
snmp v3 "You must create view "defaultview" first" error when copy/paste configuration commands
Closed, Resolved | Public | BUG

Description

The configuration for service snmp v3 view is stored at the end of the snmp v3 settings. If you submit the configuration after copying it, there will be an error message:

You must create view "defaultview" first

SNMP v3 view settings should be placed before user settings.

Current:

show configuration commands | grep snmp
...
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'auth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 user authOnlyUser auth encrypted-key '0x1'
set service snmp v3 user authOnlyUser auth type 'md5'
set service snmp v3 user authOnlyUser engineid '0x0aa0d6c6f450'
set service snmp v3 user authOnlyUser group 'defaultgroup'
set service snmp v3 user authOnlyUser mode 'ro'
set service snmp v3 user authOnlyUser privacy encrypted-key '0x1'
set service snmp v3 user authOnlyUser privacy type 'aes'
set service snmp v3 view defaultview oid 1

Should be replaced with:

show configuration commands | grep snmp
...
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'auth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid 1
set service snmp v3 user authOnlyUser auth encrypted-key '0x1'
set service snmp v3 user authOnlyUser auth type 'md5'
set service snmp v3 user authOnlyUser engineid '0x0aa0d6c6f450'
set service snmp v3 user authOnlyUser group 'defaultgroup'
set service snmp v3 user authOnlyUser mode 'ro'
set service snmp v3 user authOnlyUser privacy encrypted-key '0x1'
set service snmp v3 user authOnlyUser privacy type 'aes'

This sequence works without error.

Another solution is to update the internal logic of the snmp commit hook. But changing the place of the parameter is straightforward from my point of view.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201806250436
Why the issue appeared?
Will be filled on close

Event Timeline

The "problem" is inherited from the old SNMP CLI definition which was re-generated in XML by me and is now generated here: https://github.com/vyos/vyos-1x/blob/current/interface-definitions/snmp.xml#L230-L237.

VyOS CLI (aka vbash) will check the existence of the view once you enter the set service snmp v3 group defaultgroup view 'defaultview' command. This check could be removed to ease your proposal and the check can simply be moved down into the Python script generating the configuration.
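A sketch of the commit-time check proposed above, as an added example that is not VyOS code: the references are validated once over the whole pasted command set, so the order of the lines no longer matters. The function names, the sample command list and the wording of the second error message are assumptions made for illustration.

```python
import shlex

# Constructed sample: the "Current" ordering from the report, view defined last.
PASTED = """\
set service snmp v3 engineid '0x0aa0d6c6f450'
set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'auth'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 user authOnlyUser group 'defaultgroup'
set service snmp v3 view defaultview oid 1
"""

def parse_v3(commands):
    """Collect groups, users and views from 'set service snmp v3 ...' lines."""
    cfg = {"group": {}, "user": {}, "view": {}}
    prefix = ["set", "service", "snmp", "v3"]
    for line in commands.splitlines():
        tokens = shlex.split(line)
        if tokens[:4] != prefix or len(tokens) < 6:
            continue
        kind, name, rest = tokens[4], tokens[5], tokens[6:]
        if kind not in cfg:
            continue  # e.g. the engineid leaf, which references nothing
        node = cfg[kind].setdefault(name, {})
        if len(rest) == 2:  # simple "<option> <value>" leaves only
            node[rest[0]] = rest[1]
    return cfg

def verify(cfg):
    """Return reference errors, checked after all commands are loaded."""
    errors = []
    for group, opts in cfg["group"].items():
        view = opts.get("view")
        if view is not None and view not in cfg["view"]:
            errors.append(f'You must create view "{view}" first')
    for user, opts in cfg["user"].items():
        group = opts.get("group")
        if group is not None and group not in cfg["group"]:
            # Message text is hypothetical, not taken from VyOS.
            errors.append(f'User "{user}" references missing group "{group}"')
    return errors

if __name__ == "__main__":
    print(verify(parse_v3(PASTED)) or "commit would pass")
```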

c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.

Please retest with latest ISO

I just tested with VyOS-1.2.0-rolling+201807010337. I deleted my SNMPv3 config completely and set it again.

edit service snmp
set contact 'xy'
set description 'xy'
set listen-address 172.16.100.10
set location 'xy'
set trap-target 172.16.10.45
set v3 engineid 'id'
set v3 group nmsreadonly mode 'ro'
set v3 group nmsreadonly seclevel 'priv'
set v3 group nmsreadonly view 'all'
set v3 user nms auth encrypted-key '0xkey'
set v3 user nms auth type 'sha'
set v3 user nms engineid '0xid'
set v3 user nms group 'nmsreadonly'
set v3 user nms mode 'ro'
set v3 user nms privacy encrypted-key '0xkey'
set v3 user nms privacy type 'aes'
set v3 view all oid 1

On commit I get:

You must create view "all" first

Commit failed

Then I discarded everything and tried to set view first:

vyos@vyos-test# set v3 view all oid 1

  Set failed

Maybe this test helps something :-)

@Line2 thanks for retesting.

Actually our problem is our solution. We have a completion helper when specifying the view associated with the SNMP v3 group (https://github.com/vyos/vyos-1x/blob/current/interface-definitions/snmp.xml#L233-L235). This is actually the same behavior as in VyOS 1.1.x which results in:

$ cat /opt/vyatta/share/vyatta-cfg/templates/service/snmp/v3/group/node.tag/view/node.def
type: txt
help: Defines the name of view
allowed: /bin/cli-shell-api listNodes service snmp v3 view

Here you see that the completionHelper will indeed become an allowed: line when entering the node. Thus we can choose: have a completion helper, or no completion helper (which is more error-prone as this will become a commit error).

@dmbaturin any thoughts on this?

syncer triaged this task as Normal priority. Jul 6 2018, 9:04 PM

I was able to copy-paste the configuration on the latest VyOS 1.2.0 rolling update in my configuration.
I also mentioned that my current configuration does not have a separate set v3 engineid 'id' command as in the initial comment,
and it is working without problems.

There is another issue. The encrypted password is not copied or processed well,
so I have to remove the hash and set a plain password for the new config.
I am not sure whether it is a bug at all. I am going to investigate it in the next tests.
We still have manual work after transferring the config, which should definitely be avoided.

Encrypted passwords depend on the engineID, or let's say it in other words - encrypted passwords are hashed/salted with the engine ID. Migrating the encrypted string to a different machine with a different engine ID will fail.
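The engine ID dependence described in the last comment, shown with the standard SNMPv3 USM key localization from RFC 3414 (an added example, not code from VyOS or from this thread). It assumes the encrypted-key value is the RFC 3414 localized key; the second engine ID and the password are constructed sample values.

```python
import hashlib

ENGINE_A = "0x0aa0d6c6f450"   # engine ID from the report
ENGINE_B = "0x0aa0d6c6f451"   # constructed: a second machine's engine ID
PASSWORD = "maplesyrup"       # sample password used by the RFC 3414 test vectors

def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1024 * 1024, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_hex(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Localized key as hex for a password and a 0x-prefixed engine ID."""
    if engine_id_hex.lower().startswith("0x"):
        engine_id_hex = engine_id_hex[2:]
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, engine_id, algo).hex()

def key_survives_migration(password: str, old_engine: str, new_engine: str,
                           algo: str = "md5") -> bool:
    """True only if the key localized on the old engine still matches on the new."""
    return localized_hex(password, old_engine, algo) == \
        localized_hex(password, new_engine, algo)

if __name__ == "__main__":
    for engine in (ENGINE_A, ENGINE_B):
        print(engine, "0x" + localized_hex(PASSWORD, engine))
    print("portable:", key_survives_migration(PASSWORD, ENGINE_A, ENGINE_B))
```

The same password yields a different localized key on each engine ID, so a copied key only authenticates if the target keeps the source's engine ID; otherwise the user has to be re-created from the plaintext password.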