diff --git a/roles/access/tasks/d-link.yml b/roles/access/tasks/d-link.yml
index b9f525c..c23420e 100644
--- a/roles/access/tasks/d-link.yml
+++ b/roles/access/tasks/d-link.yml
@@ -13,13 +13,27 @@
 set_fact:
 snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'
 
-- name: Get SNMP users
+# check if the SNMP user and group we want to set differ from current switch config
+# in this case we have to remove them before trying to chane password or settings
+- name: Define SNMP user and group configuration commands
 set_fact:
- snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
- snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+ target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+ target_group: "snmp-server group public v3 priv read public "
+
+- name: Get existing SNMP user and group entries from switch
+ set_fact:
+ current_user: "{{ ansible_net_config | split('\n')
+ | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
+ current_group: "{{ ansible_net_config | split('\n')
+ | select('match', '^snmp-server group public v3') }}"
+
+- name: Check if existing SNMP user and/or group should be removed
+ set_fact:
+ remove_user: "{{ current_user and target_user is not in current_user }}"
+ remove_group: "{{ current_group and target_group is not in current_group }}"
 
 - name: Remove existing SNMP user to reset password
- when: 'snmp_current and snmp_target is not in snmp_current'
+ when: remove_user or remove_group # can’t change group with existing users
 block:
 - name: Remove SNMP user
 ansible.netcommon.cli_config:
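Review bot: `remove_group` tests `target_group`, which carries a trailing space, for list membership in the raw `^snmp-server group public v3` lines of `ansible_net_config`, so unless the switch echoes that trailing space the test never matches and, since `remove_user or remove_group` also gates the user-removal block, every run would delete and recreate both the group and the user. The user comparison has the same shape and predates this change, so it may well work on the devices in use, but a whitespace-insensitive form is safer, e.g. `remove_group: "{{ current_group and target_group | trim not in current_group | map('trim') }}"` and the same for `remove_user`. The added comment also has a typo: `trying to chane password` should read `change`.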
@@ -27,10 +41,28 @@
 notify: write config
 
 - set_fact:
- snmp_current: false
+ current_user: false
+
+- name: Remove existing SNMP group to change parameters
+ when: remove_group
+ block:
+ - name: Remove existing SNMP group
+ ansible.netcommon.cli_config:
+ config: 'no snmp-server group public v3 priv'
+ notify: write config
+
+ - set_fact:
+ current_group: false
+
+# create new SNMP user and group
+- name: Create SNMP group and user
+ when: not current_group
+ ansible.netcommon.cli_config:
+ config: '{{ target_group }}'
+ notify: write config
 
 - name: Create SNMP user
- when: 'not snmp_current'
+ when: not current_user
 ansible.netcommon.cli_config:
- config: '{{ snmp_target }}'
+ config: '{{ target_user }}'
 notify: write config
diff --git a/roles/access/tasks/fs.yml b/roles/access/tasks/fs.yml
index c14920e..80f1c60 100644
--- a/roles/access/tasks/fs.yml
+++ b/roles/access/tasks/fs.yml
@@ -4,11 +4,11 @@
 
 - name: Get existing SNMP users
 set_fact:
- snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
- snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+ current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+ target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
 
 - name: Remove existing SNMP user to reset password
- when: "snmp_current and snmp_target is not in snmp_current"
+ when: "current_user and target_user is not in current_user"
 block:
 - name: Remove SNMP user
 ansible.netcommon.cli_config:
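Review bot: `config: '{{ target_user }}'` in the Create SNMP user task pushes the `snmp_hashes` auth and priv values, which look like localized SNMPv3 keys and so are credentials for this engine, but the task has no `no_log`, so they show up in verbose task output and callback logs. The counterpart Create SNMP user task in roles/access/tasks/fs.yml already sets `no_log: true`; add `no_log: true` beside `notify: write config` here. Separately, the task named `Create SNMP group and user` only pushes `target_group`, so `Create SNMP group` would describe it accurately.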
@@ -19,14 +19,14 @@
 notify: write config
 
 - set_fact:
- snmp_current: false
+ current_user: false
 
 - name: Create SNMP user
- when: "not snmp_current"
+ when: "not current_user"
 ansible.netcommon.cli_config:
 config: "{{ item }}"
 loop:
- - "{{ snmp_target }}"
+ - "{{ target_user }}"
 - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
 no_log: true
 notify: write config
diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index 78680f0..36df00c 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -112,7 +112,11 @@ snmp-server name {{ inventory_hostname }}
 snmp-server location {{ rack }}
 {# SNMP engine ID must be exactly 24 hex digits #}
 snmp-server engineID local {{ snmp_engine_id }}
-snmp-server group public v3 priv read CommunityView
+{# limit MIBs exposed over SNMP #}
+snmp-server view public 1.3.6.1.2.1.1 included {# system +#}
+snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#}
+snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#}
+snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#}
 
 sntp enable
 {% for address in ntp %}
diff --git a/roles/access/templates/config-fs-s5800-48t4s.j2 b/roles/access/templates/config-fs-s5800-48t4s.j2
index 100f008..c194033 100644
--- a/roles/access/templates/config-fs-s5800-48t4s.j2
+++ b/roles/access/templates/config-fs-s5800-48t4s.j2
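Review bot: The four view OIDs `1.3.6.1.2.1.1`, `1.3.6.1.2.1.2`, `1.3.6.1.2.1.17.7` and `1.3.6.1.2.1.31` are hand-copied into this template and again into config-fs-s5800-48t4s.j2 and config-fs-s5860-48xmg-u.j2 with only the keyword placement differing, so any later change to the exposed MIB set has to be made in three places. A role variable holding the list (name to be chosen, e.g. `snmp_view_oids`) rendered in each template as `{% for oid in snmp_view_oids %}` / `snmp-server view public {{ oid }} included` / `{% endfor %}` would keep them in sync, with the per-line `{# … +#}` labels moving into the variable's documentation. The `{# limit MIBs exposed over SNMP #}` heading states the intent but not why these four subtrees were chosen; a short note naming what reads them would help the next maintainer judge whether one can be dropped or another must be added.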
@@ -17,7 +17,11 @@ vlan database
 snmp-server enable
 snmp-server system-location {{ rack }}
 snmp-server engineID {{ snmp_engine_id }}
-snmp-server access public security-model usm priv read _all_
+snmp-server view public included 1.3.6.1.2.1.1 {# system +#}
+snmp-server view public included 1.3.6.1.2.1.2 {# interfaces +#}
+snmp-server view public included 1.3.6.1.2.1.17.7 {# qBridgeMIB +#}
+snmp-server view public included 1.3.6.1.2.1.31 {# ifMIB +#}
+snmp-server access public security-model usm priv read public
 
 {# sort to ensure LAG interfaces are added last #}
 {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}
diff --git a/roles/access/templates/config-fs-s5860-48xmg-u.j2 b/roles/access/templates/config-fs-s5860-48xmg-u.j2
index 83c8a90..4f1184a 100644
--- a/roles/access/templates/config-fs-s5860-48xmg-u.j2
+++ b/roles/access/templates/config-fs-s5860-48xmg-u.j2
@@ -58,4 +58,9 @@ interface {{ iface.name }}
 
 enable service snmp-agent
 snmp-server location {{ rack }}
-snmp-server group public v3 priv read default
+{# limit MIBs exposed over SNMP #}
+snmp-server view public 1.3.6.1.2.1.1 include {# system +#}
+snmp-server view public 1.3.6.1.2.1.2 include {# interfaces +#}
+snmp-server view public 1.3.6.1.2.1.17.7 include {# qBridgeMIB +#}
+snmp-server view public 1.3.6.1.2.1.31 include {# ifMIB +#}
+snmp-server group public v3 priv read public
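Review bot: `snmp-server access public security-model usm priv read public` changes the view of an access entry that already exists on provisioned switches (the removed line read `_all_`), and unlike the D-Link path in roles/access/tasks/d-link.yml there is no remove-and-recreate step for it in roles/access/tasks/fs.yml, so the rewrite relies on the device accepting an in-place change while the usm-user still references the entry. The same applies to `snmp-server group public v3 priv read public` in config-fs-s5860-48xmg-u.j2, which replaces `read default`. Whether either platform accepts that is not visible here; the D-Link comment says that platform does not, so confirming on one device of each model is worthwhile, and if it is rejected fs.yml needs a matching removal and recreate path guarded by a comparison against the running config.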