diff --git a/README.md b/README.md
index 1d60c79e..2fb272e7 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Actions:
 OS Support:
-* RedHat family - tested on CentOS 5.9 and CentOS 6.4
+* RedHat family - tested on CentOS 5.9, CentOS 6.6, and CentOS 7.0
 * SuSE family - tested on SLES 11 SP1
 * Debian family - tested on Ubuntu 12.04.2 LTS, Debian 6.0.7, and Debian 7.0
 * FreeBSD family - tested on FreeBSD 9.2-RELEASE, FreeBSD 10.0-RELEASE
@@ -30,12 +30,13 @@ Class documentation is available via puppetdoc.
 Examples
 --------
-To install the SNMP service:
+To install the SNMP service listening on all IPv4 and IPv6 interfaces:
 ```puppet
 class { 'snmp':
- agentaddress => [ 'udp:161', ],
+ agentaddress => [ 'udp:161', 'udp6:161' ],
 com2sec => [ 'notConfigUser 10.20.30.40/32 SeCrEt' ],
+ come2sec6 => [ 'notConfiguser fd48:45d7:f49b:cb0f::1/128 SeCrEt' ],
 contact => 'root@yourdomain.org',
 location => 'Phoenix, AZ',
 }
@@ -100,15 +101,17 @@ snmp::snmpv3_user { 'myuser':
 Notes
 -----
-* Only tested on CentOS 5.9, CentOS 6.4, Ubuntu 12.04.2 LTS, Debian squeeze, and
- Debian wheezy x86_64.
+* By default the SNMP service now listens on BOTH the IPv4 and IPv6 loopback
+ addresses.
+* Only tested on CentOS 5.9, CentOS 6.6, CentOS 7.0, Ubuntu 12.04.2 LTS, Debian
+ squeeze, and Debian wheezy x86_64.
 * SNMPv3 user auth is not yet tested on Debian or Suse osfamilies.
 * There is a bug on Debian squeeze of net-snmp's status script. If snmptrapd is not running the status script returns 'not running' so puppet restarts the snmpd service. The following is a workaround: `class { 'snmp': service_hasstatus => false, trap_service_hasstatus => false, }`
 * For security reasons, the SNMP daemons are configured to listen on the loopback
- interface (127.0.0.1). Use `agentaddress` and `snmptrapdaddr` to change this
+ interfaces (127.0.0.1 and [::1]). Use `agentaddress` and `snmptrapdaddr` to change this
 configuration.
 * [Traditional Access Control](http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAK) is not fully
diff --git a/manifests/init.pp b/manifests/init.pp
index d8e9ff19..504ca9c9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,29 +6,45 @@
 #
 # [*agentaddress*]
 # An array of addresses, on which snmpd will listen for queries.
-# Default: [ udp:127.0.0.1:161 ]
+# Default: [ udp:127.0.0.1:161, udp6:[::1]:161 ]
 #
 # [*snmptrapdaddr*]
 # An array of addresses, on which snmptrapd will listen to receive incoming
 # SNMP notifications.
-# Default: [ udp:127.0.0.1:162 ]
+# Default: [ udp:127.0.0.1:162, udp6:[::1]:162 ]
 #
 # [*ro_community*]
 # Read-only (RO) community string for snmptrap daemon.
 # Default: public
 #
+# [*ro_community6*]
+# Read-only (RO) community string for IPv6.
+# Default: public
+#
 # [*rw_community*]
 # Read-write (RW) community string.
 # Default: none
 #
+# [*rw_community6*]
+# Read-write (RW) community string for IPv6.
+# Default: none
+#
 # [*ro_network*]
 # Network that is allowed to RO query the daemon.
 # Default: 127.0.0.1
 #
+# [*ro_network6*]
+# Network that is allowed to RO query the daemon via IPv6.
+# Default: ::1/128
+#
 # [*rw_network*]
 # Network that is allowed to RW query the daemon.
 # Default: 127.0.0.1
 #
+# [*rw_network6*]
+# Network that is allowed to RW query the daemon via IPv6.
+# Default: ::1/128
+#
 # [*contact*]
 # Responsible person for the SNMP system.
 # Default: Unknown
@@ -51,6 +67,12 @@
 # See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details.
 # Default: [ "notConfigUser default public" ]
 #
+# [*com2sec6*]
+# An array of VACM com2sec6 mappings.
+# Must provide SECNAME, SOURCE and COMMUNITY.
+# See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details.
+# Default: [ "notConfigUser default ${ro_community}" ]
+#
 # [*groups*]
 # An array of VACM group mappings.
 # Must provide GROUP, {v1|v2c|usm|tsm|ksm}, SECNAME.
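Review bot: The documented defaults for `ro_network6` and `rw_network6` (`::1/128`) do not match what params.pp sets in this same commit (`'::1'`), and the four new `*_community6`/`*_network6` entries read as if they control access, whereas the template hunk in this commit renders them only into commented-out `#rocommunity6`/`#rwcommunity6` lines, so setting `rw_community6` grants nothing by itself. These entries are what an operator reads when deciding whether a community string is protected, so I would change both defaults to `# Default: ::1` and add a sentence to each of the four entries along the lines of `# NOTE: written to snmpd.conf only as a commented-out line; grant access through com2sec6/groups/accesses.`. The pre-existing IPv4 entries have the same gap, but the new ones should not copy it. The surrounding class doc block starts before the hunk.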
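Review bot: The documented default for `com2sec6`, `[ "notConfigUser default ${ro_community}" ]`, does not match the value params.pp assigns in this commit, which is the literal `"notConfigUser default public"` with no reference to `ro_community` or `ro_community6`. Either the code should derive the community from `$ro_community6`, or this line should read `# Default: [ "notConfigUser default public" ]` like the IPv4 entry above it; in both cases the SOURCE field `default` deserves a warning here, because once `agentaddress` lists a non-loopback `udp6:` endpoint it admits any IPv6 peer presenting that community. Separately, the README example added by this commit writes the parameter as `come2sec6` and the security name as `notConfiguser`, neither of which matches `com2sec6` or the `notConfigUser` used by the `groups` default, so copying it should fail at catalog compilation or, with the parameter name fixed, map the IPv6 source to a secName that belongs to no group.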
@@ -226,14 +248,19 @@
 $agentaddress = $snmp::params::agentaddress,
 $snmptrapdaddr = $snmp::params::snmptrapdaddr,
 $ro_community = $snmp::params::ro_community,
+ $ro_community6 = $snmp::params::ro_community6,
 $rw_community = $snmp::params::rw_community,
+ $rw_community6 = $snmp::params::rw_community6,
 $ro_network = $snmp::params::ro_network,
+ $ro_network6 = $snmp::params::ro_network6,
 $rw_network = $snmp::params::rw_network,
+ $rw_network6 = $snmp::params::rw_network6,
 $contact = $snmp::params::contact,
 $location = $snmp::params::location,
 $sysname = $snmp::params::sysname,
 $services = $snmp::params::services,
 $com2sec = $snmp::params::com2sec,
+ $com2sec6 = $snmp::params::com2sec6,
 $groups = $snmp::params::groups,
 $views = $snmp::params::views,
 $accesses = $snmp::params::accesses,
diff --git a/manifests/params.pp b/manifests/params.pp
index d525c0c3..fc8caaf4 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -17,12 +17,12 @@
 # If we have a top scope variable defined, use it, otherwise fall back to a
 # hardcoded value.
 $agentaddress = $::snmp_agentaddress ? {
- undef => [ 'udp:127.0.0.1:161' ],
+ undef => [ 'udp:127.0.0.1:161', 'udp6:[::1]:161' ],
 default => $::snmp_agentaddress,
 }
 $snmptrapdaddr = $::snmp_snmptrapdaddr ? {
- undef => [ 'udp:127.0.0.1:162' ],
+ undef => [ 'udp:127.0.0.1:162', 'udp6:[::1]:162' ],
 default => $::snmp_snmptrapdaddr,
 }
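Review bot: The new hard-coded defaults add `udp6:[::1]:161` and `udp6:[::1]:162` for every node that does not set `$::snmp_agentaddress`/`$::snmp_snmptrapdaddr`, including hosts that have IPv6 disabled; on such a host net-snmp cannot open the `[::1]` endpoint and, as far as I recall, exits at startup rather than continuing with the remaining addresses, so a loopback-only default turns into an SNMP outage after the next Puppet run. I would make the IPv6 entries conditional on an IPv6 fact, e.g. `undef => $::ipaddress6 ? { undef => [ 'udp:127.0.0.1:161' ], default => [ 'udp:127.0.0.1:161', 'udp6:[::1]:161' ] },` for both selectors, or keep the old default and document `udp6:` as opt-in. Either way the README note this commit adds about the new listener should mention the IPv6-disabled case. Both selectors sit inside `class snmp::params`, whose header is outside the hunk.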
@@ -30,21 +30,41 @@
 undef => 'public',
 default => $::snmp_ro_community,
 }
+
+ $ro_community6 = $::snmp_ro_community6 ? {
+ undef => 'public',
+ default => $::snmp_ro_community6,
+ }
 $rw_community = $::snmp_rw_community ? {
 undef => undef,
 default => $::snmp_rw_community,
 }
+
+ $rw_community6 = $::snmp_rw_community6 ? {
+ undef => undef,
+ default => $::snmp_rw_community6,
+ }
 $ro_network = $::snmp_ro_network ? {
 undef => '127.0.0.1',
 default => $::snmp_ro_network,
 }
+ $ro_network6 = $::snmp_ro_network6 ? {
+ undef => '::1',
+ default => $::snmp_ro_network6,
+ }
+
 $rw_network = $::snmp_rw_network ? {
 undef => '127.0.0.1',
 default => $::snmp_rw_network,
 }
+
+ $rw_network6 = $::snmp_rw_network6 ? {
+ undef => '::1',
+ default => $::snmp_rw_network6,
+ }
 $contact = $::snmp_contact ? {
 undef => 'Unknown',
@@ -68,6 +88,13 @@
 default => $::snmp_com2sec,
 }
+ $com2sec6 = $::snmp_com2sec6 ? {
+ undef => [
+ "notConfigUser default public",
+ ],
+ default => $::snmp_com2sec6,
+ }
+
 $groups = $::snmp_groups ? {
 undef => [
 'notConfigGroup v1 notConfigUser',
diff --git a/spec/classes/snmp_init_spec.rb b/spec/classes/snmp_init_spec.rb
index b97367e9..9a380bd5 100644
--- a/spec/classes/snmp_init_spec.rb
+++ b/spec/classes/snmp_init_spec.rb
@@ -62,9 +62,11 @@
 # TODO add more contents for File[snmpd.conf]
 it 'should contain File[snmpd.conf] with expected contents' do
 verify_contents(subject, 'snmpd.conf', [
- 'agentaddress udp:127.0.0.1:161',
+ 'agentaddress udp:127.0.0.1:161,udp6:[::1]:161',
 '#rocommunity public 127.0.0.1',
+ '#rocommunity6 public ::1',
 'com2sec notConfigUser default public',
+ 'com2sec6 notConfigUser default public',
 'group notConfigGroup v1 notConfigUser',
 'group notConfigGroup v2c notConfigUser',
 'view systemview included .1.3.6.1.2.1.1',
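Review bot: The blank lines around the four new selectors are placed inconsistently: `$ro_community6`, `$rw_community6` and `$rw_network6` each get an added blank line before them, while `$ro_network6` gets none before and one after, so the new blocks no longer follow the one-blank-between-selectors layout of the existing code. Pick one placement and apply it to all four. The `'::1'` defaults also disagree with the `::1/128` this commit documents in init.pp; as they only feed commented-out template lines the value is not load-bearing, but doc and code should say the same thing. The enclosing `class snmp::params` starts before the hunk.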
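Review bot: The `$com2sec6` default hard-codes `"notConfigUser default public"` instead of using `$ro_community6`, which is assigned a few lines above in the same class, so a node that sets `$::snmp_ro_community6` to a secret still has snmpd accept `public` from any IPv6 source (`default`) mapped to the read-only security name. That mirrors the pre-existing IPv4 `$com2sec` default, but it is the entry operators will assume reflects their community setting, and the init.pp doc in this commit already claims the default is derived from the community variable. `"notConfigUser default ${ro_community6}"` would make the override effective and is the only reason to keep the double quotes, which puppet-lint otherwise flags on an interpolation-free string. If the literal is intentional, the init.pp doc should be corrected to say `public` instead.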
@@ -177,9 +179,11 @@
 # TODO add more contents for File[snmpd.conf]
 it 'should contain File[snmpd.conf] with expected contents' do
 verify_contents(subject, 'snmpd.conf', [
- 'agentaddress udp:127.0.0.1:161',
+ 'agentaddress udp:127.0.0.1:161,udp6:[::1]:161',
 '#rocommunity public 127.0.0.1',
+ '#rocommunity6 public ::1',
 'com2sec notConfigUser default public',
+ 'com2sec6 notConfigUser default public',
 'group notConfigGroup v1 notConfigUser',
 'group notConfigGroup v2c notConfigUser',
 'view systemview included .1.3.6.1.2.1.1',
@@ -279,9 +283,11 @@
 # TODO add more contents for File[snmpd.conf]
 it 'should contain File[snmpd.conf] with expected contents' do
 verify_contents(subject, 'snmpd.conf', [
- 'agentaddress udp:127.0.0.1:161',
+ 'agentaddress udp:127.0.0.1:161,udp6:[::1]:161',
 '#rocommunity public 127.0.0.1',
+ '#rocommunity6 public ::1',
 'com2sec notConfigUser default public',
+ 'com2sec6 notConfigUser default public',
 'group notConfigGroup v1 notConfigUser',
 'group notConfigGroup v2c notConfigUser',
 'view systemview included .1.3.6.1.2.1.1',
@@ -386,9 +392,11 @@
 # TODO add more contents for File[snmpd.conf]
 it 'should contain File[snmpd.conf] with expected contents' do
 verify_contents(subject, 'snmpd.conf', [
- 'agentaddress udp:127.0.0.1:161',
+ 'agentaddress udp:127.0.0.1:161,udp6:[::1]:161',
 '#rocommunity public 127.0.0.1',
+ '#rocommunity6 public ::1',
 'com2sec notConfigUser default public',
+ 'com2sec6 notConfigUser default public',
 'group notConfigGroup v1 notConfigUser',
 'group notConfigGroup v2c notConfigUser',
 'view systemview included .1.3.6.1.2.1.1',
@@ -583,6 +591,15 @@
 end
 end
+ describe 'com2sec6 => [ SomeString ]' do
+ let(:params) {{ :com2sec6 => [ 'SomeString', ] }}
+ it 'should contain File[snmpd.conf] with contents "com2sec6 SomeString"' do
+ verify_contents(subject, 'snmpd.conf', [
+ 'com2sec6 SomeString',
+ ])
+ end
+ end
+
 describe 'groups => [ SomeString ]' do
 let(:params) {{ :groups => [ 'SomeString', ] }}
 it 'should contain File[snmpd.conf] with contents "groups SomeString"' do
diff --git a/templates/snmpd.conf.erb b/templates/snmpd.conf.erb
index fb64b9ad..139329dd 100644
--- a/templates/snmpd.conf.erb
+++ b/templates/snmpd.conf.erb
@@ -15,9 +15,13 @@ agentaddress <%= @agentaddress.join(',') %>
 # ------------------------------------------------------------------------------
 # Traditional Access Control
 #rocommunity <%= @ro_community %> <%= @ro_network %>
+#rocommunity6 <%= @ro_community6 %> <%= @ro_network6 %>
 <% if @rw_community -%>
 #rwcommunity <%= @rw_community %> <%= @rw_network %>
 <% end -%>
+<% if @rw_community6 -%>
+#rwcommmunity6 <%= @rw_community6 %> <%= @rw_network6 %>
+<% end -%>
 # ------------------------------------------------------------------------------
 # VACM Configuration
@@ -28,6 +32,12 @@ com2sec <%= com2sec %>
 <% end -%>
 <% end -%>
+<% if @com2sec6.any? -%>
+<% @com2sec6.each do |com2sec6| -%>
+com2sec6 <%= com2sec6 %>
+<% end -%>
+<% end -%>
+
 # groupName securityModel securityName
 <% if @groups.any? -%>
 <% @groups.each do |group| -%>
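Review bot: The new example only pins `com2sec6`; none of the other parameters added by this commit (`ro_community6`, `rw_community6`, `ro_network6`, `rw_network6`) is exercised with a non-default value, so the `rw_community6` branch of templates/snmpd.conf.erb is never rendered by the suite. A sibling example such as `let(:params) {{ :rw_community6 => 'SeCrEt', :rw_network6 => 'fd00::/8' }}` asserting `'#rwcommunity6 SeCrEt fd00::/8'` in snmpd.conf would have caught the misspelled directive that the template hunk in this commit introduces. The enclosing `describe` starts before the hunk.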
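Review bot: The added line `#rwcommmunity6 <%= @rw_community6 %> <%= @rw_network6 %>` spells the directive with three m's, unlike the IPv4 `#rwcommunity` line above it. Because it is emitted commented out it does not change the running daemon, but it is exactly the line an operator will uncomment to enable IPv6 read-write access, and net-snmp has no `rwcommmunity6` token, so, as far as I recall, the uncommented line would only produce an unknown-token warning rather than the intended access. Change it to `#rwcommunity6 <%= @rw_community6 %> <%= @rw_network6 %>`. Since both `rw` lines stay commented, a comment under `# Traditional Access Control` saying so, e.g. `# these lines are rendered disabled; grant access via the VACM section below`, would stop the next reader from assuming `rw_community6` is live.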