

Dev cli sessions (sonic-net#17623)
sonic-net/SONiC#1367

Why I did it
Give ability to:
1. configure limit for active login sessions.
2. configure ssh-server / serial console autologout timeout
3. configure sysrq-capabilities (enable / disable)

Work item tracking
Microsoft ADO (number only):

How I did it
Add a new service that is responsible for serial configuration;
Update existing flows for extended ssh-server configurations in hostcfgd;
Add YANG model to support new configuration.

How to verify it
Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog
Link to config_db schema for YANG module changes
[ssh_server](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#ssh_server)
[serial_console](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#serial_console)
i-davydenko authored and Aidan Gallagher committed Nov 16, 2024
1 parent 6a3b0a7 commit dffc661
Showing 14 changed files with 220 additions and 5 deletions.
7 changes: 7 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
Expand Up @@ -431,6 +431,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy DNS templates
sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/

# Copy cli-sessions config files
sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/
sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE

# Copy warmboot-finalizer files
sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh
sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
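Review bot: The cli-sessions copies on lines 46-49 use plain `sudo cp` and install `serial-config.sh` to `/usr/bin/`, while the neighbouring warmboot-finalizer lines use `sudo LANG=C cp` and put their script under `/usr/local/bin/`, so the template now follows two conventions for the same kind of file. If the rest of the template is the reference, `sudo LANG=C cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/local/bin/serial-config.sh` (with the matching `ExecStart` path in serial-config.service) keeps them aligned. cp copies the source mode rather than adding an execute bit, so the unit can only start if the script is committed with mode 0755 — that is not visible here and worth confirming.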
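--- a/files/image_config/cli_sessions/serial-config.service
+++ b/files/image_config/cli_sessions/serial-config.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Update serial console config
+Requires=sonic.target
+After=sonic.target
+Before=getty-pre.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/serial-config.sh
+
+[Install]
+WantedBy=sonic.target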
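--- a/files/image_config/cli_sessions/serial-config.sh
+++ b/files/image_config/cli_sessions/serial-config.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate conf file for sysrq capabilities.
+sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
+
+SYSRQ_CONF=0
+# update sysrq for current boot.
+sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
+if [ ${sysrq_conf} = "enabled" ]; then
+SYSRQ_CONF=1
+fi
+sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
+
+# generate env file for profile.d to set auto-logout timeout for serial consoles.
+sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh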
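Review bot: `sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq` on line 86 applies sudo to echo only; the redirection is opened by the calling shell, so the line works solely because the unit already runs as root and the sudo is misleading. The same value is computed twice — once by the template on line 78 and once by the HGET/if block — and the unquoted `[ ${sysrq_conf} = "enabled" ]` prints `unary operator expected` whenever the key is absent, which is the default case. Replacing lines 80-86 with `sysctl -q -p /etc/sysctl.d/95-sysrq-sysctl.conf` applies the file just written and leaves one source of truth; adding `set -e` after the shebang makes a failed sonic-cfggen run fail the unit instead of continuing with an empty profile.d file and therefore no TMOUT. Keep in mind that the template maps `enabled` to `kernel.sysrq=1`, which allows every SysRq function from the console, so the `disabled` default is the right fail-safe.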
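--- a/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
+++ b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
@@ -0,0 +1,10 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by serial-config.sh
+###############################################################################
+{% set sysrq = 0 %}
+{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_policies.sysrq_capabilities == 'enabled' %}
+{% set sysrq = 1 %}
+{% endif %}
+kernel.sysrq={{ sysrq }}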
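Review bot: The header on lines 93-96 says who controls the file but not what the value means; since `enabled` renders as `kernel.sysrq=1`, which permits every SysRq function from the console, a line such as `# 1 = all SysRq functions allowed, 0 = SysRq disabled (SERIAL_CONSOLE|POLICIES sysrq_capabilities)` would tell an operator reading the generated file what they are looking at. Whitespace control is applied only on line 98 (`-%}`), so the tags on lines 97 and 99-101 each leave a blank line in the rendered output; using `{%- … -%}` on all of them, or on none, keeps the generated file tidy.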
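--- a/files/image_config/cli_sessions/tmout-env.sh.j2
+++ b/files/image_config/cli_sessions/tmout-env.sh.j2
@@ -0,0 +1,11 @@
+{# Default timeout (15 min) #}
+{% set inactivity_timeout_sec = 900 %}
+
+{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
+{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
+{% endif %}
+
+{# apply only for serial tty #}
+tty | grep -q tty && \
+export TMOUT={{ inactivity_timeout_sec }}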
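Review bot: `tty | grep -q tty` on line 115 also matches the literal `not a tty` that `tty` prints when there is no controlling terminal, so TMOUT is exported in non-interactive login shells as well as on serial consoles; anchoring on the device path, `tty | grep -q '^/dev/tty' && \`, limits it to real terminals while ssh sessions (`/dev/pts/*`) stay excluded as intended. Because TMOUT is only exported, a user can `unset TMOUT` in the session; if the timeout is meant as an enforced policy rather than a default, follow the export with `readonly TMOUT`. The guard on line 110 tests the truthiness of `serial_pol.inactivity_timeout` before converting it, which works for the string `"0"` that CONFIG_DB stores but would fall back to the 900-second default if an integer 0 ever reached the template (the yang sample data uses integers); `serial_pol.inactivity_timeout is defined and serial_pol.inactivity_timeout | int >= 0` avoids that dependency.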
25 changes: 23 additions & 2 deletions src/sonic-yang-models/doc/Configuration.md
Expand Up @@ -2694,20 +2694,41 @@ There are 4 classes
}
```
### SERIAL_CONSOLE
In this table collected configuration of the next serial-console attributes:
- inactivity_timeout - Inactivity timeout for serial-console session, allowed values: 0-35000 (minutes), default value: 15
- sysrq_capabilities - Enabling or disabling SysRq functionality for serial-console session, allowed values: enabled/disabled, default value disabled
```
{
SERIAL_CONSOLE:{
"POLICIES":{
"inactivity_timeout": 15
"sysrq_capabilities": "disabled"
}
}
}
```
### SSH_SERVER
In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations:
In this table, we allow configuring ssh server global settings. This will feature includes 5 configurations:
- authentication_retries - number of login attepmts 1-100
- login_timeout - Timeout in seconds for login session for user to connect 1-600
- ports - Ssh port numbers - string of port numbers seperated by ','
- inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min)
- max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0
```
{
"SSH_SERVER": {
"POLICIES":{
"authentication_retries": "6",
"login_timeout": "120",
"ports": "22"
"ports": "22",
"inactivity_timeout": "15",
"max_sessions": "0"
}
}
}
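--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -204,6 +204,7 @@ def run(self):
 './yang-models/sonic-macsec.yang',
 './yang-models/sonic-bgp-sentinel.yang',
 './yang-models/sonic-bmp.yang',
+'./yang-models/sonic-serial-console.yang',
 './yang-models/sonic-smart-switch.yang',]),
 ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
 './cvlyang-models/sonic-banner.yang',
@@ -247,6 +248,7 @@ def run(self):
 './cvlyang-models/sonic-nat.yang',
 './cvlyang-models/sonic-nvgre-tunnel.yang',
 './cvlyang-models/sonic-pbh.yang',
+'./cvlyang-models/sonic-ssh-server.yang',
 './cvlyang-models/sonic-policer.yang',
 './cvlyang-models/sonic-port.yang',
 './cvlyang-models/sonic-portchannel.yang',
@@ -282,6 +284,7 @@ def run(self):
 './cvlyang-models/sonic-system-port.yang',
 './cvlyang-models/sonic-macsec.yang',
 './cvlyang-models/sonic-bmp.yang',
+'./cvlyang-models/sonic-serial-console.yang',
 './cvlyang-models/sonic-bgp-sentinel.yang']),
 ],
 zip_safe=False,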
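Review bot: `'./cvlyang-models/sonic-ssh-server.yang'` on line 172 is inserted between `sonic-pbh` and `sonic-policer`, which breaks the alphabetical order that stretch of the list follows; it belongs with the other `sonic-s…` entries further down. The two `sonic-serial-console.yang` additions (lines 164 and 180) are appended after `sonic-bmp.yang` in lists that are not sorted there, so only the ssh-server entry stands out. The enclosing `run` method starts above the first hunk and ends below the last.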
11 changes: 10 additions & 1 deletion src/sonic-yang-models/tests/files/sample_config_db.json
Expand Up @@ -2448,7 +2448,16 @@
"POLICIES":{
"authentication_retries": "6",
"login_timeout": "120",
"ports": "22"
"ports": "22",
"inactivity_timeout": "15",
"max_sessions": "0"
}
},

"SERIAL_CONSOLE": {
"POLICIES":{
"inactivity_timeout": "15",
"sysrq_capabilities": "disabled"
}
},

@@ -0,0 +1,13 @@
{
"SERIAL_CONSOLE": {
"desc": "SERIAL_CONSOLE configuration in the Config DB table."
},
"SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
"desc": "SERIAL_CONSOLE attribute 'inactivity_timeout' set to invalid value (out of allowed range of [0, 35000] minutes).",
"eStr": "does not satisfy the constraint \"0..35000\""
},
"SERIAL_CONSOLE_INVALID_SYSRQ" : {
"desc": "SERIAL_CONSOLE attribute 'sysrq' set to invalid value",
"eStr": "Invalid value"
}
}
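Review bot: The `desc` on line 217 names the attribute `sysrq`, but the leaf being exercised is `sysrq_capabilities` (line 264 of the matching test data); `"desc": "SERIAL_CONSOLE attribute 'sysrq_capabilities' set to invalid value"` keeps the description searchable against the model. The expected `"eStr": "Invalid value"` is generic enough to match unrelated validation failures too, so the test may stay green if the enum check is later broken for a different reason — hedged, since the exact libyang message for an enumeration mismatch is not shown here.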
Expand Up @@ -22,5 +22,13 @@
"SSH_SERVER_INVALID_PORTS_2": {
"desc": "Configure invalid port value in SSH_SERVER.",
"eStr": "Invalid port numbers value"
},
"SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
"desc": "Configure invalid inactivity_timeout value in SSH_SERVER.",
"eStr": "does not satisfy the constraint \"0..35000\""
},
"SSH_SERVER_INVALID_MAX_SESSIONS": {
"desc": "Configure invalid max_sessions value in SSH_SERVER.",
"eStr": "does not satisfy the constraint \"0..100\""
}
}
}
@@ -0,0 +1,31 @@
{
"SERIAL_CONSOLE": {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"inactivity_timeout": 900,
"sysrq_capabilities": "disabled"
}
}
}
},

"SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"inactivity_timeout": -500
}
}
}
},
"SERIAL_CONSOLE_INVALID_SYSRQ" : {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"sysrq_capabilities": "negative"
}
}
}
}
}
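Review bot: The positive sample on line 244 sets `"inactivity_timeout": 900`, which reads as seconds (15 × 60) although the leaf is defined in minutes with range 0..35000; the value passes validation but does not represent the intended unit, and `"inactivity_timeout": 15` would match the documented default and sample_config_db.json. The negative case on line 255 covers only the lower bound (-500, rejected because the type is int32); an out-of-range high value such as 40000 would exercise the upper bound the description advertises and is not covered here.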
Expand Up @@ -56,5 +56,23 @@
}
}
}
},
"SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
"sonic-ssh-server:sonic-ssh-server": {
"sonic-ssh-server:SSH_SERVER": {
"POLICIES":{
"inactivity_timeout": 500000
}
}
}
},
"SSH_SERVER_INVALID_MAX_SESSIONS": {
"sonic-ssh-server:sonic-ssh-server": {
"sonic-ssh-server:SSH_SERVER": {
"POLICIES":{
"max_sessions": 222
}
}
}
}
}
}
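--- a/src/sonic-yang-models/yang-models/sonic-serial-console.yang
+++ b/src/sonic-yang-models/yang-models/sonic-serial-console.yang
@@ -0,0 +1,37 @@
+//filename: sonic-serial-console.yang
+module sonic-serial-console {
+yang-version 1.1;
+namespace "http://github.com/Azure/sonic-serial-console";
+prefix cli-sessions;
+import sonic-types {
+prefix stypes;
+}
+description "SERIAL_CONSOLE YANG Module for SONiC-based OS";
+revision 2023-06-07 {
+description "First Revision";
+}
+container sonic-serial-console {
+container SERIAL_CONSOLE {
+description "SERIAL_CONSOLE part of config_db.json";
+container POLICIES {
+leaf inactivity_timeout {
+description "serial-console inactivity-timeout timer value in minutes";
+type int32 {
+range "0..35000";
+}
+default 15;
+}
+
+leaf sysrq_capabilities {
+type stypes:admin_mode;
+description "managing SysRq capabilities";
+default disabled;
+}
+}
+/* end of container POLICIES */
+}
+/* end of container SERIAL_CONSOLE */
+}
+/* end of top level container */
+}
+/* end of module sonic-serial-console */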
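Review bot: `inactivity_timeout` is typed `int32` on line 317 while the same 0..35000-minute leaf in sonic-ssh-server.yang is `uint32`; using `type uint32 { range "0..35000"; }` in both modules keeps the two tables consistent (the negative-value test would then need its expected message re-checked). The description on line 316 omits the 0 semantics that the ssh-server leaf and Configuration.md state; `description "serial-console inactivity-timeout timer value in minutes, 0 means no timeout";` closes that gap. The `sysrq_capabilities` description on line 325 should say what `enabled` does, since the generated sysctl sets `kernel.sysrq=1` and thereby allows every SysRq function from the console, e.g. `description "SysRq capabilities on the serial console; enabled sets kernel.sysrq=1 (all functions), disabled sets 0";`. The prefix `cli-sessions` on line 303 does not follow the module name the way the other SONiC modules appear to, which is a style point only.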
19 changes: 19 additions & 0 deletions src/sonic-yang-models/yang-models/sonic-ssh-server.yang
Expand Up @@ -11,6 +11,11 @@ module sonic-ssh-server {
description
"First Revision";
}

revision 2023-06-07 {
description
"Introduce inactivity timeout and max syslogins options";
}

container sonic-ssh-server {
container SSH_SERVER {
Expand Down Expand Up @@ -40,6 +45,20 @@ module sonic-ssh-server {
}
}
}
leaf inactivity_timeout {
description "inactivity timeout (in minutes), 0 means no timeout";
default 15;
type uint32 {
range 0..35000;
}
}
leaf max_sessions {
description "limit of concurrent system logins, 0 means no limit";
default 0;
type uint32 {
range 0..100;
}
}
}/*container policies */
} /* container SSH_SERVER */
}/* container sonic-ssh-server */
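Review bot: The new `revision 2023-06-07` block on lines 343-346 is placed after the existing "First Revision"; YANG (RFC 7950 §7.1.9) requires revision statements in reverse chronological order, so if the first revision's date — above this hunk — is earlier, the new one must come first. Its description says "max syslogins" while the leaf is `max_sessions`; `"Introduce inactivity_timeout and max_sessions options";` names the things actually added. The ranges on lines 358 and 365 are unquoted (`range 0..35000;`) whereas sonic-serial-console.yang quotes them; either form is valid, but the two modules added by this commit should agree. The enclosing `container POLICIES` starts above the second hunk.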

