From 40295f55a7b9383d3ead1aa7825a5e4e440b340a Mon Sep 17 00:00:00 2001 From: Ivan Davydenko Date: Mon, 7 Aug 2023 17:00:07 +0300 Subject: [PATCH 1/4] [cli-sessions] update configuration templates, default configs --- files/build_templates/sonic_debian_extension.j2 | 7 +++++++ .../cli_sessions/serial-config.service | 13 +++++++++++++ files/image_config/cli_sessions/serial-config.sh | 15 +++++++++++++++ .../cli_sessions/sysrq-sysctl.conf.j2 | 10 ++++++++++ files/image_config/cli_sessions/tmout-env.sh.j2 | 11 +++++++++++ 5 files changed, 56 insertions(+) create mode 100644 files/image_config/cli_sessions/serial-config.service create mode 100755 files/image_config/cli_sessions/serial-config.sh create mode 100644 files/image_config/cli_sessions/sysrq-sysctl.conf.j2 create mode 100644 files/image_config/cli_sessions/tmout-env.sh.j2 diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 73564c03cd..05c48f0d9b 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 
@@ -389,6 +389,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE # Copy DNS templates sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ +# Copy cli-sessions config files +sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ +sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ +sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/ +sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM +echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE + # Copy warmboot-finalizer files sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM diff --git a/files/image_config/cli_sessions/serial-config.service b/files/image_config/cli_sessions/serial-config.service new file mode 100644 index 0000000000..6211ecaaae --- /dev/null +++ b/files/image_config/cli_sessions/serial-config.service @@ -0,0 +1,13 @@ +[Unit] +Description=Update serial console config +Requires=sonic.target +After=sonic.target +Before=getty-pre.target +StartLimitIntervalSec=0 + +[Service] +Type=oneshot +ExecStart=/usr/bin/serial-config.sh + +[Install] +WantedBy=sonic.target diff --git a/files/image_config/cli_sessions/serial-config.sh b/files/image_config/cli_sessions/serial-config.sh new file mode 100755 index 0000000000..b02d65ffae --- /dev/null +++ b/files/image_config/cli_sessions/serial-config.sh 
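Review bot: serial-config.sh is copied into `$FILESYSTEM_ROOT/usr/bin/` while the neighbouring warmboot-finalizer script goes to `/usr/local/bin`, and the unit added in the next hunk hard-codes `ExecStart=/usr/bin/serial-config.sh`; the two locations must stay in step, so a short comment on the copy line would help: `# serial-config.service hardcodes ExecStart=/usr/bin/serial-config.sh; keep the two in sync`. The new copies also use plain `cp` where the lines just below use `LANG=C cp`; harmless, but matching the file's pattern keeps the block consistent.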
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate conf file for sysrq capabilities.
+sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
+
+SYSRQ_CONF=0
+# update sysrq for current boot.
+sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
+if [ ${sysrq_conf} = "enabled" ]; then
+ SYSRQ_CONF=1
+fi
+sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
+
+# generate env file for profile.d to set auto-logout timeout for serial consoles.
+sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh
diff --git a/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
new file mode 100644
index 0000000000..49d9a62bc8
--- /dev/null
+++ b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2
@@ -0,0 +1,10 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by cli-sesisons.sh
+###############################################################################
+{% set sysrq = 0 %}
+{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_policies.sysrq_capabilities == 'enabled' %}
+{% set sysrq = 1 %}
+{% endif %}
+kernel.sysrq={{ sysrq }}
\ No newline at end of file
diff --git a/files/image_config/cli_sessions/tmout-env.sh.j2 b/files/image_config/cli_sessions/tmout-env.sh.j2
new file mode 100644
index 0000000000..528504ee72
--- /dev/null
+++ b/files/image_config/cli_sessions/tmout-env.sh.j2
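Review bot: `sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq` does not do what it looks like: the redirection is opened by the calling shell before sudo runs, so it only works because the unit already runs as root, and `sudo` there is a misleading no-op; drop it, `echo "${SYSRQ_CONF}" > /proc/sys/kernel/sysrq`. On the `if` line `${sysrq_conf}` is unquoted, so when the POLICIES hash or field is absent HGET returns an empty string and `[ = "enabled" ]` is a syntax error (the script still falls through to the safe default 0, but logs a spurious error); quote it, `if [ "${sysrq_conf}" = "enabled" ]; then`, and prefer `sysrq_conf=$(sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities)` over backticks. Neither `sonic-cfggen` call is checked: the `>` truncates the target before the render runs, so a render failure leaves an empty `/etc/profile.d/tmout-env.sh` and serial sessions silently get no auto-logout; consider `set -e` or an explicit status check so the unit reports the failure instead of succeeding.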
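Review bot: the rendered `kernel.sysrq` value only takes effect at boot if no drop-in sorting after `95-` re-sets it; on Debian-derived images `/etc/sysctl.d/99-sysctl.conf` commonly points at `/etc/sysctl.conf`, so a `kernel.sysrq` line there would silently override the policy (worth confirming on the target image). The file is also emitted without a trailing newline (`\ No newline at end of file`); sysctl tolerates it, but ending the template with a newline avoids noise in tools that diff or append to the generated file.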
@@ -0,0 +1,11 @@
+{# Default timeout (15 min) #}
+{% set inactivity_timeout_sec = 900 %}
+
+{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
+{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
+{% endif %}
+
+{# apply only for serial tty #}
+tty | grep -q tty && \
+export TMOUT={{ inactivity_timeout_sec }}
From 1cafc7da17e0e5a494d31901d2f01406c2515be0 Mon Sep 17 00:00:00 2001
From: Ivan Davydenko
Date: Mon, 14 Aug 2023 13:18:51 +0300
Subject: [PATCH 2/4] [cli-sessions] Update YAML models with new serial-console tree, extended ssh-server tree.
---
 src/sonic-yang-models/doc/Configuration.md | 25 ++++++++++++-
 src/sonic-yang-models/setup.py | 3 ++
 .../tests/files/sample_config_db.json | 11 +++++-
 .../yang-models/sonic-serial-console.yang | 37 +++++++++++++++++++
 .../yang-models/sonic-ssh-server.yang | 19 ++++++++++
 5 files changed, 92 insertions(+), 3 deletions(-)
 create mode 100644 src/sonic-yang-models/yang-models/sonic-serial-console.yang
diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
index 4bf3a4a45a..21a3f0cee4 100644
--- a/src/sonic-yang-models/doc/Configuration.md
+++ b/src/sonic-yang-models/doc/Configuration.md
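Review bot: `tty | grep -q tty` also matches when there is no terminal at all, because `tty` then prints `not a tty`, so any non-interactive login shell that sources profile.d (for example `bash -l -c` or a cron job using a login shell) gets TMOUT exported and the comment `apply only for serial tty` does not hold. Match on the device name instead, `case "$(tty)" in /dev/tty*) export TMOUT={{ inactivity_timeout_sec }}; readonly TMOUT ;; esac`, which still excludes pts sessions as before. Marking the variable `readonly` matters for the policy's purpose: a plain exported TMOUT can be `unset` by the logged-in user, whereas a readonly one cannot be changed or unset for the rest of that shell. One caveat to confirm: `serial_pol.inactivity_timeout` is truthiness-tested before the `>= 0` comparison, which works for CONFIG_DB's string values (`"0"` is truthy) but would fall back to 900 if a caller ever supplied an integer 0.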
@@ -2570,20 +2570,41 @@ There are 4 classes } ``` +### SERIAL_CONSOLE + +In this table collected configuration of the next serial-console attributes: +- inactivity_timeout - Inactivity timeout for serial-console session, allowed values: 0-35000 (minutes), default value: 15 +- sysrq_capabilities - Enabling or disabling SysRq functionality for serial-console session, allowed values: enabled/disabled, default value disabled + +``` +{ + SERIAL_CONSOLE:{ + "POLICIES":{ + "inactivity_timeout": 15 + "sysrq_capabilities": "disabled" + } + } +} +``` + ### SSH_SERVER -In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations: +In this table, we allow configuring ssh server global settings. This will feature includes 5 configurations: - authentication_retries - number of login attepmts 1-100 - login_timeout - Timeout in seconds for login session for user to connect 1-600 - ports - Ssh port numbers - string of port numbers seperated by ',' +- inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min) +- max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0 ``` { "SSH_SERVER": { "POLICIES":{ "authentication_retries": "6", "login_timeout": "120", - "ports": "22" + "ports": "22", + "inactivity_timeout": "15", + "max_sessions": "0" } } } diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py index 650101c506..a449c3f696 100644 --- a/src/sonic-yang-models/setup.py +++ b/src/sonic-yang-models/setup.py @@ -198,6 +198,7 @@ setup( './yang-models/sonic-system-port.yang', './yang-models/sonic-macsec.yang', './yang-models/sonic-bgp-sentinel.yang', + './yang-models/sonic-serial-console.yang', './yang-models/sonic-smart-switch.yang',]), ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang', './cvlyang-models/sonic-bgp-common.yang', 
@@ -239,6 +240,7 @@ setup( './cvlyang-models/sonic-nat.yang', './cvlyang-models/sonic-nvgre-tunnel.yang', './cvlyang-models/sonic-pbh.yang', + './cvlyang-models/sonic-ssh-server.yang', './cvlyang-models/sonic-policer.yang', './cvlyang-models/sonic-port.yang', './cvlyang-models/sonic-portchannel.yang', @@ -273,6 +275,7 @@ setup( './cvlyang-models/sonic-static-route.yang', './cvlyang-models/sonic-system-port.yang', './cvlyang-models/sonic-macsec.yang', + './cvlyang-models/sonic-serial-console.yang', './cvlyang-models/sonic-bgp-sentinel.yang']), ], zip_safe=False, diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index b9db43c876..1fc7ba677b 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json @@ -2338,7 +2338,16 @@ "POLICIES":{ "authentication_retries": "6", "login_timeout": "120", - "ports": "22" + "ports": "22", + "inactivity_timeout": "15", + "max_sessions": "0" + } + }, + + "SERIAL_CONSOLE": { + "POLICIES":{ + "inactivity_timeout": "15", + "sysrq_capabilities": "disabled" } }, diff --git a/src/sonic-yang-models/yang-models/sonic-serial-console.yang b/src/sonic-yang-models/yang-models/sonic-serial-console.yang new file mode 100644 index 0000000000..7d9c039442 --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-serial-console.yang 
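Review bot: this hunk and the next add `./cvlyang-models/sonic-ssh-server.yang` and `./cvlyang-models/sonic-serial-console.yang` to the package data list, but nothing in this series creates files under cvlyang-models (the diffstat only shows the new `yang-models/sonic-serial-console.yang`). If the cvlyang-models tree is generated from yang-models at build time this is fine; otherwise `setup.py` fails on the missing data files, so it is worth confirming. Style-wise, `sonic-ssh-server.yang` is inserted between `sonic-pbh.yang` and `sonic-policer.yang`, breaking the alphabetical run in that part of the list.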
@@ -0,0 +1,37 @@ +//filename: sonic-serial-console.yang +module sonic-serial-console { + yang-version 1.1; + namespace "http://github.com/Azure/sonic-serial-console"; + prefix cli-sessions; + description "SERIAL_CONSOLE YANG Module for SONiC-based OS"; + revision 2023-06-07 { + description "First Revision"; + } + container sonic-serial-console { + container SERIAL_CONSOLE { + description "SERIAL_CONSOLE part of config_db.json"; + container POLICIES { + leaf inactivity_timeout { + description "serial-console inactivity-timeout timer value in minutes"; + type int32 { + range "0..35000"; + } + default 15; + } + + leaf sysrq_capabilities { + description "managing SysRq capabilities"; + type enumeration { + enum disabled; + enum enabled; + } + default disabled; + } + } + /* end of container POLICIES */ + } + /* end of container SERIAL_CONSOLE */ + } + /* end of top level container */ +} +/* end of module sonic-serial-console */ diff --git a/src/sonic-yang-models/yang-models/sonic-ssh-server.yang b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang index a53fddac5b..fb17159eea 100644 --- a/src/sonic-yang-models/yang-models/sonic-ssh-server.yang +++ b/src/sonic-yang-models/yang-models/sonic-ssh-server.yang @@ -11,6 +11,11 @@ module sonic-ssh-server { description "First Revision"; } + + revision 2023-06-07 { + description + "Introduce inactivity timeout and max syslogins options"; + } container sonic-ssh-server { container SSH_SERVER { @@ -40,6 +45,20 @@ module sonic-ssh-server { } } } + leaf inactivity_timeout { + description "inactivity timeout (in minutes), 0 means no timeout"; + default 15; + type uint32 { + range 0..35000; + } + } + leaf max_sessions { + description "limit of concurrent system logins, 0 means no limit"; + default 0; + type uint32 { + range 0..100; + } + } }/*container policies */ } /* container SSH_SERVER */ }/* container sonic-ssh-server */ From 9e2bdcffcba8b3deb8cc3e68f5aa488a0ac15b97 Mon Sep 17 00:00:00 2001 
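Review bot: `inactivity_timeout` here is `int32` with `range "0..35000"` and no statement of what 0 means, while the sibling leaf added to `sonic-ssh-server` in the same commit is `uint32` and documents `0 means no timeout`; tmout-env.sh.j2 renders 0 as `TMOUT=0`, which in bash disables the timeout, so the description should say so: `description "serial-console inactivity-timeout timer value in minutes, 0 means no timeout";`. Using `uint32` for both leaves would also keep the two models, and the constraint strings the tests match on, consistent.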
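Review bot: in the sonic-ssh-server.yang hunk the new `revision 2023-06-07` block is placed after the existing `First Revision` block; YANG keeps revision history with the most recent revision first (RFC 7950 §7.1.9), and pyang-based tooling may warn about the order, so move the new block above the old one. The revision text says `max syslogins` while the leaf is `max_sessions`; `description "Introduce inactivity timeout and max sessions options";` avoids the mismatch.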
From: Ivan Davydenko Date: Tue, 7 Nov 2023 23:17:38 +0200 Subject: [PATCH 3/4] [cli-sessions] Implement tests for serial-console model, update tests for ssh-server model --- .../tests/serial_console.json | 13 ++++++++ .../yang_model_tests/tests/ssh-server.json | 10 +++++- .../tests_config/serial_console.json | 31 +++++++++++++++++++ .../tests_config/ssh-server.json | 20 +++++++++++- 4 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json b/src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json new file mode 100644 index 0000000000..76e39bb179 --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json @@ -0,0 +1,13 @@ +{ + "SERIAL_CONSOLE": { + "desc": "SERIAL_CONSOLE configuration in the Config DB table." + }, + "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": { + "desc": "SERIAL_CONSOLE attribute 'inactivity_timeout' set to invalid value (out of allowed range of [0, 35000] minutes).", + "eStr": "does not satisfy the constraint \"0..35000\"" + }, + "SERIAL_CONSOLE_INVALID_SYSRQ" : { + "desc": "SERIAL_CONSOLE attribute 'sysrq' set to invalid value", + "eStr": "Invalid value" + } +} diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json index f3a1c30ef4..e7bc0af10a 100644 --- a/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json 
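Review bot: the description `SERIAL_CONSOLE attribute 'sysrq' set to invalid value` names a field that does not exist in the model; the leaf is `sysrq_capabilities`, so `"desc": "SERIAL_CONSOLE attribute 'sysrq_capabilities' set to invalid value"` keeps the test self-describing. The range test only exercises the lower bound (the matching tests_config entry uses -500); a second case at 35001 would cover the upper limit the model advertises.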
@@ -22,5 +22,13 @@ "SSH_SERVER_INVALID_PORTS_2": { "desc": "Configure invalid port value in SSH_SERVER.", "eStr": "Invalid port numbers value" + }, + "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": { + "desc": "Configure invalid inactivity_timeout value in SSH_SERVER.", + "eStr": "does not satisfy the constraint \"0..35000\"" + }, + "SSH_SERVER_INVALID_MAX_SESSIONS": { + "desc": "Configure invalid max_sessions value in SSH_SERVER.", + "eStr": "does not satisfy the constraint \"0..100\"" } -} \ No newline at end of file +} diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json new file mode 100644 index 0000000000..34453ac63b --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json @@ -0,0 +1,31 @@ +{ + "SERIAL_CONSOLE": { + "sonic-serial-console:sonic-serial-console": { + "sonic-serial-console:SERIAL_CONSOLE": { + "POLICIES": { + "inactivity_timeout": 900, + "sysrq_capabilities": "disabled" + } + } + } + }, + + "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": { + "sonic-serial-console:sonic-serial-console": { + "sonic-serial-console:SERIAL_CONSOLE": { + "POLICIES": { + "inactivity_timeout": -500 + } + } + } + }, + "SERIAL_CONSOLE_INVALID_SYSRQ" : { + "sonic-serial-console:sonic-serial-console": { + "sonic-serial-console:SERIAL_CONSOLE": { + "POLICIES": { + "sysrq_capabilities": "negative" + } + } + } + } +} diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json index e0abc1a132..1780bab895 100644 --- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json 
@@ -56,5 +56,23 @@ } } } + }, + "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": { + "sonic-ssh-server:sonic-ssh-server": { + "sonic-ssh-server:SSH_SERVER": { + "POLICIES":{ + "inactivity_timeout": 500000 + } + } + } + }, + "SSH_SERVER_INVALID_MAX_SESSIONS": { + "sonic-ssh-server:sonic-ssh-server": { + "sonic-ssh-server:SSH_SERVER": { + "POLICIES":{ + "max_sessions": 222 + } + } + } } -} \ No newline at end of file +} From 0b58b74cd4f9429b2ba5710ec36ba653dd33b283 Mon Sep 17 00:00:00 2001 From: Ivan Davydenko Date: Thu, 22 Feb 2024 05:43:40 +0200 Subject: [PATCH 4/4] Fix comment that points to config-file generator. --- files/image_config/cli_sessions/sysrq-sysctl.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 index 49d9a62bc8..9d7b96660b 100644 --- a/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 +++ b/files/image_config/cli_sessions/sysrq-sysctl.conf.j2 @@ -1,6 +1,6 @@ ############################################################################### # This file was AUTOMATICALLY GENERATED. DO NOT MODIFY. -# Controlled by cli-sesisons.sh +# Controlled by serial-config.sh ############################################################################### {% set sysrq = 0 %} {% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}