Bug 2222163

Summary: [DDF] The description and example config of snmp::com2sec and snmp::com2sec6 looks wrongs.
Product: Red Hat OpenStack Reporter: Direct Docs Feedback <ddf-bot>
Component: documentationAssignee: Roger Heslop <rheslop>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 16.2 (Train)CC: jslagle, rheslop, vimartin, yatanaka
Target Milestone: ---Keywords: Documentation, Triaged
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-02 14:12:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Direct Docs Feedback 2023-07-12 05:23:10 UTC 
The description and example config of snmp::com2sec and 
snmp::com2sec6 looks wrongs.

When I create the following template file according to the document,
~~~
parameter_defaults:
  ExtraConfig:
    snmp::com2sec: mysecurestring
    snmp::com2sec6: myv6securestring
~~~

the deployment fails with the following message.

~~~
Jul 12 01:11:32 puppet-user: Error: Evaluation Error: Error while evaluating a Function Call, "mysecurestring" is not an Array.  It looks to be a String (file: /etc/puppet/modules/snmp/manifests/init.pp, line: 371, column: 3) on node overcloud-controller-0.yatanaka.example.com
~~~

According to the following upstream document, the values of these  parameters should be an array, not string.

~~~
https://forge.puppet.com/modules/razorsedge/snmp/readme

com2sec
An array of VACM com2sec mappings. Must provide SECNAME, SOURCE and COMMUNITY. See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details. Default: [ "notConfigUser default public" ]

com2sec6
An array of VACM com2sec6 mappings. Must provide SECNAME, SOURCE and COMMUNITY. See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details. Default: [ "notConfigUser default ${ro_community}" ]
~~~

Therefore we should modify our document from:

~~~
SNMP view-based access control settings (VACM)

snmp::com2sec
IPv4 security name.
snmp::com2sec6
IPv6 security name.
For example:

parameter_defaults:
  ExtraConfig:
    snmp::com2sec: mysecurestring
    snmp::com2sec6: myv6securestring
~~~

to:

~~~
SNMP view-based access control settings (VACM)

snmp::com2sec
An array of VACM com2sec mappings. Must provide SECNAME, SOURCE and COMMUNITY.

snmp::com2sec6
An array of VACM com2sec6 mappings. Must provide SECNAME, SOURCE and COMMUNITY.

For example:

parameter_defaults:
  ExtraConfig:
    snmp::com2sec:  ["notConfigUser default mysecurestring"]
    snmp::com2sec6: ["notConfigUser default myv6securestring"]
~~~

Reported by: rhn-support-yatanaka

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/advanced_overcloud_customization/assembly_security-enhancements#annotations:32a92219-f604-4db0-a107-dcbb2e8f7f74
Comment 1 James Slagle 2023-07-20 15:19:06 UTC 
snmp is for DFG:CloudOps
Comment 2 Victoria Martinez de la Cruz 2023-07-26 13:51:50 UTC 
Based on the docs context, this is either for the DFG:Networking or DFG:Security (not related to SNMP traps in CloudOps)
Comment 3 Greg Rakauskas 2023-07-31 13:11:47 UTC 
Hi,

This content was moved to a different guide in RHOSP 17.0:

   https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.0/html/security_and_hardening_guide/assembly_security-enhancements_security_and_hardening#ref_changing-the-simple-network-management-protocol-snmp-strings_security-enhancements

--Greg
Comment 7 Roger Heslop 2023-08-01 18:42:29 UTC 
Verbiage confirmed via /usr/share/openstack-puppet/modules/snmp/README.markdown:

##### `com2sec`
An array of VACM com2sec mappings.  Must provide SECNAME, SOURCE and COMMUNITY.  See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details.
Default: [ "notConfigUser default public" ]

##### `com2sec6`
An array of VACM com2sec6 mappings.  Must provide SECNAME, SOURCE and COMMUNITY.  See http://www.net-snmp.org/docs/man/snmpd.conf.html#lbAL for details.
Default: [ "notConfigUser default ${ro_community}" ]


Configuration tests successfully
Comment 8 Roger Heslop 2023-08-02 14:12:34 UTC 
Content has been updated and published: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/advanced_overcloud_customization/assembly_security-enhancements