debops.snmpd role will install
snmpd package on Debian/Ubuntu hosts and
secure access to SNMP using random SNMPv3 username / password combination, as
well as firewall and TCP wrappers rules. Additionally,
lldpd daemon will be
installed to provide LLDP support (this can be disabled by a variable).
To enable SNMP service on a DebOps-managed host, you need to add that host to
[debops_snmpd] Ansible inventory group:
If you use separate host groups, better idea might be to create a parent group and add your own host groups to it:
[servers] host1 host2 [debops_snmpd:children] servers
Here's an example playbook which uses
--- - name: Configure SNMP service hosts: debops_snmpd roles: - role: debops.snmpd tags: snmpd
SNMP is primarly used over the network, but for security reasons access from
remote hosts is filtered by a firewall and TCP wrappers. To allow access to
SNMP from other hosts using
roles, you need to add IP addresses or CIDR subnets which can access the
snmpd_allow: [ '192.0.2.0/24', '2001:db8::/48' ]
debops.snmpd role will create three SNMPv3 user accounts with random
usernames and passwords, which will be stored on Ansible Controller in the
secret/ directory (see
debops.secret role for more details).
Authentication uses SHA encryption, privacy mode uses AES encryption. The generated accounts are:
- a global "admin" account, stored in
secret/snmp/credentials/admin/directory on Ansible Controller. Read-write, disabled after
snmpdis configured. Will be the same on all servers in the cluster.
- a global "agent" account, stored in
secret/snmp/credentials/agent/directory on Ansible Controller. Read-only, meant to be used to access the SNMP service using network management software. Will be the same on all servers in the cluster.
- a "local" account, stored in
/etc/ansible/facts.d/snmpd.factfiles on remote hosts. Unique to a particular host, read only. Allows access from the host to itself from the
rootaccount, can be used to grant access to a particular host data to other users or services.