Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Nokia-7215-T1] Disable sysrq-trigger from platform init #18161

Merged
merged 1 commit into from
Feb 28, 2024
Merged

[Nokia-7215-T1] Disable sysrq-trigger from platform init #18161

merged 1 commit into from
Feb 28, 2024

Conversation

Pavan-Nokia
Copy link
Contributor

@Pavan-Nokia Pavan-Nokia commented Feb 22, 2024
edited
Loading

Why I did it

Disable sysrq invocation by keyboard and terminal server to prevent accidently triggering it under console overload conditions and performing unintentional actions

Work item tracking.
  • Microsoft ADO (number only):17610243

How I did it

Disable sysrq by writing 0 into "/proc/sys/kernel/sysrq" register

How to verify it

  1. Verify the register value is 0. also verify that sysrq cannot be triggered by sending a break character via the terminal server.
root@sonic:# cat /proc/sys/kernel/sysrq
0
root@sonic:#
telnet> send brk
hh
-bash: hh: command not found
root@sonic:#
  1. Verify sysrq can still be triggered from procfs
root@sonic:# echo u > /proc/sysrq-trigger 
root@sonic:#  sysrq: EmergeRemount R/O

root@sonic:# echo "hi" > /tmp/abc.txt
-bash: /tmp/abc.txt: Read-only file system

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211
  • 202305
  • 202311

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@Pavan-Nokia
Copy link
Contributor Author

@jon-nokia @carl-nokia

@prgeor
Copy link
Contributor

prgeor commented Feb 23, 2024

@Pavan-Nokia How are you running the telnet command? As you can see below, its not working on 7215

image

prgeor
prgeor reviewed Feb 23, 2024
View reviewed changes
platform/marvell-armhf/sonic-platform-nokia/7215/scripts/nokia-7215init.sh
@@ -30,6 +30,9 @@ nokia_7215_profile()
# Install kernel drivers required for i2c bus access
load_kernel_drivers

# Disable sysrq-trigger
echo 0 > /proc/sys/kernel/sysrq
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Pavan-Nokia As I understand, there is still a small window of opportunity during boot which may trigger sysrq commands?

Copy link
Contributor Author

@Pavan-Nokia Pavan-Nokia Feb 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that is correct

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Pavan-Nokia How did you rule out this window of time is NOT impacted on the MSFT prod scenario?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@prgeor What we have learnt from our debug sessions is that the MSFT scripts start sending data only when they see a prompt. This change is in the platform init which runs during postinstall, before the getty service which enables the prompt.

The only way to get full protection from sysrq is to make a sonic-linux-kernel change to disable this feature completely this would remove any window / chance for failure on any platform

@Pavan-Nokia
Copy link
Contributor Author

@Pavan-Nokia How are you running the telnet command? As you can see below, its not working on 7215

image

the way we connect to the 7215 via the console is using a telnet command
for example:
image

and as this message here says the escape character to get to telnet prompt is "ctrl+ ]"
and from there I am sending a break

from the error message I see in your screenshot you have not connected to any device via telnet. so it doesn't understand where to send

@prgeor
Copy link
Contributor

prgeor commented Feb 27, 2024

@lguohan, @yxieca please help merge

@Blueve
Copy link
Contributor

Blueve commented Feb 28, 2024

@Pavan-Nokia please help update ADO number: 17610243

@yxieca yxieca merged commit 6511c3b into sonic-net:master Feb 28, 2024
11 checks passed
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Feb 28, 2024
@Pavan-Nokia @mssonicbld
[Nokia-7215-T1] Disable sysrq-trigger from platform init (sonic-net#1…
a28afba 
…8161)
@mssonicbld mssonicbld mentioned this pull request Feb 28, 2024
Merged
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202311: #18210

yxieca pushed a commit that referenced this pull request Feb 28, 2024
@mssonicbld @Pavan-Nokia
[Nokia-7215-T1] Disable sysrq-trigger from platform init (#18161) (#1…
55da4fa 
…8210)

Co-authored-by: Pavan-Nokia <[email protected]>
@Pavan-Nokia Pavan-Nokia deleted the dev_armhf_plat_sysrq branch February 28, 2024 20:51
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Feb 29, 2024
@Pavan-Nokia @mssonicbld
[Nokia-7215-T1] Disable sysrq-trigger from platform init (sonic-net#1…
67768d3 
…8161)
@mssonicbld mssonicbld mentioned this pull request Feb 29, 2024
Merged
@mssonicbld
Copy link
Collaborator

Cherry-pick PR to 202305: #18224

mssonicbld pushed a commit that referenced this pull request Feb 29, 2024
@Pavan-Nokia @mssonicbld
[Nokia-7215-T1] Disable sysrq-trigger from platform init (#18161)
4194d2a
sonic-otn pushed a commit to Weitang-Zheng/sonic-buildimage that referenced this pull request Mar 11, 2024
@Pavan-Nokia @sonic-otn
[Nokia-7215-T1] Disable sysrq-trigger from platform init (sonic-net#1…
49f4a3f 
…8161)
saksarav-nokia pushed a commit to saksarav-nokia/sonic-buildimage that referenced this pull request Mar 12, 2024
@Pavan-Nokia @saksarav-nokia
[Nokia-7215-T1] Disable sysrq-trigger from platform init (sonic-net#1…
f2344b5 
…8161)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Blueve Blueve Blueve approved these changes

@prgeor prgeor prgeor approved these changes

@jon-nokia jon-nokia jon-nokia approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

Assignees
No one assigned
Labels
Approved for 202305 Branch Approved for 202311 Branch Created PR to 202311 Branch Included in 202305 Branch Included in 202311 Branch Request for 202205 Branch Request for 202305 Branch Request for 202311 Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Pavan-Nokia @prgeor @Blueve @mssonicbld @jon-nokia @yxieca @StormLiangMS