#!/bin/sh

#############################################################################

#

# bmc-snmp-proxy:	Set SNMP proxy to BMC (Baseboard Management Controller)

#

# version:	0.62

#

# Authors:	Charles Rose <charles_rose@dell.com>

#		Jordan Hargrave <jordan_hargrave@dell.com>

#

# Description:  Script to set snmp proxy to the BMC for certain OID

#		See here for details:

#		https://fedoraproject.org/wiki/Features/AgentFreeManagement

#

# Assumptions:  This script will work only when /etc/snmp/ is writable.

#

#############################################################################

# GLOBALS

#############################################################################

SYSCONF_DIR="/etc/sysconfig"

CONFIG="${SYSCONF_DIR}/bmc-snmp-proxy"

SNMPD_BMC_CONF_DIR="/etc/snmp/bmc"

SNMPD_BMC_CONF="${SNMPD_BMC_CONF_DIR}/snmpd.local.conf"

TRAPD_BMC_CONF="${SNMPD_BMC_CONF_DIR}/snmptrapd.local.conf"

TRAPD_CONF="/etc/snmp/snmptrapd.conf"

LOCKFILE="/var/lock/subsys/bmc-snmp-proxy"

BMC_INFO="/var/run/bmc-info"

IPMITOOL=`which ipmitool`

#Default config

BMC_COMMUNITY="public"

BMC_OID=".1.3.6.1.4.1.674.10892.2"  # Dell iDRAC

TRAP_FORWARD="no"

RELOAD_SERVICES="yes"

#############################################################################

#TODO: Use inotify and daemonize when $BMC_INFO changes

# source config

[ -r ${CONFIG} ] && . ${CONFIG}

. gettext.sh

SCRIPT_NAME=$(basename $0)

RETVAL=0

# Check if bmc-info created by exchange-bmc-os-info

bmc_info_exists()

{

	if [ -r "${BMC_INFO}" ]; then

		. ${BMC_INFO}

	else

		RETVAL=2

	fi

	return $RETVAL

}

check_snmp()

{

	if [ ! -d /etc/snmp ] || [ ! -x /usr/sbin/snmpd ]; then

		RETVAL=12

	fi

	return $RETVAL

}

#############################################################################

# configure SNMP proxy

#############################################################################

write_snmp_conf()

{

	# SNMPv3 security: bmcview, bmc_ctx, bmc_sec, bmc_grp, bmc_cmty

	printf "###############################################\n"

	printf "# Automatically created by %s #\n" "${SCRIPT_NAME}"

	printf "###############################################\n"

	printf "#view bmcview included %s 80\n" "${BMC_OID}"

	printf "#com2sec -Cn bmc_ctx bmc_sec default bmc_cmty\n"

	printf "#group bmc_grp v1 bmc_sec\n"

	printf "#access bmc_grp bmc_ctx any noauth exact bmcview none none\n"

	printf "#proxy -Cn bmc_ctx -v 1 %s\n" "${PROXY_TOKEN}"

	printf "proxy -v 1 %s\n" "${PROXY_TOKEN}"

	printf "###############################################\n"

}

valid_ip()

{

        #Thanks to mkyong.com

        octet="([01]?[[:digit:]][[:digit:]]?|2[0-4][[:digit:]]|25[0-5])"

        printf -- "%s" "${1}"| grep -Eq \

		"^${octet}\\.${octet}\\.${octet}\\.${octet}$"

        return $?

}

check_vars()

{

	[ -z ${BMC_COMMUNITY} ] && BMC_COMMUNITY="public"

	[ -z ${BMC_OID} ] && return 1

	if [ -n "${BMC_IPv4}" ] && valid_ip ${BMC_IPv4}; then

		return 0

	else

		return 1

	fi

}

set_snmp_proxy()

{

	if check_vars; then

		PROXY_TOKEN="-c ${BMC_COMMUNITY} ${BMC_IPv4} ${BMC_OID}"

		if [ -d ${SNMPD_BMC_CONF_DIR} ]; then

			write_snmp_conf > ${SNMPD_BMC_CONF} || RETVAL=4

		fi

	else

		RETVAL=3

	fi

}

set_snmpd_conf_path()

{

	if [ ! -d ${SNMPD_BMC_CONF_DIR} ]; then

		mkdir ${SNMPD_BMC_CONF_DIR} || RETVAL=7

	fi

	# We need SNMPCONFPATH set for both snmpd and snmptrapd

	for sysconf in ${SYSCONF_DIR}/snmp*d;

	do

		if ! grep -q "^SNMPCONFPATH.*${SNMPD_BMC_CONF_DIR}" \

			"${sysconf}" > /dev/null 2>&1; then

			printf "SNMPCONFPATH=/etc/snmp:%s\n" \

				"${SNMPD_BMC_CONF_DIR}" >> ${sysconf} || \

				RETVAL=7

		fi

	done

	return $RETVAL

}

disable_snmp_proxy()

{

	if [ -f ${SNMPD_BMC_CONF} ]; then

		rm -f ${SNMPD_BMC_CONF} || RETVAL=5

	fi

}

#############################################################################

# Trap Forwarding

#############################################################################

pick_alert_dest()

{

	test_ip="$1"

	# We have 4 IPv4 and 4 IPv6 alert dest. We will set IPv4 for now.

	for ALERT_DEST in `seq 1 4`

	do

		temp_ip=$(${IPMITOOL} lan alert print ${CHANNEL} ${ALERT_DEST}\

			2>/dev/null| sed -n "s#^Alert IP Address.*: ##p")

		[ "${temp_ip}" = "${test_ip}" ] && return 0

	done

	return 1

}

set_alert_dest_ip()

{

	${IPMITOOL} lan alert set ${CHANNEL} ${ALERT_DEST} ipaddr ${1} \

		retry 4 type pet >/dev/null 2>&1 || RETVAL=8

}

config_bmc_alert_dest()

{

	# call with enable|disable

	# Pick the first active LAN channel

        for CHANNEL in `seq 1 14`

        do

                [ $(${IPMITOOL} -I open channel info ${CHANNEL} 2>/dev/null \

                        | grep -q "802\.3") ] || break

        done

	# If TRAPD_IP is already set as an alert dest,

	if pick_alert_dest "${TRAPD_IP}"; then

		# disable: reset it if we are called with disable

		[ "${1}" = "disable" ] && \

			set_alert_dest_ip "0.0.0.0"

	# else, find the next free alert dest,

	elif pick_alert_dest "0.0.0.0"; then

		[ "${1}" = "disable" ] && \

			return $RETVAL

		# set: the TRAPD_IP

		set_alert_dest_ip "${TRAPD_IP}"

	else

		# No free alert destinations

		RETVAL=9

	fi

	return $RETVAL

}

set_ipmi_pef()

{

	# Needs ipmitool-1.8.13 + patches

	${IPMITOOL} pef policy set ${ALERT_DEST} "${1}" >/dev/null 2>&1 || \

		RETVAL=10

}

get_host_ip()

{

	# Get host's IP that the BMC can reach. This is at best a hack.

	IFACE=$(/usr/sbin/ip -o -f inet address |awk '!/: lo/ {print $2}')

	for dev in ${IFACE}

	do

		temp_ping=$(ping -c 1 -I ${dev} ${BMC_IPv4})

		[ $? -ne 0 ] && continue

		printf -- "%s" "$temp_ping"| awk 'NR==1{print $5}' && break

	done

}

config_bmc_alert()

{

	# Do two things

	# Set/Reset TRAP IP in BMC

	# Enable/Disable PEF alerting in BMC for TRAP

	# Get Host's IP that the BMC can send traps to

	TRAPD_IP=$(get_host_ip)

	# Set Host's IP as the alert destination in the BMC

	valid_ip ${TRAPD_IP} && config_bmc_alert_dest "${ACTION}"

	# Enable/Disable alerting on the LAN channel

	[ $RETVAL -eq 0 ] && set_ipmi_pef "${ACTION}"

	return $RETVAL

}

write_trapd_conf()

{

	printf "###############################################\n"

	printf "# Automatically created by %s #\n" "${SCRIPT_NAME}"

	printf "forward default %s\n" "${FORWARD_HOST}"

	printf "###############################################\n"

}

config_trapd()

{

	# Proceed only if snmptrapd is available on the system

	if [ -f ${TRAPD_CONF} ]; then

		write_trapd_conf > ${TRAPD_BMC_CONF} || RETVAL=11

	else

		RETVAL=11

	fi

}

trap_sink_exists()

{

	# TODO: We only set the first match. We should be able to set

	# multiple

	FORWARD_HOST=$(awk '/^trap.*sink/{print $2}; /^informsink/{print $2}' \

			/etc/snmp/snmpd*conf | head -1)

	if [ -z "${FORWARD_HOST}" ]; then

		# there is no trapsink setup.

		return 1

	else

		return 0

	fi

}

# Forward SNMP traps from the BMC to trapsink.

trap_forward()

{

	NO_TRAP=0

	ACTION=${1} # enable or disable

	if [ "${ACTION}" = "enable" ]; then

		# Get trapd config,

		if trap_sink_exists; then

			config_bmc_alert && config_trapd

		else

			# exit silently if there is no sink

			NO_TRAP=1

		fi

	else

		if [ -f ${TRAPD_BMC_CONF} ]; then

			rm -f ${TRAPD_BMC_CONF} >/dev/null 2>&1

			config_bmc_alert

		else

			NO_TRAP=1

		fi

	fi

}

#############################################################################

service_reload()

{

	#TODO: do this in systemd

	if [ ${RETVAL} -eq 0 ] && [ "${RELOAD_SERVICES}" = "yes" ]; then

		service $1 reload

		[ $? -ne 0 ] && RETVAL=6

	fi

}

#############################################################################

start()

{

	if bmc_info_exists && check_snmp; then

		touch ${LOCKFILE}

		set_snmpd_conf_path && set_snmp_proxy

		[ $RETVAL -eq 0 ] && service_reload snmpd

		if [ "${TRAP_FORWARD}" = "yes" ]; then

			trap_forward "enable"

			[ $RETVAL -eq 0 ] && [ $NO_TRAP -eq 0 ] && \

				service_reload snmptrapd

		fi

	fi

}

#############################################################################

stop()

{

	[ ! -f ${LOCKFILE} ] && return

	if bmc_info_exists && check_snmp; then

		disable_snmp_proxy

		[ $RETVAL -eq 0 ] && service_reload snmpd

		if [ "${TRAP_FORWARD}" = "yes" ]; then

			trap_forward "disable"

			[ $RETVAL -eq 0 ] && [ $NO_TRAP -eq 0 ] && \

				service_reload snmptrapd

		fi

		rm -f ${LOCKFILE}

	fi

}

#############################################################################

status()

{

	eval_gettext "${SCRIPT_NAME}: snmp proxy to BMC is "

	# Checking for lockfile is better.

	#if grep -q "^proxy" "${SNMPD_BMC_CONF}" > /dev/null 2>&1 ; then

	if [ -f ${LOCKFILE} ]; then

		eval_gettext "set"

	else

		eval_gettext "not set"

	fi

	echo

	RETVAL=0

}

#############################################################################

usage()

{

	eval_gettext "Usage: $0 {start|stop|status}"; echo 1>&2

	RETVAL=1

}

#############################################################################

# MAIN

#############################################################################

case "$1" in

	start) start ;;

	stop)  stop ;;

	status)	status ;;

	*) usage ;;

esac

case "$RETVAL" in

	0|1) ;;

	2) eval_gettext "${SCRIPT_NAME}: failed to read ${BMC_INFO} " 1>&2 ;;

	3) eval_gettext "${SCRIPT_NAME}: failed to get proxy config." 1>&2 ;;

	4) eval_gettext "${SCRIPT_NAME}: failed to set ${SNMPD_BMC_CONF}." 1>&2 ;;

	5) eval_gettext "${SCRIPT_NAME}: failed to disable snmp proxy." 1>&2 ;;

	6) eval_gettext "${SCRIPT_NAME}: failed to reload snmpd." 1>&2 ;;

	7) eval_gettext "${SCRIPT_NAME}: failed to set snmpd config." 1>&2 ;;

	8) eval_gettext "${SCRIPT_NAME}: failed to set IPMI alert dest." 1>&2 ;;

	9) eval_gettext "${SCRIPT_NAME}: no free IPMI alert dest." 1>&2 ;;

	10) eval_gettext "${SCRIPT_NAME}: failed to set IPMI PEF." 1>&2 ;;

	11) eval_gettext "${SCRIPT_NAME}: failed to write snmptrapd.conf." 1>&2 ;;

	12) eval_gettext "${SCRIPT_NAME}: snmpd not found." 1>&2 ;;

	*) eval_gettext "${SCRIPT_NAME}: unknown error." 1>&2 ;;

esac

if [ ${RETVAL} -gt 1 ]; then

        eval_gettext " Return code: ${RETVAL}"; echo

fi

exit ${RETVAL}

#############################################################################

# end of file

#############################################################################