Age | Commit message (Collapse) | Author |
|
Replace links to the phabricator site from https://phabricator.vyos.net to
https://vyos.dev
|
|
After the RESTRICTED view was introduced snmpd requires a network to be
specified. Before adding the RESTRICTED view snmpd always assumed the default
network 0.0.0.0/0.
This commit re-adds the build in default networks for IPv4 and IPv6 and
exposes it as a proper default to the CLI so the user is informed about it:
vyos@vyos# set service snmp community foooo
Possible completions:
authorization Authorization type (default: ro)
+ client IP address of SNMP client allowed to contact system
+ network Subnet of SNMP client(s) allowed to contact system (default:
0.0.0.0/0, ::/0)
|
|
T4857: SNMP: Implement FRR SNMP Recomendations
|
|
warning message
|
|
|
|
This prevents any stale override files when the system is beeing rebooted,
but the actual configuration was not saved. /run is a tmpfs and thus
always fresh after boot.
|
|
FRR: T4020: Added CLI options for FRR daemons
|
|
|
|
|
|
|
|
- Reverted changes from `python/vyos/util.py`. This may lead to
unnecessary FRR restart during each boot, depending on a default file
content and template, but makes this changeset cleaner.
- Fixed typos in node names (extra `>` characters).
- Added SNMP module for `isisd` and `ldpd`, since they have it compiled
now.
|
|
|
|
|
|
Added first CLI items for controlling FRR daemons parameters that
cannot be changed via vtysh and are available via arguments only. Now
it is possible to enable/disable modules: SNMP (for each daemon),
BMP (for BGP), IRDP (for Zebra).
|
|
We need to use a temporary variable when validating the tuple if address
is used. If not the else branch will always add the tuple to the list of
addresses used for listen-address.
|
|
|
|
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|
|
The 3rd party library used for calculating the SNMP hashes in advance only
worked for SHA and nod for MD5 as SHA was hardcoded [1]. The code has been
replaced by a class-less implementation providing only the required
functionality.
[1]: https://github.com/TheMysteriousX/SNMPv3-Hash-Generator/issues/2
|
|
As of now when adding new credentials for any SNMPv3 user we submit the
credential either plaintext or encrypted. A plaintext credential will be hashed
by SNMPd in the background and then passed back into the CLI so it's not stored
in cleartext. This feels like the wrong way in changing the CLI content with
data produced by a 3rd party daemon which implements the service.
It feels like the tail wiggles the entire dog.
This should be changed in the following way:
- After retrieving the plaintext password from CLI, use Python to hash the key
in advance
- Re-populate the encrypted key into the CLI and drop the plaintext one
- Generate service configuration and continue startup of SNMPd
This also fixes a race condition when SNMPd started up but not properly
provided the hasehd keys in the configuration resulting in a ConfigurationError.
Now as we also support binding SNMPd to a VRF this fixes a deadlock situation
on bootup as we can only bind late to the VRF and require up to 5 restarts of
the service - but the service will never start.
|
|
Linux tries to bind sshd to the VRF but it is yet not ready - for any arbitrary
reason. After restarting SSH to often (rate-limiting) it is blocked by systemd.
Using Restart/RestartSec is not enough - systemd services use start rate
limiting (enabled by default). If service is started more than StartLimitBurst
times in StartLimitIntervalSec seconds is it not permitted to start any more.
Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and
DefaultStartLimitBurst (default 5).
|
|
For an unknown reason snmpd not always starts after reboot.
|
|
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
After migrating PowerDNS to systemd and also its configuration files to a
volatile directory in commit 77d725f ("dns-forwarding: T2185: move configuration
files to volatile /run directory") the path for the control file has not
been altered and pushed to the client rec_control binary"
|
|
convert all call to jinja to use template.render
|
|
os.system does print the ouput of the command, run() does not.
A new function called call() does the printing and return the error code.
|
|
As little change a possible but the function call
The behaviour should be totally unchanged.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A consistency check was missing to prevent deleting the SNMP configuration
but still setting "service lldp snmp enable".
|
|
As we need to operate with usmUser, we can search for it directly if its
present or not. There is always one usmUser entry for the system user.
|
|
|
|
|
|
|
|
|
|
This is actually an "upstream" bug, see [1] but it can be fixed via our own
scripts.
[1]: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1384122
|
|
This reverts commit 6945b2e3561cd76d193d41dd6ab5249661230460.
|
|
|
|
|
|
Remove informative but noisy messages:
Dec 30 11:45:02 vyos snmpd[2870]: Connection from UDP: [172.16.100.1]:42781 ...
Dec 30 11:45:02 vyos snmpd[2870]: Connection from UDP: [172.16.100.1]:57331 ...
|
|
suppress error message:
Dec 30 11:44:10 LR1 snmpd[2870]: error on subcontainer 'ia_addr' insert (-1)
|
|
|
|
|