matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge 0b58b74cd4 into fb29a4047c

Browse Source
This commit is contained in:
i-davydenko 2024-03-25 23:05:04 +02:00 committed by GitHub
commit 0cb4e9ea6b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 220 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
files/build_templates/sonic_debian_extension.j2
View File

@ -400,6 +400,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy DNS templates # Copy DNS templates
sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
# Copy cli-sessions config files
sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/
sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
# Copy warmboot-finalizer files # Copy warmboot-finalizer files
sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh
sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM

13
files/image_config/cli_sessions/serial-config.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Update serial console config
Requires=sonic.target
After=sonic.target
Before=getty-pre.target
StartLimitIntervalSec=0
[Service]
Type=oneshot
ExecStart=/usr/bin/serial-config.sh
[Install]
WantedBy=sonic.target

15
files/image_config/cli_sessions/serial-config.sh Executable file
View File

@ -0,0 +1,15 @@
#!/bin/bash
# generate conf file for sysrq capabilities.
sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
SYSRQ_CONF=0
# update sysrq for current boot.
sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
if [ ${sysrq_conf} = "enabled" ]; then
SYSRQ_CONF=1
fi
sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
# generate env file for profile.d to set auto-logout timeout for serial consoles.
sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh

10
files/image_config/cli_sessions/sysrq-sysctl.conf.j2 Normal file
View File

@ -0,0 +1,10 @@
###############################################################################
# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
# Controlled by serial-config.sh
###############################################################################
{% set sysrq = 0 %}
{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
{% if serial_policies.sysrq_capabilities == 'enabled' %}
{% set sysrq = 1 %}
{% endif %}
kernel.sysrq={{ sysrq }}

11
files/image_config/cli_sessions/tmout-env.sh.j2 Normal file
View File

@ -0,0 +1,11 @@
{# Default timeout (15 min) #}
{% set inactivity_timeout_sec = 900 %}
{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
{% endif %}
{# apply only for serial tty #}
tty | grep -q tty && \
export TMOUT={{ inactivity_timeout_sec }}

25
src/sonic-yang-models/doc/Configuration.md
View File

@ -2590,20 +2590,41 @@ There are 4 classes
} }
``` ```
### SERIAL_CONSOLE
In this table collected configuration of the next serial-console attributes:
- inactivity_timeout - Inactivity timeout for serial-console session, allowed values: 0-35000 (minutes), default value: 15
- sysrq_capabilities - Enabling or disabling SysRq functionality for serial-console session, allowed values: enabled/disabled, default value disabled
```
{
SERIAL_CONSOLE:{
"POLICIES":{
"inactivity_timeout": 15
"sysrq_capabilities": "disabled"
}
}
}
```
### SSH_SERVER ### SSH_SERVER
In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations: In this table, we allow configuring ssh server global settings. This will feature includes 5 configurations:
- authentication_retries - number of login attepmts 1-100 - authentication_retries - number of login attepmts 1-100
- login_timeout - Timeout in seconds for login session for user to connect 1-600 - login_timeout - Timeout in seconds for login session for user to connect 1-600
- ports - Ssh port numbers - string of port numbers seperated by ',' - ports - Ssh port numbers - string of port numbers seperated by ','
- inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min)
- max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0
``` ```
{ {
"SSH_SERVER": { "SSH_SERVER": {
"POLICIES":{ "POLICIES":{
"authentication_retries": "6", "authentication_retries": "6",
"login_timeout": "120", "login_timeout": "120",
"ports": "22" "ports": "22",
"inactivity_timeout": "15",
"max_sessions": "0"
} }
} }
} }

3
src/sonic-yang-models/setup.py
View File

@ -199,6 +199,7 @@ setup(
'./yang-models/sonic-system-port.yang', './yang-models/sonic-system-port.yang',
'./yang-models/sonic-macsec.yang', './yang-models/sonic-macsec.yang',
'./yang-models/sonic-bgp-sentinel.yang', './yang-models/sonic-bgp-sentinel.yang',
'./yang-models/sonic-serial-console.yang',
'./yang-models/sonic-smart-switch.yang',]), './yang-models/sonic-smart-switch.yang',]),
('cvlyang-models', ['./cvlyang-models/sonic-acl.yang', ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
'./cvlyang-models/sonic-bgp-common.yang', './cvlyang-models/sonic-bgp-common.yang',
@ -240,6 +241,7 @@ setup(
'./cvlyang-models/sonic-nat.yang', './cvlyang-models/sonic-nat.yang',
'./cvlyang-models/sonic-nvgre-tunnel.yang', './cvlyang-models/sonic-nvgre-tunnel.yang',
'./cvlyang-models/sonic-pbh.yang', './cvlyang-models/sonic-pbh.yang',
'./cvlyang-models/sonic-ssh-server.yang',
'./cvlyang-models/sonic-policer.yang', './cvlyang-models/sonic-policer.yang',
'./cvlyang-models/sonic-port.yang', './cvlyang-models/sonic-port.yang',
'./cvlyang-models/sonic-portchannel.yang', './cvlyang-models/sonic-portchannel.yang',
@ -274,6 +276,7 @@ setup(
'./cvlyang-models/sonic-static-route.yang', './cvlyang-models/sonic-static-route.yang',
'./cvlyang-models/sonic-system-port.yang', './cvlyang-models/sonic-system-port.yang',
'./cvlyang-models/sonic-macsec.yang', './cvlyang-models/sonic-macsec.yang',
'./cvlyang-models/sonic-serial-console.yang',
'./cvlyang-models/sonic-bgp-sentinel.yang']), './cvlyang-models/sonic-bgp-sentinel.yang']),
], ],
zip_safe=False, zip_safe=False,

11
src/sonic-yang-models/tests/files/sample_config_db.json
View File

@ -2391,7 +2391,16 @@
"POLICIES":{ "POLICIES":{
"authentication_retries": "6", "authentication_retries": "6",
"login_timeout": "120", "login_timeout": "120",
"ports": "22" "ports": "22",
"inactivity_timeout": "15",
"max_sessions": "0"
}
},
"SERIAL_CONSOLE": {
"POLICIES":{
"inactivity_timeout": "15",
"sysrq_capabilities": "disabled"
} }
}, },

13
src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json Normal file
View File

@ -0,0 +1,13 @@
{
"SERIAL_CONSOLE": {
"desc": "SERIAL_CONSOLE configuration in the Config DB table."
},
"SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
"desc": "SERIAL_CONSOLE attribute 'inactivity_timeout' set to invalid value (out of allowed range of [0, 35000] minutes).",
"eStr": "does not satisfy the constraint \"0..35000\""
},
"SERIAL_CONSOLE_INVALID_SYSRQ" : {
"desc": "SERIAL_CONSOLE attribute 'sysrq' set to invalid value",
"eStr": "Invalid value"
}
}

10
src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json
View File

@ -22,5 +22,13 @@
"SSH_SERVER_INVALID_PORTS_2": { "SSH_SERVER_INVALID_PORTS_2": {
"desc": "Configure invalid port value in SSH_SERVER.", "desc": "Configure invalid port value in SSH_SERVER.",
"eStr": "Invalid port numbers value" "eStr": "Invalid port numbers value"
},
"SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
"desc": "Configure invalid inactivity_timeout value in SSH_SERVER.",
"eStr": "does not satisfy the constraint \"0..35000\""
},
"SSH_SERVER_INVALID_MAX_SESSIONS": {
"desc": "Configure invalid max_sessions value in SSH_SERVER.",
"eStr": "does not satisfy the constraint \"0..100\""
} }
} }

31
src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json Normal file
View File

@ -0,0 +1,31 @@
{
"SERIAL_CONSOLE": {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"inactivity_timeout": 900,
"sysrq_capabilities": "disabled"
}
}
}
},
"SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"inactivity_timeout": -500
}
}
}
},
"SERIAL_CONSOLE_INVALID_SYSRQ" : {
"sonic-serial-console:sonic-serial-console": {
"sonic-serial-console:SERIAL_CONSOLE": {
"POLICIES": {
"sysrq_capabilities": "negative"
}
}
}
}
}

20
src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json
View File

@ -56,5 +56,23 @@
} }
} }
} }
},
"SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
"sonic-ssh-server:sonic-ssh-server": {
"sonic-ssh-server:SSH_SERVER": {
"POLICIES":{
"inactivity_timeout": 500000
}
}
}
},
"SSH_SERVER_INVALID_MAX_SESSIONS": {
"sonic-ssh-server:sonic-ssh-server": {
"sonic-ssh-server:SSH_SERVER": {
"POLICIES":{
"max_sessions": 222
}
}
}
} }
} }

37
src/sonic-yang-models/yang-models/sonic-serial-console.yang Normal file
View File

@ -0,0 +1,37 @@
//filename: sonic-serial-console.yang
module sonic-serial-console {
yang-version 1.1;
namespace "http://github.com/Azure/sonic-serial-console";
prefix cli-sessions;
description "SERIAL_CONSOLE YANG Module for SONiC-based OS";
revision 2023-06-07 {
description "First Revision";
}
container sonic-serial-console {
container SERIAL_CONSOLE {
description "SERIAL_CONSOLE part of config_db.json";
container POLICIES {
leaf inactivity_timeout {
description "serial-console inactivity-timeout timer value in minutes";
type int32 {
range "0..35000";
}
default 15;
}
leaf sysrq_capabilities {
description "managing SysRq capabilities";
type enumeration {
enum disabled;
enum enabled;
}
default disabled;
}
}
/* end of container POLICIES */
}
/* end of container SERIAL_CONSOLE */
}
/* end of top level container */
}
/* end of module sonic-serial-console */

19
src/sonic-yang-models/yang-models/sonic-ssh-server.yang
View File

@ -11,6 +11,11 @@ module sonic-ssh-server {
description description
"First Revision"; "First Revision";
} }
revision 2023-06-07 {
description
"Introduce inactivity timeout and max syslogins options";
}
container sonic-ssh-server { container sonic-ssh-server {
container SSH_SERVER { container SSH_SERVER {
@ -40,6 +45,20 @@ module sonic-ssh-server {
} }
} }
} }
leaf inactivity_timeout {
description "inactivity timeout (in minutes), 0 means no timeout";
default 15;
type uint32 {
range 0..35000;
}
}
leaf max_sessions {
description "limit of concurrent system logins, 0 means no limit";
default 0;
type uint32 {
range 0..100;
}
}
}/*container policies */ }/*container policies */
} /* container SSH_SERVER */ } /* container SSH_SERVER */
}/* container sonic-ssh-server */ }/* container sonic-ssh-server */