Default variables

Basic configuration options

snmpd_packages

List of additional packages to install with snmpd.

snmpd_packages: []
snmpd_user

The user account used by the snmpd daemon.

snmpd_user: '{{ "snmp"
                if (ansible_distribution == "Ubuntu" or
                    ansible_distribution_release in [ "wheezy", "jessie" ])
                else "Debian-snmp" }}'
snmpd_logging_options

String with snmpd log-related options, can be used to change log verbosity for debugging.

snmpd_logging_options: '-LScd'
snmpd_custom_options

Custom snmpd options written in YAML text block format, inserted into /etc/snmp/snmpd.conf configuration file.

snmpd_custom_options: ''
snmpd_download_mibs

Download MIB definitions by default?

snmpd_download_mibs: True
snmpd_extension_scripts

Path on the remote host where extension scripts are stored

snmpd_extension_scripts: '{{ (ansible_local.root.lib
                              if (ansible_local|d() and ansible_local.root|d() and
                                  ansible_local.root.lib|d())
                              else "/usr/local/lib") + "/snmpd" }}'

LLDP daemon

snmpd_lldpd

Enable or disable LLDP support using lldpd daemon.

snmpd_lldpd: True
snmpd_lldpd_options

String with lldpd daemon options.

snmpd_lldpd_options: '-x -c -s -e'

Network options, firewall, TCP wrappers

snmpd_allow

List of IP addresses or CIDR networks which can connect to SNMP service (global). If not specified, remote connections are blocked.

snmpd_allow: []
snmpd_group_allow

List of IP addresses or CIDR networks which can connect to SNMP service (per Ansible group). If not specified, remote connections are blocked.

snmpd_group_allow: []
snmpd_host_allow

List of IP addresses or CIDR networks which can connect to SNMP service (per Ansible host). If not specified, remote connections are blocked.

snmpd_host_allow: []
snmpd_local_allow

List of IP addresses or CIDR networks which can connect to SNMP service (from localhost). If not specified, remote connections are blocked.

snmpd_local_allow: '{{ ansible_all_ipv4_addresses|d([]) +
                       (ansible_all_ipv6_addresses|d([]) |
                        difference(ansible_all_ipv6_addresses|d([]) | ipaddr("link-local"))) }}'
snmpd_agent_address

List of addresses on which to listen for incoming connections. By default snmpd listens on all interfaces and firewall / TCP wrappers are used to limit what remote hosts can connect.

snmpd_agent_address: [ 'udp:0.0.0.0:161', 'udp6:[::]:161' ]

sysLocation, sysContact, sysName SNMP variables

snmpd_organization

Organization name used in sysLocation and sysContact SNMP variables.

snmpd_organization: '{{ ansible_domain.split(".") | first | capitalize }}'
snmpd_sys_location

String set as sysLocation SNMP variable.

snmpd_sys_location: '{{ snmpd_organization + " " + snmpd_sys_location_name }}'
snmpd_sys_location_name

Name of the "virtual" location, appended to the organization name derived from DNS domain name.

snmpd_sys_location_name: 'Data Center'
snmpd_sys_contact

Contact information for a device set as sysContact SNMP variable.

snmpd_sys_contact: '{{ snmpd_sys_contact_name + " <" + snmpd_sys_contact_email + ">" }}'
snmpd_sys_contact_name

Name of the contact set as sysContact variable.

snmpd_sys_contact_name: '{{ snmpd_organization + " System Administrator" }}'
snmpd_sys_contact_email

E-mail address of the contact set as sysContact variable.

snmpd_sys_contact_email: 'root@{{ ansible_domain }}'
snmpd_sys_name

Host FQDN set as the sysName SNMP variable.

snmpd_sys_name: '{{ ansible_fqdn }}'

CPU load average monitoring

snmpd_load

Enable or disable load average monitoring

snmpd_load: True
snmpd_load_profile

Name of the load average "profile" to use, see snmpd_load_percent_map and snmpd_load_weight_map variables for list of profiles.

snmpd_load_profile: 'default'
snmpd_load_percent

Name of the profile used to define amount of available CPU power taken into account for load average profile calculation. See snmpd_load_percent_map variable for list of available profiles.

snmpd_load_percent: '{{ snmpd_load_profile }}'
snmpd_load_weight

Name of the profile used to scale the load average profile calculation for different time periods. See snmpd_load_percent_map variable for list of available profiles.

snmpd_load_weight: '{{ snmpd_load_profile }}'
snmpd_load_base

Base value used to calculate load average profiles - number of vCPU cores.

snmpd_load_base:  '{{ ansible_processor_vcpus }}'
snmpd_load_percent_map

Dict with CPU percentage profiles.

Each profile is a list of entries, 1 minute load average, 5 minutes and 15 minutes. Each entry defines how much of total CPU power available on a host is taken into account, divided by number of virtual CPUs present; for example with 4 vCPUs, 100% means 4 vCPUs, 50% means ~2 vCPUs, 200% means ~8 vCPUs, and so on.

Values lower than 100% mean that alerts will be fired earlier, values higher than 100% give processes more time to do the work before firing the alerts.

snmpd_load_percent_map:
  'default': [ '90', '90', '100' ]
snmpd_load_weight_map

Dict with load average weight profiles.

Each profile is a list of entries, 1 minute load average, 5 minutes and 15 minutes. Each entry defines how the calculation for a particular average is scaled. You can use this parameter to make each value lower (with less than 1.0) or higher (with more than 1.0) and change the shape of the load average profile independently of the number of cores available.

It's hard to explain, essentially it's another parameter which you can use to tune the load average monitoring.

snmpd_load_weight_map:
  'default': [ '1.5', '1.7', '1.8' ]
snmpd_load_1min

1 minute load average value which will trigger a SNMP trap.

snmpd_load_1min:  '{{ (((snmpd_load_base | float) *
                      (snmpd_load_percent_map[snmpd_load_percent][0] | float) / 100) | float *
                       snmpd_load_weight_map[snmpd_load_weight][0] | float) }}'
snmpd_load_5min

5 minute load average value which will trigger a SNMP trap.

snmpd_load_5min:  '{{ (((snmpd_load_base | float) *
                      (snmpd_load_percent_map[snmpd_load_percent][1] | float) / 100) | float *
                       snmpd_load_weight_map[snmpd_load_weight][1] | float) }}'
snmpd_load_15min

15 minute load average value which will trigger a SNMP trap.

snmpd_load_15min: '{{ (((snmpd_load_base | float) *
                      (snmpd_load_percent_map[snmpd_load_percent][2] | float) / 100) | float *
                       snmpd_load_weight_map[snmpd_load_weight][2] | float) }}'

Process monitoring

snmpd_proc_hidepid

Should the debops.snmpd add the snmp user account to a group that has access to the /proc filesystem?

snmpd_proc_hidepid: '{{ True
                        if (ansible_local|d() and ansible_local.proc|d() and
                            ansible_local.proc.hidepid|bool)
                        else False }}'
snmpd_proc_hidepid_group

Name of the system group which snmp user will be added to to get information about processes.

snmpd_proc_hidepid_group: '{{ (ansible_local.proc.hidepid_group
                               if (ansible_local|d() and ansible_local.proc|d() and
                                   ansible_local.proc.hidepid_group|d())
                               else "") }}'

SNMPv3 admin, agent and local accounts

snmpd_account

Enable or disable automatic creation of "admin" (RW), "agent" (RO) and "local" (RO) SNMPv3 accounts.

snmpd_account: True
snmpd_account_username_length

Length of the randomly generated usernames.

snmpd_account_username_length: '16'
snmpd_account_password_length

Length of the randomly generated passwords.

snmpd_account_password_length: '48'
snmpd_account_admin_username

Randomly generated, global SNMPv3 username of administrator account, read-write, deactivated after snmpd is configured.

snmpd_account_admin_username: '{{ lookup("password", secret +
                                  "/snmp/credentials/admin/username chars=ascii,digits length=" +
                                  snmpd_account_username_length) }}'
snmpd_account_admin_password

Randomly generated, global SNMPv3 password of administrator account, read-write, deactivated after snmpd is configured.

snmpd_account_admin_password: '{{ lookup("password", secret +
                                  "/snmp/credentials/admin/password chars=ascii_letters,digits,hexdigits length=" +
                                  snmpd_account_password_length) }}'
snmpd_account_agent_username

Randomly generated, global SNMPv3 username of agent account, read-only.

snmpd_account_agent_username: '{{ lookup("password", secret +
                                  "/snmp/credentials/agent/username chars=ascii,digits length=" +
                                  snmpd_account_username_length) }}'
snmpd_account_agent_password

Randomly generated, global SNMPv3 password of agent account, read-only.

snmpd_account_agent_password: '{{ lookup("password", secret +
                                  "/snmp/credentials/agent/password chars=ascii_letters,digits,hexdigits length=" +
                                  snmpd_account_password_length) }}'

Configuration of other Ansible roles

snmpd_apt_preferences_dependent_list

Configuration for debops.apt_preferences role.

snmpd_apt_preferences_dependent_list:

  - package: 'lldpd libbsd0'
    backports: [ 'wheezy' ]
    reason:  'Version parity with Debian Jessie'
    by_role: 'debops.snmpd'
snmpd_ferm_dependent_rules

Configuration for debops.ferm role.

snmpd_ferm_dependent_rules:

  - type: 'accept'
    protocol: [ 'udp' ]
    dport: [ 'snmp' ]
    saddr: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
    role: 'snmpd'
snmpd_tcpwrappers_dependent_allow

Configuration for debops.tcpwrappers role.

snmpd_tcpwrappers_dependent_allow:

  - daemon: 'snmpd'
    client: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
    weight: '50'
    filename: 'snmpd_dependency_allow'
    comment: 'Allow remote connections to SNMP daemon'