2016-03-08 13:42:20 -06:00
#!/bin/bash
## This script is to automate the preparation for a debian file system, which will be used for
## an ONIE installer image.
##
## USAGE:
[baseimage]: Improve password hashing for default user account (#1748)

* [slave.mk]: Fix displaying username and password in build summary

We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be built with USERNAME and/or PASSWORD given on make(1)
command line. For example:

  $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin

Fix by displaying USERNAME and PASSWORD variables in build summary.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>

* [baseimage]: Improve default user account handling

There are couple of issues with current implementation of default
user account management in baseimage:

  1) It uses DES to encrypt accounts password. Furthermore this
     effectively limits password length to 8 symbols, even if more
     provided with PASSWORD or DEFAULT_PASSWORD from rules/config.

  2) Salt value for password is same on all builds even with different
     password increasing attack surface.

  3) During the build process password passed as command line parameter
     either as plain text (if given to make(1) as "make PASSWORD=...")
     or DES encrypted (if given to build_debian.sh) can be seen by
     non-build users using /proc/<pid>/cmdline file that has group and
     world readable permissions.

Both 1) and 2) come from:

  perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"

that by default uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.

To address issues above we propose following changes:

  1) Do not create password by hands (e.g. using perl snippet above):
     put this job to chpasswd(8) which is aware about system wide
     password hashing policy specified in /etc/login.defs with
     ENCRYPT_METHOD (by default it is SHA512 for Debian 8).

  2) Now chpasswd(8) will take care about proper salt value.

  3) This has two steps:

     3.1) For compatibility reasons accept USERNAME and PASSWORD as
          make(1) parameters, but warn user that this is unsafe.

     3.2) Use process environment to pass USERNAME and PASSWORD variables
          from Makefile to build_debian.sh as more secure alternative to
          passing via command line parameters: /proc/<pid>/environ
          readable only by user running process or privileged users like
          root.

Before change:
--------------

  hash1
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
                                      ^^^^^^^^
                                      8 symbols
  # echo "$u:$p" | chpasswd -e
  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Note the hash (DES encrypted password)

  hash2
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
                                      ^^^^^^^^^^^^
                                      12 symbols
  # echo "$u:$p" | chpasswd -e
  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Hash is the same as for "YourPaSs"

After change:
-------------

  hash1
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
           ^^^^^^^^
           Note salt here
  ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::

  hash2
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
           ^^^^^^^^
           Here salt completely different from case above
  plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::

Since salt is different hashes for same password different too.

  hash1
  -----
  # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
                                             ^^^^^
                                             We want SHA512 hash
  $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
  yd2ELrIMJ.FQLNjgSD0nNha7/

  hash2
  -----
  # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
  $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
  kYDI8zwRumRwga/A29nHm4mZ1

Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
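The first two weaknesses named in the commit message above (traditional DES hashes and a salt shared across builds) are visible in the second field of each shadow entry, so images that are already built can be checked for them. The script below is an added example, not part of the commit or of the SONiC build scripts; the function names and the `buildN-admin` labels are assumptions, and the sample hashes are the ones quoted in the commit message.

```shell
#!/bin/sh
# Added example: audit shadow(5)-format lines for traditional DES hashes and
# reused salts. Function names and the buildN-admin labels are hypothetical.

# Print the crypt(3) scheme of one shadow password field.
classify_shadow_hash() {
    case "$1" in
        '')               echo empty ;;
        '!'*|'*'*)        echo locked ;;
        '$1$'*)           echo md5 ;;
        '$5$'*)           echo sha256 ;;
        '$6$'*)           echo sha512 ;;
        '$'*)             echo other ;;
        *[!./0-9A-Za-z]*) echo unknown ;;
        *)  # Traditional DES crypt: 2 salt chars + 11 hash chars, no $<id>$ prefix.
            if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Print the salt of a DES, MD5, SHA-256 or SHA-512 crypt hash (empty otherwise).
shadow_salt() {
    case "$(classify_shadow_hash "$1")" in
        des) printf '%s\n' "$1" | cut -c1-2 ;;
        md5|sha256|sha512)
            rest=${1#\$*\$}                                     # drop "$<id>$"
            case "$rest" in rounds=*) rest=${rest#*\$} ;; esac  # drop "rounds=N$"
            printf '%s\n' "${rest%%\$*}" ;;
        *) echo ;;
    esac
}

# Read shadow lines on stdin; print "user scheme salt findings" per entry.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        salt=$(shadow_salt "$hash")
        printf '%s %s %s\n' "$user" "$(classify_shadow_hash "$hash")" "${salt:--}"
    done | awk '
        { user[NR] = $1; scheme[NR] = $2; salt[NR] = $3
          if ($3 != "-") seen[$2 ":" $3]++ }
        END {
            for (i = 1; i <= NR; i++) {
                note = ""
                # DES crypt ignores everything after the 8th password character.
                if (scheme[i] == "des") note = "des-8char-limit"
                # The same scheme and salt on several entries means a fixed salt.
                if (seen[scheme[i] ":" salt[i]] > 1)
                    note = (note == "" ? "" : note ",") "salt-reused"
                print user[i], scheme[i], salt[i], (note == "" ? "ok" : note)
            }
        }'
}

# Constructed input: one admin entry per image build, using the hash values
# quoted in the commit message above (two DES builds, two chpasswd builds).
sample_shadow() {
    cat <<'EOF'
build1-admin:sazQDkwgZPfSk:17680:0:99999:7:::
build2-admin:sazQDkwgZPfSk:17680:0:99999:7:::
build3-admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTgksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
build4-admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

Feed `audit_shadow` the `etc/shadow` file of an unpacked image to run the same check on real entries.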
## USERNAME=username PASSWORD=password ./build_debian
## ENVIRONMENT:
2016-03-08 13:42:20 -06:00
## USERNAME
## The name of the default admin user
2018-06-09 13:29:16 -05:00
## PASSWORD
## The password, expected by chpasswd command
2016-03-08 13:42:20 -06:00

## Default user
[ -n "$USERNAME" ] || {
2018-06-09 13:29:16 -05:00
    echo "Error: no or empty USERNAME"
2016-03-08 13:42:20 -06:00
    exit 1
}
2018-06-09 13:29:16 -05:00
## Password for the default user
[ -n "$PASSWORD" ] || {
    echo "Error: no or empty PASSWORD"
2016-03-08 13:42:20 -06:00
    exit 1
}

## Include common functions
. functions.sh

## Enable debug output for script
set -x -e

2016-07-26 14:01:58 -05:00
## docker engine version (with platform)
2017-09-05 04:07:05 -05:00
DOCKER_VERSION=1.11.1-0~stretch_amd64
2018-01-10 03:34:46 -06:00
LINUX_KERNEL_VERSION=4.9.0-5
2016-07-26 14:01:58 -05:00

2016-03-08 13:42:20 -06:00
## Working directory to prepare the file system
FILESYSTEM_ROOT=./fsroot
2017-02-27 15:08:41 -06:00
PLATFORM_DIR=platform
2016-03-08 13:42:20 -06:00
## Hostname for the linux image
2016-09-15 17:22:29 -05:00
HOSTNAME=sonic
2016-03-08 13:42:20 -06:00
DEFAULT_USERINFO="Default admin user,,,"

## Read ONIE image related config file
. ./onie-image.conf
[ -n "$ONIE_IMAGE_PART_SIZE" ] || {
    echo "Error: Invalid ONIE_IMAGE_PART_SIZE in onie image config file"
    exit 1
}
[ -n "$ONIE_INSTALLER_PAYLOAD" ] || {
    echo "Error: Invalid ONIE_INSTALLER_PAYLOAD in onie image config file"
    exit 1
}
[ -n "$FILESYSTEM_SQUASHFS" ] || {
    echo "Error: Invalid FILESYSTEM_SQUASHFS in onie image config file"
    exit 1
}

## Prepare the file system directory
if [[ -d $FILESYSTEM_ROOT ]]; then
2017-02-10 09:39:05 -06:00
    sudo rm -rf $FILESYSTEM_ROOT || die "Failed to clean chroot directory"
2016-03-08 13:42:20 -06:00
fi
mkdir -p $FILESYSTEM_ROOT
2017-02-27 15:08:41 -06:00
mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR
2017-09-17 13:41:30 -05:00
mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR/x86_64-grub
2017-02-27 15:08:41 -06:00
touch $FILESYSTEM_ROOT/$PLATFORM_DIR/firsttime
2016-03-08 13:42:20 -06:00

## Build a basic Debian system by debootstrap
echo '[INFO] Debootstrap...'
2017-09-05 04:07:05 -05:00
sudo http_proxy=$http_proxy debootstrap --variant=minbase --arch amd64 stretch $FILESYSTEM_ROOT http://debian-archive.trafficmanager.net/debian
2016-03-08 13:42:20 -06:00

## Config hostname and hosts, otherwise 'sudo ...' will complain 'sudo: unable to resolve host ...'
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '$HOSTNAME' > /etc/hostname"
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 $HOSTNAME' >> /etc/hosts"
2016-09-25 23:48:25 -05:00
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 localhost' >> /etc/hosts"
2016-03-08 13:42:20 -06:00

## Config basic fstab
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "proc /proc proc defaults 0 0" >> /etc/fstab'
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "sysfs /sys sysfs defaults 0 0" >> /etc/fstab'

2017-12-24 01:34:15 -06:00
## Setup proxy
[ -n "$http_proxy" ] && sudo /bin/bash -c "echo 'Acquire::http::Proxy \"$http_proxy\";' > $FILESYSTEM_ROOT/etc/apt/apt.conf.d/01proxy"

2016-03-08 13:42:20 -06:00
## Note: mounting is necessary to makedev and install linux image
echo '[INFO] Mount all'
## Output all the mounted device for troubleshooting
mount
trap_push 'sudo umount $FILESYSTEM_ROOT/proc || true'
sudo LANG=C chroot $FILESYSTEM_ROOT mount proc /proc -t proc

## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates
2016-11-08 05:04:52 -06:00
sudo cp files/apt/sources.list $FILESYSTEM_ROOT/etc/apt/
2016-11-16 14:46:15 -06:00
sudo cp files/apt/apt.conf.d/{81norecommends,apt-{clean,gzip-indexes,no-languages}} $FILESYSTEM_ROOT/etc/apt/apt.conf.d/
2016-05-27 15:30:13 -05:00
sudo LANG=C chroot $FILESYSTEM_ROOT bash -c 'apt-mark auto `apt-mark showmanual`'
2016-03-08 13:42:20 -06:00

## Note: set lang to prevent locale warnings in your chroot
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y update
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y upgrade
echo '[INFO] Install packages for building image'
2017-09-02 17:29:21 -05:00
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install makedev psmisc systemd-sysv
2016-03-08 13:42:20 -06:00

## Create device files
echo '[INFO] MAKEDEV'
sudo LANG=C chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic'
## Install initramfs-tools and linux kernel
## Note: initramfs-tools recommends depending on busybox, and we really want busybox for
## 1. commands such as touch
## 2. mount supports squashfs
## However, 'dpkg -i' plus 'apt-get install -f' will ignore the recommended dependency. So
## we install busybox explicitly
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install busybox
2016-09-06 15:15:10 -05:00
echo '[INFO] Install SONiC linux kernel image'
2016-03-08 13:42:20 -06:00
## Note: duplicate apt-get command to ensure every line return zero
2017-09-01 03:53:21 -05:00
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/initramfs-tools-core_*.deb || \
    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2016-12-05 13:12:19 -06:00
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/initramfs-tools_*.deb || \
2016-03-08 13:42:20 -06:00
    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2017-09-01 02:35:36 -05:00
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/linux-image-${LINUX_KERNEL_VERSION}-amd64_*.deb || \
2016-03-08 13:42:20 -06:00
    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2017-12-11 11:00:41 -06:00
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install acl
2016-05-27 15:30:13 -05:00

2017-09-02 17:32:31 -05:00
## Update initramfs for booting with squashfs+overlay
2016-03-08 13:42:20 -06:00
cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT/etc/initramfs-tools/modules > /dev/null

2017-01-24 00:25:47 -06:00
## Hook into initramfs: change fs type from vfat to ext4 on arista switches
sudo mkdir -p $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/
sudo cp files/initramfs-tools/arista-convertfs $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/arista-convertfs
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/arista-convertfs
sudo cp files/initramfs-tools/mke2fs $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/mke2fs
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/mke2fs
2017-11-24 19:30:11 -06:00
sudo cp files/initramfs-tools/setfacl $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/setfacl
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/setfacl
2017-01-24 00:25:47 -06:00

2017-08-19 23:32:10 -05:00
# Hook into initramfs: rename the management interfaces on arista switches
sudo cp files/initramfs-tools/arista-net $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/arista-net
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/arista-net

2018-02-07 08:07:01 -06:00
# Hook into initramfs: resize root partition after migration from another NOS to SONiC on Dell switches
sudo cp files/initramfs-tools/resize-rootfs $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/resize-rootfs
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-premount/resize-rootfs

2016-03-08 13:42:20 -06:00
## Hook into initramfs: after partition mount and loop file mount
## 1. Prepare layered file system
## 2. Bind-mount docker working directory (docker aufs cannot work over aufs rootfs)
sudo cp files/initramfs-tools/union-mount $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/union-mount
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/union-mount
2017-09-06 22:07:32 -05:00
sudo cp files/initramfs-tools/varlog $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/varlog
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/varlog
2018-03-08 18:42:41 -06:00
# Management interface (eth0) dhcp can be optionally turned off (during a migration from another NOS to SONiC)
sudo cp files/initramfs-tools/mgmt-intf-dhcp $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/mgmt-intf-dhcp
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/mgmt-intf-dhcp
2016-03-08 13:42:20 -06:00
sudo cp files/initramfs-tools/union-fsck $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/union-fsck
sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/hooks/union-fsck
2017-09-02 17:32:31 -05:00
pushd $FILESYSTEM_ROOT/usr/share/initramfs-tools/scripts/init-bottom && sudo patch -p1 < $OLDPWD/files/initramfs-tools/udev.patch; popd
2016-03-08 13:42:20 -06:00

2017-12-22 12:04:29 -06:00
## Install latest intel ixgbe driver
2018-01-10 04:48:24 -06:00
sudo cp target/debs/ixgbe.ko $FILESYSTEM_ROOT/lib/modules/${LINUX_KERNEL_VERSION}-amd64/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
2017-12-22 12:04:29 -06:00

2016-03-08 13:42:20 -06:00
## Install docker
echo '[INFO] Install docker'
2016-07-26 14:01:58 -05:00
## Install apparmor utils since they're missing and apparmor is enabled in the kernel
## Otherwise Docker will fail to start
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
docker_deb_url=https://apt.dockerproject.org/repo/pool/main/d/docker-engine/docker-engine_${DOCKER_VERSION}.deb
docker_deb_temp=`mktemp`
trap_push "rm -f $docker_deb_temp"
2018-08-13 20:30:00 -05:00
wget $docker_deb_url -qO $docker_deb_temp
sudo dpkg --root=$FILESYSTEM_ROOT -i $docker_deb_temp || \
    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

2016-08-04 12:39:33 -05:00
## Add docker config drop-in to select aufs, otherwise it may select other storage driver
2016-03-08 13:42:20 -06:00
sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/docker.service.d/
2016-07-26 14:01:58 -05:00
## Note: $_ means last argument of last command
2016-03-08 13:42:20 -06:00
sudo cp files/docker/docker.service.conf $_

## Create default user
## Note: user should be in the group with the same name, and also in sudo/docker group
sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
## Create password for the default user
2018-06-09 13:29:16 -05:00
echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
2016-03-08 13:42:20 -06:00

2016-03-16 01:38:26 -05:00
## Pre-install hardware drivers
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install \
    firmware-linux-nonfree

2016-03-08 13:42:20 -06:00
## Pre-install the fundamental packages
## Note: gdisk is needed for sgdisk in install.sh
## Note: parted is needed for partprobe in install.sh
2016-07-26 14:01:58 -05:00
## Note: ca-certificates is needed for easy_install
2017-03-02 18:04:18 -06:00
## Note: don't install python-apt by pip, older than Debian repo one
2017-01-29 13:33:33 -06:00
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
2016-05-27 15:30:13 -05:00
    file \
    ifupdown \
    iproute2 \
2017-03-20 23:39:09 -05:00
    bridge-utils \
2016-05-27 15:30:13 -05:00
    isc-dhcp-client \
2016-03-08 13:42:20 -06:00
    sudo \
    vim \
    tcpdump \
2017-06-15 12:31:13 -05:00
    dbus \
2016-03-08 13:42:20 -06:00
    ntp \
2016-05-27 15:30:13 -05:00
    ntpstat \
2016-03-08 13:42:20 -06:00
    openssh-server \
    python \
    python-setuptools \
2017-05-18 12:57:19 -05:00
    monit \
2016-03-08 13:42:20 -06:00
    python-apt \
2016-05-27 15:30:13 -05:00
    traceroute \
    iputils-ping \
    net-tools \
2016-07-26 14:01:58 -05:00
    bsdmainutils \
    ca-certificates \
    i2c-tools \
2016-10-18 13:22:29 -05:00
    efibootmgr \
    usbutils \
2017-01-29 13:33:33 -06:00
    pciutils \
    iptables-persistent \
2017-02-17 15:47:01 -06:00
    logrotate \
2017-03-15 20:38:55 -05:00
    curl \
2017-04-21 19:23:36 -05:00
    kexec-tools \
2017-05-11 20:46:11 -05:00
    less \
2017-09-17 13:41:30 -05:00
    unzip \
2017-10-05 23:43:25 -05:00
    gdisk \
2018-01-10 05:04:32 -06:00
    sysfsutils \
2018-03-08 18:42:41 -06:00
    grub2-common \
2018-08-11 12:58:30 -05:00
    rsyslog \
2018-04-26 15:53:54 -05:00
    ethtool \
2018-07-01 11:46:25 -05:00
    screen \
    hping3 \
    python-scapy \
    tcptraceroute \
    mtr-tiny
2017-09-17 13:41:30 -05:00

sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y download \
    grub-pc-bin

sudo mv $FILESYSTEM_ROOT/grub-pc-bin*.deb $FILESYSTEM_ROOT/$PLATFORM_DIR/x86_64-grub
2017-03-15 20:38:55 -05:00

2018-02-08 19:43:52 -06:00
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libwrap0_*.deb || \
    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

2017-03-15 20:38:55 -05:00
|
|
|
## Disable kexec supported reboot which was installed by default
|
|
|
|
sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/kexec
|
2016-03-08 13:42:20 -06:00
|
|
|
|
2018-06-04 23:01:53 -05:00
|
|
|
## Fix ping tools permission so non root user can directly use them
|
|
|
|
## Note: this is a workaround since aufs doesn't support extended attributes
|
|
|
|
## Ref: https://github.com/moby/moby/issues/5650#issuecomment-303499489
|
|
|
|
## TODO: remove workaround when the overlay filesystem supports extended attributes
|
|
|
|
sudo chmod u+s $FILESYSTEM_ROOT/bin/ping{,6}
|
|
|
|
|
2016-07-26 14:01:58 -05:00
|
|
|
## Remove sshd host keys; they will be regenerated on first sshd start
|
|
|
|
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
|
|
|
|
sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
|
|
|
|
sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service
|
|
|
|
## Config sshd
|
|
|
|
sudo augtool --autosave "set /files/etc/ssh/sshd_config/UseDNS no" -r $FILESYSTEM_ROOT
|
2018-01-09 19:55:10 -06:00
|
|
|
sudo sed -i 's/^ListenAddress ::/#ListenAddress ::/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
|
|
|
|
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT/etc/ssh/sshd_config
|
2016-07-26 14:01:58 -05:00
|
|
|
|
2017-05-18 12:57:19 -05:00
|
|
|
## Config monit
|
|
|
|
sudo sed -i '
|
|
|
|
s/^# set logfile syslog/set logfile syslog/;
|
|
|
|
s/^\s*set logfile \/var/# set logfile \/var/;
|
|
|
|
s/^# set httpd port/set httpd port/;
|
|
|
|
s/^# use address localhost/ use address localhost/;
|
|
|
|
s/^# allow localhost/ allow localhost/;
|
|
|
|
s/^# allow admin:monit/ allow admin:monit/;
|
|
|
|
s/^# allow @monit/ allow @monit/;
|
|
|
|
s/^# allow @users readonly/ allow @users readonly/
|
|
|
|
' $FILESYSTEM_ROOT/etc/monit/monitrc
|
|
|
|
|
|
|
|
sudo tee -a $FILESYSTEM_ROOT/etc/monit/monitrc > /dev/null <<'EOF'
|
2017-09-02 17:32:31 -05:00
|
|
|
check filesystem root-overlay with path /
|
2017-05-18 12:57:19 -05:00
|
|
|
if space usage > 90% for 5 times within 10 cycles then alert
|
2018-07-03 19:00:31 -05:00
|
|
|
check filesystem var-log with path /var/log
|
|
|
|
if space usage > 90% for 5 times within 10 cycles then alert
|
2017-05-18 12:57:19 -05:00
|
|
|
check system $HOST
|
|
|
|
if memory usage > 90% for 5 times within 10 cycles then alert
|
|
|
|
if cpu usage (user) > 90% for 5 times within 10 cycles then alert
|
|
|
|
if cpu usage (system) > 90% for 5 times within 10 cycles then alert
|
|
|
|
EOF
|
|
|
|
|
2016-07-26 14:01:58 -05:00
|
|
|
## Config sysctl
|
|
|
|
sudo mkdir -p $FILESYSTEM_ROOT/var/core
|
|
|
|
sudo augtool --autosave "
|
2017-08-30 11:41:47 -05:00
|
|
|
set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p'
|
2016-11-04 21:47:36 -05:00
|
|
|
|
2017-05-11 20:57:00 -05:00
|
|
|
set /files/etc/sysctl.conf/kernel.softlockup_panic 1
|
|
|
|
set /files/etc/sysctl.conf/kernel.panic 10
|
2017-08-30 11:41:47 -05:00
|
|
|
set /files/etc/sysctl.conf/fs.suid_dumpable 2
|
2017-05-11 20:57:00 -05:00
|
|
|
|
2016-11-04 21:47:36 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.forwarding 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.forwarding 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.eth0.forwarding 0
|
|
|
|
|
2016-07-26 14:01:58 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_accept 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_announce 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_filter 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_notify 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.default.arp_ignore 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_accept 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_announce 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_filter 0
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_notify 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv4.conf.all.arp_ignore 2
|
2016-11-04 21:47:36 -05:00
|
|
|
|
2017-05-15 19:06:19 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv4.neigh.default.base_reachable_time_ms 1800000
|
Fix potential blackholing/looping traffic when link-local was used and refresh ipv6 neighbor to avoid CPU hit (#1904)
* Fix potential blackholing/looping traffic and refresh ipv6 neighbor to avoid CPU hit
In case ipv6 global addresses were configured on L3 interfaces and used for peering,
and routing protocol was using link-local addresses on the same interfaces as preferred nexthops,
the link-local addresses could be aged out after a while due to no activities towards the link-local
addresses themselves. And when we receive new routes with the link-local nexthops, SONiC won't insert
them to the HW, and thus cause looping or blackholing traffic.
Global ipv6 addresses on L3 interfaces between switches are refreshed by BGP keepalive and other messages.
On server facing side, traffic may hit forwarding plane only, and no refresh for the ipv6 neighbor entries regularly.
This could age-out the linux kernel ipv6 neighbor entries, and HW neighbor table entries could be removed,
and thus traffic going to those neighbors would hit CPU, and cause traffic drop and temporary CPU high load.
Also, if link-local addresses were not learned, we may not get them at all later.
It is intended to fix all above issues.
Changes:
Add ndisc6 package in swss docker and use it for ipv6 ndp ping to update the neighbors' state on Vlan interfaces
Change the default ipv6 neighbor reachable timer to 30mins
Add periodical ipv6 multicast ping to ff02::11 to get/refresh link-local neighbor info.
* Fix review comments:
Add PORTCHANNEL_INTERFACE interface for ipv6 multicast ping
format issue
* Combine regular L3 interface and portchannel interface for looping
* Add ndisc6 package to vs docker
2018-08-12 05:14:55 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv6.neigh.default.base_reachable_time_ms 1800000
|
2017-05-15 19:06:19 -05:00
|
|
|
|
2016-11-04 21:47:36 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.default.forwarding 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.all.forwarding 1
|
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.eth0.forwarding 0
|
|
|
|
|
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.default.accept_dad 0
|
2016-11-03 14:15:00 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.all.accept_dad 0
|
2018-05-12 03:31:17 -05:00
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_dad 0
|
2017-05-10 19:39:51 -05:00
|
|
|
|
|
|
|
set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_ra_defrtr 0
|
2017-06-29 03:40:22 -05:00
|
|
|
|
|
|
|
set /files/etc/sysctl.conf/net.core.rmem_max 2097152
|
2018-03-14 11:20:47 -05:00
|
|
|
set /files/etc/sysctl.conf/net.core.wmem_max 2097152
|
2016-07-26 14:01:58 -05:00
|
|
|
" -r $FILESYSTEM_ROOT
|
|
|
|
|
2016-03-08 13:42:20 -06:00
|
|
|
## docker-py is needed by Ansible docker module
|
2017-12-24 01:34:15 -06:00
|
|
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT easy_install pip
|
|
|
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT pip install 'docker-py==1.6.0'
|
2017-03-02 18:04:18 -06:00
|
|
|
## Note: keep pip installed for maintenance purposes
|
2016-03-08 13:42:20 -06:00
|
|
|
|
2017-03-23 14:18:52 -05:00
|
|
|
## Create /var/run/redis folder for docker-database to mount
|
|
|
|
sudo mkdir -p $FILESYSTEM_ROOT/var/run/redis
|
|
|
|
|
2016-03-08 13:42:20 -06:00
|
|
|
## Config DHCP for eth0
|
|
|
|
sudo tee -a $FILESYSTEM_ROOT/etc/network/interfaces > /dev/null <<EOF
|
|
|
|
|
|
|
|
auto eth0
|
|
|
|
allow-hotplug eth0
|
|
|
|
iface eth0 inet dhcp
|
|
|
|
EOF
|
|
|
|
|
2016-05-27 15:30:13 -05:00
|
|
|
sudo cp files/dhcp/rfc3442-classless-routes $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d
|
2017-02-02 13:19:48 -06:00
|
|
|
sudo cp files/dhcp/sethostname $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
2017-02-17 15:47:01 -06:00
|
|
|
sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
|
|
|
sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT/etc/dhcp/dhclient-exit-hooks.d/
|
|
|
|
sudo cp files/dhcp/dhclient.conf $FILESYSTEM_ROOT/etc/dhcp/
|
2016-05-27 15:30:13 -05:00
|
|
|
|
2017-04-05 18:14:41 -05:00
|
|
|
## Version file
|
|
|
|
sudo mkdir -p $FILESYSTEM_ROOT/etc/sonic
|
|
|
|
sudo tee $FILESYSTEM_ROOT/etc/sonic/sonic_version.yml > /dev/null <<EOF
|
2018-03-16 03:09:33 -05:00
|
|
|
build_version: '$(sonic_get_version)'
|
2018-01-03 23:43:06 -06:00
|
|
|
debian_version: '$(cat $FILESYSTEM_ROOT/etc/debian_version)'
|
2018-03-16 03:09:33 -05:00
|
|
|
kernel_version: '$kversion'
|
2017-04-05 18:14:41 -05:00
|
|
|
asic_type: $sonic_asic_platform
|
2018-03-16 03:09:33 -05:00
|
|
|
commit_id: '$(git rev-parse --short HEAD)'
|
2017-04-05 18:14:41 -05:00
|
|
|
build_date: $(date -u)
|
2017-04-16 03:17:22 -05:00
|
|
|
build_number: ${BUILD_NUMBER:-0}
|
2017-04-05 18:14:41 -05:00
|
|
|
built_by: $USER@$BUILD_HOSTNAME
|
|
|
|
EOF
|
|
|
|
|
2017-01-29 13:33:33 -06:00
|
|
|
if [ -f sonic_debian_extension.sh ]; then
|
2017-02-27 15:08:41 -06:00
|
|
|
./sonic_debian_extension.sh $FILESYSTEM_ROOT $PLATFORM_DIR
|
2017-01-29 13:33:33 -06:00
|
|
|
fi
|
|
|
|
|
2017-09-19 18:23:31 -05:00
|
|
|
## Organization specific extensions such as Configuration & Scripts for features like AAA, ZTP...
|
|
|
|
if [ "${enable_organization_extensions}" = "y" ]; then
|
|
|
|
if [ -f files/build_templates/organization_extensions.sh ]; then
|
|
|
|
sudo chmod 755 files/build_templates/organization_extensions.sh
|
|
|
|
./files/build_templates/organization_extensions.sh -f $FILESYSTEM_ROOT -h $HOSTNAME
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2018-03-05 01:07:40 -06:00
|
|
|
## Update initramfs
|
|
|
|
sudo chroot $FILESYSTEM_ROOT update-initramfs -u
|
|
|
|
|
2016-03-08 13:42:20 -06:00
|
|
|
## Clean up apt
|
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get autoremove
|
2016-05-27 15:30:13 -05:00
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get autoclean
|
2016-03-08 13:42:20 -06:00
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get clean
|
2016-05-27 15:30:13 -05:00
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT bash -c 'rm -rf /usr/share/doc/* /usr/share/locale/* /var/lib/apt/lists/* /tmp/*'
|
2016-03-08 13:42:20 -06:00
|
|
|
|
2017-12-24 01:34:15 -06:00
|
|
|
## Clean up proxy
|
|
|
|
[ -n "$http_proxy" ] && sudo rm -f $FILESYSTEM_ROOT/etc/apt/apt.conf.d/01proxy
|
|
|
|
|
2016-03-08 13:42:20 -06:00
|
|
|
## Umount all
|
|
|
|
echo '[INFO] Umount all'
|
2017-07-12 03:28:36 -05:00
|
|
|
## Display details of all processes accessing /proc
|
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT fuser -vm /proc
|
|
|
|
## Kill the processes
|
2016-03-08 13:42:20 -06:00
|
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT fuser -km /proc || true
|
2017-07-12 03:28:36 -05:00
|
|
|
## Wait for fuser to fully kill the processes
|
|
|
|
sleep 15
|
|
|
|
sudo umount $FILESYSTEM_ROOT/proc || true
|
2016-03-08 13:42:20 -06:00
|
|
|
|
|
|
|
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
|
|
|
|
sudo mkdir $FILESYSTEM_ROOT/host
|
|
|
|
|
|
|
|
## Compress most of the file system into a squashfs file
|
|
|
|
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
|
2016-05-27 15:30:13 -05:00
|
|
|
## Output the file system total size for diag purpose
|
2017-07-12 03:28:36 -05:00
|
|
|
## Note: -x to skip directories on different file systems, such as /proc
|
|
|
|
sudo du -hsx $FILESYSTEM_ROOT
|
2018-08-13 00:23:43 -05:00
|
|
|
sudo mkdir -p $FILESYSTEM_ROOT/var/lib/docker
|
2017-02-27 15:08:41 -06:00
|
|
|
sudo mksquashfs $FILESYSTEM_ROOT $FILESYSTEM_SQUASHFS -e boot -e var/lib/docker -e $PLATFORM_DIR
|
2016-03-08 13:42:20 -06:00
|
|
|
|
2017-01-29 13:33:33 -06:00
|
|
|
## Compress docker files
|
2017-02-06 10:17:16 -06:00
|
|
|
pushd $FILESYSTEM_ROOT && sudo tar czf $OLDPWD/$FILESYSTEM_DOCKERFS -C var/lib/docker .; popd
|
2017-01-29 13:33:33 -06:00
|
|
|
|
2017-02-27 15:08:41 -06:00
|
|
|
## Compress together with /boot, /var/lib/docker and $PLATFORM_DIR as an installer payload zip file
|
|
|
|
pushd $FILESYSTEM_ROOT && sudo zip $OLDPWD/$ONIE_INSTALLER_PAYLOAD -r boot/ $PLATFORM_DIR/; popd
|
2017-01-29 13:33:33 -06:00
|
|
|
sudo zip -g $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS $FILESYSTEM_DOCKERFS
|