Merge SSH management Phase2 feature to next (#6500)

Merge feature branch `configure-ssh-phase2` to master

Author: BengangY

ocaml/idl/datamodel_errors.ml

@@ -2053,6 +2053,12 @@ let _ =
   error Api_errors.disable_ssh_partially_failed ["hosts"]
     ~doc:"Some of hosts failed to disable SSH access." () ;
 
+  error Api_errors.set_ssh_timeout_partially_failed ["hosts"]
+    ~doc:"Some hosts failed to set SSH timeout." () ;
+
+  error Api_errors.set_console_timeout_partially_failed ["hosts"]
+    ~doc:"Some hosts failed to set console timeout." () ;
+
   error Api_errors.host_driver_no_hardware ["driver variant"]
     ~doc:"No hardware present for this host driver variant" () ;
 

ocaml/idl/datamodel_host.ml

@@ -1297,14 +1297,63 @@ let create_params =
     ; param_doc=
         "The SHA256 checksum of updateinfo of the most recently applied update \
          on the host"
-    ; param_release= numbered_release "24.39.0-next"
+    ; param_release= numbered_release "24.40.0"
     ; param_default= Some (VString "")
     }
+  ; {
+      param_type= Bool
+    ; param_name= "ssh_enabled"
+    ; param_doc= "True if SSH access is enabled for the host"
+    ; param_release= numbered_release "25.20.0-next"
+    ; param_default= Some (VBool Constants.default_ssh_enabled)
+    }
+  ; {
+      param_type= Int
+    ; param_name= "ssh_enabled_timeout"
+    ; param_doc=
+        "The timeout in seconds after which SSH access will be automatically \
+         disabled (0 means never), this setting will be applied every time the \
+         SSH is enabled by XAPI"
+    ; param_release= numbered_release "25.20.0-next"
+    ; param_default= Some (VInt Constants.default_ssh_enabled_timeout)
+    }
+  ; {
+      param_type= DateTime
+    ; param_name= "ssh_expiry"
+    ; param_doc=
+        "The time in UTC after which the SSH access will be automatically \
+         disabled"
+    ; param_release= numbered_release "25.20.0-next"
+    ; param_default= Some (VDateTime Date.epoch)
+    }
+  ; {
+      param_type= Int
+    ; param_name= "console_idle_timeout"
+    ; param_doc=
+        "The timeout in seconds after which idle console will be automatically \
+         terminated (0 means never)"
+    ; param_release= numbered_release "25.20.0-next"
+    ; param_default= Some (VInt Constants.default_console_idle_timeout)
+    }
   ]
 
 let create =
   call ~name:"create" ~in_oss_since:None
-    ~lifecycle:[(Published, rel_rio, "Create a new host record")]
+    ~lifecycle:
+      [
+        (Published, rel_rio, "Create a new host record")
+      ; ( Changed
+        , "24.40.0"
+        , "Added --last_update_hash option to allow last_update_hash to be \
+           kept for host joined a pool"
+        )
+      ; ( Changed
+        , "25.20.0-next"
+        , "Added --ssh_enabled --ssh_enabled_timeout --ssh_expiry \
+           --console_idle_timeout options to allow them to be configured for \
+           new host"
+        )
+      ]
     ~versioned_params:create_params ~doc:"Create a new host record"
     ~result:(Ref _host, "Reference to the newly created host object.")
     ~hide_from_docs:true ~allowed_roles:_R_POOL_OP ()
@@ -2368,6 +2417,29 @@ let disable_ssh =
     ~params:[(Ref _host, "self", "The host")]
     ~allowed_roles:_R_POOL_ADMIN ()
 
+let set_ssh_enabled_timeout =
+  call ~name:"set_ssh_enabled_timeout" ~lifecycle:[]
+    ~doc:"Set the SSH service enabled timeout for the host"
+    ~params:
+      [
+        (Ref _host, "self", "The host")
+      ; ( Int
+        , "value"
+        , "The SSH enabled timeout in seconds (0 means no timeout, max 2 days)"
+        )
+      ]
+    ~allowed_roles:_R_POOL_ADMIN ()
+
+let set_console_idle_timeout =
+  call ~name:"set_console_idle_timeout" ~lifecycle:[]
+    ~doc:"Set the console idle timeout for the host"
+    ~params:
+      [
+        (Ref _host, "self", "The host")
+      ; (Int, "value", "The console idle timeout in seconds")
+      ]
+    ~allowed_roles:_R_POOL_ADMIN ()
+
 let latest_synced_updates_applied_state =
   Enum
     ( "latest_synced_updates_applied_state"
@@ -2527,6 +2599,8 @@ let t =
       ; emergency_clear_mandatory_guidance
       ; enable_ssh
       ; disable_ssh
+      ; set_ssh_enabled_timeout
+      ; set_console_idle_timeout
       ]
     ~contents:
       ([
@@ -2964,6 +3038,24 @@ let t =
             ~default_value:(Some (VString "")) "last_update_hash"
             "The SHA256 checksum of updateinfo of the most recently applied \
              update on the host"
+        ; field ~qualifier:DynamicRO ~lifecycle:[] ~ty:Bool
+            ~default_value:(Some (VBool Constants.default_ssh_enabled))
+            "ssh_enabled" "True if SSH access is enabled for the host"
+        ; field ~qualifier:DynamicRO ~lifecycle:[] ~ty:Int
+            ~default_value:(Some (VInt Constants.default_ssh_enabled_timeout))
+            "ssh_enabled_timeout"
+            "The timeout in seconds after which SSH access will be \
+             automatically disabled (0 means never), this setting will be \
+             applied every time the SSH is enabled by XAPI"
+        ; field ~qualifier:DynamicRO ~lifecycle:[] ~ty:DateTime
+            ~default_value:(Some (VDateTime Date.epoch)) "ssh_expiry"
+            "The time in UTC after which the SSH access will be automatically \
+             disabled"
+        ; field ~qualifier:DynamicRO ~lifecycle:[] ~ty:Int
+            ~default_value:(Some (VInt Constants.default_console_idle_timeout))
+            "console_idle_timeout"
+            "The timeout in seconds after which idle console will be \
+             automatically terminated (0 means never)"
         ]
       )
     ()

ocaml/idl/datamodel_pool.ml

@@ -1249,7 +1249,15 @@ let remove_repository =
 
 let sync_updates =
   call ~name:"sync_updates"
-    ~lifecycle:[(Published, "1.329.0", "")]
+    ~lifecycle:
+      [
+        (Published, "1.329.0", "")
+      ; ( Changed
+        , "25.7.0"
+        , "Added --username --password options to allow syncing updates from a \
+           remote_pool type repository"
+        )
+      ]
     ~doc:"Sync with the enabled repository"
     ~versioned_params:
       [
@@ -1286,14 +1294,14 @@ let sync_updates =
           param_type= String
         ; param_name= "username"
         ; param_doc= "The username of the remote pool"
-        ; param_release= numbered_release "25.6.0-next"
+        ; param_release= numbered_release "25.7.0"
         ; param_default= Some (VString "")
         }
       ; {
           param_type= String
         ; param_name= "password"
         ; param_doc= "The password of the remote pool"
-        ; param_release= numbered_release "25.6.0-next"
+        ; param_release= numbered_release "25.7.0"
         ; param_default= Some (VString "")
         }
       ]
@@ -1571,6 +1579,33 @@ let disable_ssh =
     ~params:[(Ref _pool, "self", "The pool")]
     ~allowed_roles:_R_POOL_ADMIN ()
 
+let set_ssh_enabled_timeout =
+  call ~name:"set_ssh_enabled_timeout" ~lifecycle:[]
+    ~doc:"Set the SSH enabled timeout for all hosts in the pool"
+    ~params:
+      [
+        (Ref _pool, "self", "The pool")
+      ; ( Int
+        , "value"
+        , "The SSH enabled timeout in seconds. (0 means no timeout, max 2 days)"
+        )
+      ]
+    ~allowed_roles:_R_POOL_ADMIN ()
+
+let set_console_idle_timeout =
+  call ~name:"set_console_idle_timeout" ~lifecycle:[]
+    ~doc:"Set the console idle timeout for all hosts in the pool"
+    ~params:
+      [
+        (Ref _pool, "self", "The pool")
+      ; ( Int
+        , "value"
+        , "The idle SSH/VNC session timeout in seconds. A value of 0 means no \
+           timeout."
+        )
+      ]
+    ~allowed_roles:_R_POOL_ADMIN ()
+
 (** A pool class *)
 let t =
   create_obj ~in_db:true
@@ -1667,6 +1702,8 @@ let t =
       ; get_guest_secureboot_readiness
       ; enable_ssh
       ; disable_ssh
+      ; set_ssh_enabled_timeout
+      ; set_console_idle_timeout
       ]
     ~contents:
       ([

ocaml/idl/schematest.ml

@@ -3,7 +3,7 @@ let hash x = Digest.string x |> Digest.to_hex
 (* BEWARE: if this changes, check that schema has been bumped accordingly in
    ocaml/idl/datamodel_common.ml, usually schema_minor_vsn *)
 
-let last_known_schema_hash = "2f80cd8fbfd0eedab4dfe345565bcb64"
+let last_known_schema_hash = "dc1ccf295f957509f7eac4a005d17965"
 
 let current_schema_hash : string =
   let open Datamodel_types in

ocaml/tests/common/test_common.ml

@@ -170,13 +170,16 @@ let make_host ~__context ?(uuid = make_uuid ()) ?(name_label = "host")
     ?(external_auth_service_name = "") ?(external_auth_configuration = [])
     ?(license_params = []) ?(edition = "free") ?(license_server = [])
     ?(local_cache_sr = Ref.null) ?(chipset_info = []) ?(ssl_legacy = false)
-    ?(last_software_update = Date.epoch) ?(last_update_hash = "") () =
+    ?(last_software_update = Date.epoch) ?(last_update_hash = "")
+    ?(ssh_enabled = true) ?(ssh_enabled_timeout = 0L) ?(ssh_expiry = Date.epoch)
+    ?(console_idle_timeout = 0L) () =
   let host =
     Xapi_host.create ~__context ~uuid ~name_label ~name_description ~hostname
       ~address ~external_auth_type ~external_auth_service_name
       ~external_auth_configuration ~license_params ~edition ~license_server
       ~local_cache_sr ~chipset_info ~ssl_legacy ~last_software_update
-      ~last_update_hash
+      ~last_update_hash ~ssh_enabled ~ssh_enabled_timeout ~ssh_expiry
+      ~console_idle_timeout
   in
   Db.Host.set_cpu_info ~__context ~self:host ~value:default_cpu_info ;
   host
@@ -215,7 +218,8 @@ let make_host2 ~__context ?(ref = Ref.make ()) ?(uuid = make_uuid ())
     ~last_software_update:(Xapi_host.get_servertime ~__context ~host:ref)
     ~recommended_guidances:[] ~latest_synced_updates_applied:`unknown
     ~pending_guidances_recommended:[] ~pending_guidances_full:[]
-    ~last_update_hash:"" ;
+    ~last_update_hash:"" ~ssh_enabled:true ~ssh_enabled_timeout:0L
+    ~ssh_expiry:Date.epoch ~console_idle_timeout:0L ;
   ref
 
 let make_pif ~__context ~network ~host ?(device = "eth0")

ocaml/tests/test_host.ml

@@ -24,6 +24,8 @@ let add_host __context name =
        ~license_params:[] ~edition:"" ~license_server:[]
        ~local_cache_sr:Ref.null ~chipset_info:[] ~ssl_legacy:false
        ~last_software_update:Clock.Date.epoch ~last_update_hash:""
+       ~ssh_enabled:true ~ssh_enabled_timeout:0L ~ssh_expiry:Clock.Date.epoch
+       ~console_idle_timeout:0L
     )
 
 (* Creates an unlicensed pool with the maximum number of hosts *)

ocaml/xapi-cli-server/records.ml

@@ -20,6 +20,8 @@ let nullref = Ref.string_of Ref.null
 
 let nid = "<not in database>"
 
+let inconsistent = "<inconsistent>"
+
 let unknown_time = "<unknown time>"
 
 let string_of_float f = Printf.sprintf "%.3f" f
@@ -204,6 +206,37 @@ let get_pbds_host rpc session_id pbds =
 let get_sr_host rpc session_id record =
   get_pbds_host rpc session_id record.API.sR_PBDs
 
+(** Get consistent field from all hosts, or return a default value if the field
+    is not the same on all hosts. *)
+let get_consistent_field_or_default ~rpc ~session_id ~getter ~transform ~default
+    =
+  match Client.Host.get_all ~rpc ~session_id with
+  | [] ->
+      default
+  | hosts -> (
+      let result =
+        List.fold_left
+          (fun acc host ->
+            match acc with
+            | `Inconsistent ->
+                `Inconsistent
+            | `NotSet ->
+                `Value (getter ~rpc ~session_id ~self:host |> transform)
+            | `Value v ->
+                let current = getter ~rpc ~session_id ~self:host |> transform in
+                if v = current then `Value v else `Inconsistent
+          )
+          `NotSet hosts
+      in
+      match result with
+      | `Value v ->
+          v
+      | `Inconsistent ->
+          default
+      | `NotSet ->
+          default
+    )
+
 let bond_record rpc session_id bond =
   let _ref = ref bond in
   let empty_record =
@@ -1515,6 +1548,42 @@ let pool_record rpc session_id pool =
           )
           ~get_map:(fun () -> (x ()).API.pool_license_server)
           ()
+      ; make_field ~name:"ssh-enabled"
+          ~get:(fun () ->
+            get_consistent_field_or_default ~rpc ~session_id
+              ~getter:Client.Host.get_ssh_enabled ~transform:string_of_bool
+              ~default:inconsistent
+          )
+          ()
+      ; make_field ~name:"ssh-enabled-timeout"
+          ~get:(fun () ->
+            get_consistent_field_or_default ~rpc ~session_id
+              ~getter:Client.Host.get_ssh_enabled_timeout
+              ~transform:Int64.to_string ~default:inconsistent
+          )
+          ~set:(fun value ->
+            Client.Pool.set_ssh_enabled_timeout ~rpc ~session_id ~self:pool
+              ~value:(safe_i64_of_string "ssh-enabled-timeout" value)
+          )
+          ()
+      ; make_field ~name:"ssh-expiry"
+          ~get:(fun () ->
+            get_consistent_field_or_default ~rpc ~session_id
+              ~getter:Client.Host.get_ssh_expiry ~transform:Date.to_rfc3339
+              ~default:inconsistent
+          )
+          ()
+      ; make_field ~name:"console-idle-timeout"
+          ~get:(fun () ->
+            get_consistent_field_or_default ~rpc ~session_id
+              ~getter:Client.Host.get_console_idle_timeout
+              ~transform:Int64.to_string ~default:inconsistent
+          )
+          ~set:(fun value ->
+            Client.Pool.set_console_idle_timeout ~rpc ~session_id ~self:pool
+              ~value:(safe_i64_of_string "console-idle-timeout" value)
+          )
+          ()
       ]
   }
 
@@ -3286,6 +3355,26 @@ let host_record rpc session_id host =
       ; make_field ~name:"last-update-hash"
           ~get:(fun () -> (x ()).API.host_last_update_hash)
           ()
+      ; make_field ~name:"ssh-enabled"
+          ~get:(fun () -> string_of_bool (x ()).API.host_ssh_enabled)
+          ()
+      ; make_field ~name:"ssh-enabled-timeout"
+          ~get:(fun () -> Int64.to_string (x ()).API.host_ssh_enabled_timeout)
+          ~set:(fun value ->
+            Client.Host.set_ssh_enabled_timeout ~rpc ~session_id ~self:host
+              ~value:(safe_i64_of_string "ssh-enabled-timeout" value)
+          )
+          ()
+      ; make_field ~name:"ssh-expiry"
+          ~get:(fun () -> Date.to_rfc3339 (x ()).API.host_ssh_expiry)
+          ()
+      ; make_field ~name:"console-idle-timeout"
+          ~get:(fun () -> Int64.to_string (x ()).API.host_console_idle_timeout)
+          ~set:(fun value ->
+            Client.Host.set_console_idle_timeout ~rpc ~session_id ~self:host
+              ~value:(safe_i64_of_string "console-idle-timeout" value)
+          )
+          ()
       ]
   }
 

ocaml/xapi-consts/api_errors.ml

@@ -1428,6 +1428,12 @@ let enable_ssh_partially_failed = add_error "ENABLE_SSH_PARTIALLY_FAILED"
 
 let disable_ssh_partially_failed = add_error "DISABLE_SSH_PARTIALLY_FAILED"
 
+let set_ssh_timeout_partially_failed =
+  add_error "SET_SSH_TIMEOUT_PARTIALLY_FAILED"
+
+let set_console_timeout_partially_failed =
+  add_error "SET_CONSOLE_TIMEOUT_PARTIALLY_FAILED"
+
 let host_driver_no_hardware = add_error "HOST_DRIVER_NO_HARDWARE"
 
 let tls_verification_not_enabled_in_pool =