mozilla-platform-ops · aerickson · Mar 12, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/.kitchen_configs/kitchen.docker.yml b/.kitchen_configs/kitchen.docker.yml
@@ -37,6 +37,8 @@ provisioner:
   hiera_deep_merge: true
   hiera_writer_files:
     - secrets/vault.yaml:
+        snmpd:
+          ro_community: aaaa
         telegraf:
           user: telegraf
           password: telegraf4fun

diff --git a/.kitchen_configs/kitchen.windows.yml b/.kitchen_configs/kitchen.windows.yml
@@ -34,7 +34,11 @@ platforms:
       location: 'East US 2'
       machine_size: 'Standard_F8s_v2'
       image_urn: MicrosoftWindowsDesktop:windows-11:win11-24h2-avd:latest
-      azure_resource_group_name: ronin-puppet-test-kitchen
+      # Each platform has a unique resource group name to prevent collisions when
+      # CI jobs run in parallel. kitchen-azurerm appends a timestamp to this name,
+      # so two jobs sharing the same base name that start within the same second
+      # will land in the same resource group and conflict on the public IP resource.
+      azure_resource_group_name: ronin-puppet-test-kitchen-win11-64-24h2
       use_ephemeral_osdisk: true
       deployment_timeout_in_minutes: 30
       username: kitchenadmin
@@ -56,7 +60,7 @@ platforms:
       location: 'East US 2'
       machine_size: 'Standard_F8s_v2'
       image_urn: MicrosoftWindowsDesktop:windows-11:win11-25h2-avd:latest
-      azure_resource_group_name: ronin-puppet-test-kitchen
+      azure_resource_group_name: ronin-puppet-test-kitchen-win11-64-25h2
       use_ephemeral_osdisk: true
       deployment_timeout_in_minutes: 30
       username: kitchenadmin
@@ -78,7 +82,7 @@ platforms:
       location: 'East US 2'
       machine_size: 'Standard_E8pds_v5'
       image_urn: MicrosoftWindowsDesktop:windows11preview-arm64:win11-25h2-ent:latest
-      azure_resource_group_name: ronin-puppet-test-kitchen
+      azure_resource_group_name: ronin-puppet-test-kitchen-win11-a64-25h2-builder
       use_ephemeral_osdisk: true
       deployment_timeout_in_minutes: 30
       username: kitchenadmin
@@ -100,7 +104,7 @@ platforms:
       location: 'East US 2'
       machine_size: 'Standard_E8pds_v5'
       image_urn: MicrosoftWindowsDesktop:windows11preview-arm64:win11-25h2-ent:latest
-      azure_resource_group_name: ronin-puppet-test-kitchen
+      azure_resource_group_name: ronin-puppet-test-kitchen-win11-a64-25h2-tester
       use_ephemeral_osdisk: true
       deployment_timeout_in_minutes: 30
       username: kitchenadmin

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 exclude: '^r10k_modules/'
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v5.0.0
+  rev: v6.0.0
   hooks:
   - id: check-executables-have-shebangs
   - id: check-json

diff --git a/modules/linux_packages/manifests/snmpd.pp b/modules/linux_packages/manifests/snmpd.pp
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+class linux_packages::snmpd {
+  case $facts['os']['name'] {
+    'Ubuntu': {
+      case $facts['os']['release']['full'] {
+        '18.04', '22.04', '24.04': {
+          package {
+            'snmpd':
+              ensure => present;
+          }
+        }
+        default: {
+          fail("Ubuntu ${facts['os']['release']['full']} is not supported")
+        }
+      }
+    }
+    default: {
+      fail("${facts['os']['name']} is not supported")
+    }
+  }
+}
diff --git a/modules/linux_snmpd/manifests/init.pp b/modules/linux_snmpd/manifests/init.pp
@@ -0,0 +1,62 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Example usage (disabled, via hiera):
+#   snmpd::enabled: false
+
+class linux_snmpd {
+  $enabled = lookup('snmpd.enabled', { default_value => true })
+
+  if $enabled {
+    case $facts['os']['name'] {
+      'Ubuntu': {
+        case $facts['os']['release']['full'] {
+          '18.04', '22.04', '24.04': {
+            # load in secrets from vault/hiera
+            $snmpd_ro_secret = lookup('snmpd.ro_community', { default_value => undef })
+
+            # only do this block if secret is set
+            if $snmpd_ro_secret and $snmpd_ro_secret != '' {
+              # include vs require? still need to do ordering...
+              include linux_packages::snmpd
+
+              service { 'snmpd':
+                ensure  => running,
+                enable  => true,
+                require => Class['linux_packages::snmpd'];
+              }
+
+              # deliver our config (require linux_packages::snmpd)
+              #   /etc/snmp/snmpd.conf
+              file {
+                default: * => $shared::file_defaults;
+
+                '/etc/snmp/snmpd.conf':
+                  ensure  => file,
+                  content => template('linux_snmpd/snmpd.conf.erb'),
+                  mode    => '0644',
+                  notify  => Service['snmpd'];
+              }
+            }
+            else {
+              notice('snmpd_ro_community is not set, skipping snmpd configuration')
+            }
+          }
+          default: {
+            fail("Ubuntu ${facts['os']['release']['full']} is not supported")
+          }
+        }
+      }
+      default: {
+        fail("${facts['os']['name']} is not supported")
+      }
+    }
+  }
+  else {
+    service { 'snmpd':
+      ensure => stopped,
+      enable => false,
+    }
+  }
+}
diff --git a/modules/linux_snmpd/templates/snmpd.conf.erb b/modules/linux_snmpd/templates/snmpd.conf.erb
@@ -0,0 +1,12 @@
+# mozilla relops snmpd.conf template
+# v1.0 - 2026-02-18
+
+agentAddress udp:161
+
+sysLocation    "MDC1"
+sysContact     "relops@mozilla.com"
+
+# create 'all' view and include all of .1
+view   all         included   .1
+# set a SNMPv1/v2c read-only community (default source) and tie to 'all' view
+rocommunity <%= @snmpd_ro_secret %> default -V all
diff --git a/modules/puppet/templates/puppet-ubuntu-run-puppet.sh.erb b/modules/puppet/templates/puppet-ubuntu-run-puppet.sh.erb
@@ -217,6 +217,13 @@ function run_puppet {
 
 
 # Main script starts here
+
+# Ensure we are running as root
+if [ "$(id -u)" -ne 0 ]; then
+    echo "ERROR: This script must be run as root (current user: $(id -un))." >&2
+    exit 1
+fi
+
 PUPPET_REPO="${PUPPET_REPO:-<%= @puppet_repo -%>}"
 PUPPET_BRANCH="${PUPPET_BRANCH:-<%= @puppet_branch -%>}"
 PUPPET_MAIL="${PUPPET_MAIL:-<%= @puppet_notify_email %>}"

diff --git a/modules/roles_profiles/manifests/profiles/linux_base.pp b/modules/roles_profiles/manifests/profiles/linux_base.pp
@@ -25,6 +25,9 @@
       # fix for ubuntu packaging bug
       require linux_packages::testresources
 
+      # should be requires above, but fight that battle another day
+      include linux_snmpd
+
       # TODO:
       # - add auditd
       # - add sending of logs to log aggregator/relay

diff --git a/test/integration/linux-perf/inspec/snmpd_spec.rb b/test/integration/linux-perf/inspec/snmpd_spec.rb
@@ -0,0 +1,21 @@
+# ensure package is installed
+describe package('snmpd') do
+    it { should be_installed }
+end
+
+describe service('snmpd') do
+    it { should be_running }
+    it { should be_enabled }
+end
+
+# check our templating worked
+describe file('/etc/snmp/snmpd.conf') do
+    it { should exist }
+    # TODO: don't check community secret (so it could work on prod hosts)
+    its(:content) { should match /rocommunity aaaa/ }
+
+    # check that our template is in place (and not the default)
+    its(:content) { should match /# mozilla relops snmpd.conf template/ }
+    # check that RO community is enabled
+    its(:content) { should match /^rocommunity/ }
+end