HLD for cli sessions feature #1367
Prepare HLD documents for CLI sessions feature
Update ssh_config.md with auto-logout and max-syslogins parameters.
Create serial-console-HLD.md
doc/ssh_config/ssh_config.md
Outdated
@@ -161,6 +175,20 @@ module sonic-ssh-server { | |||
} | |||
} | |||
} | |||
leaf auto_logout { | |||
description "inactivity timeoout (min unit)"; |
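Review bot: the description on the `leaf auto_logout` line has a typo (`timeoout`) and `(min unit)` does not make clear that the unit is minutes, even though the policy table in this document lists the value as `0-35000 (min)`; suggest `description "inactivity timeout in minutes";` so the unit is unambiguous in the YANG itself.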
min unit -> in minutes?
Done.
default 15; | ||
type uint32 { | ||
range 0..35000; | ||
} |
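Review bot: `range 0..35000;` admits 0, but neither the range nor the description says what 0 means; since the policy table in this document treats 0 as "no auto logout", state the sentinel explicitly in the leaf description (for example `"... ; 0 disables auto-logout"`) so consumers of the model do not have to infer it from the table.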
Please add description for 0 value to indicate no auto logout.
Done.
leaf max_syslogins { | ||
description "limit of concurrent system logins"; | ||
default 100; | ||
type uint32 { |
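Review bot: `leaf max_syslogins` is described as a "limit of concurrent system logins" while the ssh policy table in this document gives the range as `3-100`; the hunk shows `type uint32 {` with the range cut off, so make sure the range statement matches the table. The description should also say whether this is a system-wide cap (the name suggests pam_limits `maxsyslogins`) or a per-user one, since the two behave very differently under load.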
uint32 -> uint8?
I prefer to leave it as 32, so as not to limit it in case we extend the upper limit in the future.
leaf auto_logout { | ||
description "inactivity timeoout (min unit)"; | ||
default 15; | ||
type uint32 { |
uint32 -> uint16?
Same here, I prefer not to limit it to u16 in case we extend it in the future.
| Policy | Action | Param values | Default | | ||
|--------------------|-----------------------------------------------------------------------|---------------------|--------------| | ||
| auto logout | Inactivity timeout for serial-console session | 0-35000 (min) | 15 | | ||
| sysrq capabilities | Enabling or disabling SysRq functionality for serial-consoles | enabled/disabled | disabled | |
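Review bot: the `sysrq capabilities` row only says enabled/disabled; it should state which value is written to `/proc/sys/kernel/sysrq` for each state (the sonic-mgmt test quoted in this thread writes `1` there) and whether the serial-console service re-applies the configured value if something else changes it at runtime. The `auto logout` row should also note that `0` means no auto-logout, as asked for in the YANG review above.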
I saw some tests are using sysrq in sonic-mgmt.
tests/scripts/sai_qualify/sai_warmboot.sh: echo 1 > /proc/sys/kernel/sysrq
Can we check that this won't affect the test?
@vaibhavhd for visibility.
This will overwrite any existing configuration and perform a reboot (in the next line: 'echo b > /proc/sysrq-trigger').
So the test won't be broken by the proposed changes.
Thanks.
doc/console/serial-console-HLD.md
Outdated
/* end of module sonic-serial-console */ | ||
|
||
``` | ||
### 6.4. <a name='ConfigDBEnhancements'></a>Config DB Enhancements |
Can we use the native markdown format instead of the HTML marker? There are other cases; please correct those as well.
Done.
Community review recording: https://zoom.us/rec/share/4Wwy3t9ogqaeABDgjvYQ6IOwAovCEqdamwVzTeR9dxlvMK2GlOhNhrkcWfOgpeyc.dXhqq6g4IUDmdjxa. The starting point of this HLD is in the middle of this recording.
MSFT registers as reviewer for this feature.
doc/ssh_config/ssh_config.md
Outdated
@@ -80,6 +86,8 @@ We want to enable configuring the following policies, with default values are ta | |||
| authentication retries | Number of attempts to try to log in before rejecting the session | 3-100 | 6 | | |||
| login timeout | SSH session timeout | 1-600 (secs) | 120 | | |||
| ports | Port numbers for SSH | 1-65535 | 22 | | |||
| auto logout | Inactivity timeout for SSH session | 0-35000 (min) | 15 | | |||
| max sessions | Max number of concurrent logins | 3-100 | 100 | |
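Review bot: the `max sessions` row sets the default (100) equal to the top of its `3-100` range, so the policy has no effect until an operator lowers it; say in the text that this is intentional. The row also does not say whether serial-console sessions count toward the same limit as SSH sessions; given the YANG leaf is named `max_syslogins`, state whether the limit is system-wide.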
Currently we already have template files and hostcfgd code to support generating the session limit by hwsku:
sonic-net/sonic-buildimage#10177
In the public repo this is an empty template.
So for the implementation details of these limits, please consider reusing and improving the existing code and template.
Also for the auto logout, currently there is code in this file that does some pre-configuration:
https://github.com/sonic-net/sonic-buildimage/blob/master/build_debian.sh
So the implementation should not break that code, or it needs to migrate that config to the new design.
Agree, we will reuse the existing infra to keep all limits.conf file updates in one place.
Added a section to clarify this. Thank you for the comments.
Update serial-console.hld according to the comments.
Update ssh_config HLD according to the community comments.
doc/console/serial-console-HLD.md
Outdated
|
||
### 1.2. Definitions/Abbreviations | ||
|
||
serial - secure shell |
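Review bot: `serial - secure shell` is a wrong definition; secure shell is SSH, and this document covers the serial console, so the abbreviation list should define the serial console itself (and SysRq, which the document relies on) rather than SSH.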
No, this section covers the serial connection.
Fixed in 9e32292.
doc/console/serial-console-HLD.md
Outdated
### 3.1 Flow description | ||
When the feature is enabled, by modifying the DB manually, user will set serial-console configurations by modifing CONFIG_DB in SERIAL_CONSOLE table. | ||
|
||
The hostcfgd daemon will be extended to listen to confogurations from SERIAL_CONSOLE table and restarts the serial_console.service. Serial console script will read SERIAL_CONSOLE table and update config files accordingly. |
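Review bot: the flow text names `serial_console.service`, while the service described later in this thread is `serial-console.service` started `Before=getty-pre.target`; pick one name and use it throughout. Also fix `modifing` and `confogurations`, and the sentence "When the feature is enabled, by modifying the DB manually, user will set serial-console configurations by modifing CONFIG_DB" says the same thing twice; state plainly that the user writes the SERIAL_CONSOLE table in CONFIG_DB and hostcfgd reacts to the change.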
Thanks, fixed in 9e32292.
doc/console/serial-console-HLD.md
Outdated
### 3.1 Flow description | ||
When the feature is enabled, by modifying the DB manually, user will set serial-console configurations by modifing CONFIG_DB in SERIAL_CONSOLE table. | ||
|
||
The hostcfgd daemon will be extended to listen to confogurations from SERIAL_CONSOLE table and restarts the serial_console.service. Serial console script will read SERIAL_CONSOLE table and update config files accordingly. |
This is a new service, not a vanilla Debian one.
The rationale behind its creation is to update the serial console config files (sysrq config, $TMOUT, and others that could be added in the future) before the user is allowed to start a serial connection.
We will achieve this by starting serial-console.service Before=getty-pre.target
Is it possible to move its functionality into hostcfgd service?
I believe hostcfgd starts too late for this purpose, and it will impact the user's config if the serial/ssh was started too early. That's why I think in this case moving the logic to hostcfgd is not a good solution.
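The config translation discussed in this thread (reusing limits.conf for the session limit, and a serial-console service writing TMOUT and SysRq settings from CONFIG_DB), as an added Python example that is not code from this PR, hostcfgd or the HLD; the POLICIES key, the field names and the "0 means no auto-logout" rule follow the review discussion, while the fragment names and the sysrq mask value are assumptions:

```python
"""Added example, not code from the SONiC PR or from hostcfgd: render the host
config fragments the HLD review discusses (pam_limits line, shell TMOUT, sysctl
for SysRq) from CONFIG_DB-style SSH_SERVER / SERIAL_CONSOLE entries, enforcing the
reviewed YANG ranges: auto_logout 0..35000 min (0 = never), max_syslogins 3..100."""
AUTO_LOGOUT_MAX = 35000  # minutes, upper bound from the reviewed YANG range
SYSLOGINS_MIN, SYSLOGINS_MAX = 3, 100  # from the ssh policy table

# Constructed sample in CONFIG_DB shape; the POLICIES key and field names follow the HLD
SAMPLE_CONFIG_DB = {"SSH_SERVER": {"POLICIES": {"max_syslogins": "5", "auto_logout": "0"}},
                    "SERIAL_CONSOLE": {"POLICIES": {"sysrq_capabilities": "enabled"}}}

def _uint_in_range(value, lo, hi, name):
    """CONFIG_DB values arrive as strings; coerce and range-check as the YANG type would."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{name}: not an integer: {value!r}") from None
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} outside {lo}..{hi}")
    return n

def render_limits_conf(policies):
    """pam_limits line for the system-wide login cap (limits.conf 'maxsyslogins')."""
    n = _uint_in_range(policies.get("max_syslogins", 100),
                       SYSLOGINS_MIN, SYSLOGINS_MAX, "max_syslogins")
    return f"*\thard\tmaxsyslogins\t{n}\n"

def render_tmout(policies):
    """Shell TMOUT takes seconds; the policy is in minutes. 0 disables auto-logout."""
    minutes = _uint_in_range(policies.get("auto_logout", 15), 0, AUTO_LOGOUT_MAX, "auto_logout")
    if minutes == 0:
        return "unset TMOUT\n"
    return f"export TMOUT={minutes * 60}\n"

def render_sysrq(policies):
    """sysctl fragment: default disabled (0); 'enabled' is the kernel's full-access mask (1)."""
    state = policies.get("sysrq_capabilities", "disabled")
    if state not in ("enabled", "disabled"):
        raise ValueError(f"sysrq_capabilities: unexpected value {state!r}")
    return f"kernel.sysrq = {1 if state == 'enabled' else 0}\n"

def render_all(config_db):
    """Fragments for both tables, keyed by name (where each is installed is up to the service)."""
    ssh = config_db.get("SSH_SERVER", {}).get("POLICIES", {})
    serial = config_db.get("SERIAL_CONSOLE", {}).get("POLICIES", {})
    return {"limits.conf": render_limits_conf(ssh), "ssh_tmout": render_tmout(ssh),
            "serial_tmout": render_tmout(serial), "sysrq": render_sysrq(serial)}
```

Calling `render_all(SAMPLE_CONFIG_DB)` shows the 0 sentinel producing `unset TMOUT` for SSH while the serial console keeps the 15-minute default, and out-of-range or non-integer values are rejected before anything is written.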
Fix typos.
Fix typos
Fix HLD with missed "POLICIES" container in config/cli tree.
LGTM. Please check with other active reviewers.
@zhangyanzhao as other reviewers have no further comments, I believe we should move to the next step and merge.
@venkatmahalingam can you please approve this PR if there are no more comments from your side?
@i-davydenko can you please help to add the code PRs to this HLD by referring to #806? Thanks.
@i-davydenko please add a table with all the PRs under this feature in the PR description.
@liat-grozovik Done
code PR review is on-going. Still target 202405 release |
code PRs are not approved yet, move to backlog for future release |
sonic-net/SONiC#1367

#### Why I did it

Give ability to:
1. configure limit for active login sessions.
2. configure ssh-server / serial console autologout timeout
3. configure sysrq-capabilities (enable / disable)

Work item tracking: Microsoft ADO (number only):

#### How I did it

Add a new service that is responsible for serial configuration; update existing flows for extended ssh-server configurations in hostcfgd; add a YANG model to support the new configuration.

#### How to verify it

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes:
[ssh_server](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#ssh_server)
[serial_console](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#serial_console)
HLD: sonic-net/SONiC#1367

| Module name | PR | state | context |
| ------------- | ------------- | ----|-----|
| [sonic-buildimage](https://github.com/sonic-net/sonic-buildimage) | [Dev cli sessions](sonic-net/sonic-buildimage#17623) | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/sonic-net/sonic-buildimage/17623) | ![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/sonic-net/sonic-buildimage/17623) |
| [sonic-host-services](https://github.com/sonic-net/sonic-host-services) | [cli-sessions](sonic-net/sonic-host-services#99) | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/sonic-net/sonic-host-services/99) | ![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/sonic-net/sonic-host-services/99) |
| [sonic-utilities](https://github.com/sonic-net/sonic-utilities) | [SONIC CLI for CLI-Sessions feature #3175](#3175) | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/sonic-net/sonic-utilities/3175) | ![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/sonic-net/sonic-utilities/3175) |

#### What I did

Implement the following commands for the CLI-sessions feature:
- config serial-console inactivity-timeout
- config serial-console sysrq-capabilities
- show serial-console
- config ssh max-sessions
- config ssh inactivity-timeout
- show ssh

#### How I did it

Write handlers in config/main.py for serial-console and ssh commands to cover configuration set; write handlers in show/main.py for serial-console and ssh to cover show commands.

#### How to verify it

Manual tests
Prepared HLD documents for CLI sessions feature
Updated ssh_config.md with auto-logout and max-syslogins parameters.
Created serial-console-HLD.md
Signed-off-by: Ivan Davydenko ivanda@nvidia.com