Dev cli sessions (#17623)

sonic-net/SONiC#1367

Why I did it
Give ability to:
1. configure limit for active login sessions.
2. configure ssh-server / serial console autologout timeout
3. configure sysrq-capabilities (enable / disable)

Work item tracking
Microsoft ADO (number only):

How I did it
Add new service that responsible for serial configuration;
Update existing flows for extended ssh-server configurations in hostcfgd;
Add YANG model to support new configuration.

How to verify it
Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog
Link to config_db schema for YANG module changes
[ssh_server](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#ssh_server)
[serial_console](https://github.com/sonic-net/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md#serial_console)

Author: i-davydenko

files/build_templates/sonic_debian_extension.j2

@@ -431,6 +431,13 @@ echo "ntpsec.service" | sudo tee -a $GENERATED_SERVICE_FILE
 # Copy DNS templates
 sudo cp $BUILD_TEMPLATES/dns.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 
+# Copy cli-sessions config files
+sudo cp $IMAGE_CONFIGS/cli_sessions/tmout-env.sh.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/sysrq-sysctl.conf.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.sh $FILESYSTEM_ROOT/usr/bin/
+sudo cp $IMAGE_CONFIGS/cli_sessions/serial-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
+echo "serial-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
+
 # Copy warmboot-finalizer files
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/finalize-warmboot.sh $FILESYSTEM_ROOT/usr/local/bin/finalize-warmboot.sh
 sudo LANG=C cp $IMAGE_CONFIGS/warmboot-finalizer/warmboot-finalizer.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM

files/image_config/cli_sessions/serial-config.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Update serial console config
+Requires=sonic.target
+After=sonic.target
+Before=getty-pre.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/serial-config.sh
+
+[Install]
+WantedBy=sonic.target

files/image_config/cli_sessions/serial-config.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# generate conf file for sysrq capabilities.
+sonic-cfggen -d -t /usr/share/sonic/templates/sysrq-sysctl.conf.j2 > /etc/sysctl.d/95-sysrq-sysctl.conf
+
+SYSRQ_CONF=0
+# update sysrq for current boot.
+sysrq_conf=`sonic-db-cli CONFIG_DB HGET "SERIAL_CONSOLE|POLICIES" sysrq_capabilities`
+if [ ${sysrq_conf} = "enabled" ]; then
+        SYSRQ_CONF=1
+fi
+sudo echo $SYSRQ_CONF > /proc/sys/kernel/sysrq
+
+# generate env file for profile.d to set auto-logout timeout for serial consoles.
+sonic-cfggen -d -t /usr/share/sonic/templates/tmout-env.sh.j2 > /etc/profile.d/tmout-env.sh

files/image_config/cli_sessions/sysrq-sysctl.conf.j2

@@ -0,0 +1,10 @@
+###############################################################################
+# This file was AUTOMATICALLY GENERATED. DO NOT MODIFY.
+# Controlled by serial-config.sh
+###############################################################################
+{% set sysrq = 0 %}
+{% set serial_policies = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_policies.sysrq_capabilities == 'enabled' %}
+{% set sysrq = 1 %}
+{% endif %}
+kernel.sysrq={{ sysrq }}

files/image_config/cli_sessions/tmout-env.sh.j2

@@ -0,0 +1,11 @@
+{# Default timeout (15 min) #}
+{% set inactivity_timeout_sec = 900 %}
+
+{% set serial_pol = (SERIAL_CONSOLE | d({})).get('POLICIES', {}) -%}
+{% if serial_pol and serial_pol.inactivity_timeout and serial_pol.inactivity_timeout | int >= 0 %}
+{% set inactivity_timeout_sec = serial_pol.inactivity_timeout | int * 60 %}
+{% endif %}
+
+{# apply only for serial tty #}
+tty | grep -q tty &&  \
+export TMOUT={{ inactivity_timeout_sec }}

src/sonic-yang-models/doc/Configuration.md

@@ -2694,20 +2694,41 @@ There are 4 classes
 }
 ```
 
+### SERIAL_CONSOLE
+
+In this table collected configuration of the next serial-console attributes:
+-   inactivity_timeout - Inactivity timeout for serial-console session, allowed values: 0-35000 (minutes), default value: 15
+-   sysrq_capabilities - Enabling or disabling SysRq functionality for serial-console session, allowed values: enabled/disabled, default value disabled
+
+```
+{
+    SERIAL_CONSOLE:{
+        "POLICIES":{
+            "inactivity_timeout": 15
+            "sysrq_capabilities": "disabled"
+        }
+    }
+}
+```
+
 ### SSH_SERVER
 
-In this table, we allow configuring ssh server global settings. This will feature includes 3 configurations:
+In this table, we allow configuring ssh server global settings. This will feature includes 5 configurations:
 
 -   authentication_retries - number of login attepmts 1-100
 -   login_timeout - Timeout in seconds for login session for user to connect 1-600
 -   ports - Ssh port numbers - string of port numbers seperated by ','
+-   inactivity_timeout - Inactivity timeout for SSH session, allowed values: 0-35000 (min), default value: 15 (min)
+-   max_sessions - Max number of concurrent logins, allowed values: 0-100 (where 0 means no limit), default value: 0
 ```
 {
     "SSH_SERVER": {
         "POLICIES":{
             "authentication_retries": "6",
             "login_timeout": "120",
-            "ports": "22"
+            "ports": "22",
+            "inactivity_timeout": "15",
+            "max_sessions": "0"
         }
     }
 }

src/sonic-yang-models/setup.py

@@ -203,6 +203,7 @@ def run(self):
                          './yang-models/sonic-macsec.yang',
                          './yang-models/sonic-bgp-sentinel.yang',
                          './yang-models/sonic-bmp.yang',
+                         './yang-models/sonic-serial-console.yang',
                          './yang-models/sonic-smart-switch.yang',]),
         ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
                          './cvlyang-models/sonic-banner.yang',
@@ -245,6 +246,7 @@ def run(self):
                          './cvlyang-models/sonic-nat.yang',
                          './cvlyang-models/sonic-nvgre-tunnel.yang',
                          './cvlyang-models/sonic-pbh.yang',
+                         './cvlyang-models/sonic-ssh-server.yang',
                          './cvlyang-models/sonic-policer.yang',
                          './cvlyang-models/sonic-port.yang',
                          './cvlyang-models/sonic-portchannel.yang',
@@ -280,6 +282,7 @@ def run(self):
                          './cvlyang-models/sonic-system-port.yang',
                          './cvlyang-models/sonic-macsec.yang',
                          './cvlyang-models/sonic-bmp.yang',
+                         './cvlyang-models/sonic-serial-console.yang',
                          './cvlyang-models/sonic-bgp-sentinel.yang']),
     ],
     zip_safe=False,

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -2448,7 +2448,16 @@
             "POLICIES":{
                 "authentication_retries": "6",
                 "login_timeout": "120",
-                "ports": "22"
+                "ports": "22",
+                "inactivity_timeout": "15",
+                "max_sessions": "0"
+            }
+        },
+
+        "SERIAL_CONSOLE": {
+            "POLICIES":{
+                "inactivity_timeout": "15",
+                "sysrq_capabilities": "disabled"
             }
         },
 

src/sonic-yang-models/tests/yang_model_tests/tests/serial_console.json

@@ -0,0 +1,13 @@
+{
+    "SERIAL_CONSOLE": {
+        "desc": "SERIAL_CONSOLE configuration in the Config DB table."
+    },
+    "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
+        "desc": "SERIAL_CONSOLE attribute 'inactivity_timeout' set to invalid value (out of allowed range of [0, 35000] minutes).",
+        "eStr": "does not satisfy the constraint \"0..35000\""
+    },
+    "SERIAL_CONSOLE_INVALID_SYSRQ" : {
+        "desc": "SERIAL_CONSOLE attribute 'sysrq' set to invalid value",
+        "eStr": "Invalid value"
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json

@@ -22,5 +22,13 @@
     "SSH_SERVER_INVALID_PORTS_2": {
         "desc": "Configure invalid port value in SSH_SERVER.",
         "eStr": "Invalid port numbers value"
+    },
+    "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
+        "desc": "Configure invalid inactivity_timeout value in SSH_SERVER.",
+        "eStr": "does not satisfy the constraint \"0..35000\""
+    },
+    "SSH_SERVER_INVALID_MAX_SESSIONS": {
+        "desc": "Configure invalid max_sessions value in SSH_SERVER.",
+        "eStr": "does not satisfy the constraint \"0..100\""
     }
-}
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/serial_console.json

@@ -0,0 +1,31 @@
+{
+    "SERIAL_CONSOLE": {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "inactivity_timeout": 900,
+                        "sysrq_capabilities": "disabled"
+                }
+            }
+        }
+    },
+
+    "SERIAL_CONSOLE_INVALID_INACTIVITY_TIMEOUT": {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "inactivity_timeout": -500
+                }
+            }
+        }
+    },
+    "SERIAL_CONSOLE_INVALID_SYSRQ" : {
+        "sonic-serial-console:sonic-serial-console": {
+            "sonic-serial-console:SERIAL_CONSOLE": {
+                "POLICIES": {
+                        "sysrq_capabilities": "negative"
+                }
+            }
+        }
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json

@@ -56,5 +56,23 @@
                 }
             }
         }
+    },
+    "SSH_SERVER_INVALID_INACTIVITY_TIMEOUT": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "inactivity_timeout": 500000
+                }
+            }
+        }
+    },
+    "SSH_SERVER_INVALID_MAX_SESSIONS": {
+        "sonic-ssh-server:sonic-ssh-server": {
+            "sonic-ssh-server:SSH_SERVER": {
+                "POLICIES":{
+                    "max_sessions": 222
+                }
+            }
+        }
     }
-}
+}

src/sonic-yang-models/yang-models/sonic-serial-console.yang

@@ -0,0 +1,37 @@
+//filename:  sonic-serial-console.yang
+module sonic-serial-console {
+    yang-version 1.1;
+    namespace "http://github.com/Azure/sonic-serial-console";
+    prefix cli-sessions;
+    import sonic-types {
+        prefix stypes;
+    }
+    description "SERIAL_CONSOLE YANG Module for SONiC-based OS";
+    revision 2023-06-07 {
+        description "First Revision";
+    }
+    container sonic-serial-console {
+        container SERIAL_CONSOLE {
+            description "SERIAL_CONSOLE part of config_db.json";
+            container POLICIES {
+                leaf inactivity_timeout {
+                    description "serial-console inactivity-timeout timer value in minutes";
+                    type int32 {
+                        range "0..35000";
+                    }
+                    default 15;
+                }
+
+                leaf sysrq_capabilities {
+                    type stypes:admin_mode;
+                    description "managing SysRq capabilities";
+                    default disabled;
+                }
+        }
+        /* end of container POLICIES */
+        }
+        /* end of container SERIAL_CONSOLE */
+    }
+    /* end of top level container */
+}
+/* end of module sonic-serial-console */

src/sonic-yang-models/yang-models/sonic-ssh-server.yang

@@ -11,6 +11,11 @@ module sonic-ssh-server {
         description
             "First Revision";
     }
+    
+    revision 2023-06-07 {
+        description
+            "Introduce inactivity timeout and max syslogins options";
+    }
 
     container sonic-ssh-server {
         container SSH_SERVER {
@@ -40,6 +45,20 @@ module sonic-ssh-server {
                         }
                     }
                 }
+                leaf inactivity_timeout {
+                    description "inactivity timeout (in minutes), 0 means no timeout";
+                    default 15;
+                    type uint32 {
+                        range 0..35000;
+                    }
+                }
+                leaf max_sessions {
+                    description "limit of concurrent system logins, 0 means no limit";
+                    default 0;
+                    type uint32 {
+                        range 0..100;
+                    }
+                }
             }/*container policies */
         } /* container SSH_SERVER  */
     }/* container sonic-ssh-server */