2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Presettings
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Select bash for commands
|
|
|
|
.ONESHELL:
|
|
|
|
SHELL = /bin/bash
|
|
|
|
.SHELLFLAGS += -e
|
2017-07-19 10:10:45 -05:00
|
|
|
USER = $(shell id -un)
|
|
|
|
UID = $(shell id -u)
|
|
|
|
GUID = $(shell id -g)
|
2018-10-29 14:06:57 -05:00
|
|
|
SONIC_GET_VERSION=$(shell export BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) && export BUILD_NUMBER=$(BUILD_NUMBER) && . functions.sh && sonic_get_version)
|
2016-12-05 13:12:19 -06:00
|
|
|
|
|
|
|
.SECONDEXPANSION:
|
|
|
|
|
2018-05-10 20:52:38 -05:00
|
|
|
NULL :=
|
|
|
|
SPACE := $(NULL) $(NULL)
|
2016-12-05 13:12:19 -06:00
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
## General definitions
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
SRC_PATH = src
|
|
|
|
RULES_PATH = rules
|
|
|
|
TARGET_PATH = target
|
|
|
|
DOCKERS_PATH = dockers
|
|
|
|
DEBS_PATH = $(TARGET_PATH)/debs
|
2017-07-28 12:57:51 -05:00
|
|
|
FILES_PATH = $(TARGET_PATH)/files
|
2016-12-05 13:12:19 -06:00
|
|
|
PYTHON_WHEELS_PATH = $(TARGET_PATH)/python-wheels
|
|
|
|
PROJECT_ROOT = $(shell pwd)
|
2019-07-09 10:55:03 -05:00
|
|
|
DBG_IMAGE_MARK = dbg
|
2019-08-28 11:29:48 -05:00
|
|
|
DBG_SRC_ARCHIVE_FILE = $(TARGET_PATH)/sonic_src.tar.gz
|
2021-01-12 08:03:12 -06:00
|
|
|
DPKG_ADMINDIR_PATH = /sonic/dpkg
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2017-01-29 13:33:33 -06:00
|
|
|
CONFIGURED_PLATFORM := $(shell [ -f .platform ] && cat .platform || echo generic)
|
2016-12-05 13:12:19 -06:00
|
|
|
PLATFORM_PATH = platform/$(CONFIGURED_PLATFORM)
|
2017-04-05 18:14:41 -05:00
|
|
|
export BUILD_NUMBER
|
2018-10-04 23:20:01 -05:00
|
|
|
export BUILD_TIMESTAMP
|
[barefoot]: Support for platforms based on Barefoot Networks' device (#1796)
* Initial commit
* Add Ingrasys S9180-32X platform dirver.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn.service for init barefoot.
Signed-off-by: Wade He <chihen.he@gmail.com>
* [Barefoot Beta] Add some functions and fixed some bugs.
1. Update sensors.conf.
2. Fixed IO expander init.
3. Fixed PSU EEPROM.
4. Fixed MB EEPROM.
5. Add fancontrol and fan init.
6. Add SYS LED control (sys, fan, fan tray).
7. 2.5V compute and setup max and min.
8. Fixed typo MB eeprom delete address.
9. Remove coretemp to BMC.
10. Add active CPLD.
11. Modify SFP+ GPIO slave address.
12. Modify tmp75 Near Port 32 slave address.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn script in /etc/init.d/
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn service in debian
Signed-off-by: Wade He <chihen.he@gmail.com>
* Fixed CPLD switch LED behavior.
Signed-off-by: Wade He <chihen.he@gmail.com>
* [Barefoot Beta] Fixed sensors and hwmon order.
1. Fixed ignore sensors Vbat.
2. Reorg hwmon order.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Fixed PSU1 and PSU2 EEPROM order.
Signed-off-by: Wade He <chihen.he@gmail.com>
* initial barefoot checkin october 2017
* update refpoint
* update refpoints
* update refpoints to bf-master
* update refpoint
* update refpoint to tested version
* change to platform from asic
* update refpoint for swss
* revert core creation setting
* update refpoints
* add telnet for debug shell
* update refpoints 11/17/17
* missed change in file on previous merge
* [CPLD] Fixed blink LED issue.
* Fixed blink LED mask set error.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Update bf_kdrv.c for 6.0.2.39
* Update bf kernel driver
* Add bf_fun kernel module.
* Update bf_tun for fixed build error
* merge with Azure master (12/12/17)
* update swss refpoint
* update refpoint of swss
* library dependency for stack unroll
* update refpoint to bf-master
* [DHCP relay]: Fix circuit ID and remote ID bugs (#1248)
* [DHCP relay]: Fix circuit ID and remote ID bugs
* Set circuit_id_len after setting circuit_id_len to ip->name
* [Platform] Add Psuutil and update sensors.conf for S9100-32X, S8810-32Q and S9200-64X (#1272)
* Add I2C CPLD kernel module for psuutil.
* Support psuutil script.
* Add voltage min and max threshold.
* Update sensors.conf for tmp75.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Allow multi platform support - infra (more changes to follow)
* update relative path to include platform for clarity
* [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC for "branch 201712" (#1274)
- What I did
Add switch ASIC vendor: Nephos
Add Nephos platforms: Ingrasys S9130-32X, Ingrasys S9230-64X
- How I did it
Add platform/nephos files
Add platform/nephos/sonic-platform-modules-ingrasys submodule
Add device/ingrasys/x86_64-ingrasys_s9130_32x-r0 files
Add device/ingrasys/x86_64-ingrasys_s9230_64x-r0 files
Add SONiC to support Nephos platform
Update Head of submodule src/sonic-sairedis to "3b817bb"
- How to verify it
To build SONiC installer image and docker images, run the following commands:
make configure PLATFORM=nephos
make target/sonic-nephos.bin
Check system and network feature is worked as well
- Description for the changelog
Add switch ASIC vendor and platforms for Nephos
- A picture of a cute animal (not mandatory but encouraged)
Signed-off-by: Sam Yang <yang.kaiyu@gmail.com>
* change source of files to github (from dropbox), update sairedis refpoint
* update refpoint of sairedis
* [centec] support CENTEC SAI 1.0 on 201712 branch and update e582-48x6q board (#1269)
* [marvel]: Marvell's updates for SONiC.201712 & SAI v1.0 (#1287)
* update sairedis (fast-boot refpoint)
* fix syncd rpc make files
* update refpoint to handle Makefile change (no functional change)
* [Marvell]: Add support for SLM5401-54x device (#1307)
* Marvell's updates for SONiC.201712 & SAI v1.0
* [Platform] Add Marvell's SLM5401-54x for branch 201712
* [Broadcom]: Update Boradcom SAI package to 3.0.3.3-3 (#1312) (#1321)
- update Arista 7050-QX32S config.bcm file
- update Accton th-as771*-32x100G.config.bcm files
* update refpoint for Makefile chnage in sairedis
* update refpoint - sairedis
* update sairedis to older refpoint till we debug clean build
* export asic platform for build
* update refpoint for makefiles
* [PLATFORM] Centec update E582 driver fan/epprom/sensor (#1332)
* Upload wnc-osw1800
* Modify for Barefoot suggest
* Revert bfn-platform.mk
* Update bfn-platform-wnc.mk
Update parameter name
* Update parameter name
* initial support for WNC platform
* change switch name to "switch"
* Delete bf modules for rel_7_0
* Add Ingrasys S9180 platform
Signed-off-by: Wade He <chihen.he@gmail.com>
* Modify bfnsdk for Ingrasys S9180 platform
Signed-off-by: Wade He <chihen.he@gmail.com>
* Resolved the conflict.
* Resolved the conflict.
* Update submodule path and url.
* Delete unused file.
* Update PSU GPIO and EEPROM for psuutil.
* Add psuutil in S9180-32X
Signed-off-by: Wade He <chihen.he@gmail.com>
* update refpoint
* update refpoint
* change contact email, update refpoint
* cleanup and update kernel modules
* updates based on review
* update refpoint
* update refpoint
* fix typo in config script to check for platforms
* remove stale file
* resolve conflicts
* cleanup diffs with Azure repo and update SDK debs
* update refpoints to Azure
* address review comments
* revert refpoint of swss-common
* porting the build fix from master
* porting build fix from master
* Minor Fix
* Minor fix
* Temp to sde deb packages url
* Update sonic - sairedis,swss & swss-common refpoints
* Update git modules url path to bfn repo
* updated paths for swss, swss-common & sairedis
* Update refpoint for sonic-swss to local bfn repo
* Update URL for downloading sde debian packages
* porting fix links of debian git server from master
* porting fix links of debian git server from master
* [Ingrasys] Add platform support for S9280-64X with Barefoot ASIC
* Update ref points for swss, swss-common and sairedis repos
* Add sonic platform scripts for bfn montara/maverick
* Call sh scripts instead of calling py scripts
* Address upstream PR Comments (#10)
* Update bf-master with azure/master
* Undo changes to some files
* Revert "Address upstream PR Comments (#10)"
This reverts commit a7fddb83ca1073f90fbe46955ba57a9b43742c73.
* Address upstream comments (#11)
* Remove all non bfn specific changes from upstream PR
* Revert "Address upstream comments (#11)"
This reverts commit 559132103e5c73e43f4282d1559ede03f16abfea.
* Undo non bfn changes
* Little more cleanup
* Add back code removed in merge
* export CONFIGURED_PLATFORM
* Update sairedis and swss refpoints
* Address Upstream PR comment
* change deb pkg dependency from 3.16.0-4-amd64 to 3.16.0-5-amd64
* Set default tx queue len for usb0 interface to 64
* Update sairedis refpoint
* Update swss ref point
* Add bfn buffer cfg files for montara/maverick as per new design
* Update buffer cfg templates for bfn montara
* add non zero size to buffer profile
* add macro to generate port lists
* Update buffer cfg templates for bfn mavericks
* add non zero size for buffer profiles
* add port generation macro
* Add missing psmisc package
* BGP docker seems to be missing killall utility being used by fast-reboot script. This is causing non graceful termination of BGP sessions.
Adding psmisc to resolve this issue.
* Update swss ref point
* Update swss ref point
* Update sairedis refpoint
* Update sairedis refpoint
* Update sairedis refpoint
* Update sairedis refpoint
* Update refpoint for sairedis and swss
* sairedis to azure master
* swss to latest bfn bf-master
* Update gitmodules
Update url for sairedis to azure master
* Correct typo in bfn platform script
* Update swss and sairedis ref points
* Update swss ref point
* Address Review comments
* Update swws path in gitmodules to azure master
* update swss refpoint
* update base docker j2 file -remove psmisc package (could be a concern, would cause fast reboot to not work correctly will fix in another PR)
* Fix sairedis refpoint broken in by previous merge
* Remove psmisc from docker base image
* This will break fast reboot as killall is required for killing bgp process and initiating graceful termination of BGP session.
Will fix this in a seperate PR. Need this for SONIC upstreaming
* Address upstream comments
* Remove bmc interface from interface jinja template and sample output interfaces file
* Add bmc interface at boot time to network interfaces for bfn bmc based platforms
* Remove autogen ingrasys debian files
* Revert "Remove autogen ingrasys debian files"
* Buffer and qos config template fix for bfn platforms (#21)
SWI-1509 Buffer and qos config template fix for bfn platforms
* Fix qos config files for montara & mavericks (#22)
* Reference only ppg 3,4 in qos files as no profiles are attached to 0,1 in buffer configs
* Fix vs test (#23)
2018-07-24 12:23:12 -05:00
|
|
|
export CONFIGURED_PLATFORM
|
2016-12-05 13:12:19 -06:00
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
## Utility rules
|
|
|
|
## Define configuration, help etc.
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
.platform :
|
2017-01-29 13:33:33 -06:00
|
|
|
ifneq ($(CONFIGURED_PLATFORM),generic)
|
2016-12-05 13:12:19 -06:00
|
|
|
@echo Build system is not configured, please run make configure
|
|
|
|
@exit 1
|
2017-01-29 13:33:33 -06:00
|
|
|
endif
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
configure :
|
|
|
|
@mkdir -p target/debs
|
2017-07-28 12:57:51 -05:00
|
|
|
@mkdir -p target/files
|
2016-12-05 13:12:19 -06:00
|
|
|
@mkdir -p target/python-wheels
|
2021-01-12 08:03:12 -06:00
|
|
|
@mkdir -p $(DPKG_ADMINDIR_PATH)
|
2016-12-05 13:12:19 -06:00
|
|
|
@echo $(PLATFORM) > .platform
|
|
|
|
|
2017-03-02 06:08:25 -06:00
|
|
|
distclean : .platform clean
|
|
|
|
@rm -f .platform
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
list :
|
|
|
|
@$(foreach target,$(SONIC_TARGET_LIST),echo $(target);)
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Include other rules
|
|
|
|
###############################################################################
|
|
|
|
|
2018-03-06 01:55:37 -06:00
|
|
|
ifeq ($(SONIC_ENABLE_PFCWD_ON_START),y)
|
|
|
|
ENABLE_PFCWD_ON_START = y
|
|
|
|
endif
|
|
|
|
|
2018-04-18 02:31:12 -05:00
|
|
|
ifeq ($(SONIC_ENABLE_SYSTEM_TELEMETRY),y)
|
|
|
|
ENABLE_SYSTEM_TELEMETRY = y
|
|
|
|
endif
|
|
|
|
|
2018-10-15 15:49:35 -05:00
|
|
|
ifeq ($(SONIC_ENABLE_SYNCD_RPC),y)
|
|
|
|
ENABLE_SYNCD_RPC = y
|
|
|
|
endif
|
|
|
|
|
2018-10-21 19:20:27 -05:00
|
|
|
ifeq ($(SONIC_INSTALL_DEBUG_TOOLS),y)
|
|
|
|
INSTALL_DEBUG_TOOLS = y
|
|
|
|
endif
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
include $(RULES_PATH)/config
|
|
|
|
include $(RULES_PATH)/functions
|
|
|
|
include $(RULES_PATH)/*.mk
|
|
|
|
ifneq ($(CONFIGURED_PLATFORM), undefined)
|
|
|
|
include $(PLATFORM_PATH)/rules.mk
|
|
|
|
endif
|
|
|
|
|
2017-04-12 13:23:48 -05:00
|
|
|
ifeq ($(USERNAME),)
|
|
|
|
override USERNAME := $(DEFAULT_USERNAME)
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
else
|
|
|
|
$(warning USERNAME given on command line: could be visible to other users)
|
2017-04-12 13:23:48 -05:00
|
|
|
endif
|
|
|
|
|
|
|
|
ifeq ($(PASSWORD),)
|
|
|
|
override PASSWORD := $(DEFAULT_PASSWORD)
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
else
|
|
|
|
$(warning PASSWORD given on command line: could be visible to other users)
|
2017-04-12 13:23:48 -05:00
|
|
|
endif
|
|
|
|
|
2018-06-19 17:59:12 -05:00
|
|
|
ifeq ($(SONIC_DEBUGGING_ON),y)
|
|
|
|
DEB_BUILD_OPTIONS_GENERIC := "nostrip"
|
|
|
|
endif
|
|
|
|
|
|
|
|
ifeq ($(SONIC_PROFILING_ON),y)
|
|
|
|
DEB_BUILD_OPTIONS_GENERIC := "nostrip noopt"
|
|
|
|
endif
|
|
|
|
|
2017-12-20 17:25:30 -06:00
|
|
|
ifeq ($(SONIC_BUILD_JOBS),)
|
|
|
|
override SONIC_BUILD_JOBS := $(SONIC_CONFIG_BUILD_JOBS)
|
|
|
|
endif
|
|
|
|
|
2019-04-01 17:47:23 -05:00
|
|
|
ifeq ($(VS_PREPARE_MEM),)
|
|
|
|
override VS_PREPARE_MEM := $(DEFAULT_VS_PREPARE_MEM)
|
|
|
|
endif
|
|
|
|
|
2018-07-25 10:14:18 -05:00
|
|
|
ifeq ($(KERNEL_PROCURE_METHOD),)
|
|
|
|
override KERNEL_PROCURE_METHOD := $(DEFAULT_KERNEL_PROCURE_METHOD)
|
|
|
|
endif
|
|
|
|
|
2017-12-20 17:25:30 -06:00
|
|
|
MAKEFLAGS += -j $(SONIC_BUILD_JOBS)
|
2017-07-07 07:32:50 -05:00
|
|
|
export SONIC_CONFIG_MAKE_JOBS
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2018-11-26 20:19:12 -06:00
|
|
|
###############################################################################
|
|
|
|
## Routing stack related exports
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
export SONIC_ROUTING_STACK
|
|
|
|
export FRR_USER_UID
|
|
|
|
export FRR_USER_GID
|
|
|
|
|
2017-04-20 11:12:27 -05:00
|
|
|
###############################################################################
|
|
|
|
## Dumping key config attributes associated to current building exercise
|
|
|
|
###############################################################################
|
|
|
|
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info SONiC Build System)
|
|
|
|
$(info )
|
|
|
|
$(info Build Configuration)
|
|
|
|
$(info "CONFIGURED_PLATFORM" : "$(if $(PLATFORM),$(PLATFORM),$(CONFIGURED_PLATFORM))")
|
|
|
|
$(info "SONIC_CONFIG_PRINT_DEPENDENCIES" : "$(SONIC_CONFIG_PRINT_DEPENDENCIES)")
|
2017-12-20 17:25:30 -06:00
|
|
|
$(info "SONIC_BUILD_JOBS" : "$(SONIC_BUILD_JOBS)")
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info "SONIC_CONFIG_MAKE_JOBS" : "$(SONIC_CONFIG_MAKE_JOBS)")
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
$(info "USERNAME" : "$(USERNAME)")
|
|
|
|
$(info "PASSWORD" : "$(PASSWORD)")
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
|
|
|
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
2018-03-06 01:55:37 -06:00
|
|
|
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
2018-10-21 19:20:27 -05:00
|
|
|
$(info "INSTALL_DEBUG_TOOLS" : "$(INSTALL_DEBUG_TOOLS)")
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info "ROUTING_STACK" : "$(SONIC_ROUTING_STACK)")
|
2018-11-26 20:19:12 -06:00
|
|
|
ifeq ($(SONIC_ROUTING_STACK),frr)
|
|
|
|
$(info "FRR_USER_UID" : "$(FRR_USER_UID)")
|
|
|
|
$(info "FRR_USER_GID" : "$(FRR_USER_GID)")
|
|
|
|
endif
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info "ENABLE_SYNCD_RPC" : "$(ENABLE_SYNCD_RPC)")
|
2017-09-19 18:23:31 -05:00
|
|
|
$(info "ENABLE_ORGANIZATION_EXTENSIONS" : "$(ENABLE_ORGANIZATION_EXTENSIONS)")
|
2017-12-24 01:34:15 -06:00
|
|
|
$(info "HTTP_PROXY" : "$(HTTP_PROXY)")
|
|
|
|
$(info "HTTPS_PROXY" : "$(HTTPS_PROXY)")
|
2018-03-27 15:39:04 -05:00
|
|
|
$(info "ENABLE_SYSTEM_TELEMETRY" : "$(ENABLE_SYSTEM_TELEMETRY)")
|
2018-06-19 17:59:12 -05:00
|
|
|
$(info "SONIC_DEBUGGING_ON" : "$(SONIC_DEBUGGING_ON)")
|
|
|
|
$(info "SONIC_PROFILING_ON" : "$(SONIC_PROFILING_ON)")
|
2018-07-25 10:14:18 -05:00
|
|
|
$(info "KERNEL_PROCURE_METHOD" : "$(KERNEL_PROCURE_METHOD)")
|
2018-10-04 23:20:01 -05:00
|
|
|
$(info "BUILD_TIMESTAMP" : "$(BUILD_TIMESTAMP)")
|
2019-04-01 17:47:23 -05:00
|
|
|
$(info "VS_PREPARE_MEM" : "$(VS_PREPARE_MEM)")
|
2017-07-25 01:49:39 -05:00
|
|
|
$(info )
|
2017-04-20 11:12:27 -05:00
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Generic rules section
|
|
|
|
## All rules must go after includes for propper targets expansion
|
|
|
|
###############################################################################
|
|
|
|
|
2018-08-11 18:46:13 -05:00
|
|
|
export kernel_procure_method=$(KERNEL_PROCURE_METHOD)
|
2019-04-01 17:47:23 -05:00
|
|
|
export vs_build_prepare_mem=$(VS_PREPARE_MEM)
|
2018-07-25 10:14:18 -05:00
|
|
|
|
2016-12-14 13:59:24 -06:00
|
|
|
###############################################################################
|
|
|
|
## Local targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Copy debian packages from local directory
|
|
|
|
# Add new package for copy:
|
|
|
|
# SOME_NEW_DEB = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_DEB)_PATH = path/to/some_new_deb.deb
|
|
|
|
# SONIC_COPY_DEBS += $(SOME_NEW_DEB)
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_COPY_DEBS)) : $(DEBS_PATH)/% : .platform
|
|
|
|
$(HEADER)
|
|
|
|
$(foreach deb,$* $($*_DERIVED_DEBS), \
|
|
|
|
{ cp $($(deb)_PATH)/$(deb) $(DEBS_PATH)/ $(LOG) || exit 1 ; } ; )
|
|
|
|
$(FOOTER)
|
|
|
|
|
2018-07-25 10:14:18 -05:00
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_COPY_DEBS))
|
|
|
|
|
2016-12-14 13:59:24 -06:00
|
|
|
# Copy regular files from local directory
|
|
|
|
# Add new package for copy:
|
|
|
|
# SOME_NEW_FILE = some_new_file
|
|
|
|
# $(SOME_NEW_FILE)_PATH = path/to/some_new_file
|
|
|
|
# SONIC_COPY_FILES += $(SOME_NEW_FILE)
|
2017-07-28 12:57:51 -05:00
|
|
|
$(addprefix $(FILES_PATH)/, $(SONIC_COPY_FILES)) : $(FILES_PATH)/% : .platform
|
2016-12-14 13:59:24 -06:00
|
|
|
$(HEADER)
|
2017-07-28 12:57:51 -05:00
|
|
|
cp $($*_PATH)/$* $(FILES_PATH)/ $(LOG) || exit 1
|
2016-12-14 13:59:24 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(FILES_PATH)/, $(SONIC_COPY_FILES))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Online targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Download debian packages from online location
|
|
|
|
# Add new package for download:
|
|
|
|
# SOME_NEW_DEB = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_DEB)_URL = https://url/to/this/deb.deb
|
|
|
|
# SONIC_ONLINE_DEBS += $(SOME_NEW_DEB)
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_ONLINE_DEBS)) : $(DEBS_PATH)/% : .platform
|
|
|
|
$(HEADER)
|
|
|
|
$(foreach deb,$* $($*_DERIVED_DEBS), \
|
2017-07-21 11:05:21 -05:00
|
|
|
{ wget --no-use-server-timestamps -O $(DEBS_PATH)/$(deb) $($(deb)_URL) $(LOG) || exit 1 ; } ; )
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_ONLINE_DEBS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Download regular files from online location
|
|
|
|
# Files are stored in deb packages directory for convenience
|
|
|
|
# Add new file for download:
|
|
|
|
# SOME_NEW_FILE = some_new_file
|
|
|
|
# $(SOME_NEW_FILE)_URL = https://url/to/this/file
|
|
|
|
# SONIC_ONLINE_FILES += $(SOME_NEW_FILE)
|
2017-07-28 12:57:51 -05:00
|
|
|
$(addprefix $(FILES_PATH)/, $(SONIC_ONLINE_FILES)) : $(FILES_PATH)/% : .platform
|
2016-12-05 13:12:19 -06:00
|
|
|
$(HEADER)
|
2017-07-21 11:05:21 -05:00
|
|
|
wget --no-use-server-timestamps -O $@ $($*_URL) $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(FILES_PATH)/, $(SONIC_ONLINE_FILES))
|
|
|
|
|
2018-11-21 00:32:40 -06:00
|
|
|
###############################################################################
|
|
|
|
## Build targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Build project using build.sh script
|
|
|
|
# They are essentially a one-time build projects that get sources from some URL
|
|
|
|
# and compile them
|
|
|
|
# Add new file for build:
|
|
|
|
# SOME_NEW_FILE = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_FILE)_SRC_PATH = $(SRC_PATH)/project_name
|
|
|
|
# $(SOME_NEW_FILE)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
|
|
|
|
# SONIC_MAKE_FILES += $(SOME_NEW_FILE)
|
|
|
|
$(addprefix $(FILES_PATH)/, $(SONIC_MAKE_FILES)) : $(FILES_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)))
|
|
|
|
$(HEADER)
|
|
|
|
# Remove target to force rebuild
|
|
|
|
rm -f $(addprefix $(FILES_PATH)/, $*)
|
|
|
|
# Apply series of patches if exist
|
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a; popd; fi
|
|
|
|
# Build project and take package
|
|
|
|
make DEST=$(shell pwd)/$(FILES_PATH) -C $($*_SRC_PATH) $(shell pwd)/$(FILES_PATH)/$* $(LOG)
|
|
|
|
# Clean up
|
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && quilt pop -a -f; popd; fi
|
[build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
is built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.
since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstall
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.
For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.
To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-27 12:46:20 -05:00
|
|
|
|
|
|
|
# Uninstall unneeded build dependency
|
|
|
|
$(call UNINSTALL_DEBS,$($*_UNINSTALLS))
|
|
|
|
|
2018-11-21 00:32:40 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
|
|
|
SONIC_TARGET_LIST += $(addprefix $(FILES_PATH)/, $(SONIC_MAKE_FILES))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Debian package related targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Build project using build.sh script
|
|
|
|
# They are essentially a one-time build projects that get sources from some URL
|
|
|
|
# and compile them
|
|
|
|
# Add new package for build:
|
|
|
|
# SOME_NEW_DEB = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
|
|
|
|
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
|
|
|
|
# SONIC_MAKE_DEBS += $(SOME_NEW_DEB)
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_MAKE_DEBS)) : $(DEBS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)))
|
|
|
|
$(HEADER)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Remove target to force rebuild
|
2017-03-01 10:32:58 -06:00
|
|
|
rm -f $(addprefix $(DEBS_PATH)/, $* $($*_DERIVED_DEBS) $($*_EXTRA_DEBS))
|
2017-09-07 16:02:17 -05:00
|
|
|
# Apply series of patches if exist
|
2017-03-17 00:57:30 -05:00
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a; popd; fi
|
2021-01-12 08:03:12 -06:00
|
|
|
$(SETUP_OVERLAYFS_FOR_DPKG_ADMINDIR)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Build project and take package
|
2018-06-19 17:59:12 -05:00
|
|
|
DEB_BUILD_OPTIONS="${DEB_BUILD_OPTIONS_GENERIC}" make DEST=$(shell pwd)/$(DEBS_PATH) -C $($*_SRC_PATH) $(shell pwd)/$(DEBS_PATH)/$* $(LOG)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Clean up
|
2017-03-17 00:57:30 -05:00
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && quilt pop -a -f; popd; fi
|
[build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
is built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.
since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstall
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.
For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.
To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-27 12:46:20 -05:00
|
|
|
|
|
|
|
# Uninstall unneeded build dependency
|
|
|
|
$(call UNINSTALL_DEBS,$($*_UNINSTALLS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_MAKE_DEBS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Build project with dpkg-buildpackage
|
|
|
|
# Add new package for build:
|
|
|
|
# SOME_NEW_DEB = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
|
|
|
|
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
|
|
|
|
# SONIC_DPKG_DEBS += $(SOME_NEW_DEB)
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_DPKG_DEBS)) : $(DEBS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)))
|
|
|
|
$(HEADER)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Remove old build logs if they exist
|
2016-12-05 13:12:19 -06:00
|
|
|
rm -f $($*_SRC_PATH)/debian/*.debhelper.log
|
2017-09-07 16:02:17 -05:00
|
|
|
# Apply series of patches if exist
|
2017-05-22 03:08:16 -05:00
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a; popd; fi
|
2017-09-07 16:02:17 -05:00
|
|
|
# Build project
|
2016-12-05 13:12:19 -06:00
|
|
|
pushd $($*_SRC_PATH) $(LOG)
|
|
|
|
[ ! -f ./autogen.sh ] || ./autogen.sh $(LOG)
|
2021-01-12 08:03:12 -06:00
|
|
|
$(SETUP_OVERLAYFS_FOR_DPKG_ADMINDIR)
|
2017-10-24 00:01:42 -05:00
|
|
|
$(if $($*_DPKG_TARGET),
|
2021-01-12 08:03:12 -06:00
|
|
|
DEB_BUILD_OPTIONS="${DEB_BUILD_OPTIONS_GENERIC} ${$*_DEB_BUILD_OPTIONS}" dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --as-root -T$($*_DPKG_TARGET) --admindir $$mergedir $(LOG),
|
|
|
|
DEB_BUILD_OPTIONS="${DEB_BUILD_OPTIONS_GENERIC} ${$*_DEB_BUILD_OPTIONS}" dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $$mergedir $(LOG)
|
2017-10-24 00:01:42 -05:00
|
|
|
)
|
2016-12-05 13:12:19 -06:00
|
|
|
popd $(LOG)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Clean up
|
2017-05-22 03:08:16 -05:00
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && quilt pop -a -f; popd; fi
|
2017-09-07 16:02:17 -05:00
|
|
|
# Take built package(s)
|
2017-03-01 10:32:58 -06:00
|
|
|
mv $(addprefix $($*_SRC_PATH)/../, $* $($*_DERIVED_DEBS) $($*_EXTRA_DEBS)) $(DEBS_PATH) $(LOG)
|
[build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
is built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.
since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstall
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.
For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.
To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-27 12:46:20 -05:00
|
|
|
|
|
|
|
# Uninstall unneeded build dependency
|
|
|
|
$(call UNINSTALL_DEBS,$($*_UNINSTALLS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_DPKG_DEBS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Build project with python setup.py --command-packages=stdeb.command
|
|
|
|
# Add new package for build:
|
|
|
|
# SOME_NEW_DEB = some_new_deb.deb
|
|
|
|
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
|
|
|
|
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
|
|
|
|
# SONIC_PYTHON_STDEB_DEBS += $(SOME_NEW_DEB)
|
2017-10-25 07:06:30 -05:00
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_PYTHON_STDEB_DEBS)) : $(DEBS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS))) \
|
|
|
|
$$(addsuffix -install,$$(addprefix $(PYTHON_WHEELS_PATH)/,$$($$*_WHEEL_DEPENDS)))
|
2016-12-05 13:12:19 -06:00
|
|
|
$(HEADER)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Apply series of patches if exist
|
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a; popd; fi
|
|
|
|
# Build project
|
2016-12-05 13:12:19 -06:00
|
|
|
pushd $($*_SRC_PATH) $(LOG)
|
2018-01-29 10:14:01 -06:00
|
|
|
rm -rf deb_dist/* $(LOG)
|
2016-12-08 09:05:19 -06:00
|
|
|
python setup.py --command-packages=stdeb.command bdist_deb $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
popd $(LOG)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Clean up
|
|
|
|
if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && quilt pop -a -f; popd; fi
|
|
|
|
# Take built package(s)
|
2016-12-05 13:12:19 -06:00
|
|
|
mv $(addprefix $($*_SRC_PATH)/deb_dist/, $* $($*_DERIVED_DEBS)) $(DEBS_PATH) $(LOG)
|
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_PYTHON_STDEB_DEBS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Rules for derived debian packages (dev, dbg, etc.)
|
|
|
|
# All noise takes place in main deb recipe, so we are just telling that
|
|
|
|
# we depend on it and move our deb to other targets
|
|
|
|
# Add new dev package:
|
|
|
|
# $(eval $(call add_derived_package,$(ORIGINAL_DEB),derived_deb_file.deb))
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_DERIVED_DEBS)) : $(DEBS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS)))
|
|
|
|
$(HEADER)
|
|
|
|
# All noise takes place in main deb recipe, so we are just telling that
|
|
|
|
# we depend on it
|
|
|
|
# Put newer timestamp
|
|
|
|
[ -f $@ ] && touch $@
|
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_DERIVED_DEBS))
|
|
|
|
|
2017-03-01 10:32:58 -06:00
|
|
|
# Rules for extra debian packages
|
|
|
|
# All noise takes place in main deb recipe, so we are just telling that
|
|
|
|
# we need to build the main deb and move our deb to other targets
|
|
|
|
# Add new dev package:
|
|
|
|
# $(eval $(call add_extra_package,$(ORIGINAL_DEB),extra_deb_file.deb))
|
|
|
|
$(addprefix $(DEBS_PATH)/, $(SONIC_EXTRA_DEBS)) : $(DEBS_PATH)/% : .platform $$(addprefix $(DEBS_PATH)/,$$($$*_MAIN_DEB))
|
|
|
|
$(HEADER)
|
|
|
|
# All noise takes place in main deb recipe, so we are just telling that
|
|
|
|
# we depend on it
|
|
|
|
# Put newer timestamp
|
|
|
|
[ -f $@ ] && touch $@
|
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(DEBS_PATH)/, $(SONIC_EXTRA_DEBS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Targets for installing debian packages prior to build one that depends on them
|
|
|
|
SONIC_INSTALL_TARGETS = $(addsuffix -install,$(addprefix $(DEBS_PATH)/, \
|
|
|
|
$(SONIC_ONLINE_DEBS) \
|
|
|
|
$(SONIC_COPY_DEBS) \
|
|
|
|
$(SONIC_MAKE_DEBS) \
|
|
|
|
$(SONIC_DPKG_DEBS) \
|
|
|
|
$(SONIC_PYTHON_STDEB_DEBS) \
|
2017-03-01 10:32:58 -06:00
|
|
|
$(SONIC_DERIVED_DEBS) \
|
|
|
|
$(SONIC_EXTRA_DEBS)))
|
2021-01-16 15:12:14 -06:00
|
|
|
|
[build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
is built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.
since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstall
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.
For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.
To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-27 12:46:20 -05:00
|
|
|
$(SONIC_INSTALL_TARGETS) : $(DEBS_PATH)/%-install : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS))) $(DEBS_PATH)/$$*
|
2021-01-16 15:12:14 -06:00
|
|
|
$(HEADER)
|
|
|
|
[ -f $(DEBS_PATH)/$* ] || { echo $(DEBS_PATH)/$* does not exist $(LOG) && false $(LOG) }
|
|
|
|
while true; do
|
[build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
is built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.
since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstall
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.
For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.
To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-27 12:46:20 -05:00
|
|
|
# wait for conflicted packages to be uninstalled
|
|
|
|
$(foreach deb, $($*_CONFLICT_DEBS), \
|
|
|
|
{ while dpkg -s $(firstword $(subst _, ,$(basename $(deb)))) &> /dev/null; do echo "waiting for $(deb) to be uninstalled" $(LOG); sleep 1; done } )
|
|
|
|
# put a lock here because dpkg does not allow installing packages in parallel
|
|
|
|
if mkdir $(DEBS_PATH)/dpkg_lock &> /dev/null; then
|
|
|
|
{ sudo DEBIAN_FRONTEND=noninteractive dpkg -i $(DEBS_PATH)/$* $(LOG) && rm -d $(DEBS_PATH)/dpkg_lock && break; } || { rm -d $(DEBS_PATH)/dpkg_lock && exit 1 ; }
|
|
|
|
fi
|
2021-01-16 15:12:14 -06:00
|
|
|
done
|
|
|
|
$(FOOTER)
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Python packages
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# Build project using python setup.py bdist_wheel
|
|
|
|
# Projects that generate python wheels
|
|
|
|
# Add new package for build:
|
|
|
|
# SOME_NEW_WHL = some_new_whl.whl
|
|
|
|
# $(SOME_NEW_WHL)_SRC_PATH = $(SRC_PATH)/project_name
|
|
|
|
# $(SOME_NEW_WHL)_PYTHON_VERSION = 2 (or 3)
|
|
|
|
# $(SOME_NEW_WHL)_DEPENDS = $(SOME_OTHER_WHL1) $(SOME_OTHER_WHL2) ...
|
2017-03-30 17:25:31 -05:00
|
|
|
# SONIC_PYTHON_WHEELS += $(SOME_NEW_WHL)
|
2016-12-05 13:12:19 -06:00
|
|
|
$(addprefix $(PYTHON_WHEELS_PATH)/, $(SONIC_PYTHON_WHEELS)) : $(PYTHON_WHEELS_PATH)/% : .platform $$(addsuffix -install,$$(addprefix $(PYTHON_WHEELS_PATH)/,$$($$*_DEPENDS)))
|
|
|
|
$(HEADER)
|
|
|
|
pushd $($*_SRC_PATH) $(LOG)
|
2017-03-17 00:57:30 -05:00
|
|
|
# apply series of patches if exist
|
|
|
|
if [ -f ../$(notdir $($*_SRC_PATH)).patch/series ]; then QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a; fi
|
2017-12-07 15:08:23 -06:00
|
|
|
[ "$($*_TEST)" = "n" ] || python$($*_PYTHON_VERSION) setup.py test $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
python$($*_PYTHON_VERSION) setup.py bdist_wheel $(LOG)
|
2017-03-17 00:57:30 -05:00
|
|
|
# clean up
|
|
|
|
if [ -f ../$(notdir $($*_SRC_PATH)).patch/series ]; then quilt pop -a -f; fi
|
2016-12-05 13:12:19 -06:00
|
|
|
popd $(LOG)
|
|
|
|
mv $($*_SRC_PATH)/dist/$* $(PYTHON_WHEELS_PATH) $(LOG)
|
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(PYTHON_WHEELS_PATH)/, $(SONIC_PYTHON_WHEELS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Targets for installing python wheels.
|
|
|
|
# Autogenerated
|
|
|
|
SONIC_INSTALL_WHEELS = $(addsuffix -install, $(addprefix $(PYTHON_WHEELS_PATH)/, $(SONIC_PYTHON_WHEELS)))
|
|
|
|
$(SONIC_INSTALL_WHEELS) : $(PYTHON_WHEELS_PATH)/%-install : .platform $$(addsuffix -install,$$(addprefix $(PYTHON_WHEELS_PATH)/,$$($$*_DEPENDS))) $(PYTHON_WHEELS_PATH)/$$*
|
|
|
|
$(HEADER)
|
|
|
|
[ -f $(PYTHON_WHEELS_PATH)/$* ] || { echo $(PYTHON_WHEELS_PATH)/$* does not exist $(LOG) && exit 1; }
|
|
|
|
# put a lock here to avoid race conditions
|
|
|
|
while true; do
|
|
|
|
if mkdir $(PYTHON_WHEELS_PATH)/pip_lock &> /dev/null; then
|
2017-12-24 01:34:15 -06:00
|
|
|
{ sudo -E pip$($*_PYTHON_VERSION) install $(PYTHON_WHEELS_PATH)/$* $(LOG) && rm -d $(PYTHON_WHEELS_PATH)/pip_lock && break; } || { rm -d $(PYTHON_WHEELS_PATH)/pip_lock && exit 1 ; }
|
2016-12-05 13:12:19 -06:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
$(FOOTER)
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
## Docker images related targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# start docker daemon
|
|
|
|
docker-start :
|
2017-12-24 01:34:15 -06:00
|
|
|
@sudo sed -i '/http_proxy/d' /etc/default/docker
|
|
|
|
@sudo bash -c "echo \"export http_proxy=$$http_proxy\" >> /etc/default/docker"
|
2018-11-10 15:39:30 -06:00
|
|
|
@test x$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD) != x"y" && sudo service docker status &> /dev/null || ( sudo service docker start &> /dev/null && sleep 1 )
|
2016-12-05 13:12:19 -06:00
|
|
|
|
|
|
|
# targets for building simple docker images that do not depend on any debian packages
|
|
|
|
$(addprefix $(TARGET_PATH)/, $(SONIC_SIMPLE_DOCKER_IMAGES)) : $(TARGET_PATH)/%.gz : .platform docker-start $$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$($$*.gz_LOAD_DOCKERS)))
|
|
|
|
$(HEADER)
|
2018-02-15 19:48:49 -06:00
|
|
|
# Apply series of patches if exist
|
|
|
|
if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && QUILT_PATCHES=../$(notdir $($*.gz_PATH)).patch quilt push -a; popd; fi
|
2018-09-05 17:28:32 -05:00
|
|
|
docker info $(LOG)
|
2017-12-24 01:34:15 -06:00
|
|
|
docker build --squash --no-cache \
|
|
|
|
--build-arg http_proxy=$(HTTP_PROXY) \
|
|
|
|
--build-arg https_proxy=$(HTTPS_PROXY) \
|
|
|
|
--build-arg user=$(USER) \
|
|
|
|
--build-arg uid=$(UID) \
|
|
|
|
--build-arg guid=$(GUID) \
|
2018-06-25 12:48:42 -05:00
|
|
|
--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
|
2018-09-21 12:44:28 -05:00
|
|
|
--label Tag=$(SONIC_GET_VERSION) \
|
2017-12-24 01:34:15 -06:00
|
|
|
-t $* $($*.gz_PATH) $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
docker save $* | gzip -c > $@
|
2018-02-15 19:48:49 -06:00
|
|
|
# Clean up
|
|
|
|
if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(TARGET_PATH)/, $(SONIC_SIMPLE_DOCKER_IMAGES))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
# Targets for building docker images
|
2017-07-28 12:57:51 -05:00
|
|
|
$(addprefix $(TARGET_PATH)/, $(SONIC_DOCKER_IMAGES)) : $(TARGET_PATH)/%.gz : .platform docker-start $$(addprefix $(DEBS_PATH)/,$$($$*.gz_DEPENDS)) $$(addprefix $(FILES_PATH)/,$$($$*.gz_FILES)) $$(addprefix $(PYTHON_WHEELS_PATH)/,$$($$*.gz_PYTHON_WHEELS)) $$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$($$*.gz_LOAD_DOCKERS))) $$($$*.gz_PATH)/Dockerfile.j2
|
2016-12-05 13:12:19 -06:00
|
|
|
$(HEADER)
|
2018-02-15 19:48:49 -06:00
|
|
|
# Apply series of patches if exist
|
|
|
|
if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && QUILT_PATCHES=../$(notdir $($*.gz_PATH)).patch quilt push -a; popd; fi
|
2016-12-23 17:22:06 -06:00
|
|
|
mkdir -p $($*.gz_PATH)/debs $(LOG)
|
2017-07-28 12:57:51 -05:00
|
|
|
mkdir -p $($*.gz_PATH)/files $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
mkdir -p $($*.gz_PATH)/python-wheels $(LOG)
|
2016-12-23 17:22:06 -06:00
|
|
|
sudo mount --bind $(DEBS_PATH) $($*.gz_PATH)/debs $(LOG)
|
2017-07-28 12:57:51 -05:00
|
|
|
sudo mount --bind $(FILES_PATH) $($*.gz_PATH)/files $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
sudo mount --bind $(PYTHON_WHEELS_PATH) $($*.gz_PATH)/python-wheels $(LOG)
|
2016-12-23 17:22:06 -06:00
|
|
|
# Export variables for j2. Use path for unique variable names, e.g. docker_orchagent_debs
|
|
|
|
$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_debs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DEPENDS),RDEPENDS))\n" | awk '!a[$$0]++'))
|
2017-03-17 16:51:42 -05:00
|
|
|
$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_whls=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_PYTHON_WHEELS)))\n" | awk '!a[$$0]++'))
|
2017-02-21 21:04:43 -06:00
|
|
|
$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_dbgs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_PACKAGES)))\n" | awk '!a[$$0]++'))
|
2016-12-23 17:22:06 -06:00
|
|
|
j2 $($*.gz_PATH)/Dockerfile.j2 > $($*.gz_PATH)/Dockerfile
|
2018-09-05 17:28:32 -05:00
|
|
|
docker info $(LOG)
|
2017-12-24 01:34:15 -06:00
|
|
|
docker build --squash --no-cache \
|
|
|
|
--build-arg http_proxy=$(HTTP_PROXY) \
|
|
|
|
--build-arg https_proxy=$(HTTPS_PROXY) \
|
|
|
|
--build-arg user=$(USER) \
|
|
|
|
--build-arg uid=$(UID) \
|
|
|
|
--build-arg guid=$(GUID) \
|
2018-06-25 12:48:42 -05:00
|
|
|
--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
|
2018-11-26 20:19:12 -06:00
|
|
|
--build-arg frr_user_uid=$(FRR_USER_UID) \
|
|
|
|
--build-arg frr_user_gid=$(FRR_USER_GID) \
|
2018-09-21 12:44:28 -05:00
|
|
|
--label Tag=$(SONIC_GET_VERSION) \
|
2017-12-24 01:34:15 -06:00
|
|
|
-t $* $($*.gz_PATH) $(LOG)
|
2016-12-05 13:12:19 -06:00
|
|
|
docker save $* | gzip -c > $@
|
2018-02-15 19:48:49 -06:00
|
|
|
# Clean up
|
|
|
|
if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(TARGET_PATH)/, $(SONIC_DOCKER_IMAGES))
|
|
|
|
|
2019-07-09 10:55:03 -05:00
|
|
|
# Targets for building debug docker images
|
|
|
|
$(addprefix $(TARGET_PATH)/, $(SONIC_DOCKER_DBG_IMAGES)) : $(TARGET_PATH)/%-$(DBG_IMAGE_MARK).gz : .platform docker-start \
|
|
|
|
$$(addprefix $(DEBS_PATH)/,$$($$*.gz_DBG_DEPENDS)) \
|
|
|
|
$$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$*.gz))
|
|
|
|
$(HEADER)
|
|
|
|
# Apply series of patches if exist
|
|
|
|
mkdir -p $($*.gz_PATH)/debs $(LOG)
|
|
|
|
sudo mount --bind $(DEBS_PATH) $($*.gz_PATH)/debs $(LOG)
|
|
|
|
# Export variables for j2. Use path for unique variable names, e.g. docker_orchagent_debs
|
|
|
|
$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_dbg_debs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_DEPENDS),RDEPENDS))\n" | awk '!a[$$0]++'))
|
|
|
|
$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_image_dbgs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_IMAGE_PACKAGES)))\n" | awk '!a[$$0]++'))
|
|
|
|
./build_debug_docker_j2.sh $* $(subst -,_,$(notdir $($*.gz_PATH)))_dbg_debs $(subst -,_,$(notdir $($*.gz_PATH)))_image_dbgs > $($*.gz_PATH)/Dockerfile-dbg.j2
|
|
|
|
j2 $($*.gz_PATH)/Dockerfile-dbg.j2 > $($*.gz_PATH)/Dockerfile-dbg
|
|
|
|
docker info $(LOG)
|
|
|
|
docker build \
|
|
|
|
$(if $($*.gz_DBG_DEPENDS), --squash --no-cache) \
|
|
|
|
--build-arg http_proxy=$(HTTP_PROXY) \
|
|
|
|
--build-arg https_proxy=$(HTTPS_PROXY) \
|
|
|
|
--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
|
|
|
|
--label Tag=$(SONIC_GET_VERSION) \
|
|
|
|
--file $($*.gz_PATH)/Dockerfile-dbg \
|
|
|
|
-t $*-dbg $($*.gz_PATH) $(LOG)
|
|
|
|
docker save $*-dbg | gzip -c > $@
|
|
|
|
# Clean up
|
|
|
|
if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
|
|
|
|
$(FOOTER)
|
|
|
|
|
|
|
|
SONIC_TARGET_LIST += $(addprefix $(TARGET_PATH)/, $(SONIC_DOCKER_DBG_IMAGES))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
DOCKER_LOAD_TARGETS = $(addsuffix -load,$(addprefix $(TARGET_PATH)/, \
|
|
|
|
$(SONIC_SIMPLE_DOCKER_IMAGES) \
|
2019-07-09 10:55:03 -05:00
|
|
|
$(SONIC_DOCKER_IMAGES) \
|
|
|
|
$(SONIC_DOCKER_DBG_IMAGES)))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
$(DOCKER_LOAD_TARGETS) : $(TARGET_PATH)/%.gz-load : .platform docker-start $$(TARGET_PATH)/$$*.gz
|
|
|
|
$(HEADER)
|
|
|
|
docker load -i $(TARGET_PATH)/$*.gz $(LOG)
|
|
|
|
$(FOOTER)
|
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
## Installers
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
# targets for building installers with base image
|
2017-11-16 14:27:03 -06:00
|
|
|
$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
|
|
|
.platform \
|
|
|
|
onie-image.conf \
|
2017-09-01 02:35:36 -05:00
|
|
|
build_debian.sh \
|
|
|
|
build_image.sh \
|
2017-11-16 14:27:03 -06:00
|
|
|
$$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS))) \
|
|
|
|
$$(addprefix $(DEBS_PATH)/,$$($$*_INSTALLS)) \
|
|
|
|
$$(addprefix $(DEBS_PATH)/,$$($$*_LAZY_INSTALLS)) \
|
|
|
|
$$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \
|
2018-11-21 00:32:40 -06:00
|
|
|
$(addprefix $(FILES_PATH)/,$(IXGBE_DRIVER)) \
|
2017-11-16 14:27:03 -06:00
|
|
|
$(addprefix $(DEBS_PATH)/,$(INITRAMFS_TOOLS) \
|
|
|
|
$(LINUX_KERNEL) \
|
|
|
|
$(SONIC_DEVICE_DATA) \
|
2018-06-29 11:59:46 -05:00
|
|
|
$(PYTHON_CLICK) \
|
2017-12-07 05:36:17 -06:00
|
|
|
$(SONIC_UTILS) \
|
2018-07-27 19:46:33 -05:00
|
|
|
$(BASH) \
|
2017-12-07 05:36:17 -06:00
|
|
|
$(LIBPAM_TACPLUS) \
|
2019-12-30 20:25:57 -06:00
|
|
|
$(LIBNSS_TACPLUS) \
|
|
|
|
$(MONIT)) \
|
2017-11-16 14:27:03 -06:00
|
|
|
$$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
|
2018-01-17 19:11:31 -06:00
|
|
|
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE)) \
|
2018-11-20 21:27:56 -06:00
|
|
|
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_PLATFORM_COMMON_PY2)) \
|
2019-07-23 09:05:35 -05:00
|
|
|
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(REDIS_DUMP_LOAD_PY2)) \
|
|
|
|
$$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_PLATFORM_API_PY2))
|
2016-12-05 13:12:19 -06:00
|
|
|
$(HEADER)
|
2017-09-07 16:02:17 -05:00
|
|
|
# Pass initramfs and linux kernel explicitly. They are used for all platforms
|
2017-01-29 13:33:33 -06:00
|
|
|
export initramfs_tools="$(DEBS_PATH)/$(INITRAMFS_TOOLS)"
|
|
|
|
export linux_kernel="$(DEBS_PATH)/$(LINUX_KERNEL)"
|
2018-11-21 00:32:40 -06:00
|
|
|
export onie_recovery_image="$(FILES_PATH)/$(ONIE_RECOVERY_IMAGE)"
|
2017-01-29 13:33:33 -06:00
|
|
|
export kversion="$(KVERSION)"
|
|
|
|
export image_type="$($*_IMAGE_TYPE)"
|
|
|
|
export sonicadmin_user="$(USERNAME)"
|
2017-02-10 09:39:05 -06:00
|
|
|
export sonic_asic_platform="$(CONFIGURED_PLATFORM)"
|
2018-03-27 15:39:04 -05:00
|
|
|
export enable_organization_extensions="$(ENABLE_ORGANIZATION_EXTENSIONS)"
|
2017-02-17 15:47:01 -06:00
|
|
|
export enable_dhcp_graph_service="$(ENABLE_DHCP_GRAPH_SERVICE)"
|
2017-06-12 13:05:22 -05:00
|
|
|
export shutdown_bgp_on_start="$(SHUTDOWN_BGP_ON_START)"
|
2018-03-06 01:55:37 -06:00
|
|
|
export enable_pfcwd_on_start="$(ENABLE_PFCWD_ON_START)"
|
2017-11-16 14:27:03 -06:00
|
|
|
export installer_debs="$(addprefix $(DEBS_PATH)/,$($*_INSTALLS))"
|
|
|
|
export lazy_installer_debs="$(foreach deb, $($*_LAZY_INSTALLS),$(foreach device, $($(deb)_PLATFORM),$(addprefix $(device)@, $(DEBS_PATH)/$(deb))))"
|
2017-04-04 01:56:15 -05:00
|
|
|
export installer_images="$(addprefix $(TARGET_PATH)/,$($*_DOCKERS))"
|
|
|
|
export config_engine_wheel_path="$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_CONFIG_ENGINE))"
|
|
|
|
export swsssdk_py2_wheel_path="$(addprefix $(PYTHON_WHEELS_PATH)/,$(SWSSSDK_PY2))"
|
2018-01-17 19:11:31 -06:00
|
|
|
export platform_common_py2_wheel_path="$(addprefix $(PYTHON_WHEELS_PATH)/,$(SONIC_PLATFORM_COMMON_PY2))"
|
2018-11-20 21:27:56 -06:00
|
|
|
export redis_dump_load_py2_wheel_path="$(addprefix $(PYTHON_WHEELS_PATH)/,$(REDIS_DUMP_LOAD_PY2))"
|
2019-09-19 11:09:25 -05:00
|
|
|
export install_debug_image="$(INSTALL_DEBUG_TOOLS)"
|
2018-03-27 15:39:04 -05:00
|
|
|
|
2017-01-29 13:33:33 -06:00
|
|
|
$(foreach docker, $($*_DOCKERS),\
|
|
|
|
export docker_image="$(docker)"
|
|
|
|
export docker_image_name="$(basename $(docker))"
|
2019-07-09 10:55:03 -05:00
|
|
|
export docker_container_name="$($(docker:-dbg.gz=.gz)_CONTAINER_NAME)"
|
|
|
|
$(eval $(docker:-dbg.gz=.gz)_RUN_OPT += $($(docker:-dbg.gz=.gz)_$($*_IMAGE_TYPE)_RUN_OPT))
|
|
|
|
export docker_image_run_opt="$($(docker:-dbg.gz=.gz)_RUN_OPT)"
|
|
|
|
j2 files/build_templates/docker_image_ctl.j2 > $($(docker:-dbg.gz=.gz)_CONTAINER_NAME).sh
|
|
|
|
if [ -f files/build_templates/$($(docker:-dbg.gz=.gz)_CONTAINER_NAME).service.j2 ]; then
|
|
|
|
j2 files/build_templates/$($(docker:-dbg.gz=.gz)_CONTAINER_NAME).service.j2 > $($(docker:-dbg.gz=.gz)_CONTAINER_NAME).service
|
2017-03-01 12:57:35 -06:00
|
|
|
fi
|
2019-07-09 10:55:03 -05:00
|
|
|
chmod +x $($(docker:-dbg.gz=.gz)_CONTAINER_NAME).sh
|
2017-01-29 13:33:33 -06:00
|
|
|
)
|
|
|
|
|
2019-07-09 10:55:03 -05:00
|
|
|
export installer_start_scripts="$(foreach docker, $($*_DOCKERS),$(addsuffix .sh, $($(docker:-dbg.gz=.gz)_CONTAINER_NAME)))"
|
|
|
|
export installer_services="$(foreach docker, $($*_DOCKERS),$(addsuffix .service, $($(docker:-dbg.gz=.gz)_CONTAINER_NAME)))"
|
|
|
|
export installer_extra_files="$(foreach docker, $($*_DOCKERS), $(foreach file, $($(docker:-dbg.gz=.gz)_BASE_IMAGE_FILES), $($(docker:-dbg.gz=.gz)_PATH)/base_image_files/$(file)))"
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2017-02-06 10:17:16 -06:00
|
|
|
j2 -f env files/initramfs-tools/union-mount.j2 onie-image.conf > files/initramfs-tools/union-mount
|
|
|
|
j2 -f env files/initramfs-tools/arista-convertfs.j2 onie-image.conf > files/initramfs-tools/arista-convertfs
|
|
|
|
|
2018-07-23 17:51:03 -05:00
|
|
|
j2 files/build_templates/updategraph.service.j2 > updategraph.service
|
|
|
|
|
2018-03-27 15:39:04 -05:00
|
|
|
$(if $($*_DOCKERS),
|
2017-01-29 13:33:33 -06:00
|
|
|
j2 files/build_templates/sonic_debian_extension.j2 > sonic_debian_extension.sh
|
|
|
|
chmod +x sonic_debian_extension.sh,
|
|
|
|
)
|
|
|
|
|
2019-08-28 11:29:48 -05:00
|
|
|
DEBUG_IMG="$(INSTALL_DEBUG_TOOLS)" \
|
|
|
|
DEBUG_SRC_ARCHIVE_DIRS="$(DBG_SRC_ARCHIVE)" \
|
|
|
|
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
|
2019-08-30 10:02:44 -05:00
|
|
|
./dbg_files.sh
|
2019-07-22 18:06:43 -05:00
|
|
|
|
2019-07-09 10:55:03 -05:00
|
|
|
DEBUG_IMG="$(INSTALL_DEBUG_TOOLS)" \
|
2019-08-28 11:29:48 -05:00
|
|
|
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
USERNAME="$(USERNAME)" \
|
|
|
|
PASSWORD="$(PASSWORD)" \
|
2020-04-08 16:24:08 -05:00
|
|
|
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
./build_debian.sh $(LOG)
|
|
|
|
|
2018-11-21 00:32:40 -06:00
|
|
|
USERNAME="$(USERNAME)" \
|
|
|
|
PASSWORD="$(PASSWORD)" \
|
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
|
|
|
TARGET_MACHINE=$($*_MACHINE) \
|
|
|
|
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
|
|
|
./build_image.sh $(LOG)
|
2017-01-29 13:33:33 -06:00
|
|
|
|
|
|
|
$(foreach docker, $($*_DOCKERS), \
|
2019-07-09 10:55:03 -05:00
|
|
|
rm -f $($(docker:-dbg.gz=.gz)_CONTAINER_NAME).sh
|
|
|
|
rm -f $($(docker:-dbg.gz=.gz)_CONTAINER_NAME).service
|
2017-01-29 13:33:33 -06:00
|
|
|
)
|
|
|
|
|
|
|
|
$(if $($*_DOCKERS),
|
|
|
|
rm sonic_debian_extension.sh,
|
|
|
|
)
|
2017-02-26 18:00:44 -06:00
|
|
|
|
|
|
|
chmod a+x $@
|
2016-12-05 13:12:19 -06:00
|
|
|
$(FOOTER)
|
|
|
|
|
2017-07-29 17:34:27 -05:00
|
|
|
SONIC_TARGET_LIST += $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS))
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Clean targets
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
SONIC_CLEAN_DEBS = $(addsuffix -clean,$(addprefix $(DEBS_PATH)/, \
|
|
|
|
$(SONIC_ONLINE_DEBS) \
|
|
|
|
$(SONIC_COPY_DEBS) \
|
|
|
|
$(SONIC_MAKE_DEBS) \
|
|
|
|
$(SONIC_DPKG_DEBS) \
|
|
|
|
$(SONIC_PYTHON_STDEB_DEBS) \
|
2017-03-01 10:32:58 -06:00
|
|
|
$(SONIC_DERIVED_DEBS) \
|
|
|
|
$(SONIC_EXTRA_DEBS)))
|
2017-07-28 12:57:51 -05:00
|
|
|
|
|
|
|
SONIC_CLEAN_FILES = $(addsuffix -clean,$(addprefix $(FILES_PATH)/, \
|
|
|
|
$(SONIC_ONLINE_FILES) \
|
2018-11-21 00:32:40 -06:00
|
|
|
$(SONIC_COPY_FILES) \
|
|
|
|
$(SONIC_MAKE_FILES)))
|
2017-07-28 12:57:51 -05:00
|
|
|
|
2017-03-01 10:32:58 -06:00
|
|
|
$(SONIC_CLEAN_DEBS) : $(DEBS_PATH)/%-clean : .platform $$(addsuffix -clean,$$(addprefix $(DEBS_PATH)/,$$($$*_MAIN_DEB)))
|
|
|
|
@# remove derived or extra targets if main one is removed, because we treat them
|
2016-12-05 13:12:19 -06:00
|
|
|
@# as part of one package
|
2017-03-01 10:32:58 -06:00
|
|
|
@rm -f $(addprefix $(DEBS_PATH)/, $* $($*_DERIVED_DEBS) $($*_EXTRA_DEBS))
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2017-07-28 12:57:51 -05:00
|
|
|
$(SONIC_CLEAN_FILES) : $(FILES_PATH)/%-clean : .platform
|
|
|
|
@rm -f $(FILES_PATH)/$*
|
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
SONIC_CLEAN_TARGETS += $(addsuffix -clean,$(addprefix $(TARGET_PATH)/, \
|
|
|
|
$(SONIC_DOCKER_IMAGES) \
|
2019-07-09 10:55:03 -05:00
|
|
|
$(SONIC_DOCKER_DBG_IMAGES) \
|
2017-03-07 14:34:24 -06:00
|
|
|
$(SONIC_SIMPLE_DOCKER_IMAGES) \
|
|
|
|
$(SONIC_INSTALLERS)))
|
2016-12-05 13:12:19 -06:00
|
|
|
$(SONIC_CLEAN_TARGETS) : $(TARGET_PATH)/%-clean : .platform
|
|
|
|
@rm -f $(TARGET_PATH)/$*
|
|
|
|
|
|
|
|
SONIC_CLEAN_WHEELS = $(addsuffix -clean,$(addprefix $(PYTHON_WHEELS_PATH)/, \
|
|
|
|
$(SONIC_PYTHON_WHEELS)))
|
|
|
|
$(SONIC_CLEAN_WHEELS) : $(PYTHON_WHEELS_PATH)/%-clean : .platform
|
|
|
|
@rm -f $(PYTHON_WHEELS_PATH)/$*
|
|
|
|
|
|
|
|
clean-logs : .platform
|
2017-07-28 12:57:51 -05:00
|
|
|
@rm -f $(TARGET_PATH)/*.log $(DEBS_PATH)/*.log $(FILES_PATH)/*.log $(PYTHON_WHEELS_PATH)/*.log
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2017-07-28 12:57:51 -05:00
|
|
|
clean : .platform clean-logs $$(SONIC_CLEAN_DEBS) $$(SONIC_CLEAN_FILES) $$(SONIC_CLEAN_TARGETS) $$(SONIC_CLEAN_WHEELS)
|
2016-12-05 13:12:19 -06:00
|
|
|
|
|
|
|
###############################################################################
|
|
|
|
## all
|
|
|
|
###############################################################################
|
|
|
|
|
|
|
|
all : .platform $$(addprefix $(TARGET_PATH)/,$$(SONIC_ALL))
|
|
|
|
|
2018-11-21 00:32:40 -06:00
|
|
|
stretch : $$(addprefix $(DEBS_PATH)/,$$(SONIC_STRETCH_DEBS)) \
|
|
|
|
$$(addprefix $(FILES_PATH)/,$$(SONIC_STRETCH_FILES))
|
|
|
|
|
2018-03-01 03:24:35 -06:00
|
|
|
|
2016-12-05 13:12:19 -06:00
|
|
|
###############################################################################
|
|
|
|
## Standard targets
|
|
|
|
###############################################################################
|
|
|
|
|
2018-11-21 00:32:40 -06:00
|
|
|
.PHONY : $(SONIC_CLEAN_DEBS) $(SONIC_CLEAN_FILES) $(SONIC_CLEAN_TARGETS) $(SONIC_CLEAN_WHEELS) $(SONIC_PHONY_TARGETS) clean distclean configure
|
2016-12-05 13:12:19 -06:00
|
|
|
|
2017-03-02 06:08:25 -06:00
|
|
|
.INTERMEDIATE : $(SONIC_INSTALL_TARGETS) $(SONIC_INSTALL_WHEELS) $(DOCKER_LOAD_TARGETS) docker-start .platform
|