Merge 0b58b74cd4 into fb29a4047c

files/build_templates/sonic_debian_extension.j2

@@ -400,6 +400,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
 # Copy DNS templates
 sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 
+# Copy cli-sessions config files
+sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
+echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
+
 # Copy warmboot-finalizer files
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM

files/image_config/cli_sessions/serial-config.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Update serial console config
+Requires=sonic.target
+After=sonic.target
+Before=getty-pre.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/serial-config.sh
+
+[Install]
+WantedBy=sonic.target

files/image_config/cli_sessions/serial-config.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate conf file for sysrq capabilities.
+sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
+
+SYSRQ_CONF=0
+# update sysrq for current boot.
+sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
+if [ ${sysrq_conf} = "enabled" ]; then
+        SYSRQ_CONF=1
+fi
+sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
+
+# generate env file for profile.d to set auto-logout timeout for serial consoles.
+sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh

files/image_config/cli_sessions/sysrq-sysctl.conf.j2

@@ -0,0 +1,10 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by serial-config.sh
+###############################################################################
+{% set sysrq = 0 %}
+{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_policies.sysrq_capabilities == 'enabled' %}
+{% set sysrq = 1 %}
+{% endif %}
+kernel.sysrq={{ sysrq }}

files/image_config/cli_sessions/tmout-env.sh.j2

@@ -0,0 +1,11 @@
+{# Default timeout (15 min) #}
+{% set inactivity_timeout_sec = 900 %}
+
+{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
+{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
+{% endif %}
+
+{# apply only for serial tty #}
+tty | grep -q tty &&  \
+export TMOUT={{ inactivity_timeout_sec }}

src/sonic-yang-models/doc/Configuration.md

@@ -2590,20 +2590,41 @@ There are 4 classes
 }
 ```
 
+### SERIAL_CONSOLE
+
+In this table collected configuration of the next serial-console attributes:
+-   inactivity_timeout - Inactivity timeout for serial-console session, allowed values: 0-35000 (minutes), default value: 15
+-   sysrq_capabilities - Enabling or disabling SysRq functionality for serial-console session, allowed values: enabled/disabled, default value disabled
+
+```
+{
+    SERIAL_CONSOLE:{
+        "POLICIES":{
+            "inactivity_timeout": 15
+            "sysrq_capabilities": "disabled"
+        }
+    }
+}
+```
+
 ### SSH_SERVER
 
-In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations:
+In this table, we allow configuring ssh server global settings. This will feature includes 5 configurations:
 
 -   authentication_retries - number of login attepmts 1-100
 -   login_timeout - Timeout in seconds for login session for user to connect 1-600
 -   ports - Ssh port numbers - string of port numbers seperated by ','
+-   inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min)
+-   max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0
 ```
 {
     "SSH_SERVER": {
         "POLICIES":{
             "authentication_retries": "6",
             "login_timeout": "120",
-            "ports": "22"
+            "ports": "22",
+            "inactivity_timeout": "15",
+            "max_sessions": "0"
         }
     }
 }

src/sonic-yang-models/setup.py

@@ -199,6 +199,7 @@ setup(
                          './yang-models/sonic-system-port.yang',
                          './yang-models/sonic-macsec.yang',
                          './yang-models/sonic-bgp-sentinel.yang',
+                         './yang-models/sonic-serial-console.yang',
                          './yang-models/sonic-smart-switch.yang',]),
         ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
                          './cvlyang-models/sonic-bgp-common.yang',
@@ -240,6 +241,7 @@ setup(
                          './cvlyang-models/sonic-nat.yang',
                          './cvlyang-models/sonic-nvgre-tunnel.yang',
                          './cvlyang-models/sonic-pbh.yang',
+                         './cvlyang-models/sonic-ssh-server.yang',
                          './cvlyang-models/sonic-policer.yang',
                          './cvlyang-models/sonic-port.yang',
                          './cvlyang-models/sonic-portchannel.yang',
@@ -274,6 +276,7 @@ setup(
                          './cvlyang-models/sonic-static-route.yang',
                          './cvlyang-models/sonic-system-port.yang',
                          './cvlyang-models/sonic-macsec.yang',
+                         './cvlyang-models/sonic-serial-console.yang',
                          './cvlyang-models/sonic-bgp-sentinel.yang']),
     ],
     zip_safe=False,

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -2391,7 +2391,16 @@
             "POLICIES":{
                 "authentication_retries": "6",
                 "login_timeout": "120",
-                "ports": "22"
+                "ports": "22",
+                "inactivity_timeout": "15",
+                "max_sessions": "0"
+            }
+        },
+
+        "SERIAL_CONSOLE": {
+            "POLICIES":{
+                "inactivity_timeout": "15",
+                "sysrq_capabilities": "disabled"
             }
         },
 

src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json

@@ -0,0 +1,13 @@
+{
+    "SERIAL_CONSOLE": {
+        "desc": "SERIAL_CONSOLE configuration in the Config DB table."
+    },
+    "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
+        "desc": "SERIAL_CONSOLE attribute 'inactivity_timeout' set to invalid value (out of allowed range of [0, 35000] minutes).",
+        "eStr": "does not satisfy the constraint \"0..35000\""
+    },
+    "SERIAL_CONSOLE_INVALID_SYSRQ" : {
+        "desc": "SERIAL_CONSOLE attribute 'sysrq' set to invalid value",
+        "eStr": "Invalid value"
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json

@@ -22,5 +22,13 @@
     "SSH_SERVER_INVALID_PORTS_2": {
         "desc": "Configure invalid port value in SSH_SERVER.",
         "eStr": "Invalid port numbers value"
+    },
+    "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
+        "desc": "Configure invalid inactivity_timeout value in SSH_SERVER.",
+        "eStr": "does not satisfy the constraint \"0..35000\""
+    },
+    "SSH_SERVER_INVALID_MAX_SESSIONS": {
+        "desc": "Configure invalid max_sessions value in SSH_SERVER.",
+        "eStr": "does not satisfy the constraint \"0..100\""
     }
-}
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json

@@ -0,0 +1,31 @@
+{
+    "SERIAL_CONSOLE": {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "inactivity_timeout": 900,
+                        "sysrq_capabilities": "disabled"
+                }
+            }
+        }
+    },
+
+    "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "inactivity_timeout": -500
+                }
+            }
+        }
+    },
+    "SERIAL_CONSOLE_INVALID_SYSRQ" : {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "sysrq_capabilities": "negative"
+                }
+            }
+        }
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json

@@ -56,5 +56,23 @@
                 }
             }
         }
+    },
+    "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "inactivity_timeout": 500000
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_MAX_SESSIONS": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "max_sessions": 222
+                }
+            }
+        }
     }
-}
+}

src/sonic-yang-models/yang-models/sonic-serial-console.yang

@@ -0,0 +1,37 @@
+//filename:  sonic-serial-console.yang
+module sonic-serial-console {
+    yang-version 1.1;
+    namespace "http://github.com/Azure/sonic-serial-console";
+    prefix cli-sessions;
+    description "SERIAL_CONSOLE YANG Module for SONiC-based OS";
+    revision 2023-06-07 {
+        description "First Revision";
+    }
+    container sonic-serial-console {
+        container SERIAL_CONSOLE {
+            description "SERIAL_CONSOLE part of config_db.json";
+            container POLICIES {
+	            leaf inactivity_timeout {
+	                description "serial-console inactivity-timeout timer value in minutes";
+	                type int32 {
+	                    range "0..35000";
+	                }
+	                default 15;
+	            }
+	
+	            leaf sysrq_capabilities {
+	                description "managing SysRq capabilities";
+	                type enumeration {
+	                    enum disabled;
+	                    enum enabled;
+	                }
+	                default disabled;
+	            }
+		}
+		/* end of container POLICIES */
+        }
+        /* end of container SERIAL_CONSOLE */
+    }
+    /* end of top level container */
+}
+/* end of module sonic-serial-console */

src/sonic-yang-models/yang-models/sonic-ssh-server.yang

@@ -11,6 +11,11 @@ module sonic-ssh-server {
         description
             "First Revision";
     }
+    
+    revision 2023-06-07 {
+        description
+            "Introduce inactivity timeout and max syslogins options";
+    }
 
     container sonic-ssh-server {
         container SSH_SERVER {
@@ -40,6 +45,20 @@ module sonic-ssh-server {
                         }
                     }
                 }
+                leaf inactivity_timeout {
+                    description "inactivity timeout (in minutes), 0 means no timeout";
+                    default 15;
+                    type uint32 {
+                        range 0..35000;
+                    }
+                }
+                leaf max_sessions {
+                    description "limit of concurrent system logins, 0 means no limit";
+                    default 0;
+                    type uint32 {
+                        range 0..100;
+                    }
+                }
             }/*container policies */
         } /* container SSH_SERVER  */
     }/* container sonic-ssh-server */