) + or die "Couldn't open $snmpd_conf_tmp - $!"; + + select $fh; + + set_views(); + set_groups(); + set_hosts(); + set_users_in_etc(); + + close $fh; + select STDOUT; + + move( $snmpd_conf_tmp, $snmpd_conf ) + or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; + + my $config = get_snmp_config(); + if ($config->exists("engineid")) { + $oldEngineID = $config->returnValue("engineid"); + } + + 
snmpd_stop(); + + #add newly added users to var config to get encrypted values + set_users_to_other(); + + move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) + or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; + move( $snmpd_var_conf_tmp, $snmpd_var_conf ) + or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; + + snmpd_start(); + snmpd_stop(); + + # now we have encrypted user config - start and read it after + snmpd_start(); + update_users_vyatta_conf(); +} + +# validate vyatta config before write it into files +# can be called directly +sub snmp_check { + check_user_auth_changes(); + check_relation(); + check_tsm_port(); + check_seclevel(); +} + +my $check_config; +my $update_snmp; +my $delete_snmp; + +GetOptions( + "check-config!" => \$check_config, + "update-snmp!" => \$update_snmp, + "delete-snmp!" => \$delete_snmp, + "oldEngineID=s" => \$oldEngineID, + "setserialno=s" => \$setserialno +); + +snmp_check() if ($check_config); +snmp_update() if ($update_snmp); +snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl new file mode 100755 index 00000000..5c4ff1d0 --- /dev/null +++ b/scripts/snmp/vyatta-snmp.pl 
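Review bot: The scratch copies of the three snmpd config files are created under predictable names in world-writable `/tmp` (`/tmp/snmpd.conf.$$`, `/tmp/snmpd.usr.conf.$$`, `/tmp/snmpd.var.conf.$$` near the top of the hunk), appended to with `open '>>'`, and then moved over the real files; `set_users_to_other` writes the SNMPv3 auth/privacy keys into one of them, so a local account that pre-creates or symlinks that path can read or seed the key material before the `move`. Creating them next to their targets, e.g. `my $snmpd_var_conf_tmp = "$snmpd_var_conf.tmp.$$";` (and likewise for the other two), keeps them in directories that are not world-writable and makes the final `move` a same-filesystem rename, with `File::Temp::tempfile` as the alternative if `/tmp` must stay; `$snmp_tmp` in the vyatta-snmp.pl hunk below has the same pattern. `randhex`, used here for the trap users' usmUser engine ID and keys, draws from `rand()`, which is not a cryptographic source; reading the bytes from the kernel instead, `open my $rnd, '<:raw', '/dev/urandom' or die "urandom: $!"; read $rnd, my $buf, $length / 2; return unpack 'H*', $buf;`, is the fix, and the copy of `randhex` in vyatta-snmp.pl needs the same. Minor: `update_users_vyatta_conf` opens `$snmpd_var_conf` but its die message names `$snmpd_usr_conf`.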
@@ -0,0 +1,333 @@ +#!/usr/bin/perl +# +# Module: vyatta-snmp.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Stig Thormodsrud +# Date: October 2007 +# Description: Script to glue vyatta cli to snmp daemon +# +# **** End License **** +# + +use strict; +use warnings; + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use Vyatta::Misc; +use NetAddr::IP; +use Getopt::Long; +use File::Copy; +use Socket; +use Socket6; + +my $mibdir = '/opt/vyatta/share/snmp/mibs'; +my $snmp_start = 'systemctl start snmpd.service'; +my $snmp_stop = 'systemctl stop snmpd.service'; +my $snmp_conf = '/etc/snmp/snmpd.conf'; +my $snmp_client = '/etc/snmp/snmp.conf'; +my $snmp_tmp = "/tmp/snmpd.conf.$$"; +my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; +my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/run/snmpd.socket'; +my $password_file = '/config/snmp/superuser_pass'; + +my $snmp_level = 'service snmp'; + +sub snmp_running { + open (my $pidf, '<', "/run/snmpd.pid") + or return; + my $pid = <$pidf>; + close $pidf; + + chomp $pid; + my $exe = readlink "/proc/$pid/exe"; + + return (defined($exe) && $exe eq "/usr/sbin/snmpd"); +} + +sub snmp_stop { + system("$snmp_stop > /dev/null 2>&1"); +} + +sub snmp_start { + # we must stop snmpd first for creating vyatta user + system("$snmp_stop > /dev/null 2>&1"); + open (my $fh, '>', 
$snmp_tmp) + or die "Couldn't open $snmp_tmp - $!"; + + select $fh; + snmp_get_constants(); + snmp_get_values(); + snmp_get_traps(); + close $fh; + select STDOUT; + + snmp_client_config(); + + move($snmp_tmp, $snmp_conf) + or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; +} + +sub get_version { + my $version = "unknown-version"; + + if (open (my $f, '<', $versionfile)) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; + } + return $version; +} + +# convert address to snmpd transport syntax +sub transport_syntax { + my ($addr, $port) = @_; + my $ip = new NetAddr::IP $addr; + die "$addr: not a valid IP address" unless $ip; + + my $version = $ip->version(); + return "udp:$addr:$port" if ($version == 4); + return "udp6:[$addr]:$port" if ($version == 6); + die "$addr: unknown IP version $version"; +} + +# Test if IPv6 is possible by opening a socket +sub ipv6_disabled { + socket ( my $s, PF_INET6, SOCK_DGRAM, 0) + or return 1; + close($s); + return; +} + +# Find SNMP agent listening addresses +sub get_listen_address { + my $config = new Vyatta::Config; + my @listen; + + $config->setLevel('service snmp listen-address'); + my @address = $config->listNodes(); + + if(@address) { + foreach my $addr (@address) { + my $port = $config->returnValue("$addr port"); + push @listen, transport_syntax($addr, $port); + } + } else { + # default if no address specified + @listen = ( 'udp:161' ); + push @listen, 'udp6:161' unless ipv6_disabled(); + return @listen; + } + + return @listen; +} + +sub snmp_get_constants { + my $version = get_version(); + my $now = localtime; + my @addr = get_listen_address(); + + # add local unix domain target for use by operational commands + unshift @addr, $local_agent; + + print "# autogenerated by vyatta-snmp.pl on $now\n"; + print "sysDescr VyOS $version\n"; + print "sysObjectID 1.3.6.1.4.1.44641\n"; + print "sysServices 14\n"; + print "master agentx\n"; # maybe needed by lldpd + print 
"agentaddress ", join(',',@addr), "\n"; + print "agentXPerms 0755 0755\n"; + + # add hook to read IF-MIB::ifAlias from sysfs + print "pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias\n"; + + print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.9\n"; # mribd + print "smuxpeer .1.3.6.1.2.1.83\n"; # mribd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.8\n"; # pimd + print "smuxpeer .1.3.6.1.2.1.157\n"; # pimd + print "smuxsocket localhost\n"; +} + +# generate a random character hex string +sub randhex { + my $length = shift; + return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); +} + +# output snmpd.conf file syntax for community +sub print_community { + my ($config, $community) = @_; + my $ro = $config->returnValue('authorization'); + $ro = 'ro' unless $ro; + + my @clients = $config->returnValues('client'); + my @networks = $config->returnValues('network'); + + my @restriction = (@clients, @networks); + if (!@restriction) { + print $ro . "community $community\n"; + print $ro . "community6 $community\n" unless ipv6_disabled(); + return; + } + + foreach my $addr (@restriction) { + my $ip = new NetAddr::IP $addr; + die "$addr: Not a valid IP address" unless $ip; + + if ($ip->version() == 4) { + print $ro . "community $community $addr\n"; + } elsif ($ip->version() == 6) { + print $ro . 
"community6 $community $addr\n"; + } else { + die "$addr: bad IP version ", $ip->version(); + } + } +} + +sub snmp_get_values { + my $config = new Vyatta::Config; + + my @communities = $config->listNodes("service snmp community"); + foreach my $community (@communities) { + $config->setLevel("service snmp community $community"); + print_community($config, $community); + } + + $config->setLevel("service snmp smux-peer"); + my @smuxpeers = $config->returnValues(); + foreach my $smuxpeer (@smuxpeers) { + print "smuxpeer $smuxpeer \n"; + } + + $config->setLevel($snmp_level); + my $contact = $config->returnValue("contact"); + if (defined $contact) { + print "SysContact $contact \n"; + } + + my $description = $config->returnValue("description"); + if (defined $description) { + print "SysDescr $description \n"; + } + + my $location = $config->returnValue("location"); + if (defined $location) { + print "SysLocation $location \n"; + } +} + +sub snmp_get_traps { + my $config = new Vyatta::Config; + $config->setLevel($snmp_level); + + # linkUp/Down configure the Event MIB tables to monitor + # the ifTable for network interfaces being taken up or down + # for making internal queries to retrieve any necessary information + + # create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' + my $vyatta_user = "vyatta" . 
randhex(16); + snmp_create_snmpv3_user($vyatta_user); + snmp_write_snmpv3_user($vyatta_user); + print "iquerySecName $vyatta_user\n"; + + # Modified from the default linkUpDownNotification + # to include more OIDs and poll more frequently + print <listNodes("trap-target"); + return unless @trap_targets; + + foreach my $trap_target (@trap_targets) { + my $port = $config->returnValue("trap-target $trap_target port"); + my $community + = $config->returnValue("trap-target $trap_target community"); + + print "trap2sink $trap_target"; + print ":$port" if $port; + print " $community" if $community; + print "\n"; + } +} + +# Configure SNMP client parameters +sub snmp_client_config { + my $config = new Vyatta::Config; + $config->setLevel($snmp_level); + + open (my $cf, '>', $snmp_client) + or die "Couldn't open $snmp_client - $!"; + + my $version = get_version(); + my $now = localtime; + print {$cf} "# autogenerated by vyatta-snmp.pl on $now\n"; + + my $trap_source = $config->returnValue('trap-source'); + print {$cf} "clientaddr $trap_source\n" if ($trap_source); + close $cf; +} + +sub snmp_create_snmpv3_user { + + my $vyatta_user = shift; + my $passphrase = randhex(32); + + my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; + open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; + print $fh $createuser; + close $fh; + + open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; + print $pass_file $passphrase; + close $pass_file; +} + +sub snmp_write_snmpv3_user { + + my $vyatta_user = shift; + my $user = "rwuser $vyatta_user\n"; + open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; + print $fh $user; + close $fh; +} + + +# +# main +# +my $update_snmp; +my $stop_snmp; + +GetOptions("update-snmp!" => \$update_snmp, + "stop-snmp!" => \$stop_snmp); + +snmp_start() if ($update_snmp); +snmp_stop() if ($stop_snmp); 
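Review bot: `snmp_create_snmpv3_user` writes the passphrase of the internal `rwuser` (`$vyatta_user`, granted write access by `snmp_write_snmpv3_user`) to `$password_file` and to `$snmp_snmpv3_createuser_conf` with a plain `open '>'`, so the resulting file mode is whatever the caller's umask yields and the passphrase may be readable by other local accounts. Pinning the mode at creation — `my $old_umask = umask 077;` before the two opens and `umask $old_umask;` after — closes that, and `close $pass_file or die "close $password_file: $!";` would surface short writes that the current unchecked `close` hides. The user is created with `MD5` and `DES`; `SHA` and `AES` are accepted by the same `createUser` directive and are the stronger choice where the installed snmpd supports them. The stretch between `print <` and `listNodes("trap-target")` in `snmp_get_traps` appears truncated in this rendering (presumably a heredoc), so that part was not reviewed.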
diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl
new file mode 100755
index 00000000..599fe398
--- /dev/null
+++ b/scripts/system/vyatta_check_snmp_name.pl
@@ -0,0 +1,31 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+foreach my $name (@ARGV) {
+ die "$name : illegal characters in name\n"
+ if (!($name =~ /^[a-zA-Z0-9]*$/));
+
+ # Usernames may only be up to 32 characters long.
+ die "$name: name may only be up to 32 characters long\n"
+ if (length($name) > 32);
+}
+
+exit 0;
-- cgit v1.2.3 From 838eff5caa58330b4c922f786fe3d5ef4867fd6f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 8 Jun 2018 11:18:50 +0200 Subject: T652: remove PERL scripts required for SNMP service --- Makefile.am | 3 - scripts/snmp/vyatta-snmp-v3.pl | 676 ------------------------------- scripts/snmp/vyatta-snmp.pl | 333 --------------- scripts/system/vyatta_check_snmp_name.pl | 31 -- 4 files changed, 1043 deletions(-) delete mode 100755 scripts/snmp/vyatta-snmp-v3.pl delete mode 100755 scripts/snmp/vyatta-snmp.pl delete mode 100755 scripts/system/vyatta_check_snmp_name.pl (limited to 'scripts/system')
diff --git a/Makefile.am b/Makefile.am
index 3e70ca59..01ea0ce6 100644
--- a/Makefile.am
+++ b/Makefile.am
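Review bot: The name check `/^[a-zA-Z0-9]*$/` accepts the empty string (`*` allows zero characters) and, because `$` also matches before a trailing newline, a name that ends in `\n`; tightening it to `/\A[a-zA-Z0-9]+\z/` rejects both while keeping the intended alphanumeric rule. The `# Usernames may only be up to 32 characters long.` comment looks carried over from the username check; `# SNMP names are limited to 32 characters.` says what this script actually validates, presumably community and user names given the file name.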
@@ -43,7 +43,6 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
-sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl
 sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl
 sbin_SCRIPTS += scripts/system/vyatta_interface_rescan
 sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
@@ -53,8 +52,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_console.pl
 sbin_SCRIPTS += scripts/system/irq-affinity.pl
-sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
-sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl
 sbin_SCRIPTS += scripts/snmp/if-mib-alias
 sbin_SCRIPTS += scripts/telnetd.init
 sbin_SCRIPTS += scripts/dynamic-dns/vyatta-dynamic-dns.pl
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl
deleted file mode 100755
index a2d738eb..00000000
--- a/scripts/snmp/vyatta-snmp-v3.pl
+++ /dev/null
@@ -1,676 +0,0 @@ -#!/usr/bin/perl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use File::Copy; -use Getopt::Long; -use Socket; -use Socket6; - -my $snmp_v3_level = 'service snmp v3'; -my $snmp_restart = 'systemctl restart snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_reload = 'systemctl reload snmpd.service'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; -my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; -my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; - -my $oldEngineID = ""; -my $setserialno = ""; - -my %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" -); - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr( rand(256) ) } 1 .. 
( $length / 2 ); -} - -sub snmpd_running { - open( my $pidf, '<', "/run/snmpd.pid" ) - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); -} - -sub check_snmp_exit_code { - my $code = shift; - - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ( $code != 0 && $code != 256 ) { - return 1; - } - else { - return 0; - } -} - -sub snmpd_stop { - system("$snmp_stop > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); - } -} - -sub snmpd_start { - system("$snmp_start > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not start snmpd!\n"; - exit(1); - } -} - -sub snmpd_update { - system("$snmp_reload > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) ) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); - } -} - -sub snmpd_restart { - system("$snmp_restart > /dev/null 2>&1"); - if ( check_snmp_exit_code($?) 
) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); - } -} - -# get vyatta version -sub get_version { - my $version = "unknown-version"; - - if ( open( my $f, '<', $versionfile ) ) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -sub ipv6_disabled { - socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) - or return 1; - close($s); - return; -} - -# write tsm config from current to snmpd_conf -sub set_tsm { - my $config = get_snmp_config(); - if ( $config->exists("tsm") ) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system( -"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" - ); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); - } -} - -# delete all SNMP config files -# can be called directly -sub snmp_delete { - snmpd_stop(); - - my @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); - foreach my $file (@files) { - if ( -e $file ) { - unlink($file); - } - } -} - -sub get_snmp_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_v3_level); - return $config; -} - -# write views from vyatta config to snmpd_conf -sub set_views { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ( $config->listNodes("view") ) { - foreach my $oid ( $config->listNodes("view $view oid") ) { - my $mask = ''; - $mask = $config->returnValue("view $view oid $oid mask") - if $config->exists("view $view oid $oid mask"); - if ( $config->exists("view $view oid $oid exclude") ) { - print "view $view excluded .$oid $mask\n"; - } - else { - print "view $view included .$oid $mask\n"; - } - } - } - print "\n"; -} - -# write groups from vyatta config to snmpd_conf -sub set_groups { - print -"#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ( $config->listNodes("group") ) { - my $mode = 
$config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - my $secLevel = $config->returnValue("group $group seclevel"); - if ( $mode eq "ro" ) { - print "access $group \"\" usm $secLevel exact $view none none\n"; - print "access $group \"\" tsm $secLevel exact $view none none\n"; - } - else { - print "access $group \"\" usm $secLevel exact $view $view none\n"; - print "access $group \"\" tsm $secLevel exact $view $view none\n"; - } - } - print "\n"; -} - -# write users from vyatta config to snmpd_conf -sub set_users_in_etc { - - print "#group\n"; - my $tsm_counter = 0; - my $config = get_snmp_config(); - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("group") ) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; - } - if ( $config->exists("tsm-key") ) { - my $cert = $config->returnValue("tsm-key"); - $tsm_counter++; - print "certSecName $tsm_counter $cert --sn $user\n"; - } - } - - print "\n"; -} - -# write users from vyatta config to config files in /usr & /var -sub set_users_to_other { - open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open( my $var_conf, '>>', $snmpd_var_conf_tmp ) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ( $config->exists("tsm") ) { - $needTsm = 1; - } - - my %trap_users = (); - - foreach my $trap ( $config->listNodes("trap-target") ) { - $trap_users{ $config->returnValue("trap-target $trap user") } = 1; - } - - foreach my $user ( $config->listNodes("user") ) { - delete $trap_users{$user}; - $config->setLevel( $snmp_v3_level . 
" user $user" ); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ( $config->exists("auth") ) { - if ( $config->exists("auth plaintext-key") ) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = ''; - $priv_key = $config->returnValue("privacy plaintext-key") - if $config->exists("privacy plaintext-key"); - print $var_conf -"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } - else { - my $name_print = get_printable_name($user); - my $EngineID = $config->returnValue("engineid"); - if ( $EngineID eq "" ) { - die "ERROR: engineid is null\n"; - } - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - - my ( $priv_type_oid, $priv_key_hex ); - if ( $config->exists("privacy") ) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = - $config->returnValue("privacy encrypted-key"); - } - else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf -"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } - } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ( $config->exists("privacy") ) { - $end = "priv"; - } - print $usr_conf $mode . "user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode . "user -s tsm $user $end\n"; - } - } - -# add users for trap if they are not exists in vyatta config /services/snmp/v3/user - foreach my $user ( keys %trap_users ) { - my $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x" - . randhex(26) - . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" - . randhex(32) - . 
" .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth\n"; - } - - print $var_conf "setserialno $setserialno\n" - if !($setserialno eq ""); - print $var_conf "oldEngineID $oldEngineID\n" - if !($oldEngineID eq ""); - - close $usr_conf; - close $var_conf; -} - -# if name contains '-' then it must be printed in hex format -sub get_printable_name { - my $name = shift; - if ( $name =~ /-/ ) { - my @array = unpack( 'C*', $name ); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf( "%lx", $c ); - } - return $stringHex; - } - else { - return "\"$name\""; - } -} - - -# read encrypted keys from config file in /var to vyatta config -# read additional info from config file in /var to VConfig variable -# delete plaintext passwords in vyatta config -sub update_users_vyatta_conf { - open( my $var_conf, '<', $snmpd_var_conf ) - or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while ( my $line = <$var_conf> ) { - if ( $line =~ /^oldEngineID (.*)$/ ) { - my $value = $1; - if ($config->exists("engineid") && - $config->returnValue("engineid") eq ""){ - system( -"/opt/vyatta/sbin/my_set service snmp v3 engineid $value > /dev/null" - ); - } - } - if ( $line =~ /^usmUser / ) { - my @values = split( / /, $line ); - my $name = $values[4]; - if ( $name =~ /^"(.*)"$/ ) { - $name = $1; - } - else { - $name = pack( 'H*', $name ); - } - - # this file contain users for trap-target and vyatta... 
user - # these users recreating automatically on each commit - if ( $config->exists("user $name") ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" engineid $values[3] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" - ); - if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { - system( -"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" - ); - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" - ); - } - system( -"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" - ); - } - } - } - close $var_conf; -} - -# write trap-target hosts from vyatta config to snmpd_conf -sub set_hosts { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ( $config->listNodes("trap-target") ) { - $config->setLevel( $snmp_v3_level . " trap-target $target" ); - my $auth_key = ''; - if ( $config->exists("auth plaintext-key") ) { - $auth_key = "-A " . $config->returnValue("auth plaintext-key"); - } - else { - $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = '-Ci'; - $inform_flag = '-Ci' if ( $type eq 'inform' ); - - if ( $type eq 'trap' ) { - $inform_flag = '-e ' . $config->returnValue("engineid"); - } - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ( $config->exists("privacy") ) { - my $priv_key = ''; - if ( $config->exists("privacy plaintext-key") ) { - $priv_key = - "-X " . $config->returnValue("privacy plaintext-key"); - } - else { - $priv_key = - "-3M " . 
$config->returnValue("privacy encrypted-key"); - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - - # TODO understand difference between master and local - # Uses: - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - # Current use only master - my $target_print = $target; - if ( $target =~ /:/ ) { - $target_print = "[$target]"; - $protocol = $protocol . "6"; - } - print -"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; -} - -# check changes in auth and privacy nodes -# deny set encrypted-key in case engineid wasn't set -sub check_user_auth_changes { - my $config = get_snmp_config(); - my $v3engineid = ""; - - if($config->exists("engineid")){ - $v3engineid=$config->returnValue("engineid"); - } - - if ( $config->isChanged("user") || $config->isChanged("engineid")) { - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - $config->setLevel( $snmp_v3_level . " user $user" ); - if ( $config->exists("engineid") && - !($v3engineid eq "" ) && - !($config->returnValue("engineid") eq "" ) && - !($config->returnValue("engineid") eq $v3engineid)){ - print -"Warning: Encrypted key(s) for snmp v3 user \"$user\" was(were) generated for another SNMP engineid. It won't work. Please recreate this user.\n"; - } - if ( $config->exists("auth") ) { - if ( - !( - $config->exists("engineid") && - ( - $config->exists("auth encrypted-key") || - $config->exists("privacy encrypted-key") - ) - ) - ) - { - $haveError = 1; - print -"Discard encrypted-key on user \"$user\". 
It's necessary to setup engineid the encrypted-key was generated with.\n"; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthEKeyChanged = $config->isChanged("auth encrypted-key"); - if ( $config->exists("privacy") ) { - my $isPrivKeyChanged = - $config->isChanged("privacy plaintext-key"); - my $isPrivEKeyChanged = - $config->isChanged("privacy encrypted-key"); - if ( ($isPrivEKeyChanged && !$isAuthEKeyChanged) - || ($isPrivKeyChanged && !$isAuthKeyChanged) ) { - $haveError = 1; - print - "Please, set correct auth and privacy for user \"$user\"\n"; - print - "Set plaintext-key for auth and privacy or set encrypted-key for both\n"; - } - } - } - else { - if ( $config->exists("privacy") ) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); - } - } -} - -# check relation between user & group & view -sub check_relation { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( !$config->exists("group $group") ) { - $haveError = 1; - print -"Please, create group \"$group\". It's need for user \"$user\"\n"; - } - } - } - foreach my $group ( $config->listNodes("group") ) { - my $view = $config->returnValue("group $group view"); - if ( !$config->exists("view $view") ) { - $haveError = 1; - print - "Please, create view \"$view\". It's need for group \"$group\"\n"; - } - } - if ($haveError) { - exit(1); - } -} - -# check is new tsm port free on system -sub check_tsm_port { - my $config = get_snmp_config(); - if ( $config->isChanged("tsm port") ) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - my $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line ( split( /\n/, $output ) ) { - if ( $line =~ /$reg/ ) { - print - "Actually port $port is using. 
It can not be used for tsm.\n"; - exit(1); - } - } - } -} - -# check group seclevel and user auth/privacy -sub check_seclevel { - my $config = get_snmp_config(); - my $haveError = 0; - if ( $config->isChanged("user") || $config->isChanged("group") ) { - foreach my $user ( $config->listNodes("user") ) { - if ( $config->exists("user $user group") ) { - my $group = $config->returnValue("user $user group"); - if ( $config->isChanged("user $user") - || $config->isChanged("group $group") ) - { - my $group_seclevel = - $config->returnValue("group $group seclevel"); - if ( $config->exists("user $user privacy") ) { - if ( $group_seclevel eq "auth" ) { - print -"User \"$user\" have privacy, but group \"$group\" have \"auth\" as seclevel. So auth and priv work both.\n"; - } - } - else { - if ( $group_seclevel eq "priv" ) { - print -"User \"$user\" will not work, because he haven't privacy, but group \"$group\" have \"priv\" as seclevel.\n"; - $haveError = 1; - } - } - } - } - } - } - if ($haveError) { - exit(1); - } -} - -sub copy_conf_to_tmp { - - # these files already contain SNMPv2 configuration - copy( $snmpd_conf, $snmpd_conf_tmp ) - or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) - or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) - or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; -} - -# update all vyatta config -# can be called directly -sub snmp_update { - - copy_conf_to_tmp(); - - set_tsm(); - - open( my $fh, '>>', $snmpd_conf_tmp ) - or die "Couldn't open $snmpd_conf_tmp - $!"; - - select $fh; - - set_views(); - set_groups(); - set_hosts(); - set_users_in_etc(); - - close $fh; - select STDOUT; - - move( $snmpd_conf_tmp, $snmpd_conf ) - or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; - - my $config = get_snmp_config(); - if ($config->exists("engineid")) { - $oldEngineID = $config->returnValue("engineid"); - } - - 
snmpd_stop(); - - #add newly added users to var config to get encrypted values - set_users_to_other(); - - move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) - or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; - move( $snmpd_var_conf_tmp, $snmpd_var_conf ) - or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; - - snmpd_start(); - snmpd_stop(); - - # now we have encrypted user config - start and read it after - snmpd_start(); - update_users_vyatta_conf(); -} - -# validate vyatta config before write it into files -# can be called directly -sub snmp_check { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - check_seclevel(); -} - -my $check_config; -my $update_snmp; -my $delete_snmp; - -GetOptions( - "check-config!" => \$check_config, - "update-snmp!" => \$update_snmp, - "delete-snmp!" => \$delete_snmp, - "oldEngineID=s" => \$oldEngineID, - "setserialno=s" => \$setserialno -); - -snmp_check() if ($check_config); -snmp_update() if ($update_snmp); -snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl deleted file mode 100755 index 5c4ff1d0..00000000 --- a/scripts/snmp/vyatta-snmp.pl +++ /dev/null 
@@ -1,333 +0,0 @@ -#!/usr/bin/perl -# -# Module: vyatta-snmp.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Stig Thormodsrud -# Date: October 2007 -# Description: Script to glue vyatta cli to snmp daemon -# -# **** End License **** -# - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5/"; -use Vyatta::Config; -use Vyatta::Misc; -use NetAddr::IP; -use Getopt::Long; -use File::Copy; -use Socket; -use Socket6; - -my $mibdir = '/opt/vyatta/share/snmp/mibs'; -my $snmp_start = 'systemctl start snmpd.service'; -my $snmp_stop = 'systemctl stop snmpd.service'; -my $snmp_conf = '/etc/snmp/snmpd.conf'; -my $snmp_client = '/etc/snmp/snmp.conf'; -my $snmp_tmp = "/tmp/snmpd.conf.$$"; -my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; -my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/run/snmpd.socket'; -my $password_file = '/config/snmp/superuser_pass'; - -my $snmp_level = 'service snmp'; - -sub snmp_running { - open (my $pidf, '<', "/run/snmpd.pid") - or return; - my $pid = <$pidf>; - close $pidf; - - chomp $pid; - my $exe = readlink "/proc/$pid/exe"; - - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); -} - -sub snmp_stop { - system("$snmp_stop > /dev/null 2>&1"); -} - -sub snmp_start { - # we must stop snmpd first for creating vyatta user - system("$snmp_stop > /dev/null 2>&1"); - open (my $fh, '>', 
$snmp_tmp) - or die "Couldn't open $snmp_tmp - $!"; - - select $fh; - snmp_get_constants(); - snmp_get_values(); - snmp_get_traps(); - close $fh; - select STDOUT; - - snmp_client_config(); - - move($snmp_tmp, $snmp_conf) - or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; -} - -sub get_version { - my $version = "unknown-version"; - - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; - } - return $version; -} - -# convert address to snmpd transport syntax -sub transport_syntax { - my ($addr, $port) = @_; - my $ip = new NetAddr::IP $addr; - die "$addr: not a valid IP address" unless $ip; - - my $version = $ip->version(); - return "udp:$addr:$port" if ($version == 4); - return "udp6:[$addr]:$port" if ($version == 6); - die "$addr: unknown IP version $version"; -} - -# Test if IPv6 is possible by opening a socket -sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; - close($s); - return; -} - -# Find SNMP agent listening addresses -sub get_listen_address { - my $config = new Vyatta::Config; - my @listen; - - $config->setLevel('service snmp listen-address'); - my @address = $config->listNodes(); - - if(@address) { - foreach my $addr (@address) { - my $port = $config->returnValue("$addr port"); - push @listen, transport_syntax($addr, $port); - } - } else { - # default if no address specified - @listen = ( 'udp:161' ); - push @listen, 'udp6:161' unless ipv6_disabled(); - return @listen; - } - - return @listen; -} - -sub snmp_get_constants { - my $version = get_version(); - my $now = localtime; - my @addr = get_listen_address(); - - # add local unix domain target for use by operational commands - unshift @addr, $local_agent; - - print "# autogenerated by vyatta-snmp.pl on $now\n"; - print "sysDescr VyOS $version\n"; - print "sysObjectID 1.3.6.1.4.1.44641\n"; - print "sysServices 14\n"; - print "master agentx\n"; # maybe needed by lldpd - print 
"agentaddress ", join(',',@addr), "\n"; - print "agentXPerms 0755 0755\n"; - - # add hook to read IF-MIB::ifAlias from sysfs - print "pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias\n"; - - print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.9\n"; # mribd - print "smuxpeer .1.3.6.1.2.1.83\n"; # mribd - print "smuxpeer .1.3.6.1.4.1.3317.1.2.8\n"; # pimd - print "smuxpeer .1.3.6.1.2.1.157\n"; # pimd - print "smuxsocket localhost\n"; -} - -# generate a random character hex string -sub randhex { - my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); -} - -# output snmpd.conf file syntax for community -sub print_community { - my ($config, $community) = @_; - my $ro = $config->returnValue('authorization'); - $ro = 'ro' unless $ro; - - my @clients = $config->returnValues('client'); - my @networks = $config->returnValues('network'); - - my @restriction = (@clients, @networks); - if (!@restriction) { - print $ro . "community $community\n"; - print $ro . "community6 $community\n" unless ipv6_disabled(); - return; - } - - foreach my $addr (@restriction) { - my $ip = new NetAddr::IP $addr; - die "$addr: Not a valid IP address" unless $ip; - - if ($ip->version() == 4) { - print $ro . "community $community $addr\n"; - } elsif ($ip->version() == 6) { - print $ro . 
"community6 $community $addr\n"; - } else { - die "$addr: bad IP version ", $ip->version(); - } - } -} - -sub snmp_get_values { - my $config = new Vyatta::Config; - - my @communities = $config->listNodes("service snmp community"); - foreach my $community (@communities) { - $config->setLevel("service snmp community $community"); - print_community($config, $community); - } - - $config->setLevel("service snmp smux-peer"); - my @smuxpeers = $config->returnValues(); - foreach my $smuxpeer (@smuxpeers) { - print "smuxpeer $smuxpeer \n"; - } - - $config->setLevel($snmp_level); - my $contact = $config->returnValue("contact"); - if (defined $contact) { - print "SysContact $contact \n"; - } - - my $description = $config->returnValue("description"); - if (defined $description) { - print "SysDescr $description \n"; - } - - my $location = $config->returnValue("location"); - if (defined $location) { - print "SysLocation $location \n"; - } -} - -sub snmp_get_traps { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - # linkUp/Down configure the Event MIB tables to monitor - # the ifTable for network interfaces being taken up or down - # for making internal queries to retrieve any necessary information - - # create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' - my $vyatta_user = "vyatta" . 
randhex(16); - snmp_create_snmpv3_user($vyatta_user); - snmp_write_snmpv3_user($vyatta_user); - print "iquerySecName $vyatta_user\n"; - - # Modified from the default linkUpDownNotification - # to include more OIDs and poll more frequently - print <listNodes("trap-target"); - return unless @trap_targets; - - foreach my $trap_target (@trap_targets) { - my $port = $config->returnValue("trap-target $trap_target port"); - my $community - = $config->returnValue("trap-target $trap_target community"); - - print "trap2sink $trap_target"; - print ":$port" if $port; - print " $community" if $community; - print "\n"; - } -} - -# Configure SNMP client parameters -sub snmp_client_config { - my $config = new Vyatta::Config; - $config->setLevel($snmp_level); - - open (my $cf, '>', $snmp_client) - or die "Couldn't open $snmp_client - $!"; - - my $version = get_version(); - my $now = localtime; - print {$cf} "# autogenerated by vyatta-snmp.pl on $now\n"; - - my $trap_source = $config->returnValue('trap-source'); - print {$cf} "clientaddr $trap_source\n" if ($trap_source); - close $cf; -} - -sub snmp_create_snmpv3_user { - - my $vyatta_user = shift; - my $passphrase = randhex(32); - - my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; - open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; - print $fh $createuser; - close $fh; - - open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; - print $pass_file $passphrase; - close $pass_file; -} - -sub snmp_write_snmpv3_user { - - my $vyatta_user = shift; - my $user = "rwuser $vyatta_user\n"; - open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; - print $fh $user; - close $fh; -} - - -# -# main -# -my $update_snmp; -my $stop_snmp; - -GetOptions("update-snmp!" => \$update_snmp, - "stop-snmp!" => \$stop_snmp); - -snmp_start() if ($update_snmp); -snmp_stop() if ($stop_snmp); 
diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl
deleted file mode 100755
index 599fe398..00000000
--- a/scripts/system/vyatta_check_snmp_name.pl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/perl
-
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
-# All Rights Reserved.
-#
-# **** End License ****
-
-use strict;
-use warnings;
-
-foreach my $name (@ARGV) {
- die "$name : illegal characters in name\n"
- if (!($name =~ /^[a-zA-Z0-9]*$/));
-
- # Usernames may only be up to 32 characters long.
- die "$name: name may only be up to 32 characters long\n"
- if (length($name) > 32);
-}
-
-exit 0;
-- cgit v1.2.3