From 0ad5af3d2a97076f69c4da5fcda9ebbb91800472 Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Thu, 19 Oct 2023 15:09:57 -0700 Subject: [PATCH] Move sonic-host-services-data from sonic-buildimage into this repo This repo's tests depend on files that are in src/sonic-host-services-data in sonic-buildimage. Due to PR check requirements, this creates a cyclical dependency when needing to update the templates and the sample output files. To fix that cyclical dependency, move that directory into this repo. That way, both the templates and the sample output files can be updated in a single commit. 
Signed-off-by: Saikrishna Arcot --- azure-pipelines.yml | 17 ---- data/.gitignore | 6 ++ data/MAINTAINERS | 7 ++ data/README.md | 19 +++++ data/debian/changelog | 5 ++ data/debian/compat | 1 + data/debian/control | 11 +++ data/debian/copyright | 0 data/debian/install | 2 + data/debian/rules | 24 ++++++ ...sonic-host-services-data.aaastatsd.service | 14 ++++ .../sonic-host-services-data.aaastatsd.timer | 12 +++ .../sonic-host-services-data.caclmgrd.service | 15 ++++ ...rvices-data.determine-reboot-cause.service | 12 +++ .../sonic-host-services-data.featured.service | 10 +++ .../sonic-host-services-data.featured.timer | 12 +++ .../sonic-host-services-data.hostcfgd.service | 11 +++ .../sonic-host-services-data.hostcfgd.timer | 12 +++ ...ost-services-data.procdockerstatsd.service | 14 ++++ ...services-data.process-reboot-cause.service | 8 ++ ...t-services-data.process-reboot-cause.timer | 9 ++ ...st-services-data.sonic-hostservice.service | 16 ++++ data/org.sonic.hostservice.conf | 18 ++++ data/templates/common-auth-sonic.j2 | 83 +++++++++++++++++++ data/templates/common-password.j2 | 43 ++++++++++ data/templates/limits.conf.j2 | 69 +++++++++++++++ data/templates/pam_limits.j2 | 12 +++ data/templates/pam_radius_auth.conf.j2 | 3 + data/templates/radius_nss.conf.j2 | 58 +++++++++++++ data/templates/tacplus_nss.conf.j2 | 60 ++++++++++++++ tests/hostcfgd/hostcfgd_passwh_test.py | 2 +- 31 files changed, 567 insertions(+), 18 deletions(-) create mode 100644 data/.gitignore create mode 100644 data/MAINTAINERS create mode 100644 data/README.md create mode 100644 data/debian/changelog create mode 100644 data/debian/compat create mode 100644 data/debian/control create mode 100644 data/debian/copyright create mode 100644 data/debian/install create mode 100755 data/debian/rules create mode 100644 data/debian/sonic-host-services-data.aaastatsd.service create mode 100644 data/debian/sonic-host-services-data.aaastatsd.timer create mode 100644 
data/debian/sonic-host-services-data.caclmgrd.service create mode 100644 data/debian/sonic-host-services-data.determine-reboot-cause.service create mode 100644 data/debian/sonic-host-services-data.featured.service create mode 100644 data/debian/sonic-host-services-data.featured.timer create mode 100644 data/debian/sonic-host-services-data.hostcfgd.service create mode 100644 data/debian/sonic-host-services-data.hostcfgd.timer create mode 100644 data/debian/sonic-host-services-data.procdockerstatsd.service create mode 100644 data/debian/sonic-host-services-data.process-reboot-cause.service create mode 100644 data/debian/sonic-host-services-data.process-reboot-cause.timer create mode 100644 data/debian/sonic-host-services-data.sonic-hostservice.service create mode 100644 data/org.sonic.hostservice.conf create mode 100644 data/templates/common-auth-sonic.j2 create mode 100644 data/templates/common-password.j2 create mode 100755 data/templates/limits.conf.j2 create mode 100755 data/templates/pam_limits.j2 create mode 100644 data/templates/pam_radius_auth.conf.j2 create mode 100644 data/templates/radius_nss.conf.j2 create mode 100644 data/templates/tacplus_nss.conf.j2 diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 6c1be77b..34e387e6 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -7,13 +7,6 @@ trigger: - master - 202??? -resources: - repositories: - - repository: sonic-buildimage - type: github - name: sonic-net/sonic-buildimage - endpoint: build - variables: - name: BUILD_BRANCH ${{ if eq(variables['Build.Reason'], 'PullRequest') }}: 
@@ -42,16 +35,6 @@ stages: clean: true submodules: recursive displayName: 'Checkout code' - - - checkout: sonic-buildimage - clean: true - displayName: 'Checkout code' - - - task: CopyFiles@2 - inputs: - SourceFolder: '$(System.DefaultWorkingDirectory)/sonic-buildimage/src/sonic-host-services-data/' - contents: '**' - targetFolder: $(System.DefaultWorkingDirectory)/sonic-host-services-data/ - task: DownloadPipelineArtifact@2 inputs: diff --git a/data/.gitignore b/data/.gitignore new file mode 100644 index 00000000..b941ede4 --- /dev/null +++ b/data/.gitignore @@ -0,0 +1,6 @@ +debian/*.debhelper +debian/debhelper-build-stamp +debian/sonic-host-services-data/ +sonic-host-services-data_*.buildinfo +sonic-host-services-data_*.changes +sonic-host-services-data_*.deb diff --git a/data/MAINTAINERS b/data/MAINTAINERS new file mode 100644 index 00000000..09c49789 --- /dev/null +++ b/data/MAINTAINERS @@ -0,0 +1,7 @@ +# This file describes the maintainers for sonic-host-services-data +# See the SONiC project governance document for more information + +Name = "Joe LeVeque" +Email = "jolevequ@microsoft.com" +Github = jleveque +Mailinglist = sonicproject@googlegroups.com diff --git a/data/README.md b/data/README.md new file mode 100644 index 00000000..0b9e7149 --- /dev/null +++ b/data/README.md @@ -0,0 +1,19 @@ +# sonic-host-services-data +Data files required for SONiC host services + + +## To build + +``` +dpkg-buildpackage -rfakeroot -b -us -uc +``` + +## To clean + +``` +dpkg-buildpackage -rfakeroot -Tclean +``` + +--- + +See the [SONiC Website](https://sonic-net.github.io/SONiC/) for more information about the SONiC project. diff --git a/data/debian/changelog b/data/debian/changelog new file mode 100644 index 00000000..89e14bad --- /dev/null +++ b/data/debian/changelog @@ -0,0 +1,5 @@ +sonic-host-services-data (1.0-1) UNRELEASED; urgency=low + + * Initial release + + -- Joe LeVeque Tue, 20 Oct 2020 02:35:43 +0000 
diff --git a/data/debian/compat b/data/debian/compat new file mode 100644 index 00000000..b4de3947 --- /dev/null +++ b/data/debian/compat @@ -0,0 +1 @@ +11 diff --git a/data/debian/control b/data/debian/control new file mode 100644 index 00000000..ebb495e3 --- /dev/null +++ b/data/debian/control @@ -0,0 +1,11 @@ +Source: sonic-host-services-data +Maintainer: Joe LeVeque +Section: misc +Priority: optional +Standards-Version: 0.1 +Build-Depends: debhelper (>=11) + +Package: sonic-host-services-data +Architecture: all +Depends: ${misc:Depends} +Description: Data files required for SONiC host services diff --git a/data/debian/copyright b/data/debian/copyright new file mode 100644 index 00000000..e69de29b diff --git a/data/debian/install b/data/debian/install new file mode 100644 index 00000000..91edbd1c --- /dev/null +++ b/data/debian/install @@ -0,0 +1,2 @@ +templates/*.j2 /usr/share/sonic/templates/ +org.sonic.hostservice.conf /etc/dbus-1/system.d diff --git a/data/debian/rules b/data/debian/rules new file mode 100755 index 00000000..47d26ccb --- /dev/null +++ b/data/debian/rules @@ -0,0 +1,24 @@ +#!/usr/bin/make -f + +ifeq (${ENABLE_HOST_SERVICE_ON_START}, y) + HOST_SERVICE_OPTS := --no-start +else + HOST_SERVICE_OPTS := --no-start --no-enable +endif + + +build: + +%: + dh $@ + +override_dh_installsystemd: + dh_installsystemd --no-start --name=caclmgrd + dh_installsystemd --no-start --name=hostcfgd + dh_installsystemd --no-start --name=featured + dh_installsystemd --no-start --name=aaastatsd + dh_installsystemd --no-start --name=procdockerstatsd + dh_installsystemd --no-start --name=determine-reboot-cause + dh_installsystemd --no-start --name=process-reboot-cause + dh_installsystemd $(HOST_SERVICE_OPTS) --name=sonic-hostservice + diff --git a/data/debian/sonic-host-services-data.aaastatsd.service b/data/debian/sonic-host-services-data.aaastatsd.service new file mode 100644 index 00000000..b93fe92c --- /dev/null 
+++ b/data/debian/sonic-host-services-data.aaastatsd.service @@ -0,0 +1,14 @@ +[Unit] +Description=AAA Statistics Collection daemon +Requires=hostcfgd.service +After=hostcfgd.service updategraph.service +BindsTo=sonic.target +After=sonic.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/aaastatsd +Restart=on-failure +RestartSec=10 +TimeoutStopSec=3 + diff --git a/data/debian/sonic-host-services-data.aaastatsd.timer b/data/debian/sonic-host-services-data.aaastatsd.timer new file mode 100644 index 00000000..8b6426db --- /dev/null +++ b/data/debian/sonic-host-services-data.aaastatsd.timer @@ -0,0 +1,12 @@ +[Unit] +Description=Delays aaastatsd daemon until SONiC has started +PartOf=aaastatsd.service + +[Timer] +OnUnitActiveSec=0 sec +OnBootSec=1min 30 sec +Unit=aaastatsd.service + +[Install] +WantedBy=timers.target sonic.target + diff --git a/data/debian/sonic-host-services-data.caclmgrd.service b/data/debian/sonic-host-services-data.caclmgrd.service new file mode 100644 index 00000000..e24ed10b --- /dev/null +++ b/data/debian/sonic-host-services-data.caclmgrd.service @@ -0,0 +1,15 @@ +[Unit] +Description=Control Plane ACL configuration daemon +Requires=updategraph.service +After=updategraph.service +BindsTo=sonic.target +After=sonic.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/caclmgrd +Restart=always +RestartSec=30 + +[Install] +WantedBy=sonic.target diff --git a/data/debian/sonic-host-services-data.determine-reboot-cause.service b/data/debian/sonic-host-services-data.determine-reboot-cause.service new file mode 100644 index 00000000..e834b933 --- /dev/null +++ b/data/debian/sonic-host-services-data.determine-reboot-cause.service @@ -0,0 +1,12 @@ +[Unit] +Description=Reboot cause determination service +Requires=rc-local.service database.service +After=rc-local.service database.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/local/bin/determine-reboot-cause + +[Install] +WantedBy=multi-user.target 
diff --git a/data/debian/sonic-host-services-data.featured.service b/data/debian/sonic-host-services-data.featured.service new file mode 100644 index 00000000..0913e945 --- /dev/null +++ b/data/debian/sonic-host-services-data.featured.service @@ -0,0 +1,10 @@ +[Unit] +Description=Feature configuration daemon +Requires=updategraph.service +After=updategraph.service +BindsTo=sonic.target +After=sonic.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/featured diff --git a/data/debian/sonic-host-services-data.featured.timer b/data/debian/sonic-host-services-data.featured.timer new file mode 100644 index 00000000..12fbbe10 --- /dev/null +++ b/data/debian/sonic-host-services-data.featured.timer @@ -0,0 +1,12 @@ +[Unit] +Description=Delays feature daemon until SONiC has started +PartOf=featured.service + +[Timer] +OnUnitActiveSec=0 sec +OnBootSec=1min 30 sec +Unit=featured.service + +[Install] +WantedBy=timers.target sonic.target + diff --git a/data/debian/sonic-host-services-data.hostcfgd.service b/data/debian/sonic-host-services-data.hostcfgd.service new file mode 100644 index 00000000..5e243452 --- /dev/null +++ b/data/debian/sonic-host-services-data.hostcfgd.service @@ -0,0 +1,11 @@ +[Unit] +Description=Host config enforcer daemon +Requires=updategraph.service +After=updategraph.service +BindsTo=sonic.target +After=sonic.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/hostcfgd + diff --git a/data/debian/sonic-host-services-data.hostcfgd.timer b/data/debian/sonic-host-services-data.hostcfgd.timer new file mode 100644 index 00000000..b45fd4b2 --- /dev/null +++ b/data/debian/sonic-host-services-data.hostcfgd.timer @@ -0,0 +1,12 @@ +[Unit] +Description=Delays hostcfgd daemon until SONiC has started +PartOf=hostcfgd.service + +[Timer] +OnUnitActiveSec=0 sec +OnBootSec=1min 30 sec +Unit=hostcfgd.service + +[Install] +WantedBy=timers.target sonic.target + 
diff --git a/data/debian/sonic-host-services-data.procdockerstatsd.service b/data/debian/sonic-host-services-data.procdockerstatsd.service new file mode 100644 index 00000000..68b9e61b --- /dev/null +++ b/data/debian/sonic-host-services-data.procdockerstatsd.service @@ -0,0 +1,14 @@ +[Unit] +Description=Process and docker CPU/memory utilization data export daemon +Requires=database.service updategraph.service +After=database.service updategraph.service +BindsTo=sonic.target +After=sonic.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/procdockerstatsd +Restart=always + +[Install] +WantedBy=sonic.target diff --git a/data/debian/sonic-host-services-data.process-reboot-cause.service b/data/debian/sonic-host-services-data.process-reboot-cause.service new file mode 100644 index 00000000..14af8868 --- /dev/null +++ b/data/debian/sonic-host-services-data.process-reboot-cause.service @@ -0,0 +1,8 @@ +[Unit] +Description=Retrieve the reboot cause from the history files and save them to StateDB +Requires=database.service determine-reboot-cause.service +After=database.service determine-reboot-cause.service + +[Service] +Type=simple +ExecStart=/usr/local/bin/process-reboot-cause diff --git a/data/debian/sonic-host-services-data.process-reboot-cause.timer b/data/debian/sonic-host-services-data.process-reboot-cause.timer new file mode 100644 index 00000000..222c51a7 --- /dev/null +++ b/data/debian/sonic-host-services-data.process-reboot-cause.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Delays process-reboot-cause until network is stably connected + +[Timer] +OnBootSec=1min 30 sec +Unit=process-reboot-cause.service + +[Install] +WantedBy=timers.target diff --git a/data/debian/sonic-host-services-data.sonic-hostservice.service b/data/debian/sonic-host-services-data.sonic-hostservice.service new file mode 100644 index 00000000..799f3511 --- /dev/null +++ b/data/debian/sonic-host-services-data.sonic-hostservice.service 
@@ -0,0 +1,16 @@ +[Unit] +Description=SONiC Host Service + +[Service] +Type=dbus +BusName=org.SONiC.HostService + +ExecStart=/usr/bin/python3 -u /usr/local/bin/sonic-host-server + +Restart=on-failure +RestartSec=10 +TimeoutStopSec=3 + +[Install] +WantedBy=mgmt-framework.service telemetry.service + diff --git a/data/org.sonic.hostservice.conf b/data/org.sonic.hostservice.conf new file mode 100644 index 00000000..08599007 --- /dev/null +++ b/data/org.sonic.hostservice.conf @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + diff --git a/data/templates/common-auth-sonic.j2 b/data/templates/common-auth-sonic.j2 new file mode 100644 index 00000000..b20c9f4e --- /dev/null +++ b/data/templates/common-auth-sonic.j2 
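Review bot: The `[Service]` section has no `User=`/`Group=`, so sonic-host-server runs as root while being published on the system bus as `org.SONiC.HostService`; any caller the bus policy admits is therefore talking to a root process, and the only gate is the D-Bus policy installed from org.sonic.hostservice.conf, whose contents are not legible in this patch. That trust boundary deserves a comment in the unit itself, e.g. `# Runs as root (no User=); caller access is governed solely by /etc/dbus-1/system.d/org.sonic.hostservice.conf`. Whether hardening directives such as `CapabilityBoundingSet=` or `ProtectSystem=` are viable depends on what sonic-host-server actually does, which is outside this diff.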
@@ -0,0 +1,83 @@ +#THIS IS AN AUTO-GENERATED FILE +# +# /etc/pam.d/common-auth- authentication settings common to all services +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# here are the per-package modules (the "Primary" block) + +{% if auth['login'] == 'local' %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% elif auth['login'] == 'local,tacacs+' %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass +{% for server in servers | sub(0, -1) %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {% if server.vrf %} vrf={{ server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass +{% endfor %} +{% if servers | count %} +{% set last_server = servers | last %} +auth [success=1 default=ignore] pam_tacplus.so server={{ last_server.ip }}:{{ last_server.tcp_port }} secret={{ last_server.passkey }} login={{ last_server.auth_type }} timeout={{ last_server.timeout }} {% if last_server.vrf %} vrf={{ last_server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass + +{% endif %} +{% elif auth['login'] == 'tacacs+' or auth['login'] == 'tacacs+,local' %} +{% for server in servers %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_tacplus.so server={{ server.ip }}:{{ server.tcp_port }} secret={{ server.passkey }} login={{ server.auth_type }} timeout={{ server.timeout }} {%if server.vrf %} vrf={{ 
server.vrf }} {% endif %} {{ 'source_ip=%s' % src_ip if src_ip }} try_first_pass +{% endfor %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% elif auth['login'] == 'local,radius' %} +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass +# For the RADIUS servers, on success jump to the cacheing the MPL(Privilege) +{% for server in servers %} +auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass +{% endfor %} +auth requisite pam_deny.so +# Cache MPL(Privilege) +auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius + +{% elif auth['login'] == 'radius,local' %} +# root user can only be authenticated locally. Jump to local. 
+{% if servers | count %} +auth [success={{ (servers | count) }} default=ignore] pam_succeed_if.so user = root +{% else %} +auth [success=ok default=ignore] pam_succeed_if.so user = root +{% endif %} +# For the RADIUS servers, on success jump to the cache the MPL(Privilege) +{% for server in servers %} +auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass +{% endfor %} +# Local +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass +auth requisite pam_deny.so +# Cache MPL(Privilege) +auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius + +{% elif auth['login'] == 'radius' %} +# root user can only be authenticated locally. Jump to local. 
+auth [success={{ (servers | count) + 2 }} default=ignore] pam_succeed_if.so user = root +# For the RADIUS servers, on success jump to the cache the MPL(Privilege) +{% for server in servers %} +auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass +{% endfor %} +auth requisite pam_deny.so +# Cache MPL(Privilege) +auth [success=2 default=ignore] pam_exec.so /usr/sbin/cache_radius +# Local +auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass + +{% else %} +auth [success=1 default=ignore] pam_unix.so nullok try_first_pass + +{% endif %} +# +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) + diff --git a/data/templates/common-password.j2 b/data/templates/common-password.j2 new file mode 100644 index 00000000..933a4f0a --- /dev/null +++ b/data/templates/common-password.j2 
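Review bot: In the `local,tacacs+`, `tacacs+` and `tacacs+,local` branches the shared secret is interpolated verbatim into the PAM line (`secret={{ server.passkey }}`), so the rendered /etc/pam.d/common-auth-sonic holds every TACACS+ key in clear text, and a passkey containing whitespace would be split into extra module arguments by the PAM parser; the template neither escapes nor validates it and says nothing about the file mode the renderer must apply. A header line next to "THIS IS AN AUTO-GENERATED FILE" would record both constraints: `# Contains TACACS+ shared secrets: must be written root:root 0600; passkeys must not contain whitespace`. Separately, every local branch uses `pam_unix.so nullok`, which admits accounts whose shadow password field is empty; if that is not a deliberate choice for a network OS, `nullok` should be dropped.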
@@ -0,0 +1,43 @@ +#THIS IS AN AUTO-GENERATED FILE +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# The "yescrypt" option enables +#hashed passwords using the yescrypt algorithm, introduced in Debian +#11. Without this option, the default is Unix crypt. Prior releases +#used the option "sha512"; if a shadow password hash will be shared +#between Debian 11 and older releases replace "yescrypt" with "sha512" +#for compatibility . The "obscure" option replaces the old +#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage +#for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. 
+ +# here are the per-package modules (the "Primary" block) + +{% if passw_policies %} +{% if passw_policies['state'] == 'enabled' %} +password requisite pam_pwquality.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% else %}ucredit=0{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% else %}lcredit=0{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% else %}dcredit=0{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% else %}ocredit=0{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root + +password required pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok enforce_for_root +{% endif %} +{% endif %} + +password [success=1 default=ignore] pam_unix.so obscure yescrypt +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/data/templates/limits.conf.j2 b/data/templates/limits.conf.j2 new file mode 100755 index 00000000..a3708e2d --- /dev/null +++ b/data/templates/limits.conf.j2 
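Review bot: When a password policy is enabled, the `pam_unix.so obscure yescrypt` line has no `use_authtok`, so after pam_pwquality and pam_pwhistory have accepted one token pam_unix prompts for a new password of its own and stores whatever is typed at that second prompt, which sidesteps the quality and history checks just configured. Debian's pam-auth-update profile pairs pwquality with `pam_unix.so ... use_authtok try_first_pass` for exactly this reason. Suggested line: `password [success=1 default=ignore] pam_unix.so obscure yescrypt{% if passw_policies and passw_policies['state'] == 'enabled' %} use_authtok try_first_pass{% endif %}`, keeping it conditional so the policy-disabled rendering is unchanged. The sample outputs under tests/hostcfgd are not in this diff and would presumably need regenerating.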
@@ -0,0 +1,69 @@ +# /etc/security/limits.conf +# +# This file generate by j2 template file: src/sonic-host-services-data/templates/limits.conf.j2 +# +# Each line describes a limit for a user in the form: +# +# +# +# Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open file descriptors +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# is related with : +# All items support the values -1, unlimited or infinity indicating +# no limit, except for priority and nice. +# +# If a hard limit or soft limit of a resource is set to a valid value, +# but outside of the supported range of the local system, the system +# may reject the new limit or unexpected behavior may occur. 
If the +# control value required is used, the module will reject the login if +# a limit could not be set. +# +# +# + +# * soft core 0 +# root hard core 100000 +# * hard rss 10000 +# @student hard nproc 20 +# @faculty soft nproc 20 +# @faculty hard nproc 50 +# ftp hard nproc 0 +# ftp - chroot /ftp +# @student - maxlogins 4 + +# End of file diff --git a/data/templates/pam_limits.j2 b/data/templates/pam_limits.j2 new file mode 100755 index 00000000..6a421d04 --- /dev/null +++ b/data/templates/pam_limits.j2 @@ -0,0 +1,12 @@ +#THIS IS AN AUTO-GENERATED FILE +# +# This file generate by j2 template file: src/sonic-host-services-data/templates/pam_limits.j2 +# +# /etc/pam.d/pam-limits settings common to all services +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# here are the per-package modules (the "Primary" block) \ No newline at end of file diff --git a/data/templates/pam_radius_auth.conf.j2 b/data/templates/pam_radius_auth.conf.j2 new file mode 100644 index 00000000..7d3c73e1 --- /dev/null +++ b/data/templates/pam_radius_auth.conf.j2 @@ -0,0 +1,3 @@ +# server[:port] shared_secret timeout(s) source_ip vrf +[{{ server.ip }}]:{{ server.auth_port }} {{ server.passkey }} {{ server.timeout }} {% if server.src_ip %} {{ server.src_ip }} {% endif %} {% if server.vrf %} {% if not server.src_ip %} - {% endif %} {{ server.vrf }}{% endif %} + diff --git a/data/templates/radius_nss.conf.j2 b/data/templates/radius_nss.conf.j2 new file mode 100644 index 00000000..a0da68d3 --- /dev/null +++ b/data/templates/radius_nss.conf.j2 
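Review bot: The single data line writes the RADIUS shared secret (`{{ server.passkey }}`) into /etc/pam_radius_auth.d/&lt;ip&gt;_&lt;port&gt;.conf as the second whitespace-separated column, and the template neither escapes it nor states the file mode the renderer has to apply; a secret containing a space would shift the timeout and source_ip columns by one. A second comment line would document both constraints: `# Contains the shared secret: renderer must write this file root:root 0600; passkey must not contain whitespace`. Which component renders the file is not visible here, so the mode guidance should be confirmed against the caller.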
@@ -0,0 +1,58 @@ +#THIS IS AN AUTO-GENERATED FILE +# Generated from: /usr/share/sonic/templates/radius_nss.conf.j2 +# RADIUS NSS Configuration File +# +# Debug: on|off|trace +# Default: off +# +# debug=on +{% if debug %} +debug=on +{% endif %} + +# +# User Privilege: +# Default: +# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell +# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell + +# Eg: +# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/usr/bin/sonic-launch-shell +# user_priv=7;pw_info=netops;gid=999;group=docker;shell=/usr/bin/sonic-launch-shell +# user_priv=1;pw_info=operator;gid=100;group=docker;shell=/usr/bin/sonic-launch-shell +# + +# many_to_one: +# y: Map RADIUS users to one local user per privilege. +# n: Create local user account on first successful authentication. +# Default: n +# + +# Eg: +# many_to_one=y +# + +# unconfirmed_disallow: +# y: Do not allow unconfirmed users (users created before authentication) +# n: Allow unconfirmed users. +# Default: n + +# Eg: +# unconfirmed_disallow=y +# + +# unconfirmed_ageout: +# : Wait time before purging unconfirmed users +# Default: 600 +# + +# Eg: +# unconfirmed_ageout=900 +# + +# unconfirmed_regexp: +# : The RE to match the command line of processes for which the +# creation of unconfirmed users are to be allowed. +# Default: (.*: \[priv\])|(.*: \[accepted\]) +# where: is the unconfirmed user. +# diff --git a/data/templates/tacplus_nss.conf.j2 b/data/templates/tacplus_nss.conf.j2 new file mode 100644 index 00000000..812b47bf --- /dev/null +++ b/data/templates/tacplus_nss.conf.j2 
@@ -0,0 +1,60 @@ +# Configuration for libnss-tacplus + +# debug - If you want to open debug log, set it on +# Default: off +# debug=on +{% if debug %} +debug=on +{% endif %} + +# local_accounting - If you want to local accounting, set it +# Default: None +# local_accounting +{% if local_accounting %} +local_accounting +{% endif %} + +# tacacs_accounting - If you want to tacacs+ accounting, set it +# Default: None +# tacacs_accounting +{% if tacacs_accounting %} +tacacs_accounting +{% endif %} + +# local_authorization - If you want to local authorization, set it +# Default: None +# local_authorization +{% if local_authorization %} +local_authorization +{% endif %} + +# tacacs_authorization - If you want to tacacs+ authorization, set it +# Default: None +# tacacs_authorization +{% if tacacs_authorization %} +tacacs_authorization +{% endif %} + +# src_ip - set source address of TACACS+ protocol packets +# Default: None (auto source ip address) +# src_ip=2.2.2.2 +{% if src_ip %} +src_ip={{ src_ip }} +{% endif %} + +# server - set ip address, tcp port, secret string and timeout for TACACS+ servers +# Default: None (no TACACS+ server) +# server=1.1.1.1:49,secret=test,timeout=3 +{% for server in servers %} +server={{ server.ip }}:{{ server.tcp_port }},secret={{ server.passkey }},timeout={{ server.timeout }}{% if server.vrf %},vrf={{ server.vrf }}{% endif %}{{''}} +{% endfor %} + +# user_priv - set the map between TACACS+ user privilege and local user's passwd +# Default: +# user_priv=15;pw_info=remote_user_su;gid=1000;group=sudo,docker;shell=/bin/bash +# user_priv=1;pw_info=remote_user;gid=999;group=docker;shell=/bin/bash + +# many_to_one - create one local user for many TACACS+ users which has the same privilege +# Default: many_to_one=n +# many_to_one=y + diff --git a/tests/hostcfgd/hostcfgd_passwh_test.py b/tests/hostcfgd/hostcfgd_passwh_test.py index c583809b..a4eb7893 100755 --- a/tests/hostcfgd/hostcfgd_passwh_test.py +++ b/tests/hostcfgd/hostcfgd_passwh_test.py 
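Review bot: The server line packs `secret={{ server.passkey }}` into a comma-separated key=value list, so a passkey containing `,` would be cut at that character and the remainder parsed as a further option; the template applies no escaping or validation, and nothing states the mode the rendered /etc/tacplus_nss.conf must get even though an NSS module's configuration is commonly read by unprivileged processes. A comment on the `# server -` block would record both points: `# secret must not contain ','; this file holds TACACS+ keys in clear text - the renderer must set a restrictive mode`. Whether libnss-tacplus needs the file readable by non-root users is not visible in this diff, so the mode guidance should be confirmed against the NSS module.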
@@ -17,7 +17,7 @@ modules_path = os.path.dirname(test_path)
 scripts_path = os.path.join(modules_path, "scripts")
 src_path = os.path.dirname(modules_path)
-templates_path = os.path.join(src_path, "sonic-host-services-data/templates")
+templates_path = os.path.join(src_path, "data/templates")
 output_path = os.path.join(test_path, "hostcfgd/output")
 sample_output_path = os.path.join(test_path, "hostcfgd/sample_output")
 sys.path.insert(0, modules_path)