SNMP: Wrong commands for community group and host VRF #794

Open
TheRealBecks opened this issue Dec 19, 2023 · 3 comments · May be fixed by #795
Labels
has_pr This issue has an associated PR. snmp_servers snmp_servers resource module

@TheRealBecks

SUMMARY

Two commands need to be split into two commands each, so four commands in total.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

nxos_snmp_server

ANSIBLE VERSION
ansible [core 2.16.1]
  config file = /home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg
  configured module search path = ['/home/mbeckert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/lib/python3.11/site-packages/ansible
  ansible collection location = /home/mbeckert/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/bin/ansible
  python version = 3.11.6 (main, Nov 15 2023, 09:22:27) [GCC] (/home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Current git version
CONFIGURATION
CONFIG_FILE() = /home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg
DEFAULT_FORKS(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = 10
DEFAULT_HASH_BEHAVIOUR(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = merge
DEFAULT_HOST_LIST(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = ['/home/mbeckert/Entwicklung/Strato/lightning/lightning/inventory.yml']
DEFAULT_ROLES_PATH(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = ['/home/mbeckert/Entwicklung/Strato/lightning/lightning/roles']
DEFAULT_VAULT_PASSWORD_FILE(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = /home/mbeckert/Entwicklung/Strato/lightning/lightning/.vault_passphrase/open_vault.sh
EDITOR(env: EDITOR) = nano
PAGER(env: PAGER) = less
OS / ENVIRONMENT

Cisco NXOS 9.3(8)

STEPS TO REPRODUCE
- name: Test SNMP
  tags:
    - test_snmp
  cisco.nxos.nxos_snmp_server:
    state: "rendered"
    config:
      communities:
        - name: testname1
          group: network-operator
          use_ipv4acl: snmp-ipv4-acl
          use_ipv6acl: snmp-ipv6-acl
      hosts:
        - host: 192.0.2.1
          version: 3
          priv: monitoring
          use_vrf: management
      users:
        auth:
          - user: monitoring
            group: network-operator
            authentication:
              algorithm: sha
              password: authtest1234
              priv:
                aes_128: true
                privacy_password: privtest1234
        use_acls:
          - user: monitoring
            ipv4: snmp-ipv4-acl
            ipv6: snmp-ipv6-acl
EXPECTED RESULTS
snmp-server user monitoring network-operator auth sha authtest1234 priv aes-128 privtest1234
snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
snmp-server host 192.0.2.1 version 3 priv monitoring
snmp-server host 192.0.2.1 use-vrf management
snmp-server community testname1 group network-operator
snmp-server community testname1 use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
ACTUAL RESULTS
snmp-server user monitoring network-operator auth sha authtest1234 priv aes-128 privtest1234
snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
snmp-server host 192.0.2.1 use-vrf management version 3 priv monitoring
snmp-server community testname1 group network-operator use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl

-->

sw-cisco-test1(config)# snmp-server host 192.0.2.1 use-vrf management version 3 priv monitoring
                                                                      ^
% Invalid command at '^' marker.
sw-cisco-test1(config)# snmp-server community testname1 group network-operator use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
                                                                               ^
% Invalid command at '^' marker.
@TheRealBecks TheRealBecks linked a pull request Dec 19, 2023 that will close this issue
@TheRealBecks TheRealBecks changed the title SNMP: Wrong commands for user group and host VRF SNMP: Wrong commands for community group and host VRF Dec 19, 2023
@roverflow roverflow added the has_pr This issue has an associated PR. label Dec 20, 2023
@TheRealBecks
Author

Even worse: The SNMP user functions are also broken:

Case 1: Create the SNMP user configuration as already defined in this ticket: ✅ That works

Case 2: Delete the whole SNMP configuration with state: "deleted": ❌ It fails:
->

"module_stderr": "no snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl\r\r\nuser not found.\r\n\rsw-cisco-test1(config)# "

Due to these generated commands:

no snmp-server user monitoring
no snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl

The first command gets generated here:

"remval": "snmp-server user {{ user }}",

The second one here:

"setval": "snmp-server user {{ user }}"

(no specific delval, so it's using the no <setval>)

After the execution of the first command the whole user configuration gets wiped.

Case 3: Run the state: "replaced" multiple times:

Run 1: ✅ That works

Generated and executed commands:

snmp-server location de-ber-rs-r22-i22
snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx
no snmp-server user admin
snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
snmp-server host 10.248.1.152 traps version 3 priv monitoring
snmp-server host 10.248.1.152 use-vrf management
snmp-server community testname1 group network-operator
snmp-server community testname1 use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl

Results in the following configuration:

snmp-server location de-ber-rs-r22-i22
snmp-server user admin network-admin auth md5 xxxxx priv aes-128 xxxxx localizedV2key
snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx localizedV2key
snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
snmp-server host 10.248.1.152 traps version 3 priv monitoring
snmp-server host 10.248.1.152 use-vrf management
snmp-server community testname1 group network-operator
snmp-server community testname1 use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl

Run 2: ❌ SNMP user monitoring will be deleted

Generated and executed commands:

snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx
no snmp-server user admin
no snmp-server user monitoring

Results in the following configuration:

snmp-server location de-ber-rs-r22-i22
snmp-server user admin network-admin auth md5 xxxxx priv aes-128 xxxxx localizedV2key
snmp-server host 10.248.1.152 traps version 3 priv monitoring
snmp-server host 10.248.1.152 use-vrf management
snmp-server community testname1 group network-operator
snmp-server community testname1 use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl

-> User monitoring is missing

Run 3: ✅ SNMP user will be created once again

Generated and executed commands:

snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx
no snmp-server user admin
snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl
  1. The monitoring user will be deleted after the creation of the user, but I don't know why it's in the wrong order. The no snmp-server user monitoring has to be inserted before the user gets created once again.
  2. ...that leads us to bug 2: A no snmp-server user monitoring leads into the missing snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl. The snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx misses the second command snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl. In general it's questionable to delete the user as it's best to overwrite the existing configuration with snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx when the username already exists.

So we can see that the user.x functions do not work as intended. ...and I copied these functions with the whole logic to get community and host working... There are now cases that let the community and host configuration fail with each execution of the playbook.

How do we fix the user functions? Afterwards I can fix community and host
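
A pre-push check for the two ordering problems reported in the comment above, added here as an example (it is not code from the cisco.nxos collection or from the issue author). The function name `lint_user_commands` and the finding labels are assumptions made for this example; the command batches are the ones quoted in Case 2 and Case 3.

```python
import re

# "[no ]snmp-server user <name>[ <options>]", the command shape quoted in the issue.
USER_CMD = re.compile(r"^(no )?snmp-server user (\S+)(?: (.+))?$")

# Command batches copied from the report (RUN1 abridged to its first four lines).
CASE2 = [
    "no snmp-server user monitoring",
    "no snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl",
]
RUN1 = [
    "snmp-server location de-ber-rs-r22-i22",
    "snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx",
    "no snmp-server user admin",
    "snmp-server user monitoring use-ipv4acl snmp-ipv4-acl use-ipv6acl snmp-ipv6-acl",
]
RUN2 = [
    "snmp-server user monitoring network-operator auth sha xxxxx priv aes-128 xxxxx",
    "no snmp-server user admin",
    "no snmp-server user monitoring",
]


def lint_user_commands(commands):
    """Return (index, user, problem) for each ordering hazard in one batch."""
    findings, wiped, configured = [], set(), set()
    for idx, line in enumerate(commands):
        m = USER_CMD.match(line.strip())
        if not m:
            continue  # not an "snmp-server user" line
        negated, user, options = m.groups()
        if negated and options is None:
            # Bare "no snmp-server user X" removes the whole user entry.
            if user in configured:
                findings.append((idx, user, "deleted-after-configure"))
            configured.discard(user)
            wiped.add(user)
        elif negated:
            # Removing a sub-setting of an already wiped user: "user not found."
            if user in wiped:
                findings.append((idx, user, "negate-after-wipe"))
        else:
            configured.add(user)
            wiped.discard(user)
    return findings


if __name__ == "__main__":
    for name, batch in (("case 2", CASE2), ("run 1", RUN1), ("run 2", RUN2)):
        print(name, lint_user_commands(batch))
```

Running it over the output of a `state: "rendered"` task before applying the change flags a batch that would leave the SNMPv3 user missing from the device.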

@TheRealBecks
Author

@NilashishC Any idea how to proceed here? My PR #795 won't work due to the design problems in the user functions.

@TheRealBecks
Author

@NilashishC any update on this?
