Bug 1498979

Summary: changing the snmp community string does not disable access from default community string
Product: Red Hat OpenStack
Reporter: Jack Waterworth <jwaterwo>
Component: rhosp-director
Assignee: Angus Thomas <athomas>
Status: CLOSED DUPLICATE
QA Contact: Amit Ugol <augol>
Severity: high
Priority: unspecified
Version: 10.0 (Newton)
CC: athomas, dbecker, emacchi, mburns, morazi, ohochman, rhel-osp-director-maint
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2017-10-06 19:12:25 UTC
Type: Bug

Description Jack Waterworth 2017-10-05 17:27:26 UTC
Description of problem:

After adding the following options to the overcloud templates, the default community string (public) is not disabled.

-------------------
parameter_defaults:
  ExtraConfig:
    snmp::ro_community: mysecurestring
    snmp::ro_community6: myv6securestring
-------------------

-------------------
[root@overcloud-controller-0 ~]# snmpwalk -Os -c public -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# snmpwalk -Os -c mysecurestring -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
-------------------
[stack@undercloud-1 ~]$ snmpwalk -Os -c public -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
-------------------

Version-Release number of selected component (if applicable):
OSP 10


How reproducible:
Every Time

Steps to Reproduce:
1. Add options to template
2. deploy
3. try to access snmp via public community string

Actual results:
results are returned


Expected results:
results should not be returned.


Additional info:

--------------------
[root@overcloud-controller-0 ~]# grep secure /etc/snmp/snmpd.conf
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1
--------------------
[root@overcloud-controller-0 ~]# snmpwalk -Os -c public -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# snmpwalk -Os -c mysecurestring -v 2c localhost iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[root@overcloud-controller-0 ~]# exit
logout
[heat-admin@overcloud-controller-0 ~]$ exit
logout
Connection to 192.0.2.15 closed.
[stack@undercloud-1 ~]$ snmpwalk -Os -c mysecurestring -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
Timeout: No Response from 192.0.2.15
[stack@undercloud-1 ~]$ snmpwalk -Os -c public -v 2c 192.0.2.15 iso.3.6.1.2.1.1.1
sysDescr.0 = STRING: Linux overcloud-controller-0 3.10.0-693.1.1.el7.x86_64 #1 SMP Thu Aug 3 08:15:31 EDT 2017 x86_64
[stack@undercloud-1 ~]$ 
--------------------

Comment 1 Jack Waterworth 2017-10-05 17:28:10 UTC
full snmpd.conf configuration here:

cat /etc/snmp/snmpd.conf
###
### File managed by Puppet
###

################################################################################
# AGENT BEHAVIOUR

agentaddress udp:161,udp6:[::1]:161

################################################################################
# ACCESS CONTROL

# ------------------------------------------------------------------------------
# Traditional Access Control
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1

# ------------------------------------------------------------------------------
# VACM Configuration
#       sec.name       source        community
com2sec notConfigUser  default       public

com2sec6 notConfigUser  default       public

#       groupName      securityModel securityName
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

#       name          incl/excl  subtree             mask(optional)
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1

#       group          context sec.model sec.level prefix read       write notif
access  notConfigGroup ""      any       noauth    exact  systemview none  none

# ------------------------------------------------------------------------------
# Typed-View Configuration

################################################################################
# SYSTEM INFORMATION

# ------------------------------------------------------------------------------
# System Group
sysLocation Unknown
sysContact Unknown
sysServices 72
sysName overcloud-controller-0.localdomain

################################################################################
# EXTENDING AGENT FUNCTIONALITY


###############################################################################
## Logging
##

## We do not want annoying "Connection from UDP: " messages in syslog.
## If the following option is set to 'no', snmpd will print each incoming
## connection, which can be useful for debugging.

dontLogTCPWrappersConnects no

################################################################################
# OTHER CONFIGURATION

createUser ro_snmp_user MD5 "4bcb98e88e6f5d385ab5c0f9f42bdb571d20fea5"
rouser ro_snmp_user
proc  cron
includeAllDisks  10%
master agentx
trapsink localhost public
iquerySecName internalUser
rouser internalUser
defaultMonitors yes
linkUpDownNotifications yes
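
An added audit helper, not from the bug report or from the Puppet module that manages this file, that parses an snmpd.conf like the one above and flags community strings still granting access: it catches the stock com2sec "public" entries with source "default" (answered from any host) that remained next to the new rocommunity lines, which are bound to 127.0.0.1 and ::1 and so also explain why the remote walk with mysecurestring timed out. The sample configuration is a constructed excerpt of the access-control lines quoted in comment 1.

```python
# Added audit helper (not from the bug report or the Puppet module): flag
# snmpd.conf community strings that still grant access, e.g. the stock
# "com2sec ... default public" left beside a new rocommunity line.
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known defaults to flag

# directive -> (community token index, source token index or None):
#   rocommunity COMMUNITY [SOURCE]; com2sec NAME SOURCE COMMUNITY; trapsink HOST COMMUNITY
_DIRECTIVES = {"rocommunity": (1, 2), "rwcommunity": (1, 2), "rocommunity6": (1, 2),
               "rwcommunity6": (1, 2), "com2sec": (3, 2), "com2sec6": (3, 2),
               "trapsink": (2, None), "trap2sink": (2, None), "informsink": (2, None)}

def parse_communities(conf_text):
    """Return (directive, community, source) for every community-granting line."""
    found = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()        # drop comments and blank lines
        spec = _DIRECTIVES.get(tok[0].lower()) if tok else None
        if spec is None or len(tok) <= spec[0]:
            continue
        comm_idx, src_idx = spec
        if src_idx is None:
            source = None                          # sinks: no source restriction
        else:                                      # snmpd: missing SOURCE = any host
            source = tok[src_idx] if len(tok) > src_idx else "default"
        found.append((tok[0].lower(), tok[comm_idx], source))
    return found

def audit(conf_text):
    """Findings: default communities, and read/write grants open to any source."""
    findings = []
    for directive, community, source in parse_communities(conf_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            issue = "default-community"
        elif source == "default":
            issue = "unrestricted-source"
        else:
            continue
        findings.append({"directive": directive, "community": community,
                         "source": source, "issue": issue})
    return findings

# Constructed excerpt mirroring the access-control lines quoted in comment 1.
SAMPLE_CONF = """\
rocommunity mysecurestring 127.0.0.1
rocommunity6 myv6securestring ::1
com2sec notConfigUser  default       public
com2sec6 notConfigUser  default       public
trapsink localhost public
"""
```

Running audit(SAMPLE_CONF) reports the two com2sec "public" entries and the "public" trapsink, while the 127.0.0.1-bound rocommunity line passes.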

Comment 3 Emilien Macchi 2017-10-06 19:12:25 UTC
Closing this bug as we're already fixing it here https://bugzilla.redhat.com/show_bug.cgi?id=1496672 and I'm actually working on this as I'm writing these words.

*** This bug has been marked as a duplicate of bug 1496672 ***