Split config of auth and modules

Allow configuration of auth/version parameters separately from the walk
and metrics in the generator and exporter configuration.
* Simplify startup with `ReloadConfig()`
* Make sure to init metrics on config reload.

Fixes: #619

Signed-off-by: SuperQ <superq@gmail.com>

README.md

@@ -4,7 +4,11 @@ This exporter is the recommended way to expose SNMP data in a format which
 Prometheus can ingest.
 
 To simply get started, it's recommended to use the `if_mib` module with
-switches, access points, or routers.
+switches, access points, or routers using the `public_v2` auth module,
+which should be a read-only access community on the target device.
+
+Note, community strings in SNMP are not considered secrets, as they are sent
+unencrypted in SNMP v1 and v2c. For secure acces, SNMP v3 is required.
 
 # Concepts
 
@@ -68,9 +72,9 @@ Start `snmp_exporter` as a daemon or from CLI:
 ./snmp_exporter
 ```
 
-Visit http://localhost:9116/snmp?module=if_mib&target=1.2.3.4 where `1.2.3.4` is the IP or
-FQDN of the SNMP device to get metrics from and `if_mib` is the default module, defined
-in `snmp.yml`.
+Visit [http://localhost:9116/snmp?auth=public_v2&module=if_mib&target=1.2.3.4] where `1.2.3.4` is the IP or
+FQDN of the SNMP device to get metrics from. Also note the use of default auth (`public_v2`) and
+default module (`if_mib`). The auth and module must be defined in the `snmp.yml`.
 
 ## Configuration
 
@@ -83,7 +87,7 @@ using SNMP v2 GETBULK.
 
 ## Prometheus Configuration
 
-`target` and `module` can be passed as a parameter through relabelling.
+The URL parmas `target`, `auth`, and `module` can be controlled through relabelling.
 
 Example config:
 ```YAML
@@ -95,6 +99,7 @@ scrape_configs:
         - switch.local # SNMP device.
     metrics_path: /snmp
     params:
+      auth: [public_v2]
       module: [if_mib]
     relabel_configs:
       - source_labels: [__address__]

collector/collector.go

@@ -116,19 +116,19 @@ type ScrapeResults struct {
 	retries uint64
 }
 
-func ScrapeTarget(ctx context.Context, target string, config *config.Module, logger log.Logger) (ScrapeResults, error) {
+func ScrapeTarget(ctx context.Context, target string, auth *config.Auth, module *config.Module, logger log.Logger) (ScrapeResults, error) {
 	results := ScrapeResults{}
 	// Set the options.
 	snmp := gosnmp.GoSNMP{}
 	snmp.Context = ctx
-	snmp.MaxRepetitions = config.WalkParams.MaxRepetitions
-	snmp.Retries = *config.WalkParams.Retries
-	snmp.Timeout = config.WalkParams.Timeout
-	snmp.UseUnconnectedUDPSocket = config.WalkParams.UseUnconnectedUDPSocket
+	snmp.MaxRepetitions = module.WalkParams.MaxRepetitions
+	snmp.Retries = *module.WalkParams.Retries
+	snmp.Timeout = module.WalkParams.Timeout
+	snmp.UseUnconnectedUDPSocket = module.WalkParams.UseUnconnectedUDPSocket
 	snmp.LocalAddr = *srcAddress
 
 	// Allow a set of OIDs that aren't in a strictly increasing order
-	if config.WalkParams.AllowNonIncreasingOIDs {
+	if module.WalkParams.AllowNonIncreasingOIDs {
 		snmp.AppOpts = make(map[string]interface{})
 		snmp.AppOpts["c"] = true
 	}
@@ -159,7 +159,7 @@ func ScrapeTarget(ctx context.Context, target string, config *config.Module, log
 	}
 
 	// Configure auth.
-	config.WalkParams.ConfigureSNMP(&snmp)
+	auth.ConfigureSNMP(&snmp)
 
 	// Do the actual walk.
 	err := snmp.Connect()
@@ -172,9 +172,9 @@ func ScrapeTarget(ctx context.Context, target string, config *config.Module, log
 	defer snmp.Conn.Close()
 
 	// Evaluate rules.
-	newGet := config.Get
-	newWalk := config.Walk
-	for _, filter := range config.Filters {
+	newGet := module.Get
+	newWalk := module.Walk
+	for _, filter := range module.Filters {
 		var pdus []gosnmp.SnmpPDU
 		allowedList := []string{}
 
@@ -204,7 +204,7 @@ func ScrapeTarget(ctx context.Context, target string, config *config.Module, log
 	}
 
 	getOids := newGet
-	maxOids := int(config.WalkParams.MaxRepetitions)
+	maxOids := int(module.WalkParams.MaxRepetitions)
 	// Max Repetition can be 0, maxOids cannot. SNMPv1 can only report one OID error per call.
 	if maxOids == 0 || snmp.Version == gosnmp.Version1 {
 		maxOids = 1
@@ -365,12 +365,13 @@ func buildMetricTree(metrics []*config.Metric) *MetricNode {
 type collector struct {
 	ctx    context.Context
 	target string
+	auth   *config.Auth
 	module *config.Module
 	logger log.Logger
 }
 
-func New(ctx context.Context, target string, module *config.Module, logger log.Logger) *collector {
-	return &collector{ctx: ctx, target: target, module: module, logger: logger}
+func New(ctx context.Context, target string, auth *config.Auth, module *config.Module, logger log.Logger) *collector {
+	return &collector{ctx: ctx, target: target, auth: auth, module: module, logger: logger}
 }
 
 // Describe implements Prometheus.Collector.
@@ -381,7 +382,7 @@ func (c collector) Describe(ch chan<- *prometheus.Desc) {
 // Collect implements Prometheus.Collector.
 func (c collector) Collect(ch chan<- prometheus.Metric) {
 	start := time.Now()
-	results, err := ScrapeTarget(c.ctx, c.target, c.module, c.logger)
+	results, err := ScrapeTarget(c.ctx, c.target, c.auth, c.module, c.logger)
 	if err != nil {
 		level.Info(c.logger).Log("msg", "Error scraping target", "err", err)
 		ch <- prometheus.NewInvalidMetric(prometheus.NewDesc("snmp_error", "Error scraping target", nil, nil), err)

config/config.go

@@ -44,13 +44,12 @@ var (
 		SecurityLevel: "noAuthNoPriv",
 		AuthProtocol:  "MD5",
 		PrivProtocol:  "DES",
+		Version:       2,
 	}
 	DefaultWalkParams = WalkParams{
-		Version:                 2,
 		MaxRepetitions:          25,
 		Retries:                 &defaultRetries,
 		Timeout:                 time.Second * 5,
-		Auth:                    DefaultAuth,
 		UseUnconnectedUDPSocket: false,
 		AllowNonIncreasingOIDs:  false,
 	}
@@ -63,14 +62,15 @@ var (
 )
 
 // Config for the snmp_exporter.
-type Config map[string]*Module
+type Config struct {
+	Auths   map[string]*Auth   `yaml:"auths",omitempty"`
+	Modules map[string]*Module `yaml:"modules",omitempty"`
+}
 
 type WalkParams struct {
-	Version                 int           `yaml:"version,omitempty"`
 	MaxRepetitions          uint32        `yaml:"max_repetitions,omitempty"`
 	Retries                 *int          `yaml:"retries,omitempty"`
 	Timeout                 time.Duration `yaml:"timeout,omitempty"`
-	Auth                    Auth          `yaml:"auth,omitempty"`
 	UseUnconnectedUDPSocket bool          `yaml:"use_unconnected_udp_socket,omitempty"`
 	AllowNonIncreasingOIDs  bool          `yaml:"allow_nonincreasing_oids,omitempty"`
 }
@@ -90,43 +90,11 @@ func (c *Module) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	if err := unmarshal((*plain)(c)); err != nil {
 		return err
 	}
-
-	wp := c.WalkParams
-
-	if wp.Version < 1 || wp.Version > 3 {
-		return fmt.Errorf("SNMP version must be 1, 2 or 3. Got: %d", wp.Version)
-	}
-	if wp.Version == 3 {
-		switch wp.Auth.SecurityLevel {
-		case "authPriv":
-			if wp.Auth.PrivPassword == "" {
-				return fmt.Errorf("priv password is missing, required for SNMPv3 with priv")
-			}
-			if wp.Auth.PrivProtocol != "DES" && wp.Auth.PrivProtocol != "AES" && wp.Auth.PrivProtocol != "AES192" && wp.Auth.PrivProtocol != "AES192C" && wp.Auth.PrivProtocol != "AES256" && wp.Auth.PrivProtocol != "AES256C" {
-				return fmt.Errorf("priv protocol must be DES or AES")
-			}
-			fallthrough
-		case "authNoPriv":
-			if wp.Auth.Password == "" {
-				return fmt.Errorf("auth password is missing, required for SNMPv3 with auth")
-			}
-			if wp.Auth.AuthProtocol != "MD5" && wp.Auth.AuthProtocol != "SHA" && wp.Auth.AuthProtocol != "SHA224" && wp.Auth.AuthProtocol != "SHA256" && wp.Auth.AuthProtocol != "SHA384" && wp.Auth.AuthProtocol != "SHA512" {
-				return fmt.Errorf("auth protocol must be SHA or MD5")
-			}
-			fallthrough
-		case "noAuthNoPriv":
-			if wp.Auth.Username == "" {
-				return fmt.Errorf("auth username is missing, required for SNMPv3")
-			}
-		default:
-			return fmt.Errorf("security level must be one of authPriv, authNoPriv or noAuthNoPriv")
-		}
-	}
 	return nil
 }
 
 // ConfigureSNMP sets the various version and auth settings.
-func (c WalkParams) ConfigureSNMP(g *gosnmp.GoSNMP) {
+func (c Auth) ConfigureSNMP(g *gosnmp.GoSNMP) {
 	switch c.Version {
 	case 1:
 		g.Version = gosnmp.Version1
@@ -135,16 +103,16 @@ func (c WalkParams) ConfigureSNMP(g *gosnmp.GoSNMP) {
 	case 3:
 		g.Version = gosnmp.Version3
 	}
-	g.Community = string(c.Auth.Community)
-	g.ContextName = c.Auth.ContextName
+	g.Community = string(c.Community)
+	g.ContextName = c.ContextName
 
 	// v3 security settings.
 	g.SecurityModel = gosnmp.UserSecurityModel
 	usm := &gosnmp.UsmSecurityParameters{
-		UserName: c.Auth.Username,
+		UserName: c.Username,
 	}
 	auth, priv := false, false
-	switch c.Auth.SecurityLevel {
+	switch c.SecurityLevel {
 	case "noAuthNoPriv":
 		g.MsgFlags = gosnmp.NoAuthNoPriv
 	case "authNoPriv":
@@ -156,8 +124,8 @@ func (c WalkParams) ConfigureSNMP(g *gosnmp.GoSNMP) {
 		priv = true
 	}
 	if auth {
-		usm.AuthenticationPassphrase = string(c.Auth.Password)
-		switch c.Auth.AuthProtocol {
+		usm.AuthenticationPassphrase = string(c.Password)
+		switch c.AuthProtocol {
 		case "SHA":
 			usm.AuthenticationProtocol = gosnmp.SHA
 		case "SHA224":
@@ -173,8 +141,8 @@ func (c WalkParams) ConfigureSNMP(g *gosnmp.GoSNMP) {
 		}
 	}
 	if priv {
-		usm.PrivacyPassphrase = string(c.Auth.PrivPassword)
-		switch c.Auth.PrivProtocol {
+		usm.PrivacyPassphrase = string(c.PrivPassword)
+		switch c.PrivProtocol {
 		case "DES":
 			usm.PrivacyProtocol = gosnmp.DES
 		case "AES":
@@ -261,6 +229,46 @@ type Auth struct {
 	PrivProtocol  string `yaml:"priv_protocol,omitempty"`
 	PrivPassword  Secret `yaml:"priv_password,omitempty"`
 	ContextName   string `yaml:"context_name,omitempty"`
+	Version       int    `yaml:"version,omitempty"`
+}
+
+func (c *Auth) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	*c = DefaultAuth
+	type plain Auth
+	if err := unmarshal((*plain)(c)); err != nil {
+		return err
+	}
+
+	if c.Version < 1 || c.Version > 3 {
+		return fmt.Errorf("SNMP version must be 1, 2 or 3. Got: %d", c.Version)
+	}
+	if c.Version == 3 {
+		switch c.SecurityLevel {
+		case "authPriv":
+			if c.PrivPassword == "" {
+				return fmt.Errorf("priv password is missing, required for SNMPv3 with priv")
+			}
+			if c.PrivProtocol != "DES" && c.PrivProtocol != "AES" && c.PrivProtocol != "AES192" && c.PrivProtocol != "AES192C" && c.PrivProtocol != "AES256" && c.PrivProtocol != "AES256C" {
+				return fmt.Errorf("priv protocol must be DES or AES")
+			}
+			fallthrough
+		case "authNoPriv":
+			if c.Password == "" {
+				return fmt.Errorf("auth password is missing, required for SNMPv3 with auth")
+			}
+			if c.AuthProtocol != "MD5" && c.AuthProtocol != "SHA" && c.AuthProtocol != "SHA224" && c.AuthProtocol != "SHA256" && c.AuthProtocol != "SHA384" && c.AuthProtocol != "SHA512" {
+				return fmt.Errorf("auth protocol must be SHA or MD5")
+			}
+			fallthrough
+		case "noAuthNoPriv":
+			if c.Username == "" {
+				return fmt.Errorf("auth username is missing, required for SNMPv3")
+			}
+		default:
+			return fmt.Errorf("security level must be one of authPriv, authNoPriv or noAuthNoPriv")
+		}
+	}
+	return nil
 }
 
 type RegexpExtract struct {