Snmp configuation db schema proposal #231
Conversation
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
* propose schema for SNMP config in the DB * list of changes to files Signed-off-by: michel.moriniaux@gmail.com
| "location": LOCATION_STRING, | ||
| "contact": CONTACT_STRING, | ||
| "v2c": { | ||
| COMMUNITY_STRING: { |
There was a problem hiding this comment.
COMMUNITY_STRING [](start = 8, length = 16)
Is it true that COMMUNITY_STRING is only related to v2c? #Resolved
There was a problem hiding this comment.
I don't understand the comment
it is my understanding that in v1 and v2c the community is a 'password' and that in v3 this 'password' is replaced by user authentication+encryption key, so in this contect COMMUNITY_STRING should be part of v2c configuration only #Resolved
There was a problem hiding this comment.
I found "SNMPv3 also uses community strings, but allows for secure authentication and communication between SNMP manager and agent"
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol.
I am ok with the version string here.
In reply to: 211706220 [](ancestors = 211706220)
doc/snmp-schema-addition.md
Outdated
| "v2c": { | ||
| COMMUNITY_STRING: { | ||
| "type": "rw"|"ro", | ||
| "acl": ACL_STRING |
There was a problem hiding this comment.
acl [](start = 13, length = 3)
Is it true that acl is not related to COMMUNITY_STRING? #Closed
There was a problem hiding this comment.
current behavior of /usr/bin/snmpd-config-updater and only this configuration method is to read the ACL table to link a rocommunity to a host
for eg.: this writes in the snmpd.conf file:
rocommunity mysnmpcomm 172.16.10.0/24
rocommunity mysnmpcomm 122.168.5.12
There was a problem hiding this comment.
Thanks! I believe this is implementation details. By design, we support one or several snmp community strings, and all whitelist IP will use the same set of community strings. I think your design is like
COMMUNITY_STRING1: { acl: acl1 },
COMMUNITY_STRING2: { acl: acl2 },
I believe it should be:
"community_strings": ["COMMUNITY1", "COMMUNITY2"],
"acl": [....]
@jleveque for more insight.
In reply to: 211704981 [](ancestors = 211704981)
There was a problem hiding this comment.
makes sense, significantly simplifies config generation
There was a problem hiding this comment.
Qi is correct. the current SNMP ACL implementation disregards community strings, and works on a service-based level. We whitelist IPs for each service, so all whitelisted IPs for SNMP will apply regardless of the community string.
Also, the /usr/bin/snmpd-config-updater application currently only applies to Arista platforms, and I believe it will be removed in the coming months. Once this is done, all service ACLs (control plane ACLs) will be managed in the base image using the caclmgrd daemon. Therefore, there will be no need for ACL information inside the SNMP container. I believe you can simplify your design further and eliminate ACL information altogether.
|
|
||
| New keys: | ||
| - "v2c": we define a "v2c" tree to allow for future expansion for other versions of the SNMP protocol, this spec only defines for SNMP v2 | ||
| we could imagine the implementation of "v3" with the inclusion of users or references to central PAM methods. |
There was a problem hiding this comment.
imagine [](start = 18, length = 7)
Is there any reference for the imagination? I found v3 also supports COMMUNITY_STRING #Closed
There was a problem hiding this comment.
we could have for eg.:
"v3": { "key": ENCRYPTION_KEY, "pam": PAM_METHOD, "acl": ACL_STRING, "users": { USERNAME: PASSWORD, USERNAME: PASSWORD } }
doc/snmp-schema-addition.md
Outdated
| "v2c": { | ||
| COMMUNITY_STRING: { | ||
| "type": "rw"|"ro", | ||
| "acl": ACL_STRING |
There was a problem hiding this comment.
ACL_STRING [](start = 19, length = 10)
Currently ConfigDB already contains "ACL_TABLE|SNMP_MGMT_ONLY", do you want to replace it or link to it?
@jleveque who developed it. #Closed
There was a problem hiding this comment.
good point:
how about: if the "acl" key is present we override and if not present we used the default: "ACL_TABLE|SNMP_MGMT_ONLY"
There was a problem hiding this comment.
Is it possible to refer to it, and keep the table contents in original place? This way your changes are minimized.
There was a problem hiding this comment.
As I mentioned above, the /usr/bin/snmpd-config-updater application currently only applies to Arista platforms, and I believe it will be removed in the coming months. Once this is done, all service ACLs (control plane ACLs) will be managed in the base image using the caclmgrd daemon. Therefore, there will be no need for ACL information inside the SNMP container. I believe you can simplify your design further and eliminate ACL information altogether.
All ACL information will continue to reside in the ACL_TABLE of ConfigDB.
|
It is good to move the configuration to configDB. Eventually where are you going to store the schema data? A large part of SONiC schema could be found in swss-schema.md file though some of them are a little outdated. My worry is that we may lose track of the schema soon if there is no well known central place to store and find them. If there is mechanism to automatically generate code from the schema, it would be great, that will ensure the schema is always up to date and match the code implementation, but I guess this will a lot of effort. |
- removed ACL requirements - type becomes an optional element
- added requirement for swss-schema.md update
|
@jipanyang added requirement to the design proposal |
jleveque requested changes
|
@MichelMoriniaux can you add backward compatibility into the design, so that we can make sure the existing way still works. |
|
definitely, I had this in the current commit but maybe it's not clear
enough:
*dockers/docker-snmp-v2/snmpd.conf.j2*:
verify the existence of the SNMP table in the datatbase and fork behavior
if present, if not continue using old method.
…On Tue, Aug 28, 2018 at 8:30 AM lguohan ***@***.***> wrote:
@MichelMoriniaux <https://github.com/MichelMoriniaux> can you add
backward compatibility into the design, so that we can make sure the
existing way still works.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#231 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMMv2p78BeKgi5JaqmKO9gRLTnIWy4p4ks5uVWIBgaJpZM4WCKpz>
.
|
|
I don't see any value that used to store the snmp server ip address. Is there any reason for this or do you use it in anywhere else? |
|
I tried to write the SNMP configuration according to your proposal, and found that those SNMP configurations can not be automatically loaded from JSON file into DB. So, we need to handle this SNMP configuration specially? |
|
the proposal has not been implemented yet so there is no translation from
the json or redis DB to the sonic-snmpagent container configuration files
…On Tue, Jan 29, 2019 at 4:15 AM RichardWu-Hebut ***@***.***> wrote:
I tried to write the SNMP configuration according to your proposal, and
found that those SNMP configurations can not be automatically loaded from
JSON file into DB. So, we need to handle this SNMP configuration specially?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#231 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMMv2thDR7BNQJjbQwjwj6Jnwb6eQDxOks5vIDtlgaJpZM4WCKpz>
.
|
Proposal for a config DB SNMP configuration table schema