#
# Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
#
# ident "@(#)migration.pl 1.5 03/06/26 SMI"
#
# $Id: masfcnv,v 1.3 2004/01/09 14:04:14 rr144420 Exp $
=head1 NAME
masfcnv - SNMP configuration migration script
=head1 SYNOPSIS
masfcnv S<[ -cimnrs ]> S<[ -l agent|master ]> S<[ -p enable|disable|error ]>
S<[ -t none|add ]> S<[ -u agent|master|error ]> S<[ -y agent|master|error ]>
masfcnv [ -V ]
masfcnv [ -? ]
=head1 DESCRIPTION
The masfcnv script is used to assist the system administrator in migrating an
existing set of configuration files for the Sun SNMP Management Agent for Sun
Fire and Netra Systems (MASF) to the Systems Management Agent (SMA).
The script accepts as input the currently installed set of MASF and SMA
configuration files and outputs a new set of SMA configuration files. Existing
SMA configuration files are backed up by appending ".bak" to the filename. The
administrator may choose to output the new configuration to the standard output
instead of replacing the current configuration by specifying the -n option.
The migration script must be run as the superuser and failure to do so will
cause the script to exit with an error message. Before running the script the
administrator should ensure that both the SMA and MASF agents are not running.
If the agents are running they will be shut down by the script.
The migration script will install a new startup script for the MASF agent in
/etc/init.d and backup the old script. During migration, MASF will be
configured as an AgentX subagent of SMA. All migration settings will be
migrated to the SMA configuration file.
The migration script will abort if any unrecognised directives are found in
either the MASF configuration files or the SMA configuration files. This may
be overridden with the -i option. If this option is selected, the behaviour is
to retain unrecognised directives which were present in the SMA configuration,
but remove those present in the MASF configuration.
The migration script will then proceed to migrate access control and trap
configuration. As a side-effect of running the migration script, the following
directives may be expanded by the script into multiple directives with
an equivalent interpretation:
=over
=item rwcommunity
=item rocommunity
=item rwuser
=item rouser
=item trapcommunity
=item trapsink
=item trap2sink
=item informsink
=back
=head2 Access Control Migration
Access control directives will be expanded into the equivalent com2sec, group,
access and view directives. Existing group names will be renamed by prepending
a prefix to avoid conflict with any which may already be defined in SMA.
When migrating SNMPv1 or v2c access control, a conflict may occur if both MASF
and SMA configuration files have defined access permissions for the same
community and source address. The default behaviour is to abort with a
message, unless the -y option specifies otherwise. If "-y agent" was specified
then the MASF configuration will take precedence. If "-y master" was specified
then the SMA configuration will be retained.
When migrating USM configuration (SNMPv3), a conflict may occur if both SMA
and MASF configurations define a user with the same securityName. If this
occurs then the behaviour of the script is determined by the -u option.
If "-u agent" has been selected then the configuration of the user defined in
the MASF configuration files will be the one that is retained. Otherwise, if
the "-u master" option has been selected, the one defined in the SMA
configuration files will be retained.
The migration script will by default attempt to migrate USM users from MASF to
SMA. The script will determine whether there are any existing SNMPv3 users
present in the SMA configuration and whether or not the default engineID has
been overridden in the SMA configuration files. If neither of these are found to
be the case then the any usmUser statements containing localised
authentication keys can be migrated to SMA, along with the MASF engineID. This
will result in the engineID of SMA master agent changing.
If the script determines that there are existing SNMPv3 users or a manually
configured engineID present in the SMA configuration, then only those users
defined in createUser statements will be transferred. Those users which were
defined in usmUser statements will be transferred but will have their
passwords reset to a random value. The administrator is advised to notify
their users of their new password and/or reset the password themselves by
editing the newly-generated configuration file themselves.
=head2 Trap/Inform Migration
The migration script will perform a check to determine whether a trap
destination defined for MASF is already specified in an existing SMA trapsink,
trap2sink or informsink directive. If this is the case then the directive in
the MASF configuration will be discarded to avoid duplicate traps/informs being
received.
trapsink, trap2sink and informsink directives specified in the existing SMA
configuration are considered valid destinations for MASF traps/informs and will
receive them from the MASF subagent after migration.
If the "-t none" option was specified on the command line, then the migration
script will carry over any remaining MASF trap/inform directives without
modification.
If the "-t add" option was specified (the default), then the migration script
will expand any trapsink, trap2sink or informsink directives to use the
TARGET-MIB and NOTIFICATION-MIB. The TARGET-MIB specifies targets using IP
addresses, so it may be desirable to use the "-t none" option if, for example,
the network allocates IP addresses to hostnames dynamically via DHCP.
The expanded directives will define filters specific to the MASF agent so that
traps from other subagents will not be received by migrated trap destinations.
Existing filters present in the SMA configuration will by default not be
modified and may or may not receive MASF traps depending upon the filters
which were originally defined for them.
If the -l option is specified, then any filters already defined in the
TARGET-MIB and the NOTIFICATION-MIB for SMA will be extended to include traps
from MASF. In the event that a trap destination is already configured in the
TARGET-MIB with the same target address and community as an existing MASF
trap/inform sink, a conflict will arise.
If "-l agent" was specified and a conflict arises, then the migration script
will use the target SNMP parameters (i.e. SNMP version and choise of
trap/inform) defined by the MASF trap/informsink directive to send traps to
this destination. Otherwise if the "-l master" option was specified, then the
conflict will be resolved using the target SNMP parameters specified in the
SMA configuration.
=head2 Miscellaneous
If the migration script encounters any of the following directives in the MASF
configuration file and they are either not present or differ in the SMA
configuration, the script will log a warning message:
=over
=item syslocation
=item syscontact
=item sysname
=item sysservices
=item agentgroup
=item agentuser
=item authtrapenable
=back
=head1 OPTIONS
=over
=item B<-?>
=item B<--help>
Displays usage information.
=item B<-c>
=item B<--no-community>
Do not transfer v1/v2c communities
=item B<-i>
=item B<--ignore-unrecognized-directives>
Continue processing if unrecognised directives are present.
=item B<-l> I<agent|master>
=item B<--master-trap-target>=I<agent|master>
If 'agent' is specified then the existing SMA trap targets will be configured
to receive traps that were previously sent to destinations for the Sun Fire
SNMP agent. If 'master' is specified then the targets will be configured to
receive Sun Fire SNMP traps but existing SNMP target parameters will be used.
=item B<-m>
=item B<--no-usmuser>
Do not transfer usm (v3) users
=item B<-n>
=item B<--dry-run>
Run the migration without modifying any files. If any error arises then
continue processing. This can be used to determine the likely migration issues.
=item B<-p> I<enable|disable|error>
=item B<--use-agent-port>=I<enable|disable|error>
Indicates whether the port originally used by the Sun Fire SNMP agent should be
used by the SMA agent after migration (if the two agents are using different
ports). If 'enable' is specified then the port used by the Sun Fire SNMP agent
will also be used by the SMA agent after migration. If 'disable' is specified
then the ports used by SMA will not be updated by the migration tool. If
the 'error' option is specified and the SMA agent is not already using the same
ports as those used by the original Sun Fire SNMP agent then an error will be
reported and the migration process will be terminated. If no option is
specified the default behaviour is equivalent to the 'error' flag.
=item B<-r>
=item B<--no-trap>
Do not transfer trap destinations
=item B<-s>
=item B<--skip-user>
If a user is found in the MASF configuration file that cannot be created in the
new configuration due to a change in the engine ID, then output a message
indicating that the user could not be migrated (needs to be manually recreated)
and continue processing. If this option is not present then the migration tool
will consider such a situation as an error and abort.
=item B<-t> I<none|add>
=item B<--trap-filter>=I<none|add>
If 'none' is specified then the script will copy trap directives directly. The
administrator may need to manually update the configuration file to ensure
traps are only delivered to their intended destinations. If 'add' is specifed
then trap filters will be constructed so that traps originating from the
original Sun Fire SNMP agent are only delivered to the destinations that
originally received them. 'add' is the default behaviour.
=item B<-u> I<agent|master|error>
=item B<--select-user>=I<agent|master|error>
Specifies that if a user with the same name is found in both configuration
files that the conflict is to be resolved using the specified configuration
file as input. Selecting a user from a particular will also cause the group
declaration for that user to be taken from the same file. If 'agent' is
specified then the user will be taken from the configuration file for the Sun
Fire SNMP Agent. If 'master' is specified then the user will be taken from the
SMA configuration. Otherwise if 'error' is given, the script will terminate.
If this option is not present then the default behaviour is equivalent to
the 'error' flag.
=item B<-V>
=item B<--version>
Display the version of this script.
=item B<-y> I<agent|master|error>
=item B<--select-community>=I<agent|master|error>
Specifies that if a community and source (hostname, IP addr or range of IP
addresses) is found to be conflicting in the two configurations, which
combination should be selected when mapping to a security name. If 'agent' is
specified then the community and source information will be taken from the
configuration for the Sun Fire SNMP agent. If 'master' is specified it will be
taken from the SMA agent. Otherwise if 'error' is specified an error will be
reported and the migration will terminate. If this option is not present then
the default behaviour is equivalent to the 'error' flag.
=back
=head1 EXIT STATUS
The script will exit with 0 if migration was successful, non-zero if a problem
occurred during migration.
=head1 EXAMPLES
For a simple migration which will fail if there are any potential conflicts:
masfcnv
To migrate the MASF configuration such that it will always succeed, MASF
settings will override in the event of a conflict with SMA and access will
still be provided on the original MASF port:
masfcnv -is -l agent -p enable -u agent -y agent
To attempt a dry run and migrate the configuration such that any conflicts
will be resolved by retaining existing SMA settings:
masfcnv -l master -u master -y master
=head1 FILES
=over
=item /etc/sma/snmp/snmpd.conf
=item /var/sma_snmp/snmpd.conf
SMA configuration files
=back
=over
=item /etc/opt/SUNWmasf/conf/snmpd.conf
=item /var/opt/SUNWmasf/snmpd.dat
MASF configuration files
=back
=over
=item /tmp/sma_migration.log
masfcnv log file
=back
=cut
use strict;
# Text::ParseWords requires 5.005
require 5.005;
use Getopt::Long 2.17;
use Text::ParseWords;
use Net::hostent;
use Socket;
use Data::Dumper;
use File::Copy;
use Text::Wrap;
##############################################################################
# global defaults
# storage for new lines
%::ADDED_CONFIGS = ('prepend'=>[],
'append'=>[]);
use vars qw ($INTERNET_OID
$LOG_FILE
$DATA_DIR
$FILTER_TYPE_INCLUDED
$FILTER_TYPE_EXCLUDED
$ENTITY_MIB_OID
$SUNPLAT_MIB_OID
$SNMP_UDP_DOMAIN
$DEFAULT_ROW_STATUS
$DEFAULT_STORAGE_TYPE
$MPMODEL_SNMPV1
$MPMODEL_SNMPV2C
$MPMODEL_SNMPV2U
$MPMODEL_SNMPV3
$SECURITY_MODEL_ANY
$SECURITY_MODEL_SNMPV1
$SECURITY_MODEL_SNMPV2C
$SECURITY_MODEL_USM
$SECURITY_LEVEL_NOAUTHNOPRIV
$SECURITY_LEVEL_AUTHNOPRIV
$SECURITY_LEVEL_AUTHPRIV
$NOTIFY_TYPE_TRAP
$NOTIFY_TYPE_INFORM);
# location where template files, etc. are stored.
*LOG_FILE = \"/tmp/sma_migration.log";
*INTERNET_OID = \".1.3.6.1";
*DATA_DIR = \"/usr/lib/net_snmp";
*FILTER_TYPE_INCLUDED = \1;
*FILTER_TYPE_EXCLUDED = \2;
*ENTITY_MIB_OID = \".1.3.6.1.2.1.47";
*SUNPLAT_MIB_OID = \".1.3.6.1.4.1.42.2.70.101";
*SNMP_UDP_DOMAIN = \".1.3.6.1.6.1.1";
*DEFAULT_ROW_STATUS = \1;
*DEFAULT_STORAGE_TYPE = \3;
*MPMODEL_SNMPV1 = \0;
*MPMODEL_SNMPV2C = \1;
*MPMODEL_SNMPV2U = \2;
*MPMODEL_SNMPV3 = \3;
*SECURITY_MODEL_ANY = \0;
*SECURITY_MODEL_SNMPV1 = \1;
*SECURITY_MODEL_SNMPV2C = \2;
*SECURITY_MODEL_USM = \3;
*SECURITY_LEVEL_NOAUTHNOPRIV = \1;
*SECURITY_LEVEL_AUTHNOPRIV = \2;
*SECURITY_LEVEL_AUTHPRIV = \3;
*NOTIFY_TYPE_TRAP = \1;
*NOTIFY_TYPE_INFORM = \2;
##############################################################################
# misc functions
sub log_message
{
my ($msg, $line) = @_;
if (defined $line && exists $line->{'file'} && exists
$line->{'lineno'}) {
$msg = $line->{'file'}.', line '.($line->{'lineno'} + 1).
': '.$msg;
}
$msg = wrap('', '', $msg);
if ($::AUTOMATED) {
open (LOG, ">> $LOG_FILE") ||
die "Couldn't open log file $LOG_FILE\n";
print LOG $msg;
print STDERR $msg;
close LOG;
} else {
print STDERR $msg;
}
}
sub get_backup_filename
{
my ($fname) = @_;
if ( -e $fname.'.bak') {
my ($i) = 0;
while ( -e $fname.".bak.$i" ) {
$i++;
}
return $fname.".bak.$i";
}
return $fname.".bak";
}
sub backup_files
{
log_message "Backing up original files\n";
my ($f, $newf);
for $f (@::MASF_CONFIG_FILES, $::MASF_PERSISTENT_FILE, @::SMA_CONFIG_FILES,
$::SMA_PERSISTENT_FILE) {
if (! -e $f) {
next;
}
$newf = get_backup_filename($f);
log_message "Backing up $f to $newf\n";
if (0 == copy $f, $newf) {
log_message "Couldn't backup $f - aborting\n";
exit 1;
}
}
}
sub remove_masf_persistent_file
{
if (! -e $::MASF_PERSISTENT_FILE) {
return;
}
log_message "Removing $::MASF_PERSISTENT_FILE\n";
if (0 == unlink $::MASF_PERSISTENT_FILE) {
log_message "Couldn't remove MASF persistent storage file\n".
"$::MASF_PERSISTENT_FILE - Aborting\n";
exit 1;
}
}
sub version
{
my ($rev) = '$Revision: 1.3 $';
$rev=~s/^\$Revision: //;
$rev=~s/ \$$//;
print STDERR "$0 $rev\n".
"Copyright 2003 Sun Microsystems, Inc.\n".
"All rights reserved.\n".
"Use is subject to license terms.\n";
exit 0;
}
sub stop_sma_running
{
`/etc/init.d/init.sma stop`;
}
sub stop_masf_running
{
`/etc/init.d/masfd stop`;
if (($? >> 8) > 0) {
log_message "Couldn't stop the MASF agent\n";
exit 1;
}
}
sub set_umask
{
# only root should be able to read the config file
umask 0077;
}
sub install_new_wrapper_script
{
log_message "Installing new MASF startup script\n";
my $pkgInstance='SUNWmasfr';
my @commands=("/usr/sbin/installf $pkgInstance /etc/init.d/masfd f 744 root sys",
"/usr/sbin/installf $pkgInstance /etc/rc0.d/K40masfd=/etc/init.d/masfd l",
"/usr/sbin/installf $pkgInstance /etc/rc1.d/K40masfd=/etc/init.d/masfd l",
"/usr/sbin/installf $pkgInstance /etc/rc2.d/K40masfd=/etc/init.d/masfd l",
"/usr/sbin/installf $pkgInstance /etc/rc3.d/S90masfd=/etc/init.d/masfd l",
"/usr/sbin/installf $pkgInstance /etc/rcS.d/K40masfd=/etc/init.d/masfd l",
"/usr/sbin/install -f /etc/init.d -m 0744 -u root -g sys $DATA_DIR/masfd",
"/usr/sbin/installf -f $pkgInstance",
"/usr/sbin/removef $pkgInstance /etc/rc3.d/S80masfd",
"/usr/bin/rm /etc/rc3.d/S80masfd",
"/usr/sbin/removef -f $pkgInstance"
);
my $command;
for $command (@commands) {
`$command`;
if ($? >> 8) {
log_message "A problem occurred whilst installing the MASF startup ".
"script\n";
exit 1;
}
}
}
sub install_template_config_file
{
if (copy($DATA_DIR.'/snmpd.conf', $::MASF_CONFIG_FILES[0]) == 0) {
log_message "Couldn't copy template configuration file to ".
$::MASF_CONFIG_FILES[0]."\n";
exit 1;
}
}
sub are_we_root
{
if ($> != 0) {
log_message "You are not running this as root.\n";
exit 1;
}
}
sub sma_config_sanity_check
{
my ($files, $i);
# check we can read the main config file
if ( ! -r $::SMA_CONFIG_FILES[0] ) {
log_message "Couldn't read SMA config file ".
$::SMA_CONFIG_FILES[0]."\n";
exit 1;
}
for ($i = 0; $i < @::SMA_CONFIG_FILES; $i++) {
if (! -r $::SMA_CONFIG_FILES[$i]) {
splice @::SMA_CONFIG_FILES, $i--, 1;
}
}
# check that if the persistent storage file isn't present, that there
# aren't any stale backups indicating it failed to update it properly
if ( ! -e $::SMA_PERSISTENT_FILE ) {
$files = `/bin/ls $::SMA_PERSISTENT_DIR/sma.*.dat 2>/dev/null`;
if ($files ne '') {
log_message "Stale SMA agent config files found. The ".
"SMA agent may not have been shut down cleanly.\n";
exit 1;
} else {
# Assume this is because the agent was never run
log_message "WARNING: no SMA persistent storage file found\n";
}
}
}
sub masf_config_sanity_check
{
my ($files, $i);
# check we can read the main config file
if ( ! -r $::MASF_CONFIG_FILES[0] ) {
log_message "Couldn't read MASF config file ".
$::MASF_CONFIG_FILES[0]."\n";
exit 1;
}
for ($i = 0; $i < @::MASF_CONFIG_FILES; $i++) {
if (! -r $::MASF_CONFIG_FILES[$i]) {
splice @::MASF_CONFIG_FILES, $i--, 1;
}
}
# check that if the persistent storage file isn't present, that there
# aren't any stale backups indicating it failed to update it properly
if ( ! -e $::MASF_PERSISTENT_FILE ) {
$files = `/bin/ls $::MASF_PERSISTENT_DIR/snmpd.*.dat 2>/dev/null`;
if ($files ne '') {
log_message "Stale MASF agent config files found. The MASF agent ".
"may not have been shut down cleanly.\n";
exit 1;
} else {
# Assume this is because the agent was never run
log_message "WARNING: no MASF persistent storage file found\n";
}
}
}
sub hostnameToUDPDomain
{
my ($target) = @_;
my ($hostname, $port, $hostent);
my @dotted_decimal;
($hostname, $port) = ($target=~/^([^:]+):(\d+)$/);
if ($port eq "") {
$port = 162;
}
($hostent) = gethostbyname($hostname);
@dotted_decimal = unpack ('C4', $hostent->addr_list->[0]);
return sprintf "0x%02x%02x%02x%02x%04x", @dotted_decimal, $port;
}
sub help
{
my ($name) = ($0=~/([^\/]*)$/);
print STDERR "Usage:
$name [ -cimnrs ] [ -l agent|master ] [ -p enable|disable|error ]
[ -t none|add ] [ -u agent|master|error ] [ -y agent|master|error ]
$name [ -V ]
$name [ -? ]
Migrates the configuration of the SNMP Agent for
Sun Fire Servers to the SMA SNMP Agent
Option Interpretation
-?
--help
Display this help message.
-c
--no-community
Do not transfer v1/v2c communities
-i
--ignore-unrecognized-directives
Continue processing if unrecognised directives are present.
-l agent|master
--master-trap-target=agent|master
If 'agent' is specified then the existing SMA trap targets will
be configured to receive traps that were previously sent to
destinations for the Sun Fire SNMP agent. If 'master' is
specified then the targets will be configured to receive Sun
Fire SNMP traps but existing SNMP target parameters will be used. This
option may not be used with the \"-t none\" option.
-m
--no-usmuser
Do not transfer usm (v3) users
-n
--dry-run
Run the migration without modifying any files. If any error
arises then continue processing. This can be used to determine the
likely migration issues.
-p enable|disable|error
--use-agent-port=enable|disable|error
Indicates whether the port originally used by the Sun Fire SNMP
agent should be used by the SMA agent after migration (if the
two agents are using different ports). If 'enable' is specified
then the port used by the Sun Fire SNMP agent will also be used
by the SMA agent after migration. If 'disable' is specified then
the ports used by SMA will not be updated by the migration tool.
If the 'error' option is specified and the SMA agent is not
already using the same ports as those used by the original Sun
Fire SNMP agent then an error will be reported and the migration
process will be terminated. If no option is specified the default
behaviour is equivalent to the 'error' flag.
-r
--no-trap
Do not transfer trap destinations
-s
--skip-user
If a user is found in the MASF configuration file that
cannot be created in the new configuration due to a change
in the engine ID, then output a message indicating that
the user could not be migrated (needs to be manually
recreated) and continue processing. If this option is not
present then the migration tool will consider such a
situation as an error and abort.
-t none|add
--trap-filter=none|add
If 'none' is specified then the script will copy trap directives
directly. The administrator may need to manually update the
configuration file to ensure traps are only delivered to their
intended destinations. If 'add' is specifed then trap filters
will be constructed so that traps originating from the original
Sun Fire SNMP agent are only delivered to the destinations that
originally received them. 'add' is the default behaviour.
-u agent|master|error
--select-user=agent|master|error
Specifies that if a user with the same name is found in both
configuration files that the conflict is to be resolved using
the specified configuration file as input. Selecting a user
from a particular will also cause the group declaration for
that user to be taken from the same file. If 'agent' is
specified then the user will be taken from the configuration
file for the Sun Fire SNMP Agent. If 'master' is specified then
the user will be taken from the SMA configuration. Otherwise
if 'error' is given, the script will terminate. If this option
is not present then the default behaviour is equivalent to the
'error' flag.
-V
--version
Display the version of this script.
-y agent|master|error
--select-community=agent|master|error
Specifies that if a community and source (hostname, IP addr
or range of IP addresses) is found to be conflicting in the
two configurations, which combination should be selected when
mapping to a security name. If 'agent' is specified then the
community and source information will be taken from the
configuration for the Sun Fire SNMP agent. If 'master' is
specified it will be taken from the SMA agent. Otherwise if
'error' is specified an error will be reported and the
migration will terminate. If this option is not present then
the default behaviour is equivalent to the 'error' flag.
";
exit 1;
}
%::SMA_CONFIGS = ();
%::MASF_CONFIGS = ();
sub strip_cr_nl
{
# remove \r and \n
my ($lines, $i);
for $lines (values %::SMA_CONFIGS) {
for ($i = 0; $i < @$lines; $i++) {
chomp $lines->[$i];
}
}
for $lines (values %::MASF_CONFIGS) {
for ($i = 0; $i < @$lines; $i++) {
chomp $lines->[$i];
}
}
}
sub read_config_files
{
my ($i, @lines);
for ($i = 0; $i < @::SMA_CONFIG_FILES; $i++) {
open (FH, '< '.$::SMA_CONFIG_FILES[$i]) || do {
log_message("Couldn't read config file ".
$::SMA_CONFIG_FILES[$i]."\n");
exit 1;
};
@lines=<FH>;
close FH;
$::SMA_CONFIGS{$::SMA_CONFIG_FILES[$i]} = [@lines];
}
if (-e $::SMA_PERSISTENT_FILE) {
open (FH, '< '.$::SMA_PERSISTENT_FILE) || do {
log_message("Couldn't read config file ".$::SMA_PERSISTENT_FILE."\n");
exit 1;
};
@lines=<FH>;
close FH;
$::SMA_CONFIGS{$::SMA_PERSISTENT_FILE} = [@lines];
}
for ($i = 0; $i < @::MASF_CONFIG_FILES; $i++) {
open (FH, '< '.$::MASF_CONFIG_FILES[$i]) || do {
log_message("Couldn't read config file ".
$::MASF_CONFIG_FILES[$i]."\n");
exit 1;
};
@lines=<FH>;
close FH;
$::MASF_CONFIGS{$::MASF_CONFIG_FILES[$i]} = [@lines];
}
if (-e $::MASF_PERSISTENT_FILE) {
open (FH, '< '.$::MASF_PERSISTENT_FILE) || do {
log_message("Couldn't read config file ".
$::MASF_PERSISTENT_FILE."\n");
exit 1;
};
@lines=<FH>;
close FH;
$::MASF_CONFIGS{$::MASF_PERSISTENT_FILE} = [@lines];
}
strip_cr_nl();
}
sub prompt_yes_no
{
my ($prompt, $default) = @_;
my $response = '';
print STDOUT $prompt," [".$default."]:";
$response = <STDIN>;
chomp $response;
if ($response eq '') {
$response = $default;
}
while (uc($response)!~/^Y|N/) {
print STDERR "Response must be (y)es or (n)o:";
$response = <STDIN>;
chomp $response;
}
return $response=~/^[yY]/ ? 'yes' : 'no';
}
sub prompt
{
my ($prompt, $default, $options) = @_;
my $response = '';
print STDOUT $prompt," [".$default."]:";
$response = <STDIN>;
chomp $response;
if ($response eq '') {
$response = $default;
}
while (scalar (grep $response eq $_, @$options) != 1) {
print STDERR "Invalid response:";
$response = <STDIN>;
chomp $response;
}
return $response;
}
sub parse_agentaddress
{
my ($line)=@_;
my ($directive, $addresses)=($line=~/^\s*(agentaddress)\s+(.*\S)\s*$/);
my ($addr, $spec, @addrs, $has_transport_specifier);
@addrs=split /,/,$addresses;
foreach $addr (@addrs) {
$has_transport_specifier=($addr=~/:/);
if (! $has_transport_specifier) {
if ($addr=~/^\//) {
$spec = "unix";
} else {
$spec = "udp";
}
$addr = $spec.':'.$addr;
}
}
return @addrs;
}
sub parse_config_line
{
my ($line)=@_;
my @words;
# strip whitespace
$line=~s/^\s*//;
$line=~s/\s*$//;
# check to see if comment
if ((substr $line, 0, 1) eq '#') {
return ('', ());
}
@words = &parse_line('\s+', 0, $line);
if (! defined $words[0]) {
$words[0] = '';
}
return @words;
}
sub sanity_check_config_files
{
my @smaTokens = (
'master',
'agentxTimeout',
'agentxRetries',
'agentxPingInterval',
'targetParams',
'targetAddr',
'snmpNotifyFilterProfileTable',
'snmpNotifyTable',
'snmpNotifyFilterTable'
);
my @commonTokens = (
'rocommunity',
'rwcommunity',
'rouser',
'rwuser',
'agentaddress',
'trapsink',
'trap2sink',
'informsink',
'trapcommunity',
'com2sec',
'group',
'access',
'view',
'engineID',
'createUser',
'agentgroup',
'agentuser',
'authtrapenable',
'syslocation',
'syscontact',
'sysname',
'sysservices',
'engineBoots',
'oldEngineID',
'usmUser'
);
my ($file, $i, $j, $directive, @tokens, $found, $warned, $answer);
# check sma config files
$warned = 0;
for $file (keys %::SMA_CONFIGS) {
for ($i = 0; $i < @{$::SMA_CONFIGS{$file}}; $i++) {
$found = 0;
($directive, @tokens) = parse_config_line($::SMA_CONFIGS{$file}->[$i]);
if ($directive eq '') {
next;
}
for ($j = 0; $j < @smaTokens; $j++) {
if ($directive eq $smaTokens[$j]) {
$found = 1;
last;
}
}
if ($found) {
next;
}
for ($j = 0; $j < @commonTokens; $j++) {
if ($directive eq $commonTokens[$j]) {
$found = 1;
last;
}
}
if ($found) {
next;
}
# token was not recognised
log_message("WARNING: Unrecognised token ".$directive.
" found in file ".$file." at line ".($i + 1)."\n");
$warned = 1;
}
}
for $file (keys %::MASF_CONFIGS) {
for ($i = 0; $i < @{$::MASF_CONFIGS{$file}}; $i++) {
$found = 0;
($directive, @tokens) = parse_config_line($::MASF_CONFIGS{$file}->[$i]);
if ($directive eq '') {
next;
}
for ($j = 0; $j < @commonTokens; $j++) {
if ($directive eq $commonTokens[$j]) {
$found = 1;
last;
}
}
if ($found) {
next;
}
# token was not recognised
log_message("WARNING: Unrecognised token ".$directive.
" found in file ".$file." at line ".($i + 1)."\n");
$warned = 1;
# remove the unrecognised token
splice @{$::MASF_CONFIGS{$file}}, $i--, 1;
}
}
if ($warned && ! $::IGNORE_UNRECOGNIZED_DIRECTIVES) {
if ($::AUTOMATED) {
log_message("Unrecognised tokens found in configuration ".
"file(s) - aborting\n");
exit 1;
} else {
$answer = prompt_yes_no("Unrecognised tokens were found. Continue?", 'n');
if ($answer eq 'no') {
exit 1;
}
}
}
}
sub print_line
{
my ($fh, $line) = @_;
if (exists $line->{'orig'} && exists $line->{'new'}) {
if ($line->{'orig'} ne $line->{'new'}) {
print $fh "# ### CHANGED BY $0 ###\n";
print $fh '# ',$line->{'orig'},"\n";
if (exists $line->{'comment'}) {
print $fh $line->{'comment'},"\n";
}
print $fh $line->{'new'},"\n";
} else {
print $fh $line->{'orig'},"\n";
}
} elsif (exists $line->{'new'}) {
if (exists $line->{'comment'}) {
print $fh $line->{'comment'},"\n";
}
print $fh $line->{'new'},"\n";
}
}
@::SMA_PERSISTENT_FILE_TOKENS = (
'targetParams', 'targetAddr',
'snmpNotifyFilterProfileTable', 'snmpNotifyTable',
'snmpNotifyFilterTable', 'engineBoots', 'usmUser', 'oldEngineID',
'createUser');
# extract those directives destined for persistent storage
sub dump_persistent_storage
{
my ($file, $persistent_file, $config) = @_;
#list of tokens which should be in persistent storage
my ($f, $l, $lines);
for $f (keys %$config) {
print $file "# ### IMPORTED FROM $f ###\n\n";
for $l (@{$config->{$f}}) {
if (! exists $l->{'new'}) {
next;
}
my ($directive, @toks) = parse_config_line($l->{'new'});
if ($directive) {
my (@match) = grep ($_ eq $directive, @::SMA_PERSISTENT_FILE_TOKENS);
if (@match == 0) {
# skip this line
next;
}
} elsif ($f ne $persistent_file) {
# skip all comments/blank lines which are not in the persistent
# storage file
next;
}
print_line($file, $l);
}
}
}
sub dump_config
{
my ($file, $persistent_file, $config) = @_;
#list of tokens which should be in persistent storage
my ($f, $l, $lines);
for $f (keys %$config) {
print $file "# ### IMPORTED FROM $f ###\n\n";
for $l (@{$config->{$f}}) {
if (! exists $l->{'new'}) {
next;
}
my ($directive, @toks) = parse_config_line($l->{'new'});
if ($directive) {
my (@match) = grep ($_ eq $directive, @::SMA_PERSISTENT_FILE_TOKENS);
if (@match > 0) {
if ($f ne $persistent_file && exists $l->{'orig'}) {
print $file "# moved to $::SMA_PERSISTENT_FILE >>> ".
$l->{'orig'}."\n";
}
# skip this line
next;
}
} elsif ($f eq $persistent_file) {
# skip all comments/blank lines which are not in the persistent
# storage file
next;
}
print_line($file, $l);
}
}
}
sub set_union {
my ($seta, $setb) = @_;
my ($i, $j, $found, @out);
for $i (@$seta, @$setb) {
$found = 0;
for $j (@out) {
if ($j eq $i) {
$found = 1;
}
}
if (! $found) {
push @out, $i;
}
}
return @out;
}
sub in_addr_to_number
{
my ($in_addr) = @_;
my ($i, $N) = (0, 0);
my (@n) = (unpack 'C4', $in_addr);
for ($i = 0; $i < @n; $i++) {
$N = $N << 8;
$N += $n[$i];
}
return $N;
}
sub splice_line
{
my ($config, $line, $length, $offset, @lines) = @_;
my ($i, $f);
for $i (@lines) {
# mark all the lines as changed
$i->{'changed'} = undef;
}
for $f (values %$config) {
for ($i = 0; $i < @$f; $i++) {
if ($f->[$i] eq $line) {
if (@lines) {
splice @$f, $i + $offset, $length, @lines;
} else {
splice @$f, $i + $offset, $length;
}
return;
}
}
}
}
sub prepend_line {
my ($line) = @_;
$line->{'changed'} = undef;
push @{$::ADDED_CONFIGS{'prepend'}}, $line;
}
sub append_line {
my ($line) = @_;
$line->{'changed'} = undef;
push @{$::ADDED_CONFIGS{'append'}}, $line;
}
sub replace_line {
my ($config, $line, @lines) = @_;
$line->{'meta'} = $lines[0]->{'meta'};
if (exists $lines[0]->{'new'}) {
$line->{'new'} = $lines[0]->{'new'};
} else {
delete $line->{'new'};
}
$lines[0] = $line;
splice_line($config, $line, 1, 0, @lines);
}
sub insert_lines {
my ($config, $line, $after, @lines) = @_;
my ($offset) = ($after ? 1 : 0);
splice_line($config, $line, 0, $offset, @lines);
}
sub get_lines
{
my ($directive, $config)=@_;
my ($line, $lines, @matches);
for $lines (values %$config) {
for $line (@$lines) {
if (exists $line->{'meta'}->{'directive'} &&
$line->{'meta'}->{'directive'} eq $directive) {
push @matches, $line;
}
}
}
return @matches;
}
##############################################################################
# Traps
sub remove_trap_destinations
{
my (@sinkLines) = (get_lines('trapsink', \%::MASF_CONFIGS),
get_lines('trap2sink', \%::MASF_CONFIGS),
get_lines('informsink', \%::MASF_CONFIGS));
my ($line);
for $line (@sinkLines) {
replace_line(\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
}
sub get_filters
{
my ($keys, $configs)=@_;
my ($f, $l, @filters);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
($l->{'meta'}->{'directive'} ne 'snmpNotifyFilterTable')) {
next;
}
if (exists $keys->{'profileName'} &&
$l->{'meta'}->{'profileName'} ne $keys->{'profileName'})
{
next;
}
push @filters, $l;
}
}
return @filters;
}
sub get_filterProfiles
{
my ($keys, $configs)=@_;
my ($f, $l, @targetAddrs);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
($l->{'meta'}->{'directive'} ne 'snmpNotifyFilterProfileTable')) {
next;
}
if (exists $keys->{'paramName'} &&
$l->{'meta'}->{'paramName'} ne $keys->{'paramName'}) {
next;
}
if (exists $keys->{'profileName'} &&
$l->{'meta'}->{'profileName'} ne $keys->{'profileName'})
{
next;
}
push @targetAddrs, $l;
}
}
return @targetAddrs;
}
sub tag_in_taglist
{
my ($tag, $taglist) = @_;
my (@tags) = split /[ \t\r\n]/,$taglist;
my ($t);
for $t (@tags) {
if ($t eq $tag) {
return 1;
}
}
return 0;
}
sub notifyName_exists
{
my ($name) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta=$line->{'meta'};
if (exists $meta->{'notifyName'} &&
$meta->{'notifyName'} eq $name) {
return 1;
}
}
}
return 0;
}
sub tag_exists
{
my ($tag) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta = $line->{'meta'};
if (exists $meta->{'tagList'} &&
tag_in_taglist ($tag, $meta->{'tagList'})) {
return 1;
}
if (exists $meta->{'notifyTag'} &&
$tag eq $meta->{'notifyTag'}) {
return 1;
}
}
}
return 0;
}
sub get_new_profileName
{
my ($i) = (0);
my ($try) = ('masfProfile'.$i);
while (profileName_exists($try)) {
$i++;
$try = 'masfProfile'.$i;
}
if (length $try > 32) {
log_message "Unable to generate unique profileName\n";
exit 1;
}
return $try;
}
sub generate_notify_tags
{
my ($prefix) = @_;
my ($i) = (0);
while (tag_exists ($prefix.$i) ||
notifyName_exists ($prefix.$i)) {
$i++;
}
if (length ($prefix.$i) > 255) {
log_message "Unable to generate valid tag for prefix ".$prefix."\n";
exit 1;
}
return $prefix.$i;
}
sub get_new_paramName
{
my ($i) = (0);
while (paramName_exists('masfParam'.$i)) {
$i++;
}
if (length 'masfParam'.$i > 32) {
log_message "Unable to generate unique paramName.\n";
exit 1;
}
return 'masfParam'.$i;
}
sub get_new_targetName
{
my ($host)=@_;
my ($i)=(0);
my ($try)=('masfTarget'.$i.$host);
while (targetName_exists($try) || length $try > 32) {
if (length $try > 32) {
chop $host;
if (length $host == 0) {
log_message "Unable to generate unique targetName\n";
exit 1;
}
} else {
$i++;
}
$try = 'masfTarget'.$i.$host;
}
return $try;
}
sub paramName_exists
{
my ($paramName) = @_;
my ($keys) = ({'paramName'=>$paramName});
my (@lines) = (get_targetParams($keys, \%::SMA_CONFIGS),
get_targetParams($keys, \%::MASF_CONFIGS),
get_targetAddrs($keys, \%::SMA_CONFIGS),
get_targetAddrs($keys, \%::MASF_CONFIGS));
if (@lines) {
return 1;
} else {
return 0;
}
}
sub profileName_exists
{
my ($name) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta=$line->{'meta'};
if (exists $meta->{'profileName'} &&
$meta->{'profileName'} eq $name) {
return 1;
}
}
}
return 0;
}
sub targetName_exists
{
my ($targetName) = @_;
my ($keys) = ({'targetName'=>$targetName});
my (@lines) = (get_targetAddrs($keys, \%::SMA_CONFIGS),
get_targetAddrs($keys, \%::MASF_CONFIGS));
if (@lines) {
return 1;
} else {
return 0;
}
}
# get all target addresses with the specified keys
sub get_targetAddrs
{
my ($keys, $configs)=@_;
my ($f, $l, @targetAddrs);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
($l->{'meta'}->{'directive'} ne 'targetAddr')) {
next;
}
if (exists $keys->{'paramName'} &&
$l->{'meta'}->{'paramName'} ne $keys->{'paramName'}) {
next;
}
if (exists $keys->{'TDomain'} &&
$l->{'meta'}->{'TDomain'} ne $keys->{'TDomain'})
{
next;
}
if (exists $keys->{'TAddress'} &&
$l->{'meta'}->{'TAddress'} ne $keys->{'TAddress'})
{
next;
}
if (exists $keys->{'targetName'} &&
$l->{'meta'}->{'targetName'} ne $keys->{'targetName'})
{
next;
}
push @targetAddrs, $l;
}
}
return @targetAddrs;
}
# get all target parameters with the specified keys
sub get_targetParams
{
my ($keys, $configs)=@_;
my ($f, $l, @targetParams);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
($l->{'meta'}->{'directive'} ne 'targetParams')) {
next;
}
if (exists $keys->{'paramName'} &&
$l->{'meta'}->{'paramName'} ne $keys->{'paramName'}) {
next;
}
if (exists $keys->{'securityModel'} &&
$l->{'meta'}->{'securityModel'} ne $keys->{'securityModel'})
{
next;
}
if (exists $keys->{'securityLevel'} &&
$l->{'meta'}->{'securityLevel'} ne $keys->{'securityLevel'})
{
next;
}
if (exists $keys->{'securityName'} &&
$l->{'meta'}->{'securityName'} ne $keys->{'securityName'})
{
next;
}
push @targetParams, $l;
}
}
return @targetParams;
}
sub process_trapsink
{
my ($sinkLine, $informTag, $trapTag) = @_;
my ($paramName, @paramLines, $community, @result, $secModel,
$MPModel, $notifyType, %profiles, $foundParams);
log_message "Migrating trapsink: ".$sinkLine->{'new'}."\n";
if ($sinkLine->{'meta'}->{'directive'} eq 'trapsink') {
$secModel = $SECURITY_MODEL_SNMPV1;
$MPModel = $MPMODEL_SNMPV1;
} elsif ($sinkLine->{'meta'}->{'directive'} eq 'trap2sink' ||
$sinkLine->{'meta'}->{'directive'} eq 'informsink') {
$secModel = $SECURITY_MODEL_SNMPV2C;
$MPModel = $MPMODEL_SNMPV2C;
}
if ($sinkLine->{'meta'}->{'directive'} eq 'informsink') {
$notifyType = $NOTIFY_TYPE_INFORM;
} else {
$notifyType = $NOTIFY_TYPE_TRAP;
}
$community = $sinkLine->{'meta'}->{'community'};
# try to find an existing target param in SMA config but don't bother if we
# don't care about overlap
if ($::EXTEND_SMA_FILTERS) {
@paramLines = (get_targetParams({'securityName'=>$community,
'securityModel'=>$SECURITY_MODEL_SNMPV2C}, \%::SMA_CONFIGS),
get_targetParams({'securityName'=>$community,
'securityModel'=>$SECURITY_MODEL_SNMPV1}, \%::SMA_CONFIGS));
}
my ($smaParamLine, $smaTargetLine);
my ($targetName, @targetAddrs);
my ($host) = $sinkLine->{'meta'}->{'host'};
my ($port) = $sinkLine->{'meta'}->{'port'};
if (@paramLines) {
my ($paramLine);
for $paramLine (@paramLines) {
$paramName = $paramLine->{'meta'}->{'paramName'};
push @targetAddrs, get_targetAddrs({'TDomain'=>$SNMP_UDP_DOMAIN,
'TAddress'=>hostnameToUDPDomain($host.':'.$port),
'paramName'=>$paramName}, \%::SMA_CONFIGS)
}
# try to use an existing targetAddr if it was defined
if (@targetAddrs > 0) {
$smaTargetLine = $targetAddrs[0];
($smaParamLine) = get_targetParams({'paramName'=>$smaTargetLine->{'meta'}->{'paramName'}}, \%::SMA_CONFIGS);
$foundParams = 1;
}
}
if (! $foundParams || ! $::KEEP_SNMP_TARGET_PARAMS) {
# we need to generate a new set of params
$paramName = get_new_paramName();
push @result, {'meta'=>{'directive'=>'targetParams',
'paramName'=>$paramName,
'MPModel'=>$MPModel,
'securityModel'=>$secModel,
'securityName'=>$community,
'securityLevel'=>$SECURITY_LEVEL_AUTHNOPRIV,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS}
};
}
my (@profiles, $profileName);
if (! $foundParams) {
# no equivalent SMA target found - only MASF traps to be delivered
# generate our own targetAddr
my ($i) = (0);
$targetName = get_new_targetName($host);
push @result, {'meta'=>{'directive'=>'targetAddr',
'targetName'=>$targetName,
'TDomain'=>$SNMP_UDP_DOMAIN,
'TAddress'=>hostnameToUDPDomain($host.':'.$port),
'timeout'=>1500,
'retryCount'=>3,
'tagList'=>$notifyType == $NOTIFY_TYPE_INFORM ? $informTag :
$trapTag,
'paramName'=>$paramName,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS}};
# need to add a filter profile
$profileName = get_new_profileName();
} elsif (! $::KEEP_SNMP_TARGET_PARAMS) {
# we need to change the targetAddr to refer to the new set of params
$targetName = $smaTargetLine->{'meta'}->{'targetName'};
$smaTargetLine->{'meta'}->{'paramName'} = $paramName;
$smaTargetLine->{'meta'}->{'tagList'} =
($notifyType == $NOTIFY_TYPE_INFORM ? $informTag : $trapTag);
replace_line(\%::SMA_CONFIGS, $smaTargetLine, $smaTargetLine);
# set our params to use the new set of filter profiles
@profiles = get_filterProfiles(
{'paramName'=>$smaParamLine->{'meta'}->{'paramName'}},
\%::SMA_CONFIGS);
if (@profiles > 0) {
$profileName = $profiles[0]->{'meta'}->{'profileName'};
} else {
# no filter profiles defined
return @result;
}
} else {
# don't change existing target specification
# SMA profiles already have MASF added.
return @result;
}
push @result, {'meta'=>{'directive'=>'snmpNotifyFilterProfileTable',
'paramName'=>$paramName,
'profileName'=>$profileName,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS}
};
if ($foundParams) {
return @result;
}
# add some filters
push @result,
{'comment'=>'# Include ENTITY-MIB and SUN-PLATFORM-MIB in profile',
'meta'=>{'directive'=>'snmpNotifyFilterTable',
'profileName'=>$profileName,
'subtree'=>$ENTITY_MIB_OID,
'mask'=>'',
'filterType'=>$FILTER_TYPE_INCLUDED,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS
}},
{'meta'=>{'directive'=>'snmpNotifyFilterTable',
'profileName'=>$profileName,
'subtree'=>$SUNPLAT_MIB_OID,
'mask'=>'',
'filterType'=>$FILTER_TYPE_INCLUDED,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS
}};
return @result;
}
sub process_trapsinks
{
# grab all the trapsink, trap2sink and informsink lines in MASF
my (@sinkLines) = (get_lines('trapsink', \%::MASF_CONFIGS),
get_lines('trap2sink', \%::MASF_CONFIGS),
get_lines('informsink', \%::MASF_CONFIGS));
my ($sinkLine, $paramName, @paramLines, $community, @result, $secModel,
$MPModel, $notifyType, $informTag, $trapTag, %profiles, $foundParams);
%profiles=();
foreach $sinkLine (@sinkLines) {
$paramName = undef;
@result = ();
$foundParams = 0;
log_message "Processing trapsink: ".$sinkLine->{'new'}."\n";
if (!defined $informTag) {
$informTag = generate_notify_tags('masfInformTag');
log_message "Using tag ".$informTag." for informs\n";
$trapTag = generate_notify_tags('masfTrapTag');
log_message "Using tag ".$trapTag." for traps\n";
push @result, {'meta'=>{'directive'=>'snmpNotifyTable',
'notifyName'=>$informTag,
'notifyTag'=>$informTag,
'notifyType'=>$NOTIFY_TYPE_INFORM,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS
}},
{'meta'=>{'directive'=>'snmpNotifyTable',
'notifyName'=>$trapTag,
'notifyTag'=>$trapTag,
'notifyType'=>$NOTIFY_TYPE_TRAP,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS
}};
}
push @result, process_trapsink($sinkLine, $informTag, $trapTag);
replace_line(\%::MASF_CONFIGS, $sinkLine, @result);
}
}
sub extend_sma_trap_filters
{
my (@lines, $line);
@lines = get_lines('snmpNotifyFilterTable', \%::SMA_CONFIGS);
my (%hash);
foreach $line (@lines) {
if (!exists $hash{$line->{'meta'}->{'profileName'}}) {
log_message "Adding ENTITY-MIB and SUN-PLATFORM-MIB traps to ".
"trap filter profile ".$line->{'meta'}->{'profileName'}."\n";
$hash{$line->{'meta'}->{'profileName'}}=undef;
insert_lines(\%::SMA_CONFIGS, $line, 0,
{'comment'=>'# Include ENTITY-MIB and SUN-PLATFORM-MIB in profile',
'meta'=>{'directive'=>'snmpNotifyFilterTable',
'profileName'=>$line->{'meta'}->{'profileName'},
'subtree'=>$ENTITY_MIB_OID,
'mask'=>'',
'filterType'=>$FILTER_TYPE_INCLUDED,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS}},
{'meta'=>{'directive'=>'snmpNotifyFilterTable',
'profileName'=>$line->{'meta'}->{'profileName'},
'subtree'=>$SUNPLAT_MIB_OID,
'mask'=>'',
'filterType'=>$FILTER_TYPE_INCLUDED,
'storageType'=>$DEFAULT_STORAGE_TYPE,
'rowStatus'=>$DEFAULT_ROW_STATUS}});
}
}
}
sub process_trapcommunity
{
my ($configs)=@_;
my ($i, $file, $trapcommunity, $meta);
$trapcommunity = 'public';
foreach $file (values %$configs) {
for ($i = 0; $i < @$file; $i++) {
$meta = $file->[$i]->{'meta'};
if (! exists $file->[$i]->{'meta'}->{'directive'}) {
next;
}
if ($meta->{'directive'} eq 'trapcommunity') {
$trapcommunity = $meta->{'community'};
replace_line($configs, $file->[$i], {'meta'=>{}});
next;
}
if ($meta->{'directive'} eq 'trapsink' ||
$meta->{'directive'} eq 'trap2sink' ||
$meta->{'directive'} eq 'informsink') {
if (! exists $meta->{'community'}) {
$meta->{'community'} = $trapcommunity;
replace_line($configs, $file->[$i], $file->[$i]);
}
if (! exists $meta->{'port'}) {
$meta->{'port'} = 162;
replace_line($configs, $file->[$i], $file->[$i]);
}
}
}
}
}
sub check_duplicate_trap_destinations
{
my (@smaTraps) = (get_lines('informsink', \%::SMA_CONFIGS),
get_lines('trapsink', \%::SMA_CONFIGS),
get_lines('trap2sink', \%::SMA_CONFIGS));
my (@masfTraps) = (get_lines('informsink', \%::MASF_CONFIGS),
get_lines('trapsink', \%::MASF_CONFIGS),
get_lines('trap2sink', \%::MASF_CONFIGS));
my ($trap, @matches, $match);
for $trap (@masfTraps) {
@matches = grep (
($_->{'meta'}->{'community'} eq $trap->{'meta'}->{'community'} &&
$_->{'meta'}->{'host'} eq $trap->{'meta'}->{'host'} &&
$_->{'meta'}->{'port'} eq $trap->{'meta'}->{'port'}), @smaTraps);
if (@matches) {
# remove this duplicate
log_message "Removing duplicate ".$trap->{'meta'}->{'directive'}." directive\n", $trap;
replace_line(\%::MASF_CONFIGS, $trap, {'meta'=>{}});
}
}
}
##############################################################################
# Access control, groups and users
$::SEEDED = 0;
sub remove_v3_users
{
my (@users) = get_securityNames({'securityModel'=>'usm'}, \%::MASF_CONFIGS);
my ($user, @groups, $group);
for $user (@users) {
replace_line(\%::MASF_CONFIGS, $user, {'meta'=>{}});
@groups = get_groups($user->{'meta'}, \%::MASF_CONFIGS);
for $group (@groups) {
replace_line(\%::MASF_CONFIGS, $group, {'meta'=>{}});
}
}
}
sub remove_v1v2c_users
{
my (@users) = get_securityNames({'securityModel'=>'v1'}, \%::MASF_CONFIGS);
my ($user, @groups, $group);
for $user (@users) {
replace_line(\%::MASF_CONFIGS, $user, {'meta'=>{}});
@groups = get_groups($user->{'meta'}, \%::MASF_CONFIGS);
for $group (@groups) {
replace_line(\%::MASF_CONFIGS, $group, {'meta'=>{}});
}
}
}
sub generate_password
{
my ($i, $r, $pwd);
if (! $::SEEDED) {
srand;
$::SEEDED=1;
}
for ($i = 0; $i < 8; $i++) {
do {
$r = chr (int (rand 127));
} while ($r!~/^[a-zA-Z0-9]$/);
$pwd.=$r;
}
return $pwd;
}
# check to see whether MASF UsmUser directives can be transferred without
# alteration, if not then convert to a template createUser statement
sub process_engineIDs
{
log_message "\n";
log_message "Checking to see if USM users defined in usmUser directives can be migrated without modification:\n";
my ($lines, $line, $can_migrate);
$can_migrate = 1;
# check that no v3 users have been specified in SMA
my (@v3_sma_users) = (get_securityNames({'securityModel'=>'usm'}, \%::SMA_CONFIGS));
if (@v3_sma_users > 0) {
log_message "V3 users were specified in SMA config - cannot migrate without modification.\n";
$can_migrate = 0;
}
# If the engineID was specified in MASF then we cannot migrate. Remove it
# from the migrated configuration
for $line (get_lines('engineID', \%::MASF_CONFIGS)) {
$can_migrate = 0;
log_message "engineID specified in configuration file - cannot migrate without modification.\n", $line;
replace_line(\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
# check that engineID isn't specified anywhere in SMA config
for $line (get_lines('engineID', \%::SMA_CONFIGS)) {
log_message "engineID specified in configuration file - cannot migrate without modification.\n", $line;
$can_migrate = 0;
}
if (! $can_migrate) {
for $line (get_lines('usmUser', \%::MASF_CONFIGS)) {
if (! $::IGNORE_ENGINEID) {
log_message "User with securityName ".
$line->{'meta'}->{'securityName'}." cannot be migrated ".
"because the engineID has changed - aborting.\n", $line;
exit 1;
}
log_message "\n";
log_message "***************************************************************************\n";
log_message 'User with securityName '.
$line->{'meta'}->{'securityName'}." has had their password reset.\n";
log_message "You will need to edit the configuration file after ".
"this script has finished\n".
"in order to enable their account\n";
log_message "***************************************************************************\n";
replace_line(\%::MASF_CONFIGS, $line,
{'comment'=>'# XXX Change the password if necessary',
'meta'=>{'directive'=>'createUser',
'securityModel'=>'usm',
'securityName'=>$line->{'meta'}->{'securityName'},
'authPassword'=>generate_password(),
'authProtocol'=>'MD5'}});
}
# if we can't migrate the engineID, then remove any oldEngineID
# statements and engineBoots statements
for $line (get_lines('oldEngineID', \%::MASF_CONFIGS),
get_lines('engineBoots', \%::MASF_CONFIGS)) {
replace_line(\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
return;
} else {
log_message "OK to migrate usm users\n";
}
# check to see if oldEngineID or engineBoots is defined in SMA config - if
# so then squash it in favour of new one from MASF
for $line (get_lines('oldEngineID', \%::SMA_CONFIGS),
get_lines('engineBoots', \%::SMA_CONFIGS)) {
replace_line(\%::SMA_CONFIGS, $line, {'meta'=>{}});
}
}
# ensure that if a createUser and usmUser directive is present for the same
# securityName then the createUser directive takes precedence
sub check_usm_securityNames
{
my (@masfUserLines)=(get_securityNames({'securityModel'=>'usm'},
\%::MASF_CONFIGS));
my (@smaUserLines)=(get_securityNames({'securityModel'=>'usm'},
\%::SMA_CONFIGS));
my ($usmUser, $user, $config);
for $config (\%::MASF_CONFIGS, \%::SMA_CONFIGS) {
my (@userLines) = (get_securityNames({'securityModel'=>'usm'},
$config));
my (@createUsers) = (grep 'createUser' eq $_->{'meta'}->{'directive'}, @userLines);
for $user (@createUsers) {
my (@usmUsers) = (grep (('usmUser' eq $_->{'meta'}->{'directive'}
&& $user->{'meta'}->{'securityName'} eq
$_->{'meta'}->{'securityName'}), @userLines));
for $usmUser (@usmUsers) {
replace_line($config, $usmUser, {'meta'=>{}});
}
}
}
}
sub choose_group_membership
{
my ($smaSecurityName, $masfSecurityName) = @_;
# interactive mode
convert_metadata();
log_message "\nThis user is defined in SMA with the following configuration:\n";
# get the config:
my ($o, $n) = get_old_new_config($smaSecurityName,
\%::SMA_CONFIGS);
log_message "Original configuration:\n".join ("\n",@$o);
log_message "\n\nProposed configuration 1:\n".join ("\n",@$n);
($o, $n) = get_old_new_config($masfSecurityName, \%::MASF_CONFIGS);
log_message "\n\nIt conflicts with the following MASF configuration:\nOriginal configuration:\n".join ("\n", @$o);
log_message "\n\nProposed configuration 2:\n".join ("\n",@$n)."\n";
my ($response) = (prompt ("Please choose one of the".
" proposed configurations", 1, [1,2]));
if ($response == 1) {
remove_com2sec_user ({'securityName'=>$masfSecurityName}, \%::MASF_CONFIGS);
} else {
remove_com2sec_user ({'securityName'=>$smaSecurityName}, \%::SMA_CONFIGS);
}
}
sub process_usm_securityNames
{
my ($file, $line, $fileb, $lineb, $snameLine, $sname, $conflicted);
for $snameLine (get_securityNames({'securityModel'=>'usm'}, \%::MASF_CONFIGS)) {
$sname = $snameLine->{'meta'}->{'securityName'};
$conflicted = undef;
for $file (values %::SMA_CONFIGS) {
for $line (@$file) {
if (exists $line->{'meta'}->{'securityName'} &&
$line->{'meta'}->{'securityName'} eq $sname) {
$conflicted=$line;
last;
}
}
}
if (defined $conflicted) {
# there is a clash
log_message "MASF securityName ".$sname." conflicts with one already defined in SMA\n", $snameLine;
if ($::KEEP_SMA_USM_USERS) {
remove_com2sec_user($snameLine->{'meta'}, \%::MASF_CONFIGS);
} elsif ($::KEEP_MASF_USM_USERS) {
remove_com2sec_user($conflicted->{'meta'}, \%::SMA_CONFIGS);
} elsif ($::AUTOMATED) {
log_message "Conflicting securityNames found - aborting. Please resolve these conflicts\n".
"manually.\n";
exit 1;
} else {
choose_group_membership($conflicted->{'meta'}->{'securityName'}, $sname);
}
}
}
}
sub remove_com2sec_user
{
my ($keys, $config)=@_;
my ($securityName)=($keys->{'securityName'});
my ($f, $l);
for $l (get_securityNames($keys, $config)) {
replace_line ($config, $l, {'meta'=>{}});
}
for $f (values %$config) {
for $l (@$f) {
if (exists $l->{'meta'}->{'directive'} &&
$l->{'meta'}->{'directive'} eq 'group' &&
$l->{'meta'}->{'securityName'} eq $securityName) {
replace_line($config, $l, {'meta'=>{}});
}
}
}
}
# get all lines which define a security name i.e. com2sec, createUser or
# usmUser, according to specified keys
sub get_securityNames
{
my ($keys, $configs)=@_;
my ($f, $l, @securityNames);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
($l->{'meta'}->{'directive'} ne 'createUser' &&
$l->{'meta'}->{'directive'} ne 'usmUser' &&
$l->{'meta'}->{'directive'} ne 'com2sec')) {
next;
}
if (exists $keys->{'securityName'} &&
$l->{'meta'}->{'securityName'} ne $keys->{'securityName'}) {
next;
}
if (exists $keys->{'securityModel'}) {
my ($sm) = ('usm');
if ($keys->{'securityModel'} eq 'v2c' ||
$keys->{'securityModel'} eq 'v1') {
$sm = 'v1';
}
if (($sm eq 'v1' &&
$l->{'meta'}->{'directive'} ne 'com2sec') ||
($sm eq 'usm' &&
($l->{'meta'}->{'directive'} ne 'createUser' &&
$l->{'meta'}->{'directive'} ne 'usmUser'))) {
next;
}
}
push @securityNames, $l;
}
}
return @securityNames;
}
sub get_groups
{
my ($keys, $configs)=@_;
my ($f, $l, @groups);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
$l->{'meta'}->{'directive'} ne 'group') {
next;
}
if (exists $keys->{'securityName'} &&
$l->{'meta'}->{'securityName'} ne $keys->{'securityName'}) {
next;
}
if (exists $keys->{'securityModel'} &&
$l->{'meta'}->{'securityModel'} ne $keys->{'securityModel'}) {
next;
}
if (exists $keys->{'groupName'} &&
$l->{'meta'}->{'groupName'} ne $keys->{'groupName'}) {
next;
}
push @groups, $l
}
}
return @groups;
}
sub get_access {
my ($keys, $configs)=@_;
my ($f, $l, @access);
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
$l->{'meta'}->{'directive'} ne 'access') {
next;
}
if (exists $keys->{'groupName'} &&
$l->{'meta'}->{'groupName'} ne $keys->{'groupName'}) {
next;
}
if (exists $keys->{'viewName'} &&
($l->{'meta'}->{'readView'} ne $keys->{'viewName'} &&
$l->{'meta'}->{'writeView'} ne $keys->{'viewName'} &&
$l->{'meta'}->{'notifyView'} ne $keys->{'viewName'})) {
next;
}
push @access, $l
}
}
return @access;
}
sub get_views {
my ($keys, $configs)=@_;
my ($f, $l, @views);
if (exists $keys->{'viewName'} &&
$keys->{'viewName'} eq '') {
return ();
}
for $f (values %$configs) {
for $l (@$f) {
if (! exists $l->{'meta'}->{'directive'} ||
$l->{'meta'}->{'directive'} ne 'view') {
next;
}
if (exists $keys->{'viewName'} &&
$l->{'meta'}->{'viewName'} ne $keys->{'viewName'}) {
next;
}
push @views, $l
}
}
return @views;
}
sub get_old_new_config
{
my ($securityName, $configs) = @_;
my ($line, @secNames, @groups, $group, $access, @accesses, @views, @old, @new);
my (@a, $keys);
$keys = {'securityName'=>$securityName};
@secNames = get_securityNames($keys, $configs);
@groups = get_groups ({'securityName'=>$securityName}, $configs);
# get other members of this group
if (@groups > 0) {
@groups = set_union([get_groups({'groupName'=>$groups[0]->{'meta'}->{'groupName'}}, $configs)], \@groups);
}
for $group (@groups) {
(@accesses) = (set_union(\@accesses, [get_access($group->{'meta'}, $configs)]));
}
for $access (@accesses) {
$keys = {'viewName'=>$access->{'meta'}->{'readView'}};
(@views) = (set_union(\@views, [get_views($keys, $configs)]));
$keys->{'viewName'}=$access->{'meta'}->{'writeView'};
(@views) = (set_union(\@views, [get_views($keys, $configs)]));
$keys->{'viewName'}=$access->{'meta'}->{'notifyView'};
(@views) = (set_union(\@views, [get_views($keys, $configs)]));
}
for $line (@secNames, @groups, @accesses, @views) {
if (exists $line->{'orig'}) {
push @old, $line->{'orig'};
}
if (exists $line->{'new'}) {
push @new, $line->{'new'};
}
}
return [@old], [@new];
}
sub parse_source
{
my ($line) = @_;
my ($source) = $line->{'meta'}->{'source'};
my ($hostIP, $mask, $ipSegment);
# was it 'default'
if ($source eq 'default' || $source eq '0.0.0.0') {
return (inet_aton('0.0.0.0'), inet_aton('0.0.0.0'));
}
# try to resolve as a plain IP address or a hostname
$ipSegment=$source;
($ipSegment, $mask) = split /\//, $source;
# try to resolve hostname as an IP address
my ($hostent) = gethostbyname($ipSegment);
if (defined $hostent) {
if ($hostent->addrtype ne AF_INET) {
log_message "Unsupported address family in source $source\n", $line;
exit 1;
}
my (@hostIPs) = @{$hostent->addr_list};
log_message "resolved $source to ".inet_ntoa($hostIPs[0])."\n", $line;
$hostIP = $hostIPs[0];
} else {
log_message "Couldn't resolve $ipSegment as a hostname or IP address\n", $line;
exit 1;
}
# try to resolve as subnet/mask
if (defined $mask && $mask ne '') {
my $netmask;
$netmask = inet_aton($mask);
if (! defined $netmask) {
# try to interpret as number between 0 and 32
my ($bit) = (0x80000000);
$netmask = 0;
if ($mask < 0 || $mask > 32) {
log_message "$source did not contain a valid netmask.\n", $line;
exit 1;
}
while ($mask > 0) {
$netmask |= $bit;
$bit = $bit >> 1;
}
}
my ($N, $H) = (in_addr_to_number ($netmask), in_addr_to_number
($hostIP));
if ($H & ~$N) {
log_message("source/mask mismatch - ".inet_ntoa($hostIP).'/'.inet_ntoa($netmask)."\n", $line);
exit 1;
}
return ($hostIP, $netmask);
} else {
# no netmask specified - exact match
return ($hostIP, inet_aton('255.255.255.255'));
}
}
sub source_overlap
{
my ($linea, $lineb) = @_;
my ($ipa, $maska) = parse_source($linea);
my ($ipb, $maskb) = parse_source($lineb);
my $mask_overlap;
$ipa = in_addr_to_number($ipa);
$ipb = in_addr_to_number($ipb);
$mask_overlap = in_addr_to_number($maska) & in_addr_to_number($maskb);
my $complement = 0xffffffff & (~$mask_overlap);
if (($ipa & $mask_overlap | $complement) == ($ipb & $mask_overlap | $complement)) {
return 1;
}
return 0;
}
sub community_conflicts
{
my ($linea)=@_;
my ($community, $source) = ($linea->{'meta'}->{'community'}, $linea->{'meta'}->{'source'});
my ($lines, $line);
for $lines (values %::SMA_CONFIGS) {
for $line (@$lines) {
if (! exists $line->{'meta'}->{'community'} ||
$line->{'meta'}->{'community'} ne $community) {
next;
}
if (! exists $line->{'meta'}->{'source'}) {
next;
}
if (source_overlap ($line, $linea)) {
return ($line);
}
}
}
return undef;
}
sub process_com2sec
{
my ($lines, $line);
my $conflict;
for $lines (values %::MASF_CONFIGS) {
for $line (@$lines) {
if (! exists $line->{'meta'}->{'directive'} ||
$line->{'meta'}->{'directive'} ne 'com2sec') {
next;
}
$conflict = community_conflicts($line);
if (defined $conflict) {
log_message "MASF source ".$line->{'meta'}->{'source'}.
" conflicts with SMA source ".$conflict->{'meta'}->{'source'}.
" defined for community ".$line->{'meta'}->{'community'}."\n", $line;
if ($::KEEP_SMA_GROUPS) {
# remove user from MASF config
remove_com2sec_user ($line->{'meta'}, \%::MASF_CONFIGS);
} elsif ($::KEEP_MASF_GROUPS) {
# remove user from SMA config
remove_com2sec_user ($line->{'meta'}, \%::SMA_CONFIGS);
} elsif ($::AUTOMATED) {
# didn't define what to do so stop!
log_message "Conflicting source/communities found - ".
"aborting. Please resolve these conflicts manually.\n";
exit 1;
} else {
choose_group_membership($conflict->{'meta'}->{'securityName'}, $line->{'meta'}->{'securityName'});
}
}
}
}
}
sub uniquify_viewNames
{
my ($prefix) = @_;
my %mappings=();
my ($lines, $line, $securityName, $i, @keys, $key, $from);
@keys = ('viewName', 'readView', 'writeView', 'notifyView');
for $lines (values %::MASF_CONFIGS) {
foreach $line (@$lines) {
for $key (@keys) {
if (exists $line->{'meta'}->{$key} &&
$line->{'meta'}->{$key} ne '') {
$from = $line->{'meta'}->{$key};
} else {
next;
}
# is there already a mapping for this securityName ?
if (exists $mappings{$from}) {
$line->{'meta'}->{$key} = $mappings{$from};
replace_line(\%::MASF_CONFIGS, $line, $line);
next;
}
# generate a new securityName
$i = 0;
while (viewName_exists($prefix.$i.$from))
{
$i++;
}
if (length $prefix.$i.$from > 32) {
log_message ("Couldn't render viewName $from unique\n", $line);
exit 1;
}
$mappings{$from}=$prefix.$i.$from;
$line->{'meta'}->{$key} = $prefix.$i.$from;
replace_line(\%::MASF_CONFIGS, $line, $line);
}
}
}
# remove redundant view names
my (@viewLines, @accessLines, $view, $config);
for $config (\%::MASF_CONFIGS, \%::SMA_CONFIGS) {
@viewLines = get_views({}, $config);
for $view (@viewLines) {
@accessLines = (get_access($view->{'meta'}, \%::MASF_CONFIGS), get_access($view->{'meta'}, \%::SMA_CONFIGS));
if (@accessLines == 0) {
replace_line($config, $view, {'meta'=>{}});
}
}
}
}
sub uniquify_groupNames
{
my ($prefix) = @_;
my %mappings=();
my ($lines, $line, $securityName, $i, $from);
for $lines (values %::MASF_CONFIGS) {
foreach $line (@$lines) {
if (exists $line->{'meta'}->{'groupName'}) {
$from = $line->{'meta'}->{'groupName'};
} else {
next;
}
# is there already a mapping for this securityName ?
if (exists $mappings{$from}) {
$line->{'meta'}->{'groupName'} = $mappings{$from};
replace_line(\%::MASF_CONFIGS, $line, $line);
next;
}
# generate a new securityName
$i = 0;
while (groupName_exists($prefix.$i.$from))
{
$i++;
}
if (length $prefix.$i.$from > 32) {
log_message ("Couldn't render groupName $from unique\n", $line);
exit 1;
}
$mappings{$from}=$prefix.$i.$from;
$line->{'meta'}->{'groupName'} = $prefix.$i.$from;
replace_line(\%::MASF_CONFIGS, $line, $line);
}
}
}
# remove group directives referring to undefined users
sub clean_group_membership
{
my ($config);
for $config (\%::MASF_CONFIGS, \%::SMA_CONFIGS) {
my (@groups) = get_lines('group', $config);
my ($group);
for $group (@groups) {
my (@securityNames) = get_securityNames($group->{'meta'}, $config);
if (@securityNames == 0) {
# no securityName was defined for this directive - remove the
# directive
log_message "Removing undefined user ".
$group->{'meta'}->{'securityName'}." from group ".
$group->{'meta'}->{'groupName'}."\n", $group;
replace_line($config, $group, {'meta'=>{}});
}
}
}
}
sub uniquify_securityNames
{
my ($prefix) = @_;
my ($to);
my ($lines, $line, $securityName, $i, $from, $fromLine);
for $fromLine (get_securityNames({'securityModel'=>'v1'},
\%::MASF_CONFIGS)) {
# generate a new securityName
$from = $fromLine->{'meta'}->{'securityName'};
$to = get_new_securityName($prefix.$from);
for $lines (values %::MASF_CONFIGS) {
foreach $line (@$lines) {
if (! exists $line->{'meta'}->{'securityName'} ||
$line->{'meta'}->{'securityName'} ne $from) {
next;
}
$line->{'meta'}->{'securityName'} = $to;
replace_line(\%::MASF_CONFIGS, $line, $line);
}
}
}
}
sub check_tokens
{
my ($line, $minTokens, $maxTokens, @tokens) = @_;
my ($directive) = $line->{'meta'}->{'directive'};
if (@tokens < $minTokens || @tokens > $maxTokens) {
log_message "Invalid number of parameters for $directive directive ".
"- Aborting\n", $line;
exit 1;
}
}
# convert simple array of lines into hash containing data which is what we
# subsequently modify
sub add_metadata
{
my ($lines, $file, $line, $i, $s, $directive, @tokens);
my ($key, $j);
for $key (keys %::SMA_CONFIGS) {
for ($i = 0; $i < @{$::SMA_CONFIGS{$key}}; $i++) {
$line = $::SMA_CONFIGS{$key}->[$i];
$::SMA_CONFIGS{$key}->[$i] = {'orig'=>$line,
'new'=>$line,
# NB the 'meta' hash doesn't contain metadata, only real data...
'meta'=>{},
'lineno'=>$i,
'file'=>$key};
}
}
for $key (keys %::MASF_CONFIGS) {
for ($i = 0; $i < @{$::MASF_CONFIGS{$key}}; $i++) {
$line = $::MASF_CONFIGS{$key}->[$i];
$::MASF_CONFIGS{$key}->[$i] = {'orig'=>$line,
'new'=>$line,
'meta'=>{},
'lineno'=>$i,
'file'=>$key};
}
}
for $lines (values %::SMA_CONFIGS, values %::MASF_CONFIGS) {
for $line (@$lines) {
($directive, @tokens) = parse_config_line($line->{'new'});
if ($directive ne '') {
$line->{'meta'}->{'directive'} = $directive;
}
if ($directive eq 'com2sec') {
check_tokens($line, 3, 3, @tokens);
$line->{'meta'}->{'securityName'} = $tokens[0];
$line->{'meta'}->{'source'} = $tokens[1];
$line->{'meta'}->{'community'} = $tokens[2];
} elsif ($directive eq 'group') {
check_tokens($line, 3, 3, @tokens);
$line->{'meta'}->{'groupName'} = $tokens[0];
$line->{'meta'}->{'securityModel'} = $tokens[1];
$line->{'meta'}->{'securityName'} = $tokens[2];
} elsif ($directive eq 'rouser' || $directive eq 'rwuser') {
check_tokens($line, 1, 3, @tokens);
$line->{'meta'}->{'securityName'} = $tokens[0];
if (defined $tokens[1]) {
$line->{'meta'}->{'securityLevel'} = $tokens[1];
}
if (defined $tokens[2]) {
$line->{'meta'}->{'oid'} = $tokens[2];
}
} elsif ($directive eq 'createUser') {
check_tokens($line, 3, 5, @tokens);
$line->{'meta'}->{'securityName'} = $tokens[0];
$line->{'meta'}->{'authProtocol'} = $tokens[1];
$line->{'meta'}->{'authPassword'} = $tokens[2];
$line->{'meta'}->{'securityModel'} = 'usm';
if (defined $tokens[3]) {
$line->{'meta'}->{'privProtocol'} = $tokens[3];
}
if (defined $tokens[4]) {
$line->{'meta'}->{'privPassword'} = $tokens[4];
}
} elsif ($directive eq 'usmUser') {
check_tokens($line, 11, 11, @tokens);
$line->{'meta'}->{'securityName'} = securityName_from_usmUser($directive, @tokens);
$line->{'meta'}->{'securityModel'} = 'usm';
} elsif ($directive eq 'access') {
check_tokens($line, 8, 8, @tokens);
$line->{'meta'}->{'groupName'} = $tokens[0];
$line->{'meta'}->{'contextPrefix'} = $tokens[1];
$line->{'meta'}->{'securityModel'} = $tokens[2];
$line->{'meta'}->{'securityLevel'} = $tokens[3];
$line->{'meta'}->{'contextMatch'} = $tokens[4];
$line->{'meta'}->{'readView'} = $tokens[5];
$line->{'meta'}->{'writeView'} = $tokens[6];
$line->{'meta'}->{'notifyView'} = $tokens[7];
} elsif ($directive eq 'view') {
check_tokens($line, 3, 4, @tokens);
$line->{'meta'}->{'viewName'} = $tokens[0];
$line->{'meta'}->{'viewType'} = $tokens[1];
$line->{'meta'}->{'oid'} = $tokens[2];
if (defined $tokens[3]) {
$line->{'meta'}->{'mask'} = $tokens[3];
}
} elsif ($directive eq 'rocommunity' || $directive eq 'rwcommunity') {
check_tokens($line, 1, 3, @tokens);
$line->{'meta'}->{'community'} = $tokens[0];
if (defined $tokens[1]) {
$line->{'meta'}->{'source'} = $tokens[1];
} else {
$line->{'meta'}->{'source'} = "0.0.0.0/0.0.0.0";
}
if (defined $tokens[2]) {
$line->{'meta'}->{'oid'} = $tokens[2];
}
} elsif ($directive eq 'trapcommunity') {
check_tokens($line, 1, 1, @tokens);
$line->{'meta'}->{'community'} = $tokens[0];
} elsif ($directive eq 'trapsink' ||
$directive eq 'trap2sink' ||
$directive eq 'informsink') {
check_tokens($line, 1, 3, @tokens);
$line->{'meta'}->{'host'} = $tokens[0];
if (defined $tokens[1]) {
$line->{'meta'}->{'community'} = $tokens[1];
}
if (defined $tokens[2]) {
$line->{'meta'}->{'port'} = $tokens[2];
}
} elsif ($directive eq 'snmpNotifyFilterTable') {
check_tokens($line, 6, 6, @tokens);
$line->{'meta'}->{'profileName'} = $tokens[0];
$line->{'meta'}->{'subtree'} = $tokens[1];
$line->{'meta'}->{'mask'} = $tokens[2];
$line->{'meta'}->{'filterType'} = $tokens[3];
$line->{'meta'}->{'storageType'} = $tokens[4];
$line->{'meta'}->{'rowStatus'} = $tokens[5];
} elsif ($directive eq 'targetParams') {
check_tokens($line, 7, 7, @tokens);
$line->{'meta'}->{'paramName'} = $tokens[0];
$line->{'meta'}->{'MPModel'} = $tokens[1];
$line->{'meta'}->{'securityModel'} = $tokens[2];
$line->{'meta'}->{'securityName'} = $tokens[3];
$line->{'meta'}->{'securityLevel'} = $tokens[4];
$line->{'meta'}->{'storageType'} = $tokens[5];
$line->{'meta'}->{'rowStatus'} = $tokens[6];
} elsif ($directive eq 'targetAddr') {
check_tokens($line, 9, 9, @tokens);
$line->{'meta'}->{'targetName'} = $tokens[0];
$line->{'meta'}->{'TDomain'} = $tokens[1];
$line->{'meta'}->{'TAddress'} = $tokens[2];
$line->{'meta'}->{'timeout'} = $tokens[3];
$line->{'meta'}->{'retryCount'} = $tokens[4];
$line->{'meta'}->{'tagList'} = $tokens[5];
$line->{'meta'}->{'paramName'} = $tokens[6];
$line->{'meta'}->{'storageType'} = $tokens[7];
$line->{'meta'}->{'rowStatus'} = $tokens[8];
} elsif ($directive eq 'snmpNotifyTable') {
check_tokens($line, 5, 5, @tokens);
$line->{'meta'}->{'notifyName'} = $tokens[0];
$line->{'meta'}->{'notifyTag'} = $tokens[1];
$line->{'meta'}->{'notifyType'} = $tokens[2];
$line->{'meta'}->{'storageType'} = $tokens[3];
$line->{'meta'}->{'rowStatus'} = $tokens[4];
} elsif ($directive eq 'snmpNotifyFilterProfileTable') {
check_tokens($line, 4, 4, @tokens);
$line->{'meta'}->{'paramName'} = $tokens[0];
$line->{'meta'}->{'profileName'} = $tokens[1];
$line->{'meta'}->{'storageType'} = $tokens[2];
$line->{'meta'}->{'rowStatus'} = $tokens[3];
} elsif ($directive eq 'master') {
check_tokens($line, 1, 1, @tokens);
$line->{'meta'}->{'masterMode'} = $tokens[0];
} elsif ($directive eq 'agentxTimeout') {
check_tokens($line, 1, 1, @tokens);
$line->{'meta'}->{'agentxTimeout'} = $tokens[0];
} elsif ($directive eq 'agentxRetries') {
check_tokens($line, 1, 1, @tokens);
$line->{'meta'}->{'agentxRetries'} = $tokens[0];
}
}
}
}
sub convert_metadata
{
my ($line, $file, $meta, $directive);
my %mps = ($MPMODEL_SNMPV1=>'v1',
$MPMODEL_SNMPV2C=>'v2c',
$MPMODEL_SNMPV2U=>'v2u',
$MPMODEL_SNMPV3=>'v3');
my %sms = ($SECURITY_MODEL_ANY=>'any',
$SECURITY_MODEL_SNMPV1=>'v1',
$SECURITY_MODEL_SNMPV2C=>'v2c',
$SECURITY_MODEL_USM=>'usm');
my %sls = ($SECURITY_LEVEL_NOAUTHNOPRIV=>'noAuthNoPriv',
$SECURITY_LEVEL_AUTHNOPRIV=>'authNoPriv',
$SECURITY_LEVEL_AUTHPRIV=>'authPriv');
my %nts = ($NOTIFY_TYPE_TRAP=>'trap',
$NOTIFY_TYPE_INFORM=>'inform');
for $file (values %::ADDED_CONFIGS, values %::MASF_CONFIGS, values
%::SMA_CONFIGS) {
for $line (@$file) {
$meta = $line->{'meta'};
if (exists $meta->{'directive'} &&
exists $line->{'changed'}) {
delete $line->{'changed'};
$directive = $meta->{'directive'};
if ($directive eq 'com2sec') {
# don't quote securityName or community
$line->{'new'} = "com2sec ".$meta->{'securityName'}.
' '.$meta->{'source'}.' '.$meta->{'community'};
} elsif ($directive eq 'group') {
# don't quote groupName
$line->{'new'} = 'group '.$meta->{'groupName'}.
' '.$meta->{'securityModel'}.' '.
# don't quote securityName
$meta->{'securityName'}.'';
} elsif ($directive eq 'access') {
my ($readView, $writeView, $notifyView) =
map { $_ eq '' ? 'none' : $_ }
($meta->{'readView'}, $meta->{'writeView'},
$meta->{'notifyView'});
# don't quote groupName, or viewNames
$line->{'new'} = 'access '.$meta->{'groupName'}.
' "'.$meta->{'contextPrefix'}.'" '.
$meta->{'securityModel'}.' '.$meta->{'securityLevel'}.
' '.$meta->{'contextMatch'}.' '.$readView.
' '.$writeView.' '.$notifyView;
} elsif ($directive eq 'view') {
# don't quote viewName
$line->{'new'} = 'view '.$meta->{'viewName'}.' '.
$meta->{'viewType'}.' '.$meta->{'oid'};
if (exists $meta->{'mask'}) {
$line->{'new'}.=' '.$meta->{'mask'};
}
} elsif ($directive eq 'createUser') {
$line->{'new'} = 'createUser "'.$meta->{'securityName'}.
'" '.$meta->{'authProtocol'}.' "'.$meta->{'authPassword'}.
'"';
if (exists $meta->{'privProtocol'}) {
$line->{'new'}.=' '.$meta->{'privProtocol'};
}
if (exists $meta->{'privPassword'}) {
$line->{'new'}.=' "'.$meta->{'privPassword'}.'" ';
}
} elsif ($directive eq 'trap2sink' ||
$directive eq 'trapsink' ||
$directive eq 'informsink') {
$line->{'new'} = $directive.' '.$meta->{'host'};
if (exists $meta->{'community'}) {
# don't quote community
$line->{'new'}.=' '.$meta->{'community'}.'';
}
if (exists $meta->{'port'}) {
$line->{'new'}.=' '.$meta->{'port'};
}
} elsif ($directive eq 'snmpNotifyFilterTable') {
$line->{'new'} = 'snmpNotifyFilterTable "'.
$meta->{'profileName'}.'" '.$meta->{'subtree'}.' "'.
$meta->{'mask'}.'" '.$meta->{'filterType'}.' '.
$meta->{'storageType'}.' '.$meta->{'rowStatus'};
} elsif ($directive eq 'targetParams') {
$line->{'comment'} = '# targetParams '.$meta->{'paramName'}.
' '.$mps{$meta->{'MPModel'}}.' '.
$sms{$meta->{'securityModel'}}.' '.$meta->{'securityName'}.
' '.$sls{$meta->{'securityLevel'}};
$line->{'new'} = 'targetParams "'.$meta->{'paramName'}.'" '.
$meta->{'MPModel'}.' '.$meta->{'securityModel'}.' "'.
$meta->{'securityName'}.'" '.$meta->{'securityLevel'}.' '.
$meta->{'storageType'}.' '.$meta->{'rowStatus'};
} elsif ($directive eq 'targetAddr') {
$line->{'new'} = 'targetAddr "'.$meta->{'targetName'}.
'" '.$meta->{'TDomain'}.' '.$meta->{'TAddress'}.
' '.$meta->{'timeout'}.' '.$meta->{'retryCount'}.
' "'.$meta->{'tagList'}.'" "'.$meta->{'paramName'}.
'" '.$meta->{'storageType'}.' '.$meta->{'rowStatus'};
} elsif ($directive eq 'snmpNotifyTable') {
$line->{'comment'} = '# snmpNotifyTable '.$meta->{'notifyName'}.
' '.$meta->{'notifyTag'}.' '.$nts{$meta->{'notifyType'}};
$line->{'new'} = 'snmpNotifyTable "'.$meta->{'notifyName'}.
'" "'.$meta->{'notifyTag'}.'" '.$meta->{'notifyType'}.
' '.$meta->{'storageType'}.' '.$meta->{'rowStatus'};
} elsif ($directive eq 'snmpNotifyFilterProfileTable') {
$line->{'new'} = 'snmpNotifyFilterProfileTable "'.
$meta->{'paramName'}.'" "'.$meta->{'profileName'}.
'" '.$meta->{'storageType'}.' '.$meta->{'rowStatus'};
} elsif ($directive eq 'master') {
$line->{'new'} = 'master '.$meta->{'masterMode'};
} elsif ($directive eq 'agentxTimeout') {
$line->{'new'} = 'agentxTimeout '.$meta->{'agentxTimeout'};
} elsif ($directive eq 'agentxRetries') {
$line->{'new'} = 'agentxRetries '.$meta->{'agentxRetries'};
}
}
}
}
}
# convert all rwuser directives to rouser
sub convert_rwusers
{
my ($line, $file);
my ($directive, @tokens);
for $line (get_lines('rwuser', \%::MASF_CONFIGS)) {
$line->{'meta'}->{'directive'} = 'rouser';
replace_line(\%::MASF_CONFIGS, $line, $line);
}
}
# convert all rwcommunity directives to rocommunity
sub convert_rwcommunities
{
my ($line);
for $line (get_lines('rwcommunity', \%::MASF_CONFIGS)) {
$line->{'meta'}->{'directive'} = 'rocommunity';
replace_line(\%::MASF_CONFIGS, $line, $line);
}
}
sub securityName_from_usmUser
{
my ($directive, @tokens) = @_;
my ($string);
$tokens[3]=~s/^0x//;
$string = pack 'H*', $tokens[3];
return unpack 'Z*', $string;
}
sub viewName_exists
{
my ($viewName) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta=$line->{'meta'};
if ((exists $meta->{'readView'} &&
$meta->{'readView'} eq $viewName) ||
(exists $meta->{'writeView'} &&
$meta->{'writeView'} eq $viewName) ||
(exists $meta->{'notifyView'} &&
$meta->{'notifyView'} eq $viewName) ||
(exists $meta->{'viewName'} &&
$meta->{'viewName'} eq $viewName)) {
return 1;
}
}
}
return 0;
}
sub get_new_viewName
{
my ($prefix)=@_;
my ($viewName, $i);
$i = 0;
do {
$viewName = $prefix.$i;
if (length $viewName > 32) {
log_message("viewName $viewName was longer than 32 characters\n");
exit 1;
}
$i++;
} while (viewName_exists($viewName));
return $viewName;
}
sub groupName_exists
{
my ($groupName) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta=$line->{'meta'};
if (exists $meta->{'groupName'} &&
$meta->{'groupName'} eq $groupName) {
return 1;
}
}
}
return 0;
}
sub get_new_groupName
{
my ($prefix)=@_;
my ($groupName, $i);
$i = 0;
do {
$groupName = $prefix.$i;
if (length $groupName > 32) {
log_message("groupName $groupName was longer than 32 characters\n");
exit 1;
}
$i++;
} while (groupName_exists($groupName));
return $groupName;
}
sub securityName_exists
{
my ($securityName) = @_;
my ($file, $line, $meta);
for $file (values %::MASF_CONFIGS, values %::SMA_CONFIGS) {
for $line (@$file) {
$meta=$line->{'meta'};
if (exists $meta->{'securityName'} &&
$meta->{'securityName'} eq $securityName) {
return 1;
}
}
}
return 0;
}
sub get_new_securityName
{
my ($prefix)=@_;
my ($securityName, $i);
$i = 0;
do {
$securityName = $prefix.$i;
# check to see if length is more than 32 characters permitted
# by VACM
if (length $securityName > 32) {
log_message("securityName $securityName was longer".
" than 32 characters\n");
exit 1;
}
$i++;
} while (securityName_exists($securityName));
return $securityName;
}
sub expand_rouser
{
my ($line, $default_oids) = @_;
my ($securityName, $groupName, $viewName, $secLevel, $oid);
my (@output, $readView, $writeView, $i);
@output = ($line);
$securityName = $line->{'meta'}->{'securityName'};
if (! defined $line->{'meta'}->{'securityLevel'}) {
$secLevel = "auth";
} else {
$secLevel = $line->{'meta'}->{'securityLevel'};
}
if (! defined $line->{'meta'}->{'oid'}) {
$oid = '';
} else {
$oid = $line->{'meta'}->{'oid'};
}
$groupName = get_new_groupName("Group");
$viewName = get_new_viewName("View");
if ($line->{'meta'}->{'directive'} eq 'rouser') {
$readView = $viewName;
$writeView = '';
} else {
$readView = $viewName;
$writeView = $viewName;
}
$output[0]->{'meta'} = {'directive'=>'group',
'groupName'=>$groupName,
'securityModel'=>'usm',
'securityName'=>$securityName};
push @output, {'meta'=>{'directive'=>'access',
'groupName'=>$groupName,
'contextPrefix'=>'',
'securityModel'=>'usm',
'securityLevel'=>$secLevel,
'contextMatch'=>'exact',
'readView'=>$readView,
'writeView'=>$writeView,
'notifyView'=>''}
};
if ($oid ne '') {
push @output, {'meta'=>{'directive'=>'view',
'viewName'=>$viewName,
'viewType'=>'included',
'oid'=>$oid}};
} else {
for ($i = 0; $i < @$default_oids; $i++) {
push @output,{'meta'=>{'directive'=>'view',
'viewName'=>$viewName,
'viewType'=>'included',
'oid'=>$default_oids->[$i]}};
}
}
return @output;
}
sub expand_rocommunity
{
my ($line, $default_oids) = @_;
my ($securityName, $groupName, $viewName, $community, $source, $oid);
my (@output, $readView, $writeView, $i);
@output = ($line);
$community = $line->{'meta'}->{'community'};
$source = $line->{'meta'}->{'source'};
if (defined $line->{'meta'}->{'oid'}) {
$oid = $line->{'meta'}->{'oid'};
} else {
$oid = '';
}
$securityName = get_new_securityName("User");
$groupName = get_new_groupName("Group");
$viewName = get_new_viewName("View");
if ($line->{'meta'}->{'directive'} eq 'rocommunity') {
$readView = $viewName;
$writeView = '';
} else {
$readView = $viewName;
$writeView = $viewName;
}
$output[0]->{'meta'} = {'directive'=>"com2sec",
'securityName'=>$securityName,
'source'=>$source,
'community'=>$community
};
push @output, {'meta'=>{'directive'=>'group',
'groupName'=>$groupName,
'securityModel'=>'v1',
'securityName'=>$securityName}
},
{'meta'=>{'directive'=>'group',
'groupName'=>$groupName,
'securityModel'=>'v2c',
'securityName'=>$securityName}
},
{'meta'=>{'directive'=>'access',
'groupName'=>$groupName,
'contextPrefix'=>'',
'securityModel'=>'v1',
'securityLevel'=>'noauth',
'contextMatch'=>'exact',
'readView'=>$readView,
'writeView'=>$writeView,
'notifyView'=>''}
},
{'meta'=>{'directive'=>'access',
'groupName'=>$groupName,
'contextPrefix'=>'',
'securityModel'=>'v2c',
'securityLevel'=>'noauth',
'contextMatch'=>'exact',
'readView'=>$readView,
'writeView'=>$writeView,
'notifyView'=>''}
};
if ($oid ne '') {
push @output, {'meta'=>{'directive'=>'view',
'viewName'=>$viewName,
'viewType'=>'included',
'oid'=>$oid}};
} else {
for ($i = 0; $i < @$default_oids; $i++) {
push @output, {'meta'=>{'directive'=>'view',
'viewName'=>$viewName,
'viewType'=>'included',
'oid'=>$default_oids->[$i]}};
}
}
return @output;
}
sub expand_rousers
{
my ($configs, $default_oids) = @_;
my ($file, $lines, $i, $output, $line, $directive, @tokens);
my (@expanded);
for $file (keys %$configs) {
$lines = $configs->{$file};
$output=[];
for ($i = 0; $i < @$lines; $i++) {
$line = $lines->[$i];
if (! exists $line->{'meta'}->{'directive'}) {
next;
}
$directive = $line->{'meta'}->{'directive'};
if ($directive eq 'rouser' || $directive eq 'rwuser') {
# expand rocommunity directive
@expanded = expand_rouser($line, $default_oids);
splice @$lines, $i, 1, @expanded;
$i += $#expanded;
}
}
}
}
sub expand_rocommunities
{
my ($configs, $default_oids)= @_;
my ($file, $lines, $i, $output, $line, $directive, @tokens);
my (@expanded);
for $file (keys %$configs) {
$lines = $configs->{$file};
$output=[];
for ($i = 0; $i < @$lines; $i++) {
$line = $lines->[$i];
if (! exists $line->{'meta'}->{'directive'}) {
next;
}
if ($line->{'meta'}->{'directive'} eq 'rocommunity' ||
$line->{'meta'}->{'directive'} eq 'rwcommunity') {
# expand rocommunity directive
@expanded = expand_rocommunity($line, $default_oids);
splice @$lines, $i, 1, @expanded;
$i += $#expanded;
}
}
}
}
##############################################################################
# General configuration
sub install_agentx_config
{
my (@lines) = get_lines('master', \%::SMA_CONFIGS);
if (@lines) {
if (grep (($lines[0]->{'meta'}->{'masterMode'} eq $_),
('agentx', 'all', 'yes', 'on'))) {
# master mode is enabled anyway
} else {
# master mode was disabled!
log_message "AgentX mastering capability has been explicitly ".
"disabled in the SMA config - Aborting.\n", $lines[0];
exit 1;
}
} else {
# master mode has not been specified, add it.
log_message "Enabling agentX mastering for SMA.\n";
prepend_line({'meta'=>{'directive'=>'master', 'masterMode'=>'agentx'}});
}
@lines = get_lines('agentxTimeout', \%::SMA_CONFIGS);
if (@lines) {
if ($lines[0]->{'agentxTimeout'} < 2) {
$lines[0]->{'agentxTimeout'} = 2;
replace_line(\%::SMA_CONFIGS, $lines[0], $lines[0]);
}
} else {
prepend_line({'meta'=>{'directive'=>'agentxTimeout', 'agentxTimeout'=>2}});
}
@lines = get_lines('agentxRetries', \%::SMA_CONFIGS);
if (@lines) {
if ($lines[0]->{'agentxRetries'} < 4) {
$lines[0]->{'agentxRetries'} = 4;
replace_line(\%::SMA_CONFIGS, $lines[0], $lines[0]);
}
} else {
prepend_line({'meta'=>{'directive'=>'agentxRetries', 'agentxRetries'=>4}});
}
}
sub check_agent_configs
{
my ($directive, $line);
for $directive ('agentgroup', 'agentuser', 'authtrapenable') {
my (@masf) = get_lines($directive, \%::MASF_CONFIGS);
my (@sma) = get_lines($directive, \%::SMA_CONFIGS);
if (@masf > 0 && @sma == 0) {
log_message "The following $directive directive was found in ".
"the MASF configuration but is not configured for SMA:\n";
log_message $masf[0]->{'new'}."\n";
} elsif (@masf > 0 && @sma > 0 && $sma[0] ne $masf[0]) {
log_message "The following $directive directive was found in ".
"the MASF configuration but differs in the SMA configuration:\n";
log_message $masf[0]->{'new'}."\n";
}
for $line (@masf) {
# delete the line
replace_line(\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
}
}
sub check_system_configs
{
my ($directive, $line);
for $directive ('syslocation', 'syscontact', 'sysname', 'sysservices') {
my (@masf) = get_lines($directive, \%::MASF_CONFIGS);
my (@sma) = get_lines($directive, \%::SMA_CONFIGS);
if (@masf > 0 && @sma == 0) {
log_message "The following $directive directive was found in ".
"the MASF configuration but is not configured for SMA:\n";
log_message $masf[0]->{'new'}."\n";
log_message "You may wish to set this parameter in the SMA ".
"configuration file after this script completes migration.\n";
} elsif (@masf > 0 && @sma > 0 && $sma[0]->{'new'} ne $masf[0]->{'new'}) {
log_message "The following $directive directive was found in ".
"the MASF configuration but differs in the SMA configuration:\n";
log_message $masf[0]->{'new'}."\n";
log_message "You may wish to set this parameter in the SMA ".
"configuration file after this script completes migration.\n";
}
for $line (@masf) {
# delete the line
replace_line(\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
}
}
sub process_agentaddress
{
my ($line, $lines, @masfAgentAddress, $smaAgentAddress, $config);
(@masfAgentAddress) = get_lines ('agentaddress', \%::MASF_CONFIGS);
if (@masfAgentAddress == 0) {
log_message "No agentaddress directive found for MASF\n";
return;
}
# if more than one MASF agentaddress line was specified then all but the
# last are ignored so we should delete them
while (@masfAgentAddress > 1) {
$line = shift @masfAgentAddress;
replace_line (\%::MASF_CONFIGS, $line, {'meta'=>{}});
}
my (@smaTokens, @masfTokens);
($smaAgentAddress) = get_lines ('agentaddress', \%::SMA_CONFIGS);
if (! defined $smaAgentAddress) {
log_message "SMA uses default 161 port\n";
@smaTokens = ('udp:161');
} else {
@smaTokens = parse_agentaddress ($smaAgentAddress->{'new'});
}
if (defined $smaAgentAddress) {
$line = $smaAgentAddress;
$config = \%::SMA_CONFIGS;
} else {
$line = $masfAgentAddress[0];
$config = \%::MASF_CONFIGS;
}
if ($::DISABLE_MASF_PORT && @masfAgentAddress) {
log_message "Disabling access via old MASF port\n";
delete $masfAgentAddress[0]->{'new'};
return;
}
@masfTokens = parse_agentaddress ($masfAgentAddress[0]->{'new'});
# MASF addresses must be a subset of SMA
my ($i, $j, $okToMigrate);
$okToMigrate = 1;
for $i (@masfTokens) {
if (grep(($i eq $_), @smaTokens) == 0) {
log_message "MASF port configuration for port $i conflicts with SMA\n";
$okToMigrate = 0;
}
}
if (! $okToMigrate && ! $::USE_MASF_PORT && ! $::DISABLE_MASF_PORT) {
log_message "Unable to resolve conflict - aborting\n";
exit 1;
}
if ($::USE_MASF_PORT) {
push @smaTokens, @masfTokens;
}
$line->{'new'} = 'agentaddress '.(join ',',@smaTokens);
replace_line($config, $line, $line);
return;
}
##############################################################################
# Main section starts here
# configure Getopt for CLIP compliance
Getopt::Long::Configure('bundling', 'require_order',
'no_getopt_compat', 'no_auto_abbrev', 'no_ignore_case');
my ($selectCommunity, $selectUser, $useAgentPort, $trapFilter,
$masterTrapTarget, $version, $help);
$selectCommunity = 'error';
$selectUser = 'error';
$useAgentPort = 'error';
$trapFilter = 'add';
my $result = GetOptions(
'i|ignore-unrecognized-directives'=>\$::IGNORE_UNRECOGNIZED_DIRECTIVES,
's|skip-user'=>\$::IGNORE_ENGINEID,
'y|select-community=s'=>\$selectCommunity,
'u|select-user=s'=>\$selectUser,
'p|use-agent-port=s'=>\$useAgentPort,
't|trap-filter=s'=>\$trapFilter,
'l|master-trap-target=s'=>\$masterTrapTarget,
'c|no-community'=>\$::DONT_KEEP_V1V2C_USERS,
'r|no-trap'=>\$::DONT_KEEP_TRAP_DESTS,
'm|no-usmuser'=>\$::DONT_KEEP_V3_USERS,
'n|dry-run'=>\$::DRY_RUN,
'V|version'=>\$version,
'help|?'=>\$help);
if (! $result) {
print STDERR "An unrecognized option was present.\n";
help();
}
if ($version) {
version();
}
# no interactive mode
$::AUTOMATED = 1;
$::KEEP_MASF_GROUPS = 0;
$::KEEP_SMA_GROUPS = 0;
if ($selectCommunity eq 'agent') {
$::KEEP_MASF_GROUPS = 1;
} elsif ($selectCommunity eq 'master') {
$::KEEP_SMA_GROUPS = 1;
} elsif ($selectCommunity ne 'error') {
print STDERR "Invalid --select-community option $selectCommunity".
" specified.\n";
help();
}
$::KEEP_MASF_USM_USERS = 0;
$::KEEP_SMA_USM_USERS = 0;
if ($selectUser eq 'agent') {
$::KEEP_MASF_USM_USERS = 1;
} elsif ($selectUser eq 'master') {
$::KEEP_SMA_USM_USERS = 1;
} elsif ($selectUser ne 'error') {
print STDERR "Invalid --select-user option $selectUser".
" specified.\n";
help();
}
$::USE_MASF_PORT = 0;
$::DISABLE_MASF_PORT = 0;
if ($useAgentPort eq 'enable') {
$::USE_MASF_PORT = 1;
} elsif ($useAgentPort eq 'disable') {
$::DISABLE_MASF_PORT = 1;
} elsif ($useAgentPort ne 'error') {
print STDERR "Invalid --use-agent-port option $useAgentPort specified\n";
help();
}
if ($trapFilter eq 'none') {
$::NO_TRAP_FILTERS = 1;
} elsif ($trapFilter eq 'add') {
$::NO_TRAP_FILTERS = 0;
} else {
print STDERR "Invalid --trap-filter option $trapFilter\n";
help();
}
$::EXTEND_SMA_FILTERS = 0;
$::KEEP_SNMP_TARGET_PARAMS = 0;
if (defined $masterTrapTarget) {
if ($trapFilter eq 'none') {
print STDERR "--master-trap-target cannot be used with --trap-filter=none\n";
help();
}
if ($masterTrapTarget eq 'agent') {
$::EXTEND_SMA_FILTERS = 1;
} elsif ($masterTrapTarget eq 'master') {
$::KEEP_SNMP_TARGET_PARAMS = 1;
$::EXTEND_SMA_FILTERS = 1;
} else {
print STDERR "Invalid --master-trap-target option $masterTrapTarget specified.\n";
help();
}
}
if ($help) {
help();
}
# set the umask before writing to the log file
set_umask();
log_message "masfcnv ".localtime()."\n\n";
are_we_root();
stop_sma_running();
stop_masf_running();
@::MASF_CONFIG_FILES = ("/etc/opt/SUNWmasf/conf/snmpd.conf");
$::MASF_PERSISTENT_FILE = "/var/opt/SUNWmasf/snmpd.dat";
$::MASF_PERSISTENT_DIR = "/var/opt/SUNWmasf";
@::SMA_CONFIG_FILES = ("/usr/lib/net-snmp/snmpd.conf");
$::SMA_PERSISTENT_FILE = "/var/net-snmp/snmpd.conf";
$::SMA_PERSISTENT_DIR = "/var/net-snmp";
sma_config_sanity_check();
masf_config_sanity_check();
read_config_files();
sanity_check_config_files();
add_metadata();
install_agentx_config();
process_agentaddress();
convert_rwcommunities();
expand_rocommunities(\%::MASF_CONFIGS, [$ENTITY_MIB_OID, $SUNPLAT_MIB_OID]);
expand_rocommunities(\%::SMA_CONFIGS, [$INTERNET_OID]);
convert_rwusers();
expand_rousers(\%::MASF_CONFIGS, [$ENTITY_MIB_OID, $SUNPLAT_MIB_OID]);
expand_rousers(\%::SMA_CONFIGS, [$INTERNET_OID]);
clean_group_membership();
if (! $::DONT_KEEP_V1V2C_USERS) {
uniquify_securityNames('masf');
process_com2sec();
} else {
remove_v1v2c_users();
}
uniquify_groupNames('masf');
check_usm_securityNames();
process_engineIDs();
if (! $::DONT_KEEP_V3_USERS) {
process_usm_securityNames();
} else {
remove_v3_users();
}
uniquify_viewNames('masf');
process_trapcommunity(\%::MASF_CONFIGS);
process_trapcommunity(\%::SMA_CONFIGS);
if ($::DONT_KEEP_TRAP_DESTS) {
remove_trap_destinations();
}
check_duplicate_trap_destinations();
if ($::NO_TRAP_FILTERS) {
# simplistic trap processing
# no further filtering
} else {
if ($::EXTEND_SMA_FILTERS) {
# "master"
# if the administrator selects EXTEND_SMA_FILTERS and
# KEEP_SNMP_TARGET_PARAMS is selected then: MASF trap destinations are
# migrated using existing SMA targetParams, targetAddrs, filterProfiles
# if possible. SMA trap destinations keep existing targetParams and
# have filterProfiles updated to INCLUDE MASF traps. Targets present in
# both SMA and MASF configs end up receiving all traps with SMA params.
# 1. Update SMA filterProfiles to include MASF traps
# 2. Expand existing MASF trapsinks to targetAddrs, params, and profiles
# identifying overlapping trap destinations and using them where
# appropriate
# "agent"
# if the administrator selects EXTEND_SMA_FILTERS and
# KEEP_SNMP_TARGET_PARAMS is not selected then: MASF trap destinations
# are migrated using MASF targetParams, targetAddrs, filterProfiles.
# All SMA trap destinations not in MASF use SMA params and have MASF
# traps INCLUDED. New params are created for targets present in both
# SMA and MASF which use tag specifically for MASF. Targets present in
# both SMA and MASF configs end up receiving all traps with MASF params.
# 1. Update SMA filterProfiles to include MASF traps
# 2. Expand existing MASF trapsinks to new targetAddrs, params,
# profiles, identifying overlapping trap destinations and profiles,
# transferring them to new SMA params and retain original profiles.
# selecting KEEP_SNMP_TARGET_PARAMS without EXTEND_SMA_FILTERS is not an
# option
extend_sma_trap_filters();
}
# "add"
# if the administrator selects neither option then: All MASF trap
# configurations are translated to new params, targetAddrs, filters which
# have ONLY MASF traps included in the profile. Targets present in both
# MASF and SMA may receive duplicate traps, depending upon the SMA filter
# profile.
# 1. Expand existing MASF trapsinks to new targetAddrs, params, profiles.
process_trapsinks();
}
check_system_configs();
check_agent_configs();
convert_metadata();
if (! $::DRY_RUN) {
backup_files();
remove_masf_persistent_file();
}
if ($::DRY_RUN) {
print "Contents of ".$::SMA_CONFIG_FILES[0]."\n";
print "\n";
*FH = *STDOUT;
} else {
open (FH, "> ".$::SMA_CONFIG_FILES[0]) || die "Couldn't open file ".$::SMA_CONFIG_FILES[0]." for writing.\n";
}
my ($l);
for $l (@{$::ADDED_CONFIGS{'prepend'}}) {
print_line (\*FH, $l);
}
dump_config(\*FH, $::SMA_PERSISTENT_FILE, \%::SMA_CONFIGS);
dump_config(\*FH, $::MASF_PERSISTENT_FILE, \%::MASF_CONFIGS);
for $l (@{$::ADDED_CONFIGS{'append'}}) {
print_line (\*FH, $l);
}
if ($::DRY_RUN) {
print "=======================\n";
print "Contents of ".$::SMA_PERSISTENT_FILE."\n";
print "=======================\n";
} else {
close FH;
open (FH, "> ".$::SMA_PERSISTENT_FILE) || die "Couldn't open file ".$::SMA_PERSISTENT_FILE." for writing.\n";
}
dump_persistent_storage(\*FH, $::SMA_PERSISTENT_FILE, \%::SMA_CONFIGS);
dump_persistent_storage(\*FH, $::MASF_PERSISTENT_FILE, \%::MASF_CONFIGS);
if (! $::DRY_RUN) {
close FH;
install_template_config_file();
install_new_wrapper_script();
}