diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index 93dfa8ee17..e728267009 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -17,6 +17,10 @@ PAM_AUTH_CONF_TEMPLATE = "/usr/share/sonic/templates/common-auth-sonic.j2" NSS_TACPLUS_CONF = "/etc/tacplus_nss.conf" NSS_TACPLUS_CONF_TEMPLATE = "/usr/share/sonic/templates/tacplus_nss.conf.j2" NSS_CONF = "/etc/nsswitch.conf" +PAM_LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/pam_limits.j2" +LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/limits.conf.j2" +PAM_LIMITS_CONF = "/etc/pam.d/pam-limits-conf" +LIMITS_CONF = "/etc/security/limits.conf" # TACACS+ TACPLUS_SERVER_PASSKEY_DEFAULT = "" @@ -232,6 +236,63 @@ class AaaCfg(object): syslog.syslog(syslog.LOG_INFO, 'pam.d files updated auth={} global={}'. format(auth, tacplus_global)) +class PamLimitsCfg(object): + """ + PamLimit Config Daemon + 1) The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. + 2) Purpose of this daemon is to render pam_limits config file. + """ + def __init__(self, config_db): + self.config_db = config_db + self.hwsku = "" + self.type = "" + + # Load config from ConfigDb and render config file/ + def update_config_file(self): + device_metadata = self.config_db.get_table('DEVICE_METADATA') + if "localhost" not in device_metadata: + return + + self.read_localhost_config(device_metadata["localhost"]) + self.render_conf_file() + + # Read localhost config + def read_localhost_config(self, localhost): + if "hwsku" in localhost: + self.hwsku = localhost["hwsku"] + else: + self.hwsku = "" + + if "type" in localhost: + self.type = localhost["type"] + else: + self.type = "" + + # Render pam_limits config files + def render_conf_file(self): + env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True) + env.filters['sub'] = sub + + try: + template_file = os.path.abspath(PAM_LIMITS_CONF_TEMPLATE) + template = env.get_template(template_file) + pam_limits_conf = template.render( + hwsku=self.hwsku, + type=self.type) + with open(PAM_LIMITS_CONF, 'w') as f: + f.write(pam_limits_conf) + + template_file = os.path.abspath(LIMITS_CONF_TEMPLATE) + template = env.get_template(template_file) + limits_conf = template.render( + hwsku=self.hwsku, + type=self.type) + with open(LIMITS_CONF, 'w') as f: + f.write(limits_conf) + except Exception as e: + syslog.syslog(syslog.LOG_ERR, + "modify pam_limits config file failed with exception: {}" + .format(e)) class HostConfigDaemon: def __init__(self): @@ -242,6 +303,10 @@ class HostConfigDaemon: self.aaacfg = AaaCfg(self.config_db) self.iptables = Iptables() + # Initialize PamLimitsCfg + self.pamLimitsCfg = PamLimitsCfg(self.config_db) + self.pamLimitsCfg.update_config_file() + def timer_load(self): global global_lock diff --git a/files/image_config/hostcfgd/limits.conf.j2 b/files/image_config/hostcfgd/limits.conf.j2 new file mode 100755 index 0000000000..41b37221e4 --- /dev/null +++ b/files/image_config/hostcfgd/limits.conf.j2 @@ -0,0 +1,69 @@ +# /etc/security/limits.conf +# +# This file generate by j2 template file: src/sonic-host-services-data/templates/limits.conf.j2 +# +# Each line describes a limit for a user in the form: +# +# +# +# Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open file descriptors +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# is related with : +# All items support the values -1, unlimited or infinity indicating +# no limit, except for priority and nice. +# +# If a hard limit or soft limit of a resource is set to a valid value, +# but outside of the supported range of the local system, the system +# may reject the new limit or unexpected behavior may occur. If the +# control value required is used, the module will reject the login if +# a limit could not be set. +# +# +# + +# * soft core 0 +# root hard core 100000 +# * hard rss 10000 +# @student hard nproc 20 +# @faculty soft nproc 20 +# @faculty hard nproc 50 +# ftp hard nproc 0 +# ftp - chroot /ftp +# @student - maxlogins 4 + +# End of file diff --git a/files/image_config/hostcfgd/pam_limits.j2 b/files/image_config/hostcfgd/pam_limits.j2 new file mode 100755 index 0000000000..f87906932f --- /dev/null +++ b/files/image_config/hostcfgd/pam_limits.j2 @@ -0,0 +1,12 @@ +#THIS IS AN AUTO-GENERATED FILE +# +# This file generate by j2 template file: src/sonic-host-services-data/templates/pam_limits.j2 +# +# /etc/pam.d/pam-limits settings common to all services +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# here are the per-package modules (the "Primary" block) \ No newline at end of file