Emilien Macchi 43155ed146 Restrict SNMP to internal network
Add a parameter, SnmpdIpSubnet, an IP/MASK used by the IPtables rule to
restrict the source network authorized to reach the SNMP service on the
host.
If SnmpdIpSubnet is left empty (default) the parameter will be set to
SnmpdNetwork.

Also change the IPtables id, 127 was used by Horizon, so let's switch
SNMP to 124. No impact on users.

Change-Id: I46fce28926cb5a881f7384948480266712ae75e3
Closes-Bug: #1749324
2018-02-19 02:24:28 +00:00


heat_template_version: queens

description: >
  SNMP client configured with Puppet, to facilitate Ceilometer Hardware
  monitoring in the undercloud. This service is required to enable hardware
  monitoring.

parameters:
  # Standard TripleO service-template inputs; most are unused here but are
  # part of the common service interface.
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json

  # SNMPv3 read-only credentials handed to the Puppet profile.
  SnmpdReadonlyUserName:
    default: ro_snmp_user
    description: The user name for SNMPd with readonly rights running on all Overcloud nodes
    type: string
  SnmpdReadonlyUserPassword:
    description: The user password for SNMPd with readonly rights running on all Overcloud nodes
    type: string
    # hidden: the secret must not be echoed back in stack/parameter output.
    hidden: true

  # Listener addresses. The default 'udp:161' carries no host address, so
  # (per net-snmp agentaddress semantics) it is not bound to a single
  # interface; reachability is scoped by the firewall rule below, not here.
  SnmpdBindHost:
    description: An array of bind host addresses on which SNMP daemon will listen.
    type: comma_delimited_list
    default: ['udp:161','udp6:[::1]:161']
  SnmpdOptions:
    description: A string containing the commandline options passed to snmpd
    type: string
    default: '-LS0-5d'

  # Source IP/MASK allowed through the firewall to port 161. Left empty,
  # the subnet of the SnmpdNetwork entry in ServiceNetMap is used instead.
  SnmpdIpSubnet:
    default: ''
    description: >-
      IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
      will be taken.
    type: string

conditions:
  # True when the operator did not override the allowed source subnet.
  snmpd_network_unset: {equals: [{get_param: SnmpdIpSubnet}, '']}

outputs:
  role_data:
    description: Role data for the SNMP services
    value:
      service_name: snmp
      config_settings:
        tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
        tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
        snmp::agentaddress: {get_param: SnmpdBindHost}
        snmp::snmpd_options: {get_param: SnmpdOptions}
        # Hiera key name "<network>_subnet" for the network snmpd lives on;
        # resolved at Puppet time via the hiera() interpolation below.
        snmpd_network:
          str_replace:
            template: "NETWORK_subnet"
            params:
              NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
        # Rule id 124: 127 is already taken by Horizon (see commit message).
        tripleo.snmp.firewall_rules:
          '124 snmp':
            dport: 161
            proto: 'udp'
            # if: [condition, value-when-true, value-when-false]
            # Unset -> the subnet derived from SnmpdNetwork; otherwise the
            # operator-supplied SnmpdIpSubnet is the only allowed source.
            source:
              if:
                - snmpd_network_unset
                - "%{hiera('snmpd_network')}"
                - {get_param: SnmpdIpSubnet}
      step_config: |
        include ::tripleo::profile::base::snmp
      upgrade_tasks:
        - name: Stop snmp service
          when: step|int == 1
          service: name=snmpd state=stopped