Skip to content
Permalink
Browse files

[debops.snmpd] Redesign SNMPv3 password storage

  • Loading branch information...
drybjed committed Aug 12, 2019
1 parent bb3fcbb commit 60c170b50084d30a48b3150c3025f65258f05b12
@@ -396,6 +396,14 @@ User management
replicated if needed. The backup host itself can also be snapshotted, with
support for snapshots on removable media.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- The local SNMPv3 username and password will be stored in a separate file and
retrieved via Ansible local facts, to not break Ansible fact gathering on
unprivileged accounts. The password file is protected by strict read
permission and accessible only by the ``root`` UNIX account.

:ref:`debops.system_groups` role
''''''''''''''''''''''''''''''''

@@ -154,18 +154,21 @@
when: ((snmpd_register_version|d() and not snmpd_register_version.stdout) and
(snmpd_account|d() and snmpd_account))

- name: Save local SNMPv3 password for retrieval via Ansible facts
template:
src: 'etc/snmp/ansible-local-password.json.j2'
dest: '/etc/snmp/ansible-local-password.json'
mode: '0600'
no_log: True

- name: Make sure that Ansible local fact directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'

- name: Save snmpd local facts
template:
src: 'etc/ansible/facts.d/snmpd.fact.j2'
dest: '/etc/ansible/facts.d/snmpd.fact'
owner: 'root'
group: 'root'
mode: '0600'
mode: '0755'
@@ -1,5 +1,29 @@
{
"installed":"true",
"username":"{{ ansible_local.snmpd.username if (ansible_local|d() and ansible_local.snmpd|d() and ansible_local.snmpd.username) else snmpd_account_local_username }}",
"password":"{{ ansible_local.snmpd.password if (ansible_local|d() and ansible_local.snmpd|d() and ansible_local.snmpd.password) else snmpd_account_local_password }}"
}
#!{{ ansible_python['executable'] }}

# {{ ansible_managed }}

from __future__ import print_function
from json import load, dumps
import subprocess
import os


def cmd_exists(cmd):
return any(
os.access(os.path.join(path, cmd), os.X_OK)
for path in os.environ["PATH"].split(os.pathsep)
)


password_file = '/etc/snmp/ansible-local-password.json'

output = {'installed': cmd_exists('snmpd')}

if os.path.exists(password_file) and os.path.isfile(password_file):
try:
with open(password_file, 'r') as f:
output.update(load(f))
except Exception:
pass

print(dumps(output, sort_keys=True, indent=4))
@@ -0,0 +1,11 @@
{% set snmpd__tpl_username = (ansible_local.snmpd.username
if (ansible_local|d() and ansible_local.snmpd|d() and
ansible_local.snmpd.username)
else snmpd_account_local_username) %}
{% set snmpd__tpl_password = (ansible_local.snmpd.password
if (ansible_local|d() and ansible_local.snmpd|d() and
ansible_local.snmpd.password)
else snmpd_account_local_password) %}
{% set output = {"username": snmpd__tpl_username,
"password": snmpd__tpl_password} %}
{{ output | to_nice_json }}

0 comments on commit 60c170b

Please sign in to comment.
You can’t perform that action at this time.