CP-54138: Sync SSH status during XAPI startup

 - Ensure host.enabled_ssh reflects the actual SSH service state on startup, in case it was manually changed by the user.

 - Reschedule the "disable SSH" job if:
   - host.ssh_enabled_timeout is set to a positive value, and
   - host.ssh_expiry is in the future.

 - Disable the SSH if:
   - host.ssh_enabled_timeout is set to a positive value, and
   - host.ssh_expiry is in the past.

Signed-off-by: Lunfan Zhang <[email protected]>

Author: LunfanZhang

ocaml/xapi/dbsync_slave.ml

@@ -380,5 +380,10 @@ let update_env __context sync_keys =
       Create_misc.create_chipset_info ~__context info
   ) ;
   switched_sync Xapi_globs.sync_gpus (fun () -> Xapi_pgpu.update_gpus ~__context) ;
+  switched_sync Xapi_globs.sync_ssh_status (fun () ->
+      let ssh_service = !Xapi_globs.ssh_service in
+      let status = Fe_systemctl.is_active ~service:ssh_service in
+      Db.Host.set_ssh_enabled ~__context ~self:localhost ~value:status
+  ) ;
 
   remove_pending_guidances ~__context

ocaml/xapi/xapi_globs.ml

@@ -368,6 +368,8 @@ let sync_bios_strings = "sync_bios_strings"
 
 let sync_chipset_info = "sync_chipset_info"
 
+let sync_ssh_status = "sync_ssh_status"
+
 let sync_pci_devices = "sync_pci_devices"
 
 let sync_gpus = "sync_gpus"

ocaml/xapi/xapi_host.mli

@@ -577,3 +577,6 @@ val set_ssh_enabled_timeout :
 
 val set_console_idle_timeout :
   __context:Context.t -> self:API.ref_host -> value:int64 -> unit
+
+val schedule_disable_ssh_job :
+  __context:Context.t -> self:API.ref_host -> timeout:int64 -> unit

ocaml/xapi/xapi_periodic_scheduler_init.ml

@@ -13,6 +13,8 @@
  *)
 (** Periodic scheduler for background tasks. *)
 
+module Date = Clock.Date
+
 module D = Debug.Make (struct let name = "backgroundscheduler" end)
 
 open D
@@ -73,6 +75,25 @@ let register ~__context =
       (fun __context -> Xapi_subject.update_all_subjects ~__context
     )
   in
+  let sync_ssh_status ~__context =
+    let self = Helpers.get_localhost ~__context in
+    let timeout = Db.Host.get_ssh_enabled_timeout ~__context ~self in
+
+    if timeout > 0L then
+      let expiry_time =
+        Db.Host.get_ssh_expiry ~__context ~self
+        |> Date.to_unix_time
+        |> Int64.of_float
+      in
+      let current_time = Unix.time () |> Int64.of_float in
+
+      if Int64.compare expiry_time current_time > 0 then
+        let remaining = Int64.sub expiry_time current_time in
+        Xapi_host.schedule_disable_ssh_job ~__context ~self ~timeout:remaining
+      (* handle the case where XAPI is not active when the SSH timeout expires *)
+      else if Fe_systemctl.is_active ~service:!Xapi_globs.ssh_service then
+        Xapi_host.disable_ssh ~__context ~self
+  in
   let update_all_subjects_delay = 10.0 in
   (* initial delay = 10 seconds *)
   if master then
@@ -133,6 +154,7 @@ let register ~__context =
     "Check stunnel cache expiry"
     (Xapi_stdext_threads_scheduler.Scheduler.Periodic stunnel_period)
     stunnel_period Stunnel_cache.gc ;
+  sync_ssh_status ~__context ;
   if
     master
     && Db.Pool.get_update_sync_enabled ~__context