Getting started

The ``debops.snmpd`` role installs the ``snmpd`` package on Debian/Ubuntu hosts
and secures access to the SNMP service with randomly generated SNMPv3
username/password pairs, as well as firewall and TCP wrappers rules.
Example inventory

To enable the SNMP service on a DebOps-managed host, add that host to the
``[debops_snmpd]`` Ansible inventory group::

    [debops_snmpd]
    hostname

If you already use separate host groups, it is usually better to create a
parent group and add your own host groups to it::

    [servers]
    host1
    host2

    [debops_snmpd:children]
    servers
Example playbook

Here's an example playbook which uses the ``debops.snmpd`` role. Note that it
targets the ``debops_service_snmpd`` hosts pattern; if your inventory uses the
``debops_snmpd`` group shown above, adjust the group name or the ``hosts``
pattern so that the two match, otherwise the play will silently select no
hosts::

    ---
    - name: Manage SNMP service
      collections: [ 'debops.debops', 'debops.roles01',
                     'debops.roles02', 'debops.roles03' ]
      hosts: [ 'debops_service_snmpd' ]
      become: True

      environment: '{{ inventory__environment | d({})
                       | combine(inventory__group_environment | d({}))
                       | combine(inventory__host_environment | d({})) }}'

      roles:

        - role: apt_preferences
          tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
          apt_preferences__dependent_list:
            - '{{ snmpd_apt_preferences_dependent_list }}'

        - role: ferm
          tags: [ 'role::ferm', 'skip::ferm' ]
          ferm__dependent_rules:
            - '{{ snmpd_ferm_dependent_rules }}'

        - role: tcpwrappers
          tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
          tcpwrappers_dependent_allow:
            - '{{ snmpd_tcpwrappers_dependent_allow }}'

        - role: snmpd
          tags: [ 'role::snmpd', 'skip::snmpd' ]

        - role: lldpd
          tags: [ 'role::lldpd', 'skip::lldpd' ]

The firewall and TCP wrappers rules for ``snmpd`` are generated by the
``debops.ferm`` and ``debops.tcpwrappers`` roles, so they are only applied when
those roles run in the playbook, as they do here.
Firewall, TCP wrappers access

SNMP is primarily used over the network, but for security reasons access from
remote hosts is filtered by a firewall and by TCP wrappers. To allow other hosts
to reach the SNMP service through the ``debops.ferm`` and ``debops.tcpwrappers``
Ansible roles, add the IP addresses or CIDR subnets that should be able to
access it to the ``snmpd_*_allow`` lists, for example::

    snmpd_allow: [ '192.0.2.0/24', '2001:db8::/48' ]

Remote hosts that are not listed stay blocked, so make sure the addresses of
your network management systems are included.
SNMPv3 authentication

The ``debops.snmpd`` role creates three SNMPv3 user accounts with random
usernames and passwords, which are stored on the Ansible Controller in the
``secret/`` directory (see the ``debops.secret`` role for more details).
Authentication uses SHA (HMAC-SHA, a keyed hash rather than encryption) and
privacy uses AES encryption, i.e. the ``authPriv`` security level. The
generated accounts are:

- a global "admin" account, stored in the ``secret/snmp/credentials/admin/``
  directory on the Ansible Controller. Read-write, disabled after ``snmpd``
  is configured. It is the same on all servers in the cluster.

- a global "agent" account, stored in the ``secret/snmp/credentials/agent/``
  directory on the Ansible Controller. Read-only, meant to be used by network
  management software to access the SNMP service. It is the same on all
  servers in the cluster.

- a "local" account, stored in the ``/etc/snmp/snmp.local.conf`` and
  ``/etc/ansible/facts.d/snmpd.fact`` files on the remote host. Unique to a
  particular host, read-only. It allows the ``root`` account on the host to
  access its own SNMP service, and can be used to grant other users or
  services access to that particular host's data.

Because the "agent" credentials are shared by every host in the cluster, treat
the ``secret/`` directory on the Ansible Controller as sensitive: a leak of that
one account grants read access to the SNMP data of all managed hosts.
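Once the firewall lists include your management host and the "agent"
credentials exist on the Ansible Controller, you will want to verify access.
The following is an added example, not code from the ``debops.snmpd`` role or
its documentation. It assumes two things the page does not state: that each
``secret/snmp/credentials/<account>/`` directory holds two files, ``username``
and ``password``, with one value each, and that the role uses the same
passphrase for authentication and privacy; adjust both if your layout differs.
The passphrases are written to a private temporary ``snmp.conf`` picked up via
``SNMPCONFPATH`` rather than passed as ``-A``/``-X`` arguments, where every
user on the machine could read them from the process list.

```shell
#!/bin/sh
# Added example (not part of debops.snmpd): query a host over SNMPv3 with
# SHA authentication and AES privacy, using an account kept under secret/.
#
# Assumptions not stated in the role docs:
#   - secret/snmp/credentials/<account>/ holds two files, "username" and
#     "password", one value each;
#   - the role uses the same passphrase for auth and priv.
set -u

SECRET_DIR="${SECRET_DIR:-secret}"   # path to the DebOps secret/ directory

# SNMPv3 USM passphrases must be at least 8 characters long (RFC 3414);
# net-snmp refuses shorter ones. Returns 0 if acceptable, 1 otherwise.
check_passphrase() {
    [ "${#1}" -ge 8 ]
}

# load_account NAME: read secret/snmp/credentials/NAME/{username,password}
# into SNMP_USER and SNMP_PASS. Returns 1 if the files are missing or the
# passphrase is too short to be accepted by the agent.
load_account() {
    dir="$SECRET_DIR/snmp/credentials/$1"
    if [ ! -r "$dir/username" ] || [ ! -r "$dir/password" ]; then
        echo "no credentials found in $dir" >&2
        return 1
    fi
    SNMP_USER=$(cat "$dir/username")
    SNMP_PASS=$(cat "$dir/password")
    if ! check_passphrase "$SNMP_PASS"; then
        echo "passphrase for '$1' is shorter than 8 characters" >&2
        return 1
    fi
}

# snmp_query ACCOUNT HOST [OID]: run snmpwalk against HOST as ACCOUNT.
# The secrets go into a mode-0600 temporary snmp.conf found through
# SNMPCONFPATH instead of -A/-X arguments, which would show up in `ps`.
snmp_query() {
    account="$1"; host="$2"; oid="${3:-system}"
    load_account "$account" || return 1
    confdir=$(mktemp -d) || return 1
    (
        umask 077
        cat > "$confdir/snmp.conf" <<EOF
defVersion 3
defSecurityLevel authPriv
defSecurityName $SNMP_USER
defAuthType SHA
defAuthPassphrase $SNMP_PASS
defPrivType AES
defPrivPassphrase $SNMP_PASS
EOF
    )
    SNMPCONFPATH="$confdir" snmpwalk "$host" "$oid"
    rc=$?
    rm -rf "$confdir"
    return "$rc"
}

# Usage: read the system subtree of a managed host with the shared
# read-only "agent" account (hostname is a placeholder).
# snmp_query agent host1.example.org
```

If ``snmpwalk`` reports a timeout while the same query works from the host
itself (with the "local" account from ``/etc/snmp/snmp.local.conf``), the
management host is most likely missing from the ``snmpd_*_allow`` lists; an
authentication or decryption failure instead points at the credentials or at a
mismatch between the SHA/AES settings and what the agent was configured with.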