diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index dfb0e9104d..1110d84cb6 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -71,6 +71,7 @@ parameters:
 QdrNetwork: internal_api
 RedisNetwork: internal_api
 MysqlNetwork: internal_api
+ SnmpdNetwork: internal_api
 CephClusterNetwork: storage_mgmt
 CephMonNetwork: storage
 CephRgwNetwork: storage
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 732058b6eb..382da0de23 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -48,6 +48,13 @@ parameters:
 description: A string containing the commandline options passed to snmpd
 type: string
 default: '-LS0-5d'
+ SnmpdIpSubnet:
+ default: ''
+ description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
+ will be taken.
+ type: string
+conditions:
+ snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}
 
 outputs:
 role_data:
@@ -59,10 +66,20 @@ outputs:
 tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
 snmp::agentaddress: {get_param: SnmpdBindHost}
 snmp::snmpd_options: {get_param: SnmpdOptions}
+ snmpd_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
 tripleo.snmp.firewall_rules:
- '127 snmp':
+ '124 snmp':
 dport: 161
 proto: 'udp'
+ source:
+ if:
+ - snmpd_network_unset
+ - "%{hiera('snmpd_network')}"
+ - {get_param: SnmpdIpSubnet}
 step_config: |
 include ::tripleo::profile::base::snmp
 upgrade_tasks:
diff --git a/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml b/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
new file mode 100644
index 0000000000..b8e299322f
--- /dev/null
+++ b/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
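Review bot: The new `SnmpdIpSubnet` parameter is handed verbatim to the firewall rule's `source` with no `constraints:` entry, so a malformed value or an over-broad one such as `0.0.0.0/0` is accepted silently and the rule is only as tight as the operator's input; the description should at least state the expected form, e.g. `description: IP address or CIDR subnet allowed to reach snmpd on UDP 161 (used verbatim as the firewall rule source). If empty (default), the subnet of SnmpdNetwork is used.`, and a Heat pattern constraint that still admits the empty default would turn bad input into a stack validation error. In the `conditions:` line, `{equals : [...]}` carries a space before the colon; the conventional spelling is `snmpd_network_unset: {equals: [{get_param: SnmpdIpSubnet}, '']}`. The `parameters:` mapping this hunk sits in starts and ends outside the hunk.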
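Review bot: The fallback branch of `source`, `"%{hiera('snmpd_network')}"`, only yields a usable CIDR if a hiera key named `<SnmpdNetwork>_subnet` (`internal_api_subnet` for the mapping added in service_net_map.j2.yaml) is published on the node; for a network without such a key the interpolation presumably resolves to an empty string, and what puppet-firewall makes of an empty `source` is not established here, so this is worth a comment next to `if:` such as `# falls back to the CIDR published under hiera "<SnmpdNetwork>_subnet"; verify the key exists for non-default mappings`. The rule key also moves from `'127 snmp'` to `'124 snmp'`, which changes its ordering relative to neighbouring rules without the commit saying why; a one-line comment on the new key would help the next reader. The enclosing `role_data` output starts and ends outside the hunk.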
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Change the IPtables rule for SNMP service and open 161 udp port on
+ SnmpdIpSubnet parameter instead of 0.0.0.0/0.
+ If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
+