e2f6aec3e5
By default, the auth type for the snmpd user is MD5. This fails on a FIPS enabled system, resulting in snmpd not starting correctly. This change provides an option to specify the auth type to something that is supported ('SHA') Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/813087 Change-Id: Ie07cb10e1c6b81cff29177fb724feffc69a5dc68
109 lines
3.7 KiB
YAML
109 lines
3.7 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
SNMP client configured with Puppet, to facilitate Ceilometer Hardware
|
|
monitoring in the undercloud. This service is required to enable hardware
|
|
monitoring.
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
SnmpdReadonlyUserAuthType:
|
|
default: MD5
|
|
description: The user auth type for SNMPd with readonly rights running on all Overcloud nodes
|
|
type: string
|
|
SnmpdReadonlyUserName:
|
|
default: ro_snmp_user
|
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
|
type: string
|
|
SnmpdReadonlyUserPassword:
|
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
|
type: string
|
|
hidden: true
|
|
SnmpdBindHost:
|
|
description: An array of bind host addresses on which SNMP daemon will listen.
|
|
type: comma_delimited_list
|
|
default: ['udp:161','udp6:[::1]:161']
|
|
SnmpdOptions:
|
|
description: A string containing the commandline options passed to snmpd
|
|
type: string
|
|
default: '-LS0-5d'
|
|
SnmpdIpSubnet:
|
|
default: ''
|
|
description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
|
|
will be taken.
|
|
type: string
|
|
conditions:
|
|
snmpd_network_set:
|
|
not: {equals : [{get_param: SnmpdIpSubnet}, '']}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the SNMP services
|
|
value:
|
|
service_name: snmp
|
|
firewall_rules:
|
|
if:
|
|
- snmpd_network_set
|
|
- '124 snmp':
|
|
dport: 161
|
|
proto: 'udp'
|
|
source: {get_param: SnmpdIpSubnet}
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>:
|
|
get_param:
|
|
- ServiceData
|
|
- net_cidr_map
|
|
- {get_param: [ServiceNetMap, SnmpdNetwork]}
|
|
template:
|
|
'124 snmp <%net_cidr%>':
|
|
dport: 161
|
|
proto: 'udp'
|
|
source: <%net_cidr%>
|
|
config_settings:
|
|
tripleo::profile::base::snmp::snmpd_auth_type: {get_param: SnmpdReadonlyUserAuthType}
|
|
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
|
|
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
|
snmp::agentaddress: {get_param: SnmpdBindHost}
|
|
snmp::snmpd_options: {get_param: SnmpdOptions}
|
|
step_config: |
|
|
include tripleo::profile::base::snmp
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
block:
|
|
- name: Check if snmpd is enabled
|
|
command: systemctl is-enabled --quiet snmpd
|
|
failed_when: false
|
|
register: snmpd_enabled_result
|
|
- name: Set fact snmpd_enabled
|
|
set_fact:
|
|
snmpd_enabled: "{{ snmpd_enabled_result.rc == 0 }}"
|
|
- name: Stop snmp service
|
|
when:
|
|
- step|int == 1
|
|
- snmpd_enabled|bool
|
|
service: name=snmpd state=stopped
|