Add TACACS server monitor design document. #1467
Open
liuh-80
wants to merge
11
commits into
sonic-net:master
Choose a base branch
from
liuh-80:dev/liuh/tacacs-server-monitor
Commits
31c352c
Add TACACS monitor design document
liuh-80 e8904c2
Improve design document
liuh-80 d880f38
dev/liuh/tacacs-server-monitor
liuh-80 3be2092
Update TACACS+ Server Monitor.md
liuh-80 972e520
Improve design doc
liuh-80 99be3fa
Improve design doc
liuh-80 9573e13
Add more detail to design doc
liuh-80 a584a50
Update TACACS+ Server Monitor.md
liuh-80 4f7250a
Update TACACS+ Server Monitor.md
liuh-80 f5f4f2d
Update TACACS+ Server Monitor.md
liuh-80 f9e4285
Remove update TACACS server priority part
liuh-80
@@ -0,0 +1,86 @@ | ||
# TACACS+ server monitor design | ||
|
||
## Overview | ||
|
||
SONiC device usually configured with multiple TACACS+ server, when a server is unreachable, SONiC device will try to connect with next TACACS+ server. | ||
|
||
SONiC device will communicate with TACACS+ server in following scenarios: | ||
1. Remote user login to SONiC device. | ||
2. Remote user run commands on SONiC device. | ||
|
||
There is a timeout for each server, the default value is 5 seconds, this means if the first server not reachable, SONiC device will stuck there when user login or running commands. | ||
|
||
To improve this issue, SONiC will add a TACACS+ server monitor to change server priority, a server unreachable or slow response will be downgrade. | ||
|
||
### Functional Requirement | ||
- Monit TACACS+ server unreachable event from COUNTER_DB. | ||
- Monit TACACS+ server slow response event from COUNTER_DB. | ||
- Change server priority based unreachable event and slow response event. | ||
- Not change any other server attribute. | ||
- Not change any other TACACS+ config. | ||
|
||
### Counter DB schema | ||
#### TACPLUS_SERVER_LATENCY Table schema | ||
``` | ||
; Key | ||
server_key = IPAddress ; TACACS+ server’s address | ||
; Attributes | ||
latency = 1*10DIGIT ; server network latency in MS, -1 for connect to server timeout | ||
``` | ||
|
||
### Config DB schema | ||
#### TACPLUS_SERVER_MONITOR Table schema | ||
|
||
``` | ||
; Key | ||
config_key = 'config' ; The configuration key | ||
; Attributes | ||
time_window = 1*5DIGIT ; Monitor time window in minute, default is 5 | ||
high_latency_threshold = 1*5DIGIT ; High latency threshold in ms, default is 20 | ||
missing yang mode design.
Fixed, yang model added.
||
``` | ||
|
||
# 3 Limitation | ||
|
||
- Service priority change will have 1 minutes delay, this is because monit service will run profile every 1 minutes. | ||
|
||
|
||
# 4 Design | ||
|
||
``` | ||
+------------+ | ||
| Monit | | ||
+-----+------+ | ||
| | ||
+------------v--------------+ +---------------------+ | ||
| | | | | ||
| | | | | ||
| TACACS+ Monitor |------>| COUNTER_DB | | ||
| | | | | ||
| | | | | ||
+------------+--------------+ +--------------------- | ||
| | ||
+---------v---------+ +-------+--------+ | ||
| | | | | ||
| TACACS config file+---------------> config file | | ||
| generate script | | | | ||
+-------------------+ +-------+--------+ | ||
|
||
``` | ||
- TACACS+ monitor is a Monit profile. | ||
- TACACS+ monitor will perdically check TACACS server latency and update latency to COUNTER_DB. | ||
- The latency in COUNTER_DB TACPLUS_SERVER_LATENCY table is average latency in recent time window. | ||
- The time window side defined in CONFIG_DB TACPLUS_SERVER_MONITOR table. | ||
- TACACS+ monitor also will write warning message to syslog and re-generate TACACS server config file when following event happen in COUNTER_DB: | ||
- Any server latency is -1, which means the server is unreachable. | ||
- Any server latency is bigger than high_latency_threshold. | ||
- TACACS+ monitor will not change TACACS server config in CONFIG_DB, it only re-generate TACACS config file based on CONFIG_DB and COUNTER_DB. | ||
- The TACACS config file generate code will move to a new script file, both hostcfgd and TACACS+ monitor will use this file to re-generate TACACS config file. | ||
|
||
- When generate TACACS config file, server priority calculated according to following rules: | ||
- Change high latency server and un-reachable server priority to 1, this is because 1 is the smallest priority, and SONiC device will use high priority server first. | ||
|
||
- If other server also has priority 1 in CONFIG_DB, change priority to 2 | ||
- If other server priority is no 1, using original priority in CONFIG_DB | ||
|
||
# 5 References | ||
|
||
## TACACS+ Authentication | ||
https://github.com/sonic-net/SONiC/blob/master/doc/aaa/TACACS%2B%20Authentication.md | ||
## SONiC TACACS+ improvement | ||
https://github.com/sonic-net/SONiC/blob/master/doc/aaa/TACACS%2B%20Design.md |
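Review bot: the -1 timeout sentinel in the TACPLUS_SERVER_LATENCY schema (`latency = 1*10DIGIT ; server network latency in MS, -1 for connect to server timeout`) does not fit the Design section's statement that the stored value is the average latency over the recent time window: averaging a -1 sample with successful samples gives a meaningless number, and the trigger "Any server latency is -1" would then only fire when every probe in the window timed out. Suggest keeping the average over successful probes only and recording timeouts as a separate attribute (a timeout count or ratio per window) that drives the unreachable rule; note also that `1*10DIGIT` as written cannot express a leading minus sign, so the ABNF needs a fix either way. In the priority rules, demoting healthy priority-1 servers to 2 collides with servers already configured at priority 2 in CONFIG_DB and loses the operator's relative order among healthy servers, and when every server is slow or unreachable all of them land on priority 1 with no stated tie-break; the doc should say that CONFIG_DB order is preserved in both cases. Two further points worth a sentence each: a server hovering around high_latency_threshold will regenerate the config file and emit a syslog warning on every one-minute Monit cycle, so some hysteresis or a minimum hold time before re-promotion is needed; and because reordering moves authentication onto a lower-ranked server whenever the path to the preferred one degrades, the doc should state that all listed servers must be equally trusted. Finally, since the new generate script writes the same config file that hostcfgd writes today, it should keep that file's existing ownership and mode.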
Which component writes to the counter_db? It is not clear from the design doc.
Monit service will write COUNTER_DB, add detail to design doc.