From 770ab904a4c3a5eb0bda87381ed207478d54d739 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:05:21 +0000 Subject: [PATCH 01/24] Adding trigger conf with test option --- templates/trigger.conf.erb | 288 +++++++++++++++++++++++++++++++++++++ 1 file changed, 288 insertions(+) create mode 100644 templates/trigger.conf.erb diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb new file mode 100644 index 00000000..d000ad08 --- /dev/null +++ b/templates/trigger.conf.erb @@ -0,0 +1,288 @@ +# -*- text -*- +## +## trigger.conf -- Events in the server can trigger a hook to be executed. +## +## $Id: 413a182eec6a193ef8ffd284295e181962265395 $ + +# +# The triggers are named as "type.subtype.value". These names refer +# to subsections and then configuration items in the "trigger" +# section below. When an event occurs, the trigger is executed. The +# trigger is simply a program that is run, with optional arguments. +# +# The server does not wait when a trigger is executed. It is simply +# a "one-shot" event that is sent. +# +# The trigger names should be self-explanatory. +# + +# +# SNMP configuration. +# +# For now, this is only for SNMP traps. +# +# They are enabled by uncommenting (or adding) "$INCLUDE trigger.conf" +# in the main "radiusd.conf" file. +# +# The traps *REQUIRE* that the files in the "mibs" directory be copied +# to the global mibs directory, usually /usr/share/snmp/mibs/. +# If this is not done, the "snmptrap" program has no idea what information +# to send, and will not work. The MIB installation is *NOT* done as +# part of the default installation, so that step *MUST* be done manually. +# +# The global MIB directory can be found by running the following command: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR | sed "s/' .*//;s/.* '//;s/.*://" +# +# Or maybe just: +# +# snmptranslate -Dinit_mib .1.3 2>&1 | grep MIBDIR +# +# If you have copied the MIBs to that directory, you can test the +# FreeRADIUS MIBs by running the following command: +# +# snmptranslate -m +FREERADIUS-NOTIFICATION-MIB -IR -On serverStart +# +# It should print out: +# +# .1.3.6.1.4.1.11344.4.1.1 +# +# As always, run the server in debugging mode after enabling the +# traps. You will see the "snmptrap" command being run, and it will +# print out any errors or issues that it encounters. Those need to +# be fixed before running the server in daemon mode. +# +# We also suggest running in debugging mode as the "radiusd" user, if +# you have "user/group" set in radiusd.conf. The "snmptrap" program +# may behave differently when run as "root" or as the "radiusd" user. +# +snmp { + # + # Configuration for SNMP traps / notifications + # + # To disable traps, edit "radiusd.conf", and delete the line + # which says "$INCUDE trigger.conf" + # + trap { + # + # Absolute path for the "snmptrap" command, and + # default command-line arguments. + # + # You can disable traps by changing the command to + # "/bin/echo". + # + <%- if @ensure = 'present' -%> + cmd = "/usr/bin/snmptrap -v2c" + <%- else -%> + cmd = "/bin/echo" + <%- end -%> + + # + # Community string + # + community = "<%= @trap_community %>" + + # + # Agent configuration. + # + agent = "<%= @trap_dest %> ''" + } +} + +# +# The "snmptrap" configuration defines the full command used to run the traps. +# +# This entry should not be edited. Instead, edit the "trap" section above. +# +snmptrap = "${snmp.trap.cmd} -c ${snmp.trap.community} ${snmp.trap.agent} FREERADIUS-NOTIFICATION-MIB" + +# +# The individual triggers are defined here. You can disable one by +# deleting it, or by commenting it out. You can disable an entire +# section of traps by deleting the section. +# +# The entries below should not be edited. For example, the double colons +# *must* immediately follow the ${snmptrap} reference. Adding a space +# before the double colons will break all SNMP traps. +# +# However... the traps are just programs which are run when +# particular events occur. If you want to replace a trap with +# another program, you can. Just edit the definitions below, so that +# they run a program of your choice. +# +# For example, you can leverage the "start/stop" triggers to run a +# program when the server starts, or when it stops. But that will +# prevent the start/stop SNMP traps from working, of course. +# +trigger { + # + # Events in the server core + # + server { + # the server has just started + <% unless @snmp_traps.include?('home_server_alive') %># <% end %> + start = "${snmptrap}::serverStart" + + + + # the server is about to stop + stop = "${snmptrap}::serverStop" + + # The "max_requests" condition has been reached. + # This will trigger only once per 60 seconds. + max_requests = "${snmptrap}::serverMaxRequests" + + # For events related to clients + client { + # Added a new dynamic client + add = "/path/to/file %{Packet-Src-IP-Address}" + + # There is no event for when dynamic clients expire + } + + # Events related to signals received. + signal { + # a HUP signal + hup = "${snmptrap}::signalHup" + + # a TERM signal + term = "${snmptrap}::signalTerm" + } + + + # Events related to the thread pool + thread { + # A new thread has been started + start = "${snmptrap}::threadStart" + + # an existing thread has been stopped + stop = "${snmptrap}::threadStop" + + # an existing thread is unresponsive + unresponsive = "${snmptrap}::threadUnresponsive" + + # the "max_threads" limit has been reached + max_threads = "${snmptrap}::threadMaxThreads" + } + } + + # When a home server changes state. + # These traps are edge triggered. + home_server { + # common arguments: IP, port, identifier + args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" + + # The home server has been marked "alive" + alive = "${snmptrap}::homeServerAlive ${args}" + + # The home server has been marked "zombie" + zombie = "${snmptrap}::homeServerZombie ${args}" + + # The home server has been marked "dead" + dead = "${snmptrap}::homeServerDead ${args}" + } + + # When a pool of home servers changes state. + home_server_pool { + # common arguments + args = "radiusdConfigName s %{home_server:instance}" + + # It has reverted to "normal" mode, where at least one + # home server is alive. + normal = "${snmptrap}::homeServerPoolNormal ${args}" + + # It is in "fallback" mode, with all home servers "dead" + fallback = "${snmptrap}::homeServerPoolFallback ${args}" + } + + # Triggers for specific modules. These are NOT in the module + # configuration because they are global to all instances of the + # module. You can have module-specific triggers, by placing a + # "trigger" subsection in the module configuration. + modules { + # Common arguments + args = "radiusdModuleInstance s ''" + + # The files module + files { + # Common arguments + args = "radiusdModuleName s files ${..args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + + # Note that "hup" can be used for every module + # which can be HUP'd via radmin + } + + # The LDAP module + # If the server does "bind as user", it will open and close + # an LDAP connection ofr every "bind as user". Be aware that + # this will likely produce a lot of triggers. + ldap { + # Common arguments + args = "radiusdModuleName s ldap ${..args}" + + # A new connection to the DB has been opened + open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + } + + # The SQL module + sql { + # Common arguments + args = "radiusdModuleName s sql ${..args}" + + # A new connection to the DB has been opened + open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed + close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # Failed to open a new connection to the DB + fail = "${snmptrap}::serverModuleConnectionFail ${args}" + + # The module has been HUP'd via radmin + hup = "${snmptrap}::serverModuleHup ${args}" + } + + # You can also use connection pool's start/stop/open/close triggers + # for any module which uses the "pool" section, here and under + # pool.trigger in module configuration. + } +} + +# +# The complete list of triggers as generated from the source code is below. +# +# These are the ONLY traps which are generated. You CANNOT add new traps +# by defining them in one of the sections above. New traps can be created +# only by edited both the source code to the server, *and* the MIBs. +# If you are not an expert in C and SNMP, then adding new traps will be +# difficult to create. +# +# home_server.alive +# home_server.dead +# home_server.zombie +# home_server_pool.fallback +# home_server_pool.normal +# modules.*.hup +# modules.ldap.timeout +# modules.sql.close +# modules.sql.fail +# modules.sql.open +# server.client.add +# server.max_requests +# server.signal.hup +# server.signal.term +# server.start +# server.stop +# server.thread.max_threads +# server.thread.start +# server.thread.stop +# server.thread.unresponsive \ No newline at end of file From 8eacab27391129eea14da38020717763a5b9a2dc Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:35:10 +0000 Subject: [PATCH 02/24] Added reference to trigger as well --- manifests/init.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index b855fe20..f5c0096e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -158,6 +158,16 @@ } } + # Add trigger.conf snmp trap configuration + file { "${freeradius::fr_basepath}/trigger.conf": + ensure => file, + mode => '0644', + owner => 'root', + group => $freeradius::fr_group, + content => template('freeradius/trigger.conf.erb'), + require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service['radiusd'], + } # Set up concat policy file, as there is only one global policy # We also add standard header and footer concat { 'freeradius policy.conf': From 048b5b640ca8a70648193552c23bf9d5410a39d0 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:43:28 +0000 Subject: [PATCH 03/24] Add snmp_traps array to init.pp --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index f5c0096e..92994a04 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, + Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -161,7 +162,7 @@ # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": ensure => file, - mode => '0644', + mode => '0640', owner => 'root', group => $freeradius::fr_group, content => template('freeradius/trigger.conf.erb'), From b950e883a59f928c23e114c15840331cab02bcda Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:54:18 +0000 Subject: [PATCH 04/24] Moved hash to next line --- templates/trigger.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index d000ad08..6bdccce1 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -120,8 +120,8 @@ trigger { # server { # the server has just started - <% unless @snmp_traps.include?('home_server_alive') %># <% end %> - start = "${snmptrap}::serverStart" + <% unless @snmp_traps.include?('home_server_alive') %> + # <% end %>start = "${snmptrap}::serverStart" @@ -285,4 +285,4 @@ trigger { # server.thread.max_threads # server.thread.start # server.thread.stop -# server.thread.unresponsive \ No newline at end of file +# server.thread.unresponsive From e05bb4e137f723c7fe2241ca67ea6f3afa4dfa40 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 15:59:33 +0000 Subject: [PATCH 05/24] Added server start to hash --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 92994a04..0c3f93cd 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, - Array $snmp_traps = [], + Array $snmp_traps = ['home_server_alive'], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } From 1f63759b2ca87989647908aca197fdfeadbf04fe Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:11:44 +0000 Subject: [PATCH 06/24] test if array empty and populate it --- manifests/init.pp | 30 ++++++++++++++- templates/trigger.conf.erb | 76 ++++++++++++++++++++++++-------------- 2 files changed, 77 insertions(+), 29 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0c3f93cd..2055d14a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,7 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, - Array $snmp_traps = ['home_server_alive'], + Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -158,7 +158,33 @@ preserve => true, } } - + if empty($snmp_traps) { + $snmp_traps = [ + 'server_start', + 'server_stop', + 'server_max_requests', + 'server_client_add', + 'server_signal_hup', + 'server_signal_term', + 'server_thread_start', + 'server_thread_stop', + 'server_thread_Unresponsive', + 'server_thread_max_threads', + 'home_server_alive', + 'home_server_zombie', + 'home_server_dead', + 'home_server_pool_normal', + 'home_server_pool_fallback', + 'server_files_module_hup', + 'server_ldap_module_connection_up', + 'server_ldap_module_connection_down', + 'server_ldap_module_hup', + 'server_sql_module_connection_up', + 'server_sql_module_connection_close', + 'server_sql_module_connection_fail', + 'server_sql_module_hup', + ] + } # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": ensure => file, diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 6bdccce1..dbc71747 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -120,22 +120,25 @@ trigger { # server { # the server has just started - <% unless @snmp_traps.include?('home_server_alive') %> + <% unless @snmp_traps.include?('server_start') %> # <% end %>start = "${snmptrap}::serverStart" # the server is about to stop - stop = "${snmptrap}::serverStop" + <% unless @snmp_traps.include?('server_stop') %> + # <% end %>stop = "${snmptrap}::serverStop" # The "max_requests" condition has been reached. # This will trigger only once per 60 seconds. - max_requests = "${snmptrap}::serverMaxRequests" + <% unless @snmp_traps.include?('server_max_requests') %> + # <% end %>max_requests = "${snmptrap}::serverMaxRequests" # For events related to clients client { # Added a new dynamic client - add = "/path/to/file %{Packet-Src-IP-Address}" + <% unless @snmp_traps.include?('server_client_add') %> + # <% end %>add = "/path/to/file %{Packet-Src-IP-Address}" # There is no event for when dynamic clients expire } @@ -143,26 +146,32 @@ trigger { # Events related to signals received. signal { # a HUP signal - hup = "${snmptrap}::signalHup" + <% unless @snmp_traps.include?('server_signal_hup') %> + # <% end %>hup = "${snmptrap}::signalHup" # a TERM signal - term = "${snmptrap}::signalTerm" + <% unless @snmp_traps.include?('server_signal_term') %> + # <% end %>term = "${snmptrap}::signalTerm" } # Events related to the thread pool thread { - # A new thread has been started - start = "${snmptrap}::threadStart" + # A new thread has been started + <% unless @snmp_traps.include?('server_thread_start') %> + # <% end %>start = "${snmptrap}::threadStart" - # an existing thread has been stopped - stop = "${snmptrap}::threadStop" + # an existing thread has been stopped + <% unless @snmp_traps.include?('server_thread_stop') %> + # <% end %>stop = "${snmptrap}::threadStop" - # an existing thread is unresponsive - unresponsive = "${snmptrap}::threadUnresponsive" + # an existing thread is unresponsive + <% unless @snmp_traps.include?('server_thread_Unresponsive') %> + # <% end %>unresponsive = "${snmptrap}::threadUnresponsive" - # the "max_threads" limit has been reached - max_threads = "${snmptrap}::threadMaxThreads" + # the "max_threads" limit has been reached + <% unless @snmp_traps.include?('server_thread_max_threads') %> + # <% end %>max_threads = "${snmptrap}::threadMaxThreads" } } @@ -173,13 +182,16 @@ trigger { args = "radiusAuthServerAddress a %{proxy-request:Packet-Dst-IP-Address} radiusAuthClientServerPortNumber i %{proxy-request:Packet-Dst-Port} radiusAuthServIdent s '%{home_server:instance}'" # The home server has been marked "alive" - alive = "${snmptrap}::homeServerAlive ${args}" + <% unless @snmp_traps.include?('home_server_alive') %> + # <% end %>salive = "${snmptrap}::homeServerAlive ${args}" # The home server has been marked "zombie" - zombie = "${snmptrap}::homeServerZombie ${args}" + <% unless @snmp_traps.include?('home_server_zombie') %> + # <% end %>szombie = "${snmptrap}::homeServerZombie ${args}" # The home server has been marked "dead" - dead = "${snmptrap}::homeServerDead ${args}" + <% unless @snmp_traps.include?('home_server_dead') %> + # <% end %>sdead = "${snmptrap}::homeServerDead ${args}" } # When a pool of home servers changes state. @@ -189,10 +201,12 @@ trigger { # It has reverted to "normal" mode, where at least one # home server is alive. - normal = "${snmptrap}::homeServerPoolNormal ${args}" + <% unless @snmp_traps.include?('home_server_pool_normal') %> + # <% end %>snormal = "${snmptrap}::homeServerPoolNormal ${args}" # It is in "fallback" mode, with all home servers "dead" - fallback = "${snmptrap}::homeServerPoolFallback ${args}" + <% unless @snmp_traps.include?('home_server_pool_fallback') %> + # <% end %>fallback = "${snmptrap}::homeServerPoolFallback ${args}" } # Triggers for specific modules. These are NOT in the module @@ -209,7 +223,8 @@ trigger { args = "radiusdModuleName s files ${..args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_files_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" # Note that "hup" can be used for every module # which can be HUP'd via radmin @@ -224,13 +239,16 @@ trigger { args = "radiusdModuleName s ldap ${..args}" # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" + <% unless @snmp_traps.include?('server_ldap_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" + <% unless @snmp_traps.include?('server_ldap_module_connection_down') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_ldap_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" } # The SQL module @@ -239,16 +257,20 @@ trigger { args = "radiusdModuleName s sql ${..args}" # A new connection to the DB has been opened - open = "${snmptrap}::serverModuleConnectionUp ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_up') %> + # <% end %>open = "${snmptrap}::serverModuleConnectionUp ${args}" # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_close') %> + # <% end %>close = "${snmptrap}::serverModuleConnectionDown ${args}" # Failed to open a new connection to the DB - fail = "${snmptrap}::serverModuleConnectionFail ${args}" + <% unless @snmp_traps.include?('server_sql_module_connection_fail') %> + # <% end %>fail = "${snmptrap}::serverModuleConnectionFail ${args}" # The module has been HUP'd via radmin - hup = "${snmptrap}::serverModuleHup ${args}" + <% unless @snmp_traps.include?('server_sql_module_hup') %> + # <% end %>hup = "${snmptrap}::serverModuleHup ${args}" } # You can also use connection pool's start/stop/open/close triggers From 66544d62726a135d6680c4173bd7320d81e6425d Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:31:20 +0000 Subject: [PATCH 07/24] Added remaining template variables --- manifests/init.pp | 3 +++ templates/trigger.conf.erb | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 2055d14a..3d71c3f6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,9 @@ Boolean $manage_logpath = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, + String $snmp_traps_enable = 'disable', + String $snmp_traps_community = 'public', + String $snmp_traps_dest = '127.0.0.1', Array $snmp_traps = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index dbc71747..9619ae44 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -71,7 +71,7 @@ snmp { # You can disable traps by changing the command to # "/bin/echo". # - <%- if @ensure = 'present' -%> + <%- if @snmp_traps_enable = 'enable' -%> cmd = "/usr/bin/snmptrap -v2c" <%- else -%> cmd = "/bin/echo" @@ -80,12 +80,12 @@ snmp { # # Community string # - community = "<%= @trap_community %>" + community = "<%= @snmp_traps_community %>" # # Agent configuration. # - agent = "<%= @trap_dest %> ''" + agent = "<%= @snmp_traps_dest %> ''" } } From 5d98df546c8745f365c505ba339cafa184ff57e9 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:39:21 +0000 Subject: [PATCH 08/24] Equals test with single = --- templates/trigger.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 9619ae44..959be6b0 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -71,7 +71,7 @@ snmp { # You can disable traps by changing the command to # "/bin/echo". # - <%- if @snmp_traps_enable = 'enable' -%> + <%- if @snmp_traps_enable == 'enable' -%> cmd = "/usr/bin/snmptrap -v2c" <%- else -%> cmd = "/bin/echo" From 096d21313253a1258a4971e0207c07eef9b5ce61 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 17:43:29 +0000 Subject: [PATCH 09/24] Removed an unneeded s --- templates/trigger.conf.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/trigger.conf.erb b/templates/trigger.conf.erb index 959be6b0..59b8956f 100644 --- a/templates/trigger.conf.erb +++ b/templates/trigger.conf.erb @@ -183,15 +183,15 @@ trigger { # The home server has been marked "alive" <% unless @snmp_traps.include?('home_server_alive') %> - # <% end %>salive = "${snmptrap}::homeServerAlive ${args}" + # <% end %>alive = "${snmptrap}::homeServerAlive ${args}" # The home server has been marked "zombie" <% unless @snmp_traps.include?('home_server_zombie') %> - # <% end %>szombie = "${snmptrap}::homeServerZombie ${args}" + # <% end %>zombie = "${snmptrap}::homeServerZombie ${args}" # The home server has been marked "dead" <% unless @snmp_traps.include?('home_server_dead') %> - # <% end %>sdead = "${snmptrap}::homeServerDead ${args}" + # <% end %>dead = "${snmptrap}::homeServerDead ${args}" } # When a pool of home servers changes state. @@ -202,7 +202,7 @@ trigger { # It has reverted to "normal" mode, where at least one # home server is alive. <% unless @snmp_traps.include?('home_server_pool_normal') %> - # <% end %>snormal = "${snmptrap}::homeServerPoolNormal ${args}" + # <% end %>normal = "${snmptrap}::homeServerPoolNormal ${args}" # It is in "fallback" mode, with all home servers "dead" <% unless @snmp_traps.include?('home_server_pool_fallback') %> From cbad6ae295bbbb3c618badd0c1f48d0a01e90c67 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 18:10:56 +0000 Subject: [PATCH 10/24] changing snmp_traps to undef --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 3d71c3f6..4cf51b45 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -25,7 +25,7 @@ String $snmp_traps_enable = 'disable', String $snmp_traps_community = 'public', String $snmp_traps_dest = '127.0.0.1', - Array $snmp_traps = [], + Array $snmp_traps = undef, ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } From f74c32f8197d67d4b667f77c3dc9d337023ff327 Mon Sep 17 00:00:00 2001 From: Mark Ottaway Date: Fri, 10 Nov 2023 18:29:26 +0000 Subject: [PATCH 11/24] Used second trap variable to check passed trap list --- manifests/init.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 4cf51b45..fdd364b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -25,7 +25,7 @@ String $snmp_traps_enable = 'disable', String $snmp_traps_community = 'public', String $snmp_traps_dest = '127.0.0.1', - Array $snmp_traps = undef, + Array $snmp_traps_list = [], ) inherits freeradius::params { if $freeradius::fr_version !~ /^3/ { notify { 'This module is only compatible with FreeRADIUS 3.': } @@ -161,7 +161,7 @@ preserve => true, } } - if empty($snmp_traps) { + if empty($snmp_traps_list) { $snmp_traps = [ 'server_start', 'server_stop', @@ -187,6 +187,8 @@ 'server_sql_module_connection_fail', 'server_sql_module_hup', ] + } else { + $snmp_traps = $snmp_traps_list } # Add trigger.conf snmp trap configuration file { "${freeradius::fr_basepath}/trigger.conf": From b9b6fa380ac1af5ae4889ebf6a372251c1936694 Mon Sep 17 00:00:00 2001 From: Robert Wolf Date: Tue, 13 Feb 2024 09:05:33 +0100 Subject: [PATCH 12/24] - option to manage logrotate - disable manage logrotate for Debian by default --- manifests/init.pp | 65 ++++++++++++++++++++++++--------------------- manifests/params.pp | 5 ++++ 2 files changed, 39 insertions(+), 31 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index b855fe20..820ee386 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,6 +20,7 @@ Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, + Boolean $manage_logrotate = true, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, ) inherits freeradius::params { @@ -428,37 +429,39 @@ } } - logrotate::rule { 'radacct': - path => "${freeradius::fr_logpath}/radacct/*/*.log", - rotate_every => 'day', - rotate => 7, - create => false, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, - } - - logrotate::rule { 'checkrad': - path => "${freeradius::fr_logpath}/checkrad.log", - rotate_every => 'week', - rotate => 1, - create => true, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, - } - - logrotate::rule { 'radiusd': - path => "${freeradius::fr_logpath}/radius*.log", - rotate_every => 'week', - rotate => 26, - create => true, - missingok => true, - compress => true, - postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", - sharedscripts => true, + if $manage_logpath { + logrotate::rule { 'radacct': + path => "${freeradius::fr_logpath}/radacct/*/*.log", + rotate_every => 'day', + rotate => 7, + create => false, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } + + logrotate::rule { 'checkrad': + path => "${freeradius::fr_logpath}/checkrad.log", + rotate_every => 'week', + rotate => 1, + create => true, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } + + logrotate::rule { 'radiusd': + path => "${freeradius::fr_logpath}/radius*.log", + rotate_every => 'week', + rotate => 26, + create => true, + missingok => true, + compress => true, + postrotate => "kill -HUP `cat ${freeradius::fr_pidfile}`", + sharedscripts => true, + } } # Placeholder resource for dh and random as they are dynamically generated, so they diff --git a/manifests/params.pp b/manifests/params.pp index c584c77f..c4e7ef8f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -188,4 +188,9 @@ # Default radsniff pid file location $fr_radsniff_pidfile = "/var/run/${fr_service}/radsniff.pid" + + $manage_logrotate = $::osfamily ? { + 'Debian' => false, + default => true, + } } From 7a37faee69addb87b27ce22ca39f182805b4a661 Mon Sep 17 00:00:00 2001 From: Robert Wolf Date: Tue, 13 Feb 2024 09:08:59 +0100 Subject: [PATCH 13/24] default from params --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 820ee386..d999f8cf 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,7 +20,7 @@ Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, - Boolean $manage_logrotate = true, + Boolean $manage_logrotate = $freeradius::params::manage_logrotate, Optional[String] $package_ensure = 'installed', String $radacctdir = $freeradius::params::radacctdir, ) inherits freeradius::params { From 2837a322329c07a9c745f37c4bfdb5c6dbd5656a Mon Sep 17 00:00:00 2001 From: Robert Wolf Date: Tue, 13 Feb 2024 09:19:37 +0100 Subject: [PATCH 14/24] fix variable --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index d999f8cf..c3e457f4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -429,7 +429,7 @@ } } - if $manage_logpath { + if $manage_logrotate { logrotate::rule { 'radacct': path => "${freeradius::fr_logpath}/radacct/*/*.log", rotate_every => 'day', From 3b91c4d30081af3ae00df5a98c0e823130242102 Mon Sep 17 00:00:00 2001 From: Julien Godin Date: Thu, 25 Apr 2024 16:13:04 +0200 Subject: [PATCH 15/24] improvment: add a new parameter to allow the use of vulnerable SSL/TLS versions Signed-off-by: Julien Godin --- README.md | 3 +++ manifests/init.pp | 1 + templates/radiusd.conf.erb | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b6f89861..60b067fe 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`. ##### `log_auth` Log authentication requests (yes/no). Default: `no`. +##### `allow_vulnerable_openssl` +Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`. + ##### `package_ensure` Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed` diff --git a/manifests/init.pp b/manifests/init.pp index fdd364b4..a0eae333 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,6 +17,7 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', + Freeradius::Boolean $allow_vulnerable_ssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 3d715654..87e8614e 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb @@ -574,7 +574,7 @@ security { # and may not reflect patches applied to libssl by # distribution maintainers. # - allow_vulnerable_openssl = yes + allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%> } # PROXY CONFIGURATION From 89e42437832d5aa66cab0ad9e48a52ca3129aaff Mon Sep 17 00:00:00 2001 From: Julien Godin Date: Thu, 25 Apr 2024 16:39:30 +0200 Subject: [PATCH 16/24] fix: allow vulnerable ssl versions Signed-off-by: Julien Godin --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index a0eae333..6ce600be 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,7 +17,7 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', - Freeradius::Boolean $allow_vulnerable_ssl = 'yes', + Freeradius::Boolean $allow_vulnerable_openssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, From 75d354dcb6e6d07d06e3dba06dcbc6bf64a22879 Mon Sep 17 00:00:00 2001 From: Andrew Teixeira Date: Tue, 14 May 2024 14:56:06 -0400 Subject: [PATCH 17/24] Remove is_ip_address function removed from stdlib in 9.x Bump the lower bound on stdlib to 5.0.0 --- manifests/listen.pp | 31 +++++++++++-------------------- metadata.json | 2 +- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/manifests/listen.pp b/manifests/listen.pp index e73d2f25..352f3a00 100644 --- a/manifests/listen.pp +++ b/manifests/listen.pp @@ -1,30 +1,21 @@ # == Define freeradius::listen # define freeradius::listen ( - Freeradius::Ensure $ensure = 'present', - Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', - Optional[String] $ip = undef, - Optional[String] $ip6 = undef, - Integer $port = 0, - Optional[String] $interface = undef, - Optional[String] $virtual_server = undef, - Array[String] $clients = [], - Integer $max_connections = 16, - Integer $lifetime = 0, - Integer $idle_timeout = 30, + Freeradius::Ensure $ensure = 'present', + Enum['auth','acct','proxy','detail','status','coa'] $type = 'auth', + Optional[Variant[Stdlib::IP::Address::V4, Enum['*']]] $ip = undef, + Optional[Variant[Stdlib::IP::Address::V6, Enum['*']]] $ip6 = undef, + Integer $port = 0, + Optional[String] $interface = undef, + Optional[String] $virtual_server = undef, + Array[String] $clients = [], + Integer $max_connections = 16, + Integer $lifetime = 0, + Integer $idle_timeout = 30, ) { $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group - # Parameter validation - if $ip and $ip != '*' and !is_ip_address($ip) { - fail('ip must be a valid IP address or \'*\'') - } - - if $ip6 and $ip6 != '::' and !is_ip_address($ip6) { - fail('ip6 must be a valid IP address or \'::\'') - } - if $ip and $ip6 { fail('Only one of ip or ip6 can be used') } diff --git a/metadata.json b/metadata.json index 8025bcae..66d05a5b 100644 --- a/metadata.json +++ b/metadata.json @@ -10,7 +10,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">=4.25.0 <10.0.0" + "version_requirement": ">=5.0.0 <10.0.0" }, { "name": "puppetlabs/firewall", From 93b3c83e82eb767f650d7b6fe780849bcd20ffbf Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Wed, 15 May 2024 22:44:48 +1200 Subject: [PATCH 18/24] Update the puppetlabs firewall module requirement to be >7 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 66d05a5b..f5662ef8 100644 --- a/metadata.json +++ b/metadata.json @@ -14,7 +14,7 @@ }, { "name": "puppetlabs/firewall", - "version_requirement": ">=1.0.0 <7.0.0" + "version_requirement": ">=7.0.0 <9.0.0" }, { "name": "saz/rsyslog", From a314d78785102585a23c7b7f3b3256672228321c Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Wed, 15 May 2024 22:36:26 +1200 Subject: [PATCH 19/24] Update calls to the firewall module with modern parameters --- manifests/client.pp | 13 +++++++------ spec/defines/client_spec.rb | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index f8fc7e4d..876d4da9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -61,17 +61,18 @@ if $port { if $ip { firewall { "100 ${name} ${port_description} v4": - proto => 'udp', - dport => $port, - action => 'accept', - source => $ip, + proto => 'udp', + dport => $port, + jump => 'ACCEPT', + protocol => 'IPv4', + source => $ip, } } elsif $ip6 { firewall { "100 ${name} ${port_description} v6": proto => 'udp', dport => $port, - action => 'accept', - provider => 'ip6tables', + jump => 'ACCEPT', + protocol => 'IPv6', source => $ip6, } } diff --git a/spec/defines/client_spec.rb b/spec/defines/client_spec.rb index fcf8c73f..f234d7ab 100644 --- a/spec/defines/client_spec.rb +++ b/spec/defines/client_spec.rb @@ -85,8 +85,9 @@ is_expected.to contain_firewall('100 test 1234 v4') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') + .with_protocol('IPv4') end context 'with ipv6' do @@ -102,9 +103,9 @@ is_expected.to contain_firewall('100 test 1234 v6') .with_proto('udp') .with_dport(1234) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end @@ -120,7 +121,7 @@ is_expected.to contain_firewall('100 test 1234,4321 v4') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('1.2.3.4') end @@ -137,9 +138,9 @@ is_expected.to contain_firewall('100 test 1234,4321 v6') .with_proto('udp') .with_dport([1234, 4321]) - .with_action('accept') + .with_jump('ACCEPT') .with_source('2001:db8::100') - .with_provider('ip6tables') + .with_protocol('IPv6') end end end From 612eff6aab08c6a02b05462d198d3c8a0ea25a5c Mon Sep 17 00:00:00 2001 From: Nathan Ward Date: Sat, 19 Aug 2023 01:44:10 +1200 Subject: [PATCH 20/24] Fix link target --- manifests/site.pp | 2 +- spec/defines/site_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/site.pp b/manifests/site.pp index b1b351a5..16a132b1 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -43,6 +43,6 @@ file { "freeradius sites-enabled/${name}": ensure => $ensure_link, path => "${fr_basepath}/sites-enabled/${name}", - target => "${fr_basepath}/sites-available/${name}", + target => "../sites-available/${name}", } } diff --git a/spec/defines/site_spec.rb b/spec/defines/site_spec.rb index 0f08c415..72dec9e1 100644 --- a/spec/defines/site_spec.rb +++ b/spec/defines/site_spec.rb @@ -29,6 +29,6 @@ is_expected.to contain_file('freeradius sites-enabled/test') .with_path('/etc/raddb/sites-enabled/test') .with_ensure('link') - .with_target('/etc/raddb/sites-available/test') + .with_target('../sites-available/test') end end From 4e90820436eddc2fafe0f3d32248d13c64f74949 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:38:01 +0100 Subject: [PATCH 21/24] We don't use the v prefix in version numbers --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 87601740..3528885f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,7 +3,7 @@ name: Build and publish to Puppet Forge on: push: tags: - - v[0-9]+.[0-9]+.[0-9]+ + - [0-9]+.[0-9]+.[0-9]+ jobs: build: From 7d3911c3b910ecc6be0945c2154700509cacb5e6 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:39:45 +0100 Subject: [PATCH 22/24] Prepare release 4.0.0 --- CHANGELOG.md | 2 ++ metadata.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5eab3..9a0379ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## Changelog +Please refer to the [GitHub releases page](https://github.com/djjudas21/puppet-freeradius/releases) for the changelog for 4.0.0 and onwards + ### 3.9.2 * Bugfix: Restart FreeRADIUS after any huntgroups modification diff --git a/metadata.json b/metadata.json index f5662ef8..4154c522 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "jgazeley-freeradius", - "version": "3.9.2", + "version": "4.0.0", "author": "jgazeley", "summary": "Install and configure FreeRADIUS", "license": "Apache-2.0", From 72f3d2bf67597ea1130029895f2b9fc1f8d44c02 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:41:53 +0100 Subject: [PATCH 23/24] Publish on new release only --- .github/workflows/publish.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3528885f..fc852970 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,9 +1,8 @@ name: Build and publish to Puppet Forge on: - push: - tags: - - [0-9]+.[0-9]+.[0-9]+ + release: + types: [published] jobs: build: From 43a29e708a5f040d26c7e4db0175bc824761b516 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 15 May 2024 12:50:54 +0100 Subject: [PATCH 24/24] Update Forge publish action --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fc852970..3a124cc5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,7 +16,7 @@ jobs: with: ref: ${{ steps.vars.outputs.tag }} - name: Build and publish module - uses: barnumbirr/action-forge-publish@v2 + uses: barnumbirr/action-forge-publish@v2.15.0 env: FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }} REPOSITORY_URL: https://forgeapi.puppet.com/v3/releases