Restrict SNMP to internal network

Add a parameter, SnmpdIpSubnet, which can be an IP/MASK that will be
used to secure with IPtables the source network authorized to reach
SNMP service on the host.

If SnmpdIpSubnet is left empty (default) the parameter will be set to
SnmpdNetwork.

Also change the IPtables id, 127 was used by Horizon, so let's switch
SNMP to 124. No impact on users.

Change-Id: I46fce28926cb5a881f7384948480266712ae75e3
Depends-On: Ib203161b9676dcfaaf46eec2bddf767ec49282f7
Closes-Bug: #1749324
(cherry picked from commit 43155ed146)
parent: f9ded9307b
commit: a67b208476
@ -69,6 +69,7 @@ parameters:
RabbitmqNetwork: internal_api
RedisNetwork: internal_api
MysqlNetwork: internal_api
SnmpdNetwork: internal_api
CephClusterNetwork: storage_mgmt
CephMonNetwork: storage
CephRgwNetwork: storage
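Review bot: with SnmpdNetwork defaulting to internal_api in ServiceNetMap, the firewall source derived from this entry is the internal_api subnet, so a monitoring host that polls SNMP from any other network (external, management, a dedicated monitoring VLAN) will be dropped by the new rule unless SnmpdIpSubnet is set explicitly; say so in the SnmpdIpSubnet description or the release note rather than leaving operators to discover it from a silent poll timeout.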
@ -32,6 +32,13 @@ parameters:
description: An array of bind host addresses on which SNMP daemon will listen.
type: comma_delimited_list
default: ['udp:161','udp6:[::1]:161']
SnmpdIpSubnet:
default: ''
description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
will be taken.
type: string
conditions:
snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}

outputs:
role_data:
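Review bot: the condition name snmpd_network_unset tests SnmpdIpSubnet, not SnmpdNetwork, which misleads the next reader; snmpd_ip_subnet_unset would match what it checks. Separately, SnmpdIpSubnet is a free-form string that becomes the source of an iptables rule, so the parameter should carry an allowed_pattern constraint (or at minimum a description that states the expected form, e.g. "a.b.c.d/nn"), otherwise a typo such as a bare address without a mask or a stray space yields a broken firewall rule at deploy time instead of a validation error at stack creation.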
@ -42,10 +49,20 @@ outputs:
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
snmp::agentaddress: {get_param: SnmpdBindHost}
snmpd_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
tripleo.snmp.firewall_rules:
'127 snmp':
'124 snmp':
dport: 161
proto: 'udp'
source:
if:
- snmpd_network_unset
- "%{hiera('snmpd_network')}"
- {get_param: SnmpdIpSubnet}
step_config: |
include ::tripleo::profile::base::snmp
upgrade_tasks:
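Review bot: the source of the '124 snmp' rule looks like a double indirection that needs confirming: snmpd_network is set to the string "<network>_subnet" (the name of another hiera key, e.g. internal_api_subnet), and "%{hiera('snmpd_network')}" returns that string, not the subnet the key holds, unless the lookup is resolved a second time. Please confirm the rendered rule carries a CIDR and not the literal key name; if it does not, resolve the subnet key directly with a template of "%{hiera('NETWORK_subnet')}" in the str_replace and drop the intermediate snmpd_network hiera key.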
@ -0,0 +1,7 @@
---
security:
- |
Change the IPtables rule for SNMP service and open 161 udp port on
SnmpdIpSubnet parameter instead of 0.0.0.0/0.
If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
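Review bot: this is an upgrade-impacting change as well as a security one: after the update, SNMP polling from outside the SnmpdNetwork subnet stops working until SnmpdIpSubnet is set, so add an upgrade entry (or a sentence here) telling operators to set SnmpdIpSubnet to the network of their monitoring host before upgrading. Minor wording: "open 161 udp port on SnmpdIpSubnet parameter instead of 0.0.0.0/0" reads better as "open udp/161 only to the SnmpdIpSubnet source instead of 0.0.0.0/0".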