From 6e8c9a2d32d8200ce6da17075f06d5da98caf48f Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Tue, 8 Mar 2022 07:49:11 +0000
Subject: [PATCH 01/11] Add j2 template for enable pam_limit and limit ssh session
---
 files/build_templates/limits.conf.j2 | 62 ++++++++++++++++++++++++++++
 files/build_templates/pam_limits.j2 | 16 +++++++
 2 files changed, 78 insertions(+)
 create mode 100755 files/build_templates/limits.conf.j2
 create mode 100755 files/build_templates/pam_limits.j2
diff --git a/files/build_templates/limits.conf.j2 b/files/build_templates/limits.conf.j2
new file mode 100755
index 000000000000..112cb7ef8833
--- /dev/null
+++ b/files/build_templates/limits.conf.j2
@@ -0,0 +1,62 @@
+# /etc/security/limits.conf
+#
+# This file generate by j2 template file: files\build_templates\limits.conf.j2
+#
+#Each line describes a limit for a user in the form:
+#
+#
+#
+#Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, must be
+# the literal username root.
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#
+#
+
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+{% for user in limitusers %}
+{{ user.username }} hard maxlogins {{ user.maxlogin }}
+{% endfor %}
+
+# End of file
\ No newline at end of file
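Review bot: The loop `{{ user.username }} hard maxlogins {{ user.maxlogin }}` writes CONFIG_DB values into /etc/security/limits.conf unquoted and unvalidated, and pam_limits parses that file whitespace-delimited, so a `username` containing whitespace or a `maxlogin` that is not an integer produces a malformed entry that pam_limits rejects or misreads instead of enforcing. Whoever builds `limitusers` should validate the name against the system's user-name rules and the count as a non-negative integer, or the template should at least coerce it: `{{ user.username }} hard maxlogins {{ user.maxlogin | int }}`. `maxlogins` counts the user's utmp logins from every service that stacks pam_limits, not only ssh as the subject suggests; a comment above the loop saying so would prevent surprises at the console. The header line `# This file generate by j2 template file: ...` should read `# This file is generated from the j2 template ...`.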
diff --git a/files/build_templates/pam_limits.j2 b/files/build_templates/pam_limits.j2
new file mode 100755
index 000000000000..fde6338af5a0
--- /dev/null
+++ b/files/build_templates/pam_limits.j2
@@ -0,0 +1,16 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# This file generate by j2 template file: files\build_templates\pam_limits.j2
+#
+# /etc/pam.d/pam-limits settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+{% if sonic_enable_pam_limit == 'true' %}
+session required pam_limits.so
+{% endif %}
From 787db9968fa91116c18857129c8ad8740e966a05 Mon Sep 17 00:00:00 2001
From: liuh-80 <58683130+liuh-80@users.noreply.github.com>
Date: Mon, 14 Mar 2022 10:18:56 +0800
Subject: [PATCH 02/11] Update pam_limits.j2
---
 files/build_templates/pam_limits.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/build_templates/pam_limits.j2 b/files/build_templates/pam_limits.j2
index fde6338af5a0..9baff2a05d1c 100755
--- a/files/build_templates/pam_limits.j2
+++ b/files/build_templates/pam_limits.j2
@@ -1,6 +1,6 @@
 #THIS IS AN AUTO-GENERATED FILE
 #
-# This file generate by j2 template file: files\build_templates\pam_limits.j2
+# This file generate by j2 template file: files/build_templates/pam_limits.j2
 #
 # /etc/pam.d/pam-limits settings common to all services
 # This file is included from other service-specific PAM config files,
From f1e8a6ed6dbd6380723a09ab7459b92a7bafe167 Mon Sep 17 00:00:00 2001
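Review bot: `{% if sonic_enable_pam_limit == 'true' %}` renders `session required pam_limits.so` only when the variable is exactly the string `'true'`; a boolean `True` or the string `'True'` from the caller silently yields a file with no module line, and since the file is still written nothing flags the mistake. Compare case-insensitively, `{% if sonic_enable_pam_limit | string | lower == 'true' %}`, or pass a real boolean and test truthiness. The header comment is copied from Debian's common-auth ("authentication modules that define the central authentication scheme") and does not describe this file, which holds a session module; suggest `# Session-time resource limits (pam_limits.so) for the PAM stacks that include this file.` and `# This file is generated from the j2 template ...` for the line above it.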
From: liuh-80 <58683130+liuh-80@users.noreply.github.com>
Date: Mon, 14 Mar 2022 10:19:24 +0800
Subject: [PATCH 03/11] Update limits.conf.j2
---
 files/build_templates/limits.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/build_templates/limits.conf.j2 b/files/build_templates/limits.conf.j2
index 112cb7ef8833..b315d624999f 100755
--- a/files/build_templates/limits.conf.j2
+++ b/files/build_templates/limits.conf.j2
@@ -1,6 +1,6 @@
 # /etc/security/limits.conf
 #
-# This file generate by j2 template file: files\build_templates\limits.conf.j2
+# This file generate by j2 template file: files/build_templates/limits.conf.j2
 #
 #Each line describes a limit for a user in the form:
 #
@@ -59,4 +59,4 @@
 {{ user.username }} hard maxlogins {{ user.maxlogin }}
 {% endfor %}
 
-# End of file
\ No newline at end of file
+# End of file
From 64df6dd737a240d199f82a08050d80e445ab3144 Mon Sep 17 00:00:00 2001
From: liuh-80 <58683130+liuh-80@users.noreply.github.com>
Date: Mon, 14 Mar 2022 10:44:23 +0800
Subject: [PATCH 04/11] Update limits.conf.j2
---
 files/build_templates/limits.conf.j2 | 43 +++++++++++++++++-----------
 1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/files/build_templates/limits.conf.j2 b/files/build_templates/limits.conf.j2
index b315d624999f..593cc86ef373 100755
--- a/files/build_templates/limits.conf.j2
+++ b/files/build_templates/limits.conf.j2
@@ -2,12 +2,12 @@
 #
 # This file generate by j2 template file: files/build_templates/limits.conf.j2
 #
-#Each line describes a limit for a user in the form:
+# Each line describes a limit for a user in the form:
 #
-#
+#
 #
-#Where:
-# can be:
+# Where:
+# can be:
 # - a user name
 # - a group name, with @group syntax
 # - the wildcard *, for default entry
@@ -17,11 +17,11 @@
 # To apply a limit to the root user, must be
 # the literal username root.
 #
-# can have the two values:
+# can have the two values:
 # - "soft" for enforcing the soft limits
 # - "hard" for enforcing hard limits
 #
-# can be one of the following:
+# can be one of the following:
 # - core - limits the core file size (KB)
 # - data - max data size (KB)
 # - fsize - maximum filesize (KB)
@@ -42,18 +42,29 @@
 # - rtprio - max realtime priority
 # - chroot - change root to directory (Debian-specific)
 #
-#
+#
+# is related with :
+# All items support the values -1, unlimited or infinity indicating
+# no limit, except for priority and nice.
+#
+# If a hard limit or soft limit of a resource is set to a valid value,
+# but outside of the supported range of the local system, the system
+# may reject the new limit or unexpected behavior may occur. If the
+# control value required is used, the module will reject the login if
+# a limit could not be set.
+#
+#
 #
 
-#* soft core 0
-#root hard core 100000
-#* hard rss 10000
-#@student hard nproc 20
-#@faculty soft nproc 20
-#@faculty hard nproc 50
-#ftp hard nproc 0
-#ftp - chroot /ftp
-#@student - maxlogins 4
+# * soft core 0
+# root hard core 100000
+# * hard rss 10000
+# @student hard nproc 20
+# @faculty soft nproc 20
+# @faculty hard nproc 50
+# ftp hard nproc 0
+# ftp - chroot /ftp
+# @student - maxlogins 4
 
 {% for user in limitusers %}
 {{ user.username }} hard maxlogins {{ user.maxlogin }}
From 817ecc416256b381816847e02d73786491b7fcd9 Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Mon, 14 Mar 2022 03:18:28 +0000
Subject: [PATCH 05/11] Move template file location
---
 .../templates/limits.conf.j2 | 73 +++++++++++++++++++
 .../templates/pam_limits.j2 | 16 ++++
 2 files changed, 89 insertions(+)
 create mode 100755 src/sonic-host-services-data/templates/limits.conf.j2
 create mode 100755 src/sonic-host-services-data/templates/pam_limits.j2
diff --git a/src/sonic-host-services-data/templates/limits.conf.j2 b/src/sonic-host-services-data/templates/limits.conf.j2
new file mode 100755
index 000000000000..593cc86ef373
--- /dev/null
+++ b/src/sonic-host-services-data/templates/limits.conf.j2
@@ -0,0 +1,73 @@
+# /etc/security/limits.conf
+#
+# This file generate by j2 template file: files/build_templates/limits.conf.j2
+#
+# Each line describes a limit for a user in the form:
+#
+#
+#
+# Where:
+# can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, must be
+# the literal username root.
+#
+# can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+# can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#
+# is related with :
+# All items support the values -1, unlimited or infinity indicating
+# no limit, except for priority and nice.
+#
+# If a hard limit or soft limit of a resource is set to a valid value,
+# but outside of the supported range of the local system, the system
+# may reject the new limit or unexpected behavior may occur. If the
+# control value required is used, the module will reject the login if
+# a limit could not be set.
+#
+#
+#
+
+# * soft core 0
+# root hard core 100000
+# * hard rss 10000
+# @student hard nproc 20
+# @faculty soft nproc 20
+# @faculty hard nproc 50
+# ftp hard nproc 0
+# ftp - chroot /ftp
+# @student - maxlogins 4
+
+{% for user in limitusers %}
+{{ user.username }} hard maxlogins {{ user.maxlogin }}
+{% endfor %}
+
+# End of file
diff --git a/src/sonic-host-services-data/templates/pam_limits.j2 b/src/sonic-host-services-data/templates/pam_limits.j2
new file mode 100755
index 000000000000..9baff2a05d1c
--- /dev/null
+++ b/src/sonic-host-services-data/templates/pam_limits.j2
@@ -0,0 +1,16 @@
+#THIS IS AN AUTO-GENERATED FILE
+#
+# This file generate by j2 template file: files/build_templates/pam_limits.j2
+#
+# /etc/pam.d/pam-limits settings common to all services
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# here are the per-package modules (the "Primary" block)
+
+{% if sonic_enable_pam_limit == 'true' %}
+session required pam_limits.so
+{% endif %}
From e72797eab7ecfbd1261a899e2c2c344428b168b0 Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Mon, 14 Mar 2022 04:30:56 +0000
Subject: [PATCH 06/11] Fix old file not remove issue
---
 files/build_templates/limits.conf.j2 | 73 ----------------------
 files/build_templates/pam_limits.j2 | 16 ------
 2 files changed, 89 deletions(-)
 delete mode 100755 files/build_templates/limits.conf.j2
 delete mode 100755 files/build_templates/pam_limits.j2
diff --git a/files/build_templates/limits.conf.j2 b/files/build_templates/limits.conf.j2
deleted file mode 100755
index 593cc86ef373..000000000000
--- a/files/build_templates/limits.conf.j2
+++ /dev/null
@@ -1,73 +0,0 @@
-# /etc/security/limits.conf
-#
-# This file generate by j2 template file: files/build_templates/limits.conf.j2
-#
-# Each line describes a limit for a user in the form:
-#
-#
-#
-# Where:
-# can be:
-# - a user name
-# - a group name, with @group syntax
-# - the wildcard *, for default entry
-# - the wildcard %, can be also used with %group syntax,
-# for maxlogin limit
-# - NOTE: group and wildcard limits are not applied to root.
-# To apply a limit to the root user, must be
-# the literal username root.
-#
-# can have the two values:
-# - "soft" for enforcing the soft limits
-# - "hard" for enforcing hard limits
-#
-# can be one of the following:
-# - core - limits the core file size (KB)
-# - data - max data size (KB)
-# - fsize - maximum filesize (KB)
-# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open file descriptors
-# - rss - max resident set size (KB)
-# - stack - max stack size (KB)
-# - cpu - max CPU time (MIN)
-# - nproc - max number of processes
-# - as - address space limit (KB)
-# - maxlogins - max number of logins for this user
-# - maxsyslogins - max number of logins on the system
-# - priority - the priority to run user process with
-# - locks - max number of file locks the user can hold
-# - sigpending - max number of pending signals
-# - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to values: [-20, 19]
-# - rtprio - max realtime priority
-# - chroot - change root to directory (Debian-specific)
-#
-#
-# is related with :
-# All items support the values -1, unlimited or infinity indicating
-# no limit, except for priority and nice.
-#
-# If a hard limit or soft limit of a resource is set to a valid value,
-# but outside of the supported range of the local system, the system
-# may reject the new limit or unexpected behavior may occur. If the
-# control value required is used, the module will reject the login if
-# a limit could not be set.
-#
-#
-#
-
-# * soft core 0
-# root hard core 100000
-# * hard rss 10000
-# @student hard nproc 20
-# @faculty soft nproc 20
-# @faculty hard nproc 50
-# ftp hard nproc 0
-# ftp - chroot /ftp
-# @student - maxlogins 4
-
-{% for user in limitusers %}
-{{ user.username }} hard maxlogins {{ user.maxlogin }}
-{% endfor %}
-
-# End of file
diff --git a/files/build_templates/pam_limits.j2 b/files/build_templates/pam_limits.j2
deleted file mode 100755
index 9baff2a05d1c..000000000000
--- a/files/build_templates/pam_limits.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-#THIS IS AN AUTO-GENERATED FILE
-#
-# This file generate by j2 template file: files/build_templates/pam_limits.j2
-#
-# /etc/pam.d/pam-limits settings common to all services
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# here are the per-package modules (the "Primary" block)
-
-{% if sonic_enable_pam_limit == 'true' %}
-session required pam_limits.so
-{% endif %}
From e5be05b035c3d5fe68c0a422a3aee487fe7f434d Mon Sep 17 00:00:00 2001
From: liuh-80 <58683130+liuh-80@users.noreply.github.com>
Date: Mon, 14 Mar 2022 12:54:06 +0800
Subject: [PATCH 07/11] Move template files location
---
 .../sonic-host-services-data/templates}/limits.conf.j2 | 0
 .../sonic-host-services-data/templates}/pam_limits.j2 | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename {files/build_templates => src/sonic-host-services-data/templates}/limits.conf.j2 (100%)
 rename {files/build_templates => src/sonic-host-services-data/templates}/pam_limits.j2 (100%)
diff --git a/files/build_templates/limits.conf.j2 b/src/sonic-host-services-data/templates/limits.conf.j2
similarity index 100%
rename from files/build_templates/limits.conf.j2
rename to src/sonic-host-services-data/templates/limits.conf.j2
diff --git a/files/build_templates/pam_limits.j2 b/src/sonic-host-services-data/templates/pam_limits.j2
similarity index 100%
rename from files/build_templates/pam_limits.j2
rename to src/sonic-host-services-data/templates/pam_limits.j2
From 6f35781fea91e4f4291d4adbb03b0e1144ebf1b7 Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Fri, 18 Mar 2022 05:38:34 +0000
Subject: [PATCH 08/11] Improve config file generate process
---
 .../templates/limits.conf.j2 | 6 +-
 .../templates/pam_limits.j2 | 8 +--
 src/sonic-host-services/scripts/hostcfgd | 68 +++++++++++++++++++
 3 files changed, 71 insertions(+), 11 deletions(-)
diff --git a/src/sonic-host-services-data/templates/limits.conf.j2 b/src/sonic-host-services-data/templates/limits.conf.j2
index 593cc86ef373..41b37221e41e 100755
--- a/src/sonic-host-services-data/templates/limits.conf.j2
+++ b/src/sonic-host-services-data/templates/limits.conf.j2
@@ -1,6 +1,6 @@
 # /etc/security/limits.conf
 #
-# This file generate by j2 template file: files/build_templates/limits.conf.j2
+# This file generate by j2 template file: src/sonic-host-services-data/templates/limits.conf.j2
 #
 # Each line describes a limit for a user in the form:
 #
@@ -66,8 +66,4 @@
 # ftp - chroot /ftp
 # @student - maxlogins 4
 
-{% for user in limitusers %}
-{{ user.username }} hard maxlogins {{ user.maxlogin }}
-{% endfor %}
-
 # End of file
diff --git a/src/sonic-host-services-data/templates/pam_limits.j2 b/src/sonic-host-services-data/templates/pam_limits.j2
index 9baff2a05d1c..f87906932fb7 100755
--- a/src/sonic-host-services-data/templates/pam_limits.j2
+++ b/src/sonic-host-services-data/templates/pam_limits.j2
@@ -1,6 +1,6 @@
 #THIS IS AN AUTO-GENERATED FILE
 #
-# This file generate by j2 template file: files/build_templates/pam_limits.j2
+# This file generate by j2 template file: src/sonic-host-services-data/templates/pam_limits.j2
 #
 # /etc/pam.d/pam-limits settings common to all services
 # This file is included from other service-specific PAM config files,
@@ -9,8 +9,4 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
-# here are the per-package modules (the "Primary" block)
-
-{% if sonic_enable_pam_limit == 'true' %}
-session required pam_limits.so
-{% endif %}
+# here are the per-package modules (the "Primary" block)
\ No newline at end of file
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
index 9b39fb5eb807..8211a2574fe9 100755
--- a/src/sonic-host-services/scripts/hostcfgd
+++ b/src/sonic-host-services/scripts/hostcfgd
@@ -25,6 +25,10 @@ PAM_RADIUS_AUTH_CONF_TEMPLATE = "/usr/share/sonic/templates/pam_radius_auth.conf
 NSS_CONF = "/etc/nsswitch.conf"
 ETC_PAMD_SSHD = "/etc/pam.d/sshd"
 ETC_PAMD_LOGIN = "/etc/pam.d/login"
+PAM_LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/pam_limits.j2"
+LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/limits.conf.j2"
+PAM_LIMITS_CONF = "/etc/pam.d/pam-limits-conf"
+LIMITS_CONF = "/etc/security/limits.conf"
 
 # TACACS+
 TACPLUS_SERVER_PASSKEY_DEFAULT = ""
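Review bot: After the `@@ -9,8 +9,4 @@` hunk pam_limits.j2 no longer contains `session required pam_limits.so` or any other PAM directive, so the file hostcfgd renders to `/etc/pam.d/pam-limits-conf` (the constant added in the hostcfgd hunk on this line) is comment-only and loads nothing, and the surviving `# here are the per-package modules (the "Primary" block)` now introduces an empty block. If the module line is meant to come from a platform-specific override of this template, say so in the template, e.g. `# Platform templates add 'session required pam_limits.so' here; the default renders no module.`; otherwise the line should be restored. The trailing newline is also dropped (`\ No newline at end of file`), harmless to PAM but noisy in later diffs. Nothing in this commit adds an `@include pam-limits-conf` to the sshd or login stacks named by ETC_PAMD_SSHD/ETC_PAMD_LOGIN, so unless that is done elsewhere the rendered file is never consulted.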
@@ -950,6 +954,67 @@ class NtpCfg(object):
 syslog.syslog(syslog.LOG_INFO, 'ntp server update, restarting ntp-config, ntp servers configured {}'.format(self.ntp_servers))
 run_cmd(cmd)
 
+class PamLimitsCfg(object):
+ """
+ PamLimit Config Daemon
+ 1) The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session.
+ 2) Purpose of this daemon is to render pam_limits config file.
+ """
+ def __init__(self):
+ self.hwsku = ""
+ self.type = ""
+
+ # Load conf from ConfigDb
+ def load(self, config_db):
+ device_metadata = config_db.get_table('DEVICE_METADATA')
+ if "localhost" not in device_metadata:
+ return
+
+ self.read_localhost_config(device_metadata["localhost"])
+ self.modify_conf_file()
+
+ # Read localhost config
+ def read_localhost_config(self, localhost):
+ if "hwsku" not in localhost \
+ or "type" not in localhost:
+ return
+
+ self.hwsku = localhost["hwsku"]
+ self.type = localhost["type"]
+
+ # Render pam_limits config files
+ def modify_conf_file(self):
+ env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
+ env.filters['sub'] = sub
+
+ try:
+ template_file = os.path.abspath(PAM_LIMITS_CONF_TEMPLATE)
+ template = env.get_template(template_file)
+ pam_limits_conf = template.render(
+ hwsku=self.hwsku,
+ type=self.type)
+ with open(PAM_LIMITS_CONF, 'w') as f:
+ f.write(pam_limits_conf)
+
+ template_file = os.path.abspath(LIMITS_CONF_TEMPLATE)
+ template = env.get_template(template_file)
+ limits_conf = template.render(
+ hwsku=self.hwsku,
+ type=self.type)
+ with open(LIMITS_CONF, 'w') as f:
+ f.write(limits_conf)
+
+ self.reload_pam_config()
+ except Exception as e:
+ syslog.syslog(syslog.LOG_ERR,
+ "modify pam_limits config file failed with exception: {}"
+ .format(e))
+
+ # Reload PAM config
+ def reload_pam_config(self):
+ reload_pam_config_cmd = "sudo /usr/sbin/pam-auth-update"
+ run_cmd(reload_pam_config_cmd)
+
 class HostConfigDaemon:
 def __init__(self):
 # Just a sanity check to verify if the CONFIG_DB has been initialized
@@ -988,6 +1053,8 @@ class HostConfigDaemon:
 
 self.hostname_cache=""
 self.aaacfg = AaaCfg()
+ # Initialize PamLimitsCfg
+ self.pamLimitsCfg = PamLimitsCfg()
 
 def load(self):
 aaa = self.config_db.get_table('AAA')
@@ -996,6 +1063,7 @@ class HostConfigDaemon:
 radius_global = self.config_db.get_table('RADIUS')
 radius_server = self.config_db.get_table('RADIUS_SERVER')
 self.aaacfg.load(aaa, tacacs_global, tacacs_server, radius_global, radius_server)
+ self.pamLimitsCfg.load(self.config_db)
 
 try:
 dev_meta = self.config_db.get_table('DEVICE_METADATA')
From 4dce00b5d45cb11b4063f88187133b62f0d98f68 Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Mon, 21 Mar 2022 05:46:24 +0000
Subject: [PATCH 09/11] Improve code by PR comments
---
 src/sonic-host-services/scripts/hostcfgd | 26 ++++++++++++------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
index 4a9dc504280f..5cad4153dbf0 100755
--- a/src/sonic-host-services/scripts/hostcfgd
+++ b/src/sonic-host-services/scripts/hostcfgd
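Review bot: `modify_conf_file` rewrites `/etc/pam.d/pam-limits-conf` and `/etc/security/limits.conf` with `open(path, 'w')`, which truncates each file before the new content is written, so a render error or crash between the truncate and the write (or between the two files) leaves an empty PAM or limits file that every subsequent session open will read. Write each file to a temporary name in the same directory and `os.replace()` it into place, and set the mode explicitly instead of inheriting whatever the daemon's umask gives a newly created file. The `except Exception` handler keeps the daemon alive, which matches the file's existing style, but it also masks a `TemplateNotFound`; including the template path in the syslog message would make that diagnosable. The render call passes only `hwsku` and `type`, which neither template in this series references — presumably platform-specific templates do, and a comment saying so would stop the next reader from removing them. `HostConfigDaemon.__init__` continues below the hunk.
```python
    # Render pam_limits config files
    def modify_conf_file(self):
        env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
        env.filters['sub'] = sub

        try:
            # hwsku/type are not used by the default templates; platform
            # overrides may consume them (TODO confirm before removing).
            for template_path, conf_path in ((PAM_LIMITS_CONF_TEMPLATE, PAM_LIMITS_CONF),
                                             (LIMITS_CONF_TEMPLATE, LIMITS_CONF)):
                template = env.get_template(os.path.abspath(template_path))
                content = template.render(hwsku=self.hwsku, type=self.type)
                self.write_conf_file(conf_path, content)

            self.reload_pam_config()
        except Exception as e:
            # … unchanged: syslog.syslog(syslog.LOG_ERR, ...) report, now including the path …

    # Write content to a temporary file beside conf_path and rename it into
    # place, so PAM never observes a truncated config file.
    def write_conf_file(self, conf_path, content):
        tmp_path = conf_path + '.tmp'
        with open(tmp_path, 'w') as f:
            f.write(content)
        os.chmod(tmp_path, 0o644)
        os.replace(tmp_path, conf_path)
```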
@@ -976,30 +976,30 @@ class PamLimitsCfg(object):
 1) The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session.
 2) Purpose of this daemon is to render pam_limits config file.
 """
- def __init__(self):
+ def __init__(self, CfgDb):
+ self.config_db = CfgDb
 self.hwsku = ""
 self.type = ""
 
- # Load conf from ConfigDb
- def load(self, config_db):
- device_metadata = config_db.get_table('DEVICE_METADATA')
+ # Load config from ConfigDb and render config file/
+ def update_config_file(self):
+ device_metadata = self.config_db.get_table('DEVICE_METADATA')
 if "localhost" not in device_metadata:
 return
 
 self.read_localhost_config(device_metadata["localhost"])
- self.modify_conf_file()
+ self.render_conf_file()
 
 # Read localhost config
 def read_localhost_config(self, localhost):
- if "hwsku" not in localhost \
- or "type" not in localhost:
- return
+ if "hwsku" in localhost:
+ self.hwsku = localhost["hwsku"]
 
- self.hwsku = localhost["hwsku"]
- self.type = localhost["type"]
+ if "type" in localhost:
+ self.type = localhost["type"]
 
 # Render pam_limits config files
- def modify_conf_file(self):
+ def render_conf_file(self):
 env = jinja2.Environment(loader=jinja2.FileSystemLoader('/'), trim_blocks=True)
 env.filters['sub'] = sub
 
@@ -1073,7 +1073,8 @@ class HostConfigDaemon:
 
 self.aaacfg = AaaCfg()
 # Initialize PamLimitsCfg
- self.pamLimitsCfg = PamLimitsCfg()
+ self.pamLimitsCfg = PamLimitsCfg(self.config_db)
+ self.pamLimitsCfg.update_config_file()
 
 def load(self):
 aaa = self.config_db.get_table('AAA')
@@ -1082,7 +1083,6 @@ class HostConfigDaemon:
 radius_global = self.config_db.get_table('RADIUS')
 radius_server = self.config_db.get_table('RADIUS_SERVER')
 self.aaacfg.load(aaa, tacacs_global, tacacs_server, radius_global, radius_server)
- self.pamLimitsCfg.load(self.config_db)
 
 try:
 dev_meta = self.config_db.get_table('DEVICE_METADATA')
From a41d486c6ee3152609ffb2db2f289662c3b5a8f4 Mon Sep 17 00:00:00 2001
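Review bot: `update_config_file()` is now called once from `HostConfigDaemon.__init__` (the `@@ -1073` hunk on this line) and the `load()`-time call is removed (`@@ -1082`), so DEVICE_METADATA is read a single time at daemon start and nothing in this commit re-renders the files if `hwsku` or `type` change later; that may be intended, but the class docstring should record it, e.g. `Rendered once at hostcfgd start-up; later DEVICE_METADATA changes are not tracked.` The new comment `# Load config from ConfigDb and render config file/` has a stray trailing slash — `# Load config from ConfigDb and render the config files`. The enclosing class begins above the first hunk and `render_conf_file` continues below it.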
From: liuh-80
Date: Tue, 22 Mar 2022 09:42:33 +0000
Subject: [PATCH 10/11] Improve code by PR comments
---
 src/sonic-host-services/scripts/hostcfgd | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
index 5cad4153dbf0..14a181ff7856 100755
--- a/src/sonic-host-services/scripts/hostcfgd
+++ b/src/sonic-host-services/scripts/hostcfgd
@@ -976,8 +976,8 @@ class PamLimitsCfg(object):
 1) The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session.
 2) Purpose of this daemon is to render pam_limits config file.
 """
- def __init__(self, CfgDb):
- self.config_db = CfgDb
+ def __init__(self, config_db):
+ self.config_db = config_db
 self.hwsku = ""
 self.type = ""
 
@@ -994,9 +994,13 @@ class PamLimitsCfg(object):
 def read_localhost_config(self, localhost):
 if "hwsku" in localhost:
 self.hwsku = localhost["hwsku"]
+ else:
+ self.hwsku = ""
 
 if "type" in localhost:
 self.type = localhost["type"]
+ else:
+ self.type = ""
 
 # Render pam_limits config files
 def render_conf_file(self):
From 95ff2400b0b8961b0cd580407dcf5a65c6a5e25e Mon Sep 17 00:00:00 2001
From: liuh-80
Date: Wed, 23 Mar 2022 03:39:46 +0000
Subject: [PATCH 11/11] Fix CPU issue by remove unecessary config update command
---
 src/sonic-host-services/scripts/hostcfgd | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd
index 14a181ff7856..5b6693fbcdf7 100755
--- a/src/sonic-host-services/scripts/hostcfgd
+++ b/src/sonic-host-services/scripts/hostcfgd
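Review bot: The `else:` branches added to `read_localhost_config` in the `@@ -994,9 +994,13 @@` hunk restate the `__init__` defaults; `self.hwsku = localhost.get("hwsku", "")` and `self.type = localhost.get("type", "")` express the same thing in two lines and make the reset-to-empty behaviour visible at a glance. A short comment on why an absent key resets the attribute — presumably so a key removed from DEVICE_METADATA does not leave a stale value in the next render — would also help, since the previous revision deliberately kept the old value. The class continues outside the hunk.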
@@ -1023,18 +1023,11 @@ class PamLimitsCfg(object):
 type=self.type)
 with open(LIMITS_CONF, 'w') as f:
 f.write(limits_conf)
-
- self.reload_pam_config()
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR,
 "modify pam_limits config file failed with exception: {}"
 .format(e))
 
- # Reload PAM config
- def reload_pam_config(self):
- reload_pam_config_cmd = "sudo /usr/sbin/pam-auth-update"
- run_cmd(reload_pam_config_cmd)
-
 class HostConfigDaemon:
 def __init__(self):
 # Just a sanity check to verify if the CONFIG_DB has been initialized
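Review bot: With `reload_pam_config` and its `pam-auth-update` call removed, nothing in `render_conf_file` says how the freshly written files take effect; PAM parses `/etc/pam.d/*` and pam_limits reads `/etc/security/limits.conf` at each session open, so no reload is needed, but that is exactly the assumption the next reader will question, so record it where the call used to be: `# No reload needed: PAM re-reads /etc/pam.d and pam_limits re-reads limits.conf on every session open.` `pam-auth-update` only regenerates the common-* files from the profiles under /usr/share/pam-configs, so it never affected a directly written pam-limits-conf anyway; a sentence to that effect in the commit message would explain the removal better than "CPU issue". The method begins above the hunk and `HostConfigDaemon` continues below it.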