Add INCLUDE_SSH build flag (sonic-net#7)

* Added INCLUDE_SSH build flag Signed-off-by: Maksym Hedeon <[email protected]> * INCLUDE_SSH fixed non existing path Signed-off-by: Maksym Hedeon <[email protected]> Signed-off-by: Maksym Hedeon <[email protected]>
maksymhedeon · Feb 1, 2023 · b0bfc69 · b0bfc69
1 parent d6be086
commit b0bfc69
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 24 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -218,7 +218,7 @@ echo '[INFO] Install docker'
 ## Otherwise Docker will fail to start
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
 if [ $INCLUDE_NTP == y ]; then
-sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
+    sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
 fi
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
                                                        ca-certificates \
@@ -290,11 +290,20 @@ SYSLOG_PACKAGE=""
 if [ $INCLUDE_SYSLOG == y ]; then
     SYSLOG_PACKAGE=rsyslog
 fi
+
 NTPSTAT_PACKAGE=""
 if [ $INCLUDE_NTP == y ]; then
     NTPSTAT_PACKAGE=ntpstat
 fi
 
+SSH_PACKAGE=""
+if [ $INCLUDE_SSH == y ]; then
+    SSH_PACKAGE=openssh-server
+else
+    # This lib is present if fsroot, but it seems like not in dependences
+    sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "apt-get remove -y libssh2-1"
+fi
+
 ## Pre-install the fundamental packages
 ## Note: gdisk is needed for sgdisk in install.sh
 ## Note: parted is needed for partprobe in install.sh
@@ -312,7 +321,7 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     tcpdump                 \
     dbus                    \
     $NTPSTAT_PACKAGE        \
-    openssh-server          \
+    $SSH_PACKAGE            \
     python3-apt             \
     traceroute              \
     iputils-ping            \
@@ -383,9 +392,6 @@ sudo LANG=c chroot $FILESYSTEM_ROOT chmod 644 /etc/group
 sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/initramfs-tools/conf.d"
 sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 'MODULES=most' >> /etc/initramfs-tools/conf.d/driver-policy"
 
-# Copy vmcore-sysctl.conf to add more vmcore dump flags to kernel
-sudo cp files/image_config/kdump/vmcore-sysctl.conf $FILESYSTEM_ROOT/etc/sysctl.d/
-
 #Adds a locale to a debian system in non-interactive mode
 sudo sed -i '/^#.* en_US.* /s/^#//' $FILESYSTEM_ROOT/etc/locale.gen && \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT locale-gen "en_US.UTF-8"
@@ -403,6 +409,11 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     $NTP_PACKAGE \
     systemd-sysv
 
+# Next copy command was moved because in case of disabling ssh from build
+# "$FILESYSTEM_ROOT/etc/sysctl.d/" path doesn't exist until systemd is installed.
+# Copy vmcore-sysctl.conf to add more vmcore dump flags to kernel
+sudo cp files/image_config/kdump/vmcore-sysctl.conf $FILESYSTEM_ROOT/etc/sysctl.d/
+
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y download \
         grub-pc-bin
@@ -413,15 +424,16 @@ fi
 ## Disable kexec supported reboot which was installed by default
 sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/kexec
 
+if [ $INCLUDE_SSH == y ]; then
 ## Remove sshd host keys, and will regenerate on first sshd start
-sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
-sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
-sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
-sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
-# Config sshd
-# 1. Set 'UseDNS' to 'no'
-# 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
-sudo augtool -r $FILESYSTEM_ROOT <<'EOF'
+    sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
+    sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
+    sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
+    sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
+    # Config sshd
+    # 1. Set 'UseDNS' to 'no'
+    # 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
+    sudo augtool -r $FILESYSTEM_ROOT <<'EOF'
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
 set /files/etc/ssh/sshd_config/UseDNS no
@@ -439,9 +451,10 @@ set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliv
 save
 quit
 EOF
-# Configure sshd to listen for v4 and v6 connections
-sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
-sudo sed -i 's/^#ListenAddress ::/ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
+    # Configure sshd to listen for v4 and v6 connections
+    sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
+    sudo sed -i 's/^#ListenAddress ::/ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
+fi
 
 if [ $INCLUDE_SYSLOG == y ]; then
     ## Config rsyslog
@@ -510,16 +523,16 @@ sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks
 sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
 sudo cp files/dhcp/vrf $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
 if [ $INCLUDE_NTP == y ]; then
-if [ -f files/image_config/ntp/ntp ]; then
-    sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/
-fi
+    if [ -f files/image_config/ntp/ntp ]; then
+        sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT/etc/init.d/
+    fi
 fi
 
 if [ $INCLUDE_NTP == y ]; then
-if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
-    sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/
-    sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
-fi
+    if [ -f files/image_config/ntp/ntp-systemd-wrapper ]; then
+        sudo mkdir -p $FILESYSTEM_ROOT/usr/lib/ntp/
+        sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT/usr/lib/ntp/
+    fi
 fi
 
 ## Version file

diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
@@ -334,13 +334,17 @@ sudo chmod 755 $FILESYSTEM_ROOT/usr/bin/restart_service
 # Install custom-built smartmontools
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/smartmontools_*.deb
 
+{% if include_ssh == "y" %}
 # Install custom-built openssh sshd
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb
+{%- endif %}
 
+{% if include_ssh == "y" %}
 # Remove sshd host keys, and will regenerate on first sshd start. This needs to be
 # done again here because our custom version of sshd is being installed, which
 # will regenerate the sshd host keys.
 sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
+{%- endif %}
 
 {% if sonic_asic_platform == 'broadcom' %}
 # Install custom-built flashrom

diff --git a/rules/config b/rules/config
@@ -259,3 +259,5 @@ INCLUDE_PMON = y
 # INCLUDE_DATABASE - build docker-database for redis db support
 INCLUDE_DATABASE = y
 
+# INCLUDE_SSH - build openssh pakage and include files to the fsroot
+INCLUDE_SSH = y
diff --git a/slave.mk b/slave.mk
@@ -324,7 +324,7 @@ $(info "INCLUDE_KUBERNETES"              : "$(INCLUDE_KUBERNETES)")
 $(info "INCLUDE_MACSEC"                  : "$(INCLUDE_MACSEC)")
 $(info "INCLUDE_MUX"                     : "$(INCLUDE_MUX)")
 $(info "INCLUDE_SYSLOG"                  : "$(INCLUDE_SYSLOG)")
-$(info "INCLUDE_RADIUS"                     : "$(INCLUDE_RADIUS)")
+$(info "INCLUDE_RADIUS"                  : "$(INCLUDE_RADIUS)")
 $(info "INCLUDE_NTP"                     : "$(INCLUDE_NTP)")
 $(info "INCLUDE_LLDP"                    : "$(INCLUDE_LLDP)")
 $(info "INCLUDE_SNMP"                    : "$(INCLUDE_SNMP)")
@@ -334,6 +334,7 @@ $(info "INCLUDE_BGP"                     : "$(INCLUDE_BGP)")
 $(info "INCLUDE_SWSS"                    : "$(INCLUDE_SWSS)")
 $(info "INCLUDE_PMON"                    : "$(INCLUDE_PMON)")
 $(info "INCLUDE_DATABASE"                : "$(INCLUDE_DATABASE)")
+$(info "INCLUDE_SSH"                     : "$(INCLUDE_SSH)")
 $(info "TELEMETRY_WRITABLE"              : "$(TELEMETRY_WRITABLE)")
 $(info "ENABLE_AUTO_TECH_SUPPORT"        : "$(ENABLE_AUTO_TECH_SUPPORT)")
 $(info "PDDF_SUPPORT"                    : "$(PDDF_SUPPORT)")
@@ -1041,6 +1042,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 	export include_p4rt="$(INCLUDE_P4RT)"
 	export include_sflow="$(INCLUDE_SFLOW)"
 	export include_radius="$(INCLUDE_RADIUS)"
+	export include_ssh="$(INCLUDE_SSH)"
 	export enable_auto_tech_support="$(ENABLE_AUTO_TECH_SUPPORT)"
 	export include_macsec="$(INCLUDE_MACSEC)"
 	export include_ntp="$(INCLUDE_NTP)"
@@ -1223,6 +1225,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 		MULTIARCH_QEMU_ENVIRON=$(MULTIARCH_QEMU_ENVIRON) \
 		INCLUDE_NTP=$(INCLUDE_NTP) \
 		INCLUDE_SYSLOG=$(INCLUDE_SYSLOG) \
+		INCLUDE_SSH=$(INCLUDE_SSH) \
 			./build_debian.sh $(LOG)
 
 		USERNAME="$(USERNAME)" \