From 373fcb829e95b52c6edd5fafd087012988d66c07 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 18 Feb 2020 16:39:18 +0100 Subject: snmp: T1769: cleanup leftove code path for certificate migration --- src/conf_mode/snmp.py | 138 +++++++++++++++++++------------------------------- 1 file changed, 52 insertions(+), 86 deletions(-) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 0f1fe8a79..7cffa5e04 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -701,92 +701,58 @@ def generate(snmp): return None def apply(snmp): - if snmp is not None: - - nonvolatiledir = '/config/snmp/tls' - volatiledir = '/etc/snmp/tls' - if not os.path.exists(nonvolatiledir): - os.makedirs(nonvolatiledir) - os.chmod(nonvolatiledir, stat.S_IWUSR | stat.S_IRUSR) - # get uid for user 'snmp' - # jessie snmp user = snmp - # buster snmp user = Debian-snmp - # keep it backwards compatible for Crux - - un = [x[0] for x in pwd.getpwall()] - # debian snmp uid is 114 per default across releases - snmp_uid = 114 - if 'snmp' in un: - snmp_uid = pwd.getpwnam('snmp').pw_uid - elif 'Debian-snmp' in un: - snmp_uid = pwd.getpwnam('Debian-snmp').pw_uid - - os.chown(nonvolatiledir, snmp_uid, -1) - - # move SNMP certificate files from volatile location to non volatile /config/snmp - if os.path.exists(volatiledir) and os.path.isdir(volatiledir): - files = os.listdir(volatiledir) - for f in files: - move(volatiledir + '/' + f, nonvolatiledir) - os.chmod(nonvolatiledir + '/' + f, stat.S_IWUSR | stat.S_IRUSR) - - os.rmdir(volatiledir) - os.symlink(nonvolatiledir, volatiledir) - - if os.path.islink(volatiledir): - link = os.readlink(volatiledir) - if link != nonvolatiledir: - os.unlink(volatiledir) - os.symlink(nonvolatiledir, volatiledir) - - # start SNMP daemon - os.system("systemctl daemon-reload") - os.system("systemctl restart snmpd.service") - - # Passwords are not available immediately in the configuration file, - # after daemon startup - we wait until they have been processed by - # snmpd, which we see when a magic line appears in this file. - ready = False - while not ready: - while not os.path.exists(config_file_user): - sleep(0.1) - - with open(config_file_user, 'r') as f: - for line in f: - # Search for our magic string inside the file - if 'usmUser' in line: - ready = True - break - - # net-snmp is now regenerating the configuration file in the background - # thus we need to re-open and re-read the file as the content changed. - # After that we can no read the encrypted password from the config and - # replace the CLI plaintext password with its encrypted version. - with open(config_file_user, 'r') as f: - engineID = '' - for line in f: - if line.startswith('usmUser'): - string = line.split(' ') - cfg = { - 'user': string[4].replace(r'"', ''), - 'auth_pw': string[8], - 'priv_pw': string[10] - } - # No need to take care about the VyOS internal user - if cfg['user'] == snmp['vyos_user']: - ready = True - continue - - # Now update the running configuration - # - # Currently when executing os.system() the environment does not have the vyos_libexec_dir variable set, see T685 - os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key {1} > /dev/null'.format(cfg['user'], cfg['auth_pw'])) - os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key {1} > /dev/null'.format(cfg['user'], cfg['priv_pw'])) - os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user'])) - os.system('vyos_libexec_dir=/usr/libexec/vyos /opt/vyatta/sbin/my_delete service snmp v3 user "{0}" privacy plaintext-key > /dev/null'.format(cfg['user'])) - - # Enable AgentX in FRR - os.system('vtysh -c "configure terminal" -c "agentx" >/dev/null') + if snmp is None: + return None + + # start SNMP daemon + os.system("systemctl restart snmpd.service") + + # Passwords are not available immediately in the configuration file, + # after daemon startup - we wait until they have been processed by + # snmpd, which we see when a magic line appears in this file. + ready = False + while not ready: + while not os.path.exists(config_file_user): + sleep(0.5) + ready = True + + with open(config_file_user, 'r') as f: + for line in f: + # Search for our magic string inside the file + if 'usmUser' in line: + ready = True + break + + # net-snmp is now regenerating the configuration file in the background + # thus we need to re-open and re-read the file as the content changed. + # After that we can no read the encrypted password from the config and + # replace the CLI plaintext password with its encrypted version. + os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" + with open(config_file_user, 'r') as f: + engineID = '' + for line in f: + if line.startswith('usmUser'): + string = line.split(' ') + cfg = { + 'user': string[4].replace(r'"', ''), + 'auth_pw': string[8], + 'priv_pw': string[10] + } + # No need to take care about the VyOS internal user + if cfg['user'] == snmp['vyos_user']: + continue + + # Now update the running configuration + # + # Currently when executing os.system() the environment does not + # have the vyos_libexec_dir variable set, see Phabricator T685. + os.system('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['auth_pw'])) + os.system('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['priv_pw'])) + os.system('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user'])) + os.system('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" privacy plaintext-key > /dev/null'.format(cfg['user'])) + + # Enable AgentX in FRR + os.system('vtysh -c "configure terminal" -c "agentx" >/dev/null') return None -- cgit v1.2.3