debops.snmpd default variables
Sections
Basic configuration options
- snmpd_packages
List of additional packages to install with snmpd
.
snmpd_packages: []
- snmpd_user
The user account used by the snmpd daemon.
snmpd_user: '{{ "snmp"
if ((ansible_distribution == "Ubuntu" and
ansible_distribution_release not in ["bionic"]) or
ansible_distribution_release in [ "wheezy", "jessie" ])
else "Debian-snmp" }}'
- snmpd_group
The group used by the snmpd daemon.
snmpd_group: '{{ "snmp"
if ((ansible_distribution == "Ubuntu" and
ansible_distribution_release not in ["bionic"]) or
ansible_distribution_release in [ "wheezy", "jessie" ])
else "Debian-snmp" }}'
- snmpd_logging_options
String with snmpd
log-related options, can be used to change log
verbosity for debugging.
snmpd_logging_options: '-LScd'
- snmpd_custom_options
Custom snmpd
options written in YAML text block format,
inserted into /etc/snmp/snmpd.conf
configuration file on
all hosts in the inventory.
snmpd_custom_options: ''
- snmpd_group_custom_options
Custom snmpd
options written in YAML text block format,
inserted into /etc/snmp/snmpd.conf
configuration file on
hosts in specific inventory group.
snmpd_group_custom_options: ''
- snmpd_host_custom_options
Custom snmpd
options written in YAML text block format,
inserted into /etc/snmp/snmpd.conf
configuration file on
specific hosts in the inventory.
snmpd_host_custom_options: ''
- snmpd_combined_custom_options
List which combines all of the snmp_*_custom_options
entries
together and is used in the role tasks and templates.
snmpd_combined_custom_options: '{{ snmpd_custom_options
+ snmpd_group_custom_options
+ snmpd_host_custom_options }}'
- snmpd_download_mibs
Download MIB definitions by default?
snmpd_download_mibs: '{{ True
if (ansible_local|d() and ansible_local.apt|d() and
(ansible_local.apt.nonfree|d())|bool)
else False }}'
- snmpd_extension_scripts
Path on the remote host where extension scripts are stored
snmpd_extension_scripts: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+ "/snmpd" }}'
Network options, firewall, TCP wrappers
- snmpd_allow
List of IP addresses or CIDR networks which can connect to SNMP service (global). If not specified, remote connections are blocked.
snmpd_allow: []
- snmpd_group_allow
List of IP addresses or CIDR networks which can connect to SNMP service (per Ansible group). If not specified, remote connections are blocked.
snmpd_group_allow: []
- snmpd_host_allow
List of IP addresses or CIDR networks which can connect to SNMP service (per Ansible host). If not specified, remote connections are blocked.
snmpd_host_allow: []
- snmpd_local_allow
List of IP addresses or CIDR networks which can connect to SNMP service (from localhost). If not specified, remote connections are blocked.
snmpd_local_allow: '{{ ansible_all_ipv4_addresses | d([]) +
(ansible_all_ipv6_addresses | d([])
| difference(ansible_all_ipv6_addresses | d([])
| ansible.utils.ipaddr("link-local"))) }}'
- snmpd_agent_address
List of addresses on which to listen for incoming connections. By default
snmpd
listens on all interfaces and firewall / TCP wrappers are used to
limit what remote hosts can connect.
snmpd_agent_address: [ 'udp:0.0.0.0:161', 'udp6:[::]:161' ]
sysLocation, sysContact, sysName SNMP variables
- snmpd_organization
Organization name used in sysLocation
and sysContact
SNMP variables.
snmpd_organization: '{{ ansible_domain.split(".") | first | capitalize }}'
- snmpd_sys_location
String set as sysLocation
SNMP variable.
snmpd_sys_location: '{{ snmpd_organization + " " + snmpd_sys_location_name }}'
- snmpd_sys_location_name
Name of the "virtual" location, appended to the organization name derived from DNS domain name.
snmpd_sys_location_name: 'Data Center'
- snmpd_sys_contact
Contact information for a device set as sysContact
SNMP variable.
snmpd_sys_contact: '{{ snmpd_sys_contact_name + " <" + snmpd_sys_contact_email + ">" }}'
- snmpd_sys_contact_name
Name of the contact set as sysContact
variable.
snmpd_sys_contact_name: '{{ snmpd_organization + " System Administrator" }}'
- snmpd_sys_contact_email
E-mail address of the contact set as sysContact
variable.
snmpd_sys_contact_email: 'root@{{ ansible_domain }}'
- snmpd_sys_name
Host FQDN set as the sysName
SNMP variable.
snmpd_sys_name: '{{ ansible_fqdn }}'
CPU load average monitoring
- snmpd_load
Enable or disable load average monitoring
snmpd_load: True
- snmpd_load_profile
Name of the load average "profile" to use, see snmpd_load_percent_map
and
snmpd_load_weight_map
variables for list of profiles.
snmpd_load_profile: 'default'
- snmpd_load_percent
Name of the profile used to define amount of available CPU power taken into
account for load average profile calculation. See snmpd_load_percent_map
variable for list of available profiles.
snmpd_load_percent: '{{ snmpd_load_profile }}'
- snmpd_load_weight
Name of the profile used to scale the load average profile calculation for
different time periods. See snmpd_load_percent_map
variable for list of
available profiles.
snmpd_load_weight: '{{ snmpd_load_profile }}'
- snmpd_load_base
Base value used to calculate load average profiles - number of vCPU cores.
snmpd_load_base: '{{ ansible_processor_vcpus }}'
- snmpd_load_percent_map
Dict with CPU percentage profiles.
Each profile is a list of entries, 1 minute load average, 5 minutes and 15 minutes. Each entry defines how much of total CPU power available on a host is taken into account, divided by number of virtual CPUs present; for example with 4 vCPUs, 100% means 4 vCPUs, 50% means ~2 vCPUs, 200% means ~8 vCPUs, and so on.
Values lower than 100% mean that alerts will be fired earlier, values higher than 100% give processes more time to do the work before firing the alerts.
snmpd_load_percent_map:
'default': [ '90', '90', '100' ]
- snmpd_load_weight_map
Dict with load average weight profiles.
Each profile is a list of entries, 1 minute load average, 5 minutes and 15 minutes. Each entry defines how the calculation for a particular average is scaled. You can use this parameter to make each value lower (with less than 1.0) or higher (with more than 1.0) and change the shape of the load average profile independently of the number of cores available.
It's hard to explain, essentially it's another parameter which you can use to tune the load average monitoring.
snmpd_load_weight_map:
'default': [ '1.5', '1.7', '1.8' ]
- snmpd_load_1min
1 minute load average value which will trigger a SNMP trap.
snmpd_load_1min: '{{ (((snmpd_load_base | float) *
(snmpd_load_percent_map[snmpd_load_percent][0] | float) / 100) | float *
snmpd_load_weight_map[snmpd_load_weight][0] | float) }}'
- snmpd_load_5min
5 minute load average value which will trigger a SNMP trap.
snmpd_load_5min: '{{ (((snmpd_load_base | float) *
(snmpd_load_percent_map[snmpd_load_percent][1] | float) / 100) | float *
snmpd_load_weight_map[snmpd_load_weight][1] | float) }}'
- snmpd_load_15min
15 minute load average value which will trigger a SNMP trap.
snmpd_load_15min: '{{ (((snmpd_load_base | float) *
(snmpd_load_percent_map[snmpd_load_percent][2] | float) / 100) | float *
snmpd_load_weight_map[snmpd_load_weight][2] | float) }}'
Process monitoring
- snmpd_proc_hidepid
Should the debops.snmpd
add the snmp
user account to a group that has
access to the /proc
filesystem?
snmpd_proc_hidepid: '{{ True
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.enabled|d())|bool)
else False }}'
- snmpd_proc_hidepid_group
Name of the system group which snmp
user will be added to to get
information about processes.
snmpd_proc_hidepid_group: '{{ ansible_local.proc_hidepid.group|d("") }}'
SNMPv3 admin, agent and local accounts
- snmpd_account
Enable or disable automatic creation of "admin" (RW), "agent" (RO) and "local" (RO) SNMPv3 accounts.
snmpd_account: True
- snmpd_account_username_length
Length of the randomly generated usernames.
snmpd_account_username_length: '16'
- snmpd_account_password_length
Length of the randomly generated passwords.
snmpd_account_password_length: '48'
- snmpd_account_admin_username
Randomly generated, global SNMPv3 username of administrator account,
read-write, deactivated after snmpd
is configured.
snmpd_account_admin_username: '{{ lookup("password", secret +
"/snmp/credentials/admin/username chars=ascii_letters,digits length=" +
snmpd_account_username_length) }}'
- snmpd_account_admin_password
Randomly generated, global SNMPv3 password of administrator account,
read-write, deactivated after snmpd
is configured.
snmpd_account_admin_password: '{{ lookup("password", secret +
"/snmp/credentials/admin/password chars=ascii_letters,digits,hexdigits length=" +
snmpd_account_password_length) }}'
- snmpd_account_agent_username
Randomly generated, global SNMPv3 username of agent account, read-only.
snmpd_account_agent_username: '{{ lookup("password", secret +
"/snmp/credentials/agent/username chars=ascii_letters,digits length=" +
snmpd_account_username_length) }}'
- snmpd_account_agent_password
Randomly generated, global SNMPv3 password of agent account, read-only.
snmpd_account_agent_password: '{{ lookup("password", secret +
"/snmp/credentials/agent/password chars=ascii_letters,digits,hexdigits length=" +
snmpd_account_password_length) }}'
Configuration of other Ansible roles
- snmpd_apt_preferences_dependent_list
Configuration for debops.apt_preferences
role.
snmpd_apt_preferences_dependent_list:
- package: 'lldpd libbsd0'
backports: [ 'wheezy' ]
reason: 'Version parity with Debian Jessie'
by_role: 'debops.snmpd'
- snmpd_ferm_dependent_rules
Configuration for debops.ferm
role.
snmpd_ferm_dependent_rules:
- type: 'accept'
protocol: [ 'udp' ]
dport: [ 'snmp' ]
saddr: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
role: 'snmpd'
- snmpd_tcpwrappers_dependent_allow
Configuration for debops.tcpwrappers
role.
snmpd_tcpwrappers_dependent_allow:
- daemon: 'snmpd'
client: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
weight: '50'
filename: 'snmpd_dependency_allow'
comment: 'Allow remote connections to SNMP daemon'