Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[201811] disk_check.py: Allow remote user access when disk is read-only #1873

Merged
merged 3 commits into from
Oct 15, 2021

Conversation

renukamanavalan
Copy link
Contributor

What I did

How I did it

Cherry pick PR #1569, #1736 & #1747

How to verify it

Previous command output (if the output of a command-line utility has changed)

New command output (if the output of a command-line utility has changed)

What I did
There is a bug that occasionally turn root-overlay as RO. This makes /etc & /home as RO. This blocks any new remote user login, as that needs to write into /etc & /home.

This tool scans /etc & /home (or given dirs) as in RW or RO state. If RO, it could create a writable overlay using tmpfs.
This is transient and stays until next reboot. Any write after the overlay will be lost upon reboot.

But this allows new remote users login.

How I did it
Create upper & work dirs in /run/mount (tmpfs). Mount /etc & /home as lowerdirs and use the same name for final merge. This allows anyone opening a file in /etc or /home to operate on the merged overlay, transparently.

How to verify it
Mount any dir on tmpfs ( mount -t tmpfs tmpfs test_dir)
remount as RO (mount -o remount,ro test_dir)
Pass that dir to this script. (disk_check.py -d ./test_dir)
Now it should be RW
1) Set default loglevel to SYSLOG_ERR
2) Make log level configurable via args
…1747)

What I did
Have independent subdirs for each mounted dir to avoid any collisions of files/dirs by same name.
Adopt for older version of python3

How I did it
Changes:
Individual subdirs for each dir to be mounted
subprocess args made compatible with older version of python3 (tested in version 3.5.3)

How to verify it
Simulate read-only state
Run this script
Test ssh via new tacacs user (who had not logged in earlier)
@renukamanavalan renukamanavalan self-assigned this Oct 11, 2021
@yxieca
Copy link
Contributor

yxieca commented Oct 12, 2021

@renukamanavalan please elaborate how your tested this change?

@yxieca yxieca changed the title disk_check.py: Allow remote user access when disk is read-only [201811] disk_check.py: Allow remote user access when disk is read-only Oct 12, 2021
@renukamanavalan
Copy link
Contributor Author

Manually copied the disk_check.py onto device running 201811 at /usr/local/bin/.
Updated /etc/monit/conf.d/sonic-host as in PR 8951 (buildimage)
Restarted monit service
Ensured the switch has TACACS confgured
Make disk read-only
After a pause, tested to login using a remote user credentials of a user who has not logged in before into this device.
In other words, ensure that this created entry in /etc/passwd & created home dir for this user
It worked as expected
Did a device reboot
Confirmed that there is no trace of that user in device (as the updates were done on tmpfs)

@yxieca yxieca merged commit f3f8667 into sonic-net:201811 Oct 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants