2016-03-08 13:42:20 -06:00
#!/bin/bash
## This script is to automate the preparation for a debian file system, which will be used for
## an ONIE installer image.
##
## USAGE:
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
## USERNAME=username PASSWORD=password ./build_debian
## ENVIRONMENT:
2016-03-08 13:42:20 -06:00
## USERNAME
## The name of the default admin user
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
## PASSWORD
## The password, expected by chpasswd command
2016-03-08 13:42:20 -06:00
## Default user
[ -n " $USERNAME " ] || {
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
echo "Error: no or empty USERNAME"
2016-03-08 13:42:20 -06:00
exit 1
}
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
## Password for the default user
[ -n " $PASSWORD " ] || {
echo "Error: no or empty PASSWORD"
2016-03-08 13:42:20 -06:00
exit 1
}
## Include common functions
. functions.sh
## Enable debug output for script
set -x -e
2019-07-26 00:06:41 -05:00
CONFIGURED_ARCH = $( [ -f .arch ] && cat .arch || echo amd64)
2016-07-26 14:01:58 -05:00
## docker engine version (with platform)
2022-04-27 12:20:42 -05:00
DOCKER_VERSION = 5:20.10.14~3-0~debian-$IMAGE_DISTRO
CONTAINERD_IO_VERSION = 1.5.11-1
2022-11-14 18:33:34 -06:00
LINUX_KERNEL_VERSION = 5.10.0-18-2
2016-07-26 14:01:58 -05:00
2016-03-08 13:42:20 -06:00
## Working directory to prepare the file system
FILESYSTEM_ROOT = ./fsroot
2017-02-27 15:08:41 -06:00
PLATFORM_DIR = platform
2016-03-08 13:42:20 -06:00
## Hostname for the linux image
2016-09-15 17:22:29 -05:00
HOSTNAME = sonic
2016-03-08 13:42:20 -06:00
DEFAULT_USERINFO = "Default admin user,,,"
2020-12-21 01:31:10 -06:00
BUILD_TOOL_PATH = src/sonic-build-hooks/buildinfo
TRUSTED_GPG_DIR = $BUILD_TOOL_PATH /trusted.gpg.d
2016-03-08 13:42:20 -06:00
## Read ONIE image related config file
. ./onie-image.conf
[ -n " $ONIE_IMAGE_PART_SIZE " ] || {
echo "Error: Invalid ONIE_IMAGE_PART_SIZE in onie image config file"
exit 1
}
[ -n " $ONIE_INSTALLER_PAYLOAD " ] || {
echo "Error: Invalid ONIE_INSTALLER_PAYLOAD in onie image config file"
exit 1
}
[ -n " $FILESYSTEM_SQUASHFS " ] || {
echo "Error: Invalid FILESYSTEM_SQUASHFS in onie image config file"
exit 1
}
## Prepare the file system directory
if [ [ -d $FILESYSTEM_ROOT ] ] ; then
2017-02-10 09:39:05 -06:00
sudo rm -rf $FILESYSTEM_ROOT || die "Failed to clean chroot directory"
2016-03-08 13:42:20 -06:00
fi
mkdir -p $FILESYSTEM_ROOT
2017-02-27 15:08:41 -06:00
mkdir -p $FILESYSTEM_ROOT /$PLATFORM_DIR
2022-07-12 17:00:57 -05:00
mkdir -p $FILESYSTEM_ROOT /$PLATFORM_DIR /grub
2017-02-27 15:08:41 -06:00
touch $FILESYSTEM_ROOT /$PLATFORM_DIR /firsttime
2016-03-08 13:42:20 -06:00
2022-03-10 19:23:37 -06:00
## ensure proc is mounted
sudo mount proc /proc -t proc || true
2019-01-04 22:47:43 -06:00
## make / as a mountpoint in chroot env, needed by dockerd
pushd $FILESYSTEM_ROOT
sudo mount --bind . .
popd
2020-12-21 01:31:10 -06:00
## Build the host debian base system
echo '[INFO] Build host debian base system...'
TARGET_PATH = $TARGET_PATH scripts/build_debian_base_system.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT
# Prepare buildinfo
2022-12-11 19:20:56 -06:00
sudo SONIC_VERSION_CACHE = ${ SONIC_VERSION_CACHE } \
DBGOPT = " ${ DBGOPT } " \
scripts/prepare_debian_image_buildinfo.sh $CONFIGURED_ARCH $IMAGE_DISTRO $FILESYSTEM_ROOT $http_proxy
2016-03-08 13:42:20 -06:00
2021-04-08 00:00:27 -05:00
sudo chown root:root $FILESYSTEM_ROOT
2016-03-08 13:42:20 -06:00
## Config hostname and hosts, otherwise 'sudo ...' will complain 'sudo: unable to resolve host ...'
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c " echo ' $HOSTNAME ' > /etc/hostname "
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c " echo '127.0.0.1 $HOSTNAME ' >> /etc/hosts "
2016-09-25 23:48:25 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '127.0.0.1 localhost' >> /etc/hosts"
2016-03-08 13:42:20 -06:00
## Config basic fstab
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "proc /proc proc defaults 0 0" >> /etc/fstab'
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c 'echo "sysfs /sys sysfs defaults 0 0" >> /etc/fstab'
2017-12-24 01:34:15 -06:00
## Setup proxy
[ -n " $http_proxy " ] && sudo /bin/bash -c " echo 'Acquire::http::Proxy \" $http_proxy \";' > $FILESYSTEM_ROOT /etc/apt/apt.conf.d/01proxy "
2020-02-03 14:31:40 -06:00
trap_push 'sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true'
sudo LANG = C chroot $FILESYSTEM_ROOT mount proc /proc -t proc
2016-03-08 13:42:20 -06:00
## Note: mounting is necessary to makedev and install linux image
echo '[INFO] Mount all'
## Output all the mounted device for troubleshooting
2020-02-03 14:31:40 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT mount
2016-03-08 13:42:20 -06:00
2020-12-21 01:31:10 -06:00
## Install the trusted gpg public keys
[ -d $TRUSTED_GPG_DIR ] && [ ! -z " $( ls $TRUSTED_GPG_DIR ) " ] && sudo cp $TRUSTED_GPG_DIR /* ${ FILESYSTEM_ROOT } /etc/apt/trusted.gpg.d/
2016-03-08 13:42:20 -06:00
## Pointing apt to public apt mirrors and getting latest packages, needed for latest security updates
2022-11-08 18:09:53 -06:00
scripts/build_mirror_config.sh files/apt $CONFIGURED_ARCH $IMAGE_DISTRO
2019-07-26 00:06:41 -05:00
sudo cp files/apt/sources.list.$CONFIGURED_ARCH $FILESYSTEM_ROOT /etc/apt/sources.list
2022-11-20 18:05:16 -06:00
sudo cp files/apt/apt.conf.d/{ 81norecommends,apt-{ clean,gzip-indexes,no-languages} ,no-check-valid-until,apt-multiple-retries} $FILESYSTEM_ROOT /etc/apt/apt.conf.d/
2016-03-08 13:42:20 -06:00
## Note: set lang to prevent locale warnings in your chroot
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y update
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y upgrade
Image build time improvements (#10104)
* [build]: Patch debootstrap to not unmount the host's /proc filesystem
Currently, when the final image is being built (sonic-vs.img.gz,
sonic-broadcom.bin, or similar), each invocation of sudo in the
build_debian.sh script takes 0.8 seconds to run and execute the actual
command. This is because the /proc filesystem in the slave container has
been unmounted somehow. This is happening when debootstrap is running,
and it incorrectly unmounts the host's (in our case, the slave
container's) /proc filesystem because in the new image being built,
/proc is a symlink to the host's (the slave container's) /proc. Because
of that, /proc is gone, and each invocation of sudo adds 0.8 seconds
overhead. As a side effect, docker exec into the slave container during
this time will fail, because /proc/self/fd doesn't exist anymore, and
docker exec assumes that that exists.
Debootstrap has fixed this in 1.0.124 and newer, so backport the patch
that fixes this into the version that Bullseye has.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* [build_debian.sh]: Use eatmydata to speed up deb package installations
During package installations, dpkg calls fsync multiples times (for each
package) to ensure that tht efiles are written to disk, so that if
there's some system crash during package installation, then it is in at
least a somewhat recoverable state. For our use case though, we're
installing packages in a chroot in fsroot-* from a slave container and
then packaging it into an image. If there were a system crash (or even
if docker crashed), the fsroot-* directory would first be removed, and
the process would get restarted. This means that the fsync calls aren't
really needed for our use case.
The eatmydata package includes a library that will block/suppress the
use of fsync (and similar) system calls from applications and will
instead just return success, so that the application is not blocked on
disk writes, which can instead happen in the background instead as
necessary. If dpkg is run with this library, then the fsync calls that
it does will have no effect.
Therefore, install the eatmydata package at the beginning of
build_debian.sh and have dpkg be run under eatmydata for almost all
package installations/removals. At the end of the installation, remove
it, so that the final image uses dpkg as normal.
In my testing, this saves about 2-3 minutes from the image build time.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Change ln syntax to use chroot
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-04-19 11:22:16 -05:00
echo '[INFO] Install and setup eatmydata'
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install eatmydata
sudo LANG = C chroot $FILESYSTEM_ROOT ln -s /usr/bin/eatmydata /usr/local/bin/dpkg
echo 'Dir::Bin::dpkg "/usr/local/bin/dpkg";' | sudo tee $FILESYSTEM_ROOT /etc/apt/apt.conf.d/00image-install-eatmydata > /dev/null
2023-01-04 23:16:49 -06:00
## Note: dpkg hook conflict with eatmydata
sudo LANG = C chroot $FILESYSTEM_ROOT rm /usr/local/sbin/dpkg -f
Image build time improvements (#10104)
* [build]: Patch debootstrap to not unmount the host's /proc filesystem
Currently, when the final image is being built (sonic-vs.img.gz,
sonic-broadcom.bin, or similar), each invocation of sudo in the
build_debian.sh script takes 0.8 seconds to run and execute the actual
command. This is because the /proc filesystem in the slave container has
been unmounted somehow. This is happening when debootstrap is running,
and it incorrectly unmounts the host's (in our case, the slave
container's) /proc filesystem because in the new image being built,
/proc is a symlink to the host's (the slave container's) /proc. Because
of that, /proc is gone, and each invocation of sudo adds 0.8 seconds
overhead. As a side effect, docker exec into the slave container during
this time will fail, because /proc/self/fd doesn't exist anymore, and
docker exec assumes that that exists.
Debootstrap has fixed this in 1.0.124 and newer, so backport the patch
that fixes this into the version that Bullseye has.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* [build_debian.sh]: Use eatmydata to speed up deb package installations
During package installations, dpkg calls fsync multiples times (for each
package) to ensure that tht efiles are written to disk, so that if
there's some system crash during package installation, then it is in at
least a somewhat recoverable state. For our use case though, we're
installing packages in a chroot in fsroot-* from a slave container and
then packaging it into an image. If there were a system crash (or even
if docker crashed), the fsroot-* directory would first be removed, and
the process would get restarted. This means that the fsync calls aren't
really needed for our use case.
The eatmydata package includes a library that will block/suppress the
use of fsync (and similar) system calls from applications and will
instead just return success, so that the application is not blocked on
disk writes, which can instead happen in the background instead as
necessary. If dpkg is run with this library, then the fsync calls that
it does will have no effect.
Therefore, install the eatmydata package at the beginning of
build_debian.sh and have dpkg be run under eatmydata for almost all
package installations/removals. At the end of the installation, remove
it, so that the final image uses dpkg as normal.
In my testing, this saves about 2-3 minutes from the image build time.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Change ln syntax to use chroot
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-04-19 11:22:16 -05:00
2016-03-08 13:42:20 -06:00
echo '[INFO] Install packages for building image'
2021-04-08 00:00:27 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install makedev psmisc
2016-03-08 13:42:20 -06:00
2022-07-21 16:15:16 -05:00
if [ [ $CROSS_BUILD_ENVIRON = = y ] ] ; then
sudo LANG = C chroot $FILESYSTEM_ROOT dpkg --add-architecture $CONFIGURED_ARCH
fi
2016-03-08 13:42:20 -06:00
## Create device files
echo '[INFO] MAKEDEV'
2019-07-26 00:06:41 -05:00
if [ [ $CONFIGURED_ARCH = = armhf || $CONFIGURED_ARCH = = arm64 ] ] ; then
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic-arm'
else
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c 'cd /dev && MAKEDEV generic'
fi
2022-12-17 16:38:31 -06:00
## docker and mkinitramfs on target system will use pigz/unpigz automatically
if [ [ $GZ_COMPRESS_PROGRAM = = pigz ] ] ; then
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install pigz
fi
2016-03-08 13:42:20 -06:00
## Install initramfs-tools and linux kernel
## Note: initramfs-tools recommends depending on busybox, and we really want busybox for
## 1. commands such as touch
## 2. mount supports squashfs
## However, 'dpkg -i' plus 'apt-get install -f' will ignore the recommended dependency. So
## we install busybox explicitly
2020-02-03 22:19:44 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install busybox linux-base
2016-09-06 15:15:10 -05:00
echo '[INFO] Install SONiC linux kernel image'
2016-03-08 13:42:20 -06:00
## Note: duplicate apt-get command to ensure every line return zero
2019-02-05 00:06:37 -06:00
sudo dpkg --root= $FILESYSTEM_ROOT -i $debs_path /initramfs-tools-core_*.deb || \
2017-09-01 03:53:21 -05:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2019-02-05 00:06:37 -06:00
sudo dpkg --root= $FILESYSTEM_ROOT -i $debs_path /initramfs-tools_*.deb || \
2016-03-08 13:42:20 -06:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2019-10-10 17:11:26 -05:00
sudo dpkg --root= $FILESYSTEM_ROOT -i $debs_path /linux-image-${ LINUX_KERNEL_VERSION } -*_${ CONFIGURED_ARCH } .deb || \
2016-03-08 13:42:20 -06:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
2017-12-11 11:00:41 -06:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install acl
2020-02-26 13:27:52 -06:00
if [ [ $CONFIGURED_ARCH = = amd64 ] ] ; then
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install dmidecode hdparm
fi
2016-05-27 15:30:13 -05:00
2022-04-19 00:23:15 -05:00
## Sign the Linux kernel
2023-03-14 07:55:22 -05:00
# note: when flag SONIC_ENABLE_SECUREBOOT_SIGNATURE is enabled the Secure Upgrade flags should be disabled (no_sign) to avoid conflict between the features.
if [ " $SONIC_ENABLE_SECUREBOOT_SIGNATURE " = "y" ] && [ " $SECURE_UPGRADE_MODE " != 'dev' ] && [ " $SECURE_UPGRADE_MODE " != "prod" ] ; then
2022-04-19 00:23:15 -05:00
if [ ! -f $SIGNING_KEY ] ; then
echo "Error: SONiC linux kernel signing key missing"
exit 1
fi
if [ ! -f $SIGNING_CERT ] ; then
echo "Error: SONiC linux kernel signing certificate missing"
exit 1
fi
echo '[INFO] Signing SONiC linux kernel image'
2022-07-12 17:00:57 -05:00
K = $FILESYSTEM_ROOT /boot/vmlinuz-${ LINUX_KERNEL_VERSION } -${ CONFIGURED_ARCH }
2022-04-19 00:23:15 -05:00
sbsign --key $SIGNING_KEY --cert $SIGNING_CERT --output /tmp/${ K ##*/ } ${ K }
sudo cp -f /tmp/${ K ##*/ } ${ K }
fi
2017-09-02 17:32:31 -05:00
## Update initramfs for booting with squashfs+overlay
2016-03-08 13:42:20 -06:00
cat files/initramfs-tools/modules | sudo tee -a $FILESYSTEM_ROOT /etc/initramfs-tools/modules > /dev/null
2017-01-24 00:25:47 -06:00
## Hook into initramfs: change fs type from vfat to ext4 on arista switches
sudo mkdir -p $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/
sudo cp files/initramfs-tools/arista-convertfs $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-convertfs
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-convertfs
2019-02-27 12:28:04 -06:00
sudo cp files/initramfs-tools/arista-hook $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-hook
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-hook
2017-01-24 00:25:47 -06:00
sudo cp files/initramfs-tools/mke2fs $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/mke2fs
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/mke2fs
2017-11-24 19:30:11 -06:00
sudo cp files/initramfs-tools/setfacl $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/setfacl
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/setfacl
2017-01-24 00:25:47 -06:00
2017-08-19 23:32:10 -05:00
# Hook into initramfs: rename the management interfaces on arista switches
sudo cp files/initramfs-tools/arista-net $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-net
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/arista-net
2018-02-07 08:07:01 -06:00
# Hook into initramfs: resize root partition after migration from another NOS to SONiC on Dell switches
sudo cp files/initramfs-tools/resize-rootfs $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/resize-rootfs
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/resize-rootfs
2022-05-12 10:11:02 -05:00
# Hook into initramfs: upgrade SSD from initramfs
sudo cp files/initramfs-tools/ssd-upgrade $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/ssd-upgrade
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/ssd-upgrade
2020-04-30 02:33:20 -05:00
# Hook into initramfs: run fsck to repair a non-clean filesystem prior to be mounted
sudo cp files/initramfs-tools/fsck-rootfs $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/fsck-rootfs
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-premount/fsck-rootfs
2016-03-08 13:42:20 -06:00
## Hook into initramfs: after partition mount and loop file mount
## 1. Prepare layered file system
2019-10-09 19:38:53 -05:00
## 2. Bind-mount docker working directory (docker overlay storage cannot work over overlay rootfs)
2016-03-08 13:42:20 -06:00
sudo cp files/initramfs-tools/union-mount $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-bottom/union-mount
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-bottom/union-mount
2017-09-06 22:07:32 -05:00
sudo cp files/initramfs-tools/varlog $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-bottom/varlog
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/scripts/init-bottom/varlog
2018-03-08 18:42:41 -06:00
# Management interface (eth0) dhcp can be optionally turned off (during a migration from another NOS to SONiC)
2019-04-02 17:48:04 -05:00
#sudo cp files/initramfs-tools/mgmt-intf-dhcp $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/mgmt-intf-dhcp
#sudo chmod +x $FILESYSTEM_ROOT/etc/initramfs-tools/scripts/init-bottom/mgmt-intf-dhcp
2016-03-08 13:42:20 -06:00
sudo cp files/initramfs-tools/union-fsck $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/union-fsck
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/union-fsck
2017-09-02 17:32:31 -05:00
pushd $FILESYSTEM_ROOT /usr/share/initramfs-tools/scripts/init-bottom && sudo patch -p1 < $OLDPWD /files/initramfs-tools/udev.patch; popd
2020-01-15 10:25:01 -06:00
if [ [ $CONFIGURED_ARCH = = armhf || $CONFIGURED_ARCH = = arm64 ] ] ; then
sudo cp files/initramfs-tools/uboot-utils $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/uboot-utils
sudo chmod +x $FILESYSTEM_ROOT /etc/initramfs-tools/hooks/uboot-utils
cat files/initramfs-tools/modules.arm | sudo tee -a $FILESYSTEM_ROOT /etc/initramfs-tools/modules > /dev/null
2020-08-06 05:16:11 -05:00
fi
# Update initramfs for load platform specific modules
if [ -f platform/$CONFIGURED_PLATFORM /modules ] ; then
cat platform/$CONFIGURED_PLATFORM /modules | sudo tee -a $FILESYSTEM_ROOT /etc/initramfs-tools/modules > /dev/null
2020-01-15 10:25:01 -06:00
fi
2016-03-08 13:42:20 -06:00
2021-04-18 10:17:57 -05:00
## Add mtd and uboot firmware tools package
2022-03-10 17:23:21 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install u-boot-tools libubootenv-tool mtd-utils device-tree-compiler
2021-04-18 10:17:57 -05:00
2016-03-08 13:42:20 -06:00
## Install docker
echo '[INFO] Install docker'
2016-07-26 14:01:58 -05:00
## Install apparmor utils since they're missing and apparmor is enabled in the kernel
## Otherwise Docker will fail to start
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
2020-12-18 06:57:35 -06:00
sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT /etc/apparmor.d/local/usr.sbin.ntpd
2019-01-04 22:47:43 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
ca-certificates \
curl \
gnupg2 \
software-properties-common
2020-11-11 20:19:48 -06:00
if [ [ $CONFIGURED_ARCH = = armhf ] ] ; then
# update ssl ca certificates for secure pem
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT c_rehash
fi
2022-04-27 12:20:42 -05:00
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg
sudo LANG = C chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/trusted.gpg.d/
2019-01-04 22:47:43 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT add-apt-repository \
2020-02-03 14:31:40 -06:00
" deb [arch= $CONFIGURED_ARCH ] https://download.docker.com/linux/debian $IMAGE_DISTRO stable "
2019-01-04 22:47:43 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get update
2022-04-27 12:20:42 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install docker-ce= ${ DOCKER_VERSION } docker-ce-cli= ${ DOCKER_VERSION } containerd.io= ${ CONTAINERD_IO_VERSION }
2020-05-21 07:09:06 -05:00
2021-02-08 21:35:08 -06:00
# Uninstall 'python3-gi' installed as part of 'software-properties-common' to remove debian version of 'PyGObject'
# pip version of 'PyGObject' will be installed during installation of 'sonic-host-services'
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y remove software-properties-common gnupg2 python3-gi
2018-08-13 20:30:00 -05:00
2022-08-13 10:01:35 -05:00
install_kubernetes ( ) {
local ver = " $1 "
2020-04-13 10:41:18 -05:00
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT curl -fsSL \
https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
sudo LANG = C chroot $FILESYSTEM_ROOT apt-key add -
## Check out the sources list update matches current Debian version
sudo cp files/image_config/kubernetes/kubernetes.list $FILESYSTEM_ROOT /etc/apt/sources.list.d/
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get update
2023-03-16 19:21:37 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install kubernetes-cni= ${ KUBERNETES_CNI_VERSION }
2022-08-13 10:01:35 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install kubelet = ${ ver }
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install kubectl = ${ ver }
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install kubeadm = ${ ver }
}
if [ " $INCLUDE_KUBERNETES " = = "y" ]
then
## Install Kubernetes
echo '[INFO] Install kubernetes'
install_kubernetes ${ KUBERNETES_VERSION }
2020-04-13 10:41:18 -05:00
else
echo '[INFO] Skipping Install kubernetes'
fi
2022-08-13 10:01:35 -05:00
if [ " $INCLUDE_KUBERNETES_MASTER " = = "y" ]
then
## Install Kubernetes master
echo '[INFO] Install kubernetes master'
install_kubernetes ${ MASTER_KUBERNETES_VERSION }
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT curl -fsSL \
https://packages.microsoft.com/keys/microsoft.asc | \
sudo LANG = C chroot $FILESYSTEM_ROOT apt-key add -
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT curl -fsSL \
https://packages.microsoft.com/keys/msopentech.asc | \
sudo LANG = C chroot $FILESYSTEM_ROOT apt-key add -
echo " deb [arch=amd64] https://packages.microsoft.com/repos/azurecore-debian $IMAGE_DISTRO main " | \
sudo tee $FILESYSTEM_ROOT /etc/apt/sources.list.d/azure.list
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get update
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install hyperv-daemons gnupg xmlstarlet
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install metricsext2
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y remove gnupg
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT curl -o /tmp/cri-dockerd.deb -fsSL \
https://github.com/Mirantis/cri-dockerd/releases/download/v${ MASTER_CRI_DOCKERD } /cri-dockerd_${ MASTER_CRI_DOCKERD } .3-0.debian-${ IMAGE_DISTRO } _amd64.deb
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install -f /tmp/cri-dockerd.deb
sudo LANG = C chroot $FILESYSTEM_ROOT rm -f /tmp/cri-dockerd.deb
else
echo '[INFO] Skipping Install kubernetes master'
fi
2019-10-09 19:38:53 -05:00
## Add docker config drop-in to specify dockerd command line
2016-03-08 13:42:20 -06:00
sudo mkdir -p $FILESYSTEM_ROOT /etc/systemd/system/docker.service.d/
2016-07-26 14:01:58 -05:00
## Note: $_ means last argument of last command
2016-03-08 13:42:20 -06:00
sudo cp files/docker/docker.service.conf $_
## Create default user
2020-09-03 01:40:22 -05:00
## Note: user should be in the group with the same name, and also in sudo/docker/redis groups
2021-04-08 09:48:37 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c " $DEFAULT_USERINFO " -m -s /bin/bash
2016-03-08 13:42:20 -06:00
## Create password for the default user
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
echo " $USERNAME : $PASSWORD " | sudo LANG = C chroot $FILESYSTEM_ROOT chpasswd
2016-03-08 13:42:20 -06:00
2021-04-08 09:48:37 -05:00
## Create redis group
sudo LANG = C chroot $FILESYSTEM_ROOT groupadd -f redis
sudo LANG = C chroot $FILESYSTEM_ROOT usermod -aG redis $USERNAME
2019-08-06 23:33:14 -05:00
if [ [ $CONFIGURED_ARCH = = amd64 ] ] ; then
## Pre-install hardware drivers
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y install \
firmware-linux-nonfree
fi
2016-03-16 01:38:26 -05:00
2016-03-08 13:42:20 -06:00
## Pre-install the fundamental packages
## Note: gdisk is needed for sgdisk in install.sh
## Note: parted is needed for partprobe in install.sh
2016-07-26 14:01:58 -05:00
## Note: ca-certificates is needed for easy_install
2017-03-02 18:04:18 -06:00
## Note: don't install python-apt by pip, older than Debian repo one
2021-10-28 23:24:26 -05:00
## Note: fdisk and gpg are needed by fwutil
2017-01-29 13:33:33 -06:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
2016-05-27 15:30:13 -05:00
file \
2019-07-24 18:18:40 -05:00
ifmetric \
2016-05-27 15:30:13 -05:00
iproute2 \
2017-03-20 23:39:09 -05:00
bridge-utils \
2016-05-27 15:30:13 -05:00
isc-dhcp-client \
2016-03-08 13:42:20 -06:00
sudo \
vim \
tcpdump \
2017-06-15 12:31:13 -05:00
dbus \
2016-05-27 15:30:13 -05:00
ntpstat \
2016-03-08 13:42:20 -06:00
openssh-server \
2021-07-15 17:15:45 -05:00
python3-apt \
2016-05-27 15:30:13 -05:00
traceroute \
iputils-ping \
2022-08-20 20:09:04 -05:00
arping \
2016-05-27 15:30:13 -05:00
net-tools \
2016-07-26 14:01:58 -05:00
bsdmainutils \
ca-certificates \
i2c-tools \
2016-10-18 13:22:29 -05:00
efibootmgr \
usbutils \
2017-01-29 13:33:33 -06:00
pciutils \
iptables-persistent \
2019-05-09 11:44:41 -05:00
ebtables \
2017-02-17 15:47:01 -06:00
logrotate \
2017-03-15 20:38:55 -05:00
curl \
2017-04-21 19:23:36 -05:00
kexec-tools \
2017-05-11 20:46:11 -05:00
less \
2017-09-17 13:41:30 -05:00
unzip \
2017-10-05 23:43:25 -05:00
gdisk \
2018-01-10 05:04:32 -06:00
sysfsutils \
2019-01-15 20:15:56 -06:00
squashfs-tools \
2018-03-08 18:42:41 -06:00
grub2-common \
2018-07-01 11:46:25 -05:00
screen \
hping3 \
tcptraceroute \
2018-09-11 05:15:19 -05:00
mtr-tiny \
2019-01-25 13:47:09 -06:00
locales \
2019-08-14 12:40:55 -05:00
cgroup-tools \
[baseimage]: install ndisc6 package (#3344)
ndisc6 gathers a few diagnostic tools for IPv6 networks including:
- ndisc6, which performs ICMPv6 Neighbor Discovery in userland,
- rdisc6, which performs ICMPv6 Router Discovery in userland,
- rltraceroute6, a UDP/ICMP IPv6 implementation of traceroute,
- tcptraceroute6, a TCP/IPv6-based traceroute implementation,
- tcpspray6, a TCP/IP Discard/Echo bandwidth meter,
- addrinfo, easy script interface for hostname and address resolution,
- dnssort, DNS sorting script.
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-08-15 02:32:58 -05:00
ipmitool \
2019-11-09 01:08:42 -06:00
ndisc6 \
2020-01-29 19:40:43 -06:00
makedumpfile \
2020-04-07 22:57:54 -05:00
conntrack \
2020-12-16 18:38:15 -06:00
python3 \
python3-distutils \
2020-02-03 14:31:40 -06:00
python3-pip \
2021-07-15 17:15:45 -05:00
python-is-python3 \
2020-03-19 20:30:00 -05:00
cron \
2021-07-15 17:15:45 -05:00
libprotobuf23 \
2021-12-02 14:29:39 -06:00
libgrpc++1 \
libgrpc10 \
2020-09-18 20:44:23 -05:00
haveged \
2021-10-28 23:24:26 -05:00
fdisk \
gpg \
2021-11-30 21:50:09 -06:00
jq \
2022-08-31 15:09:36 -05:00
auditd \
2023-01-30 14:13:10 -06:00
linux-perf \
2023-02-09 22:22:44 -06:00
lsof \
sysstat
2019-08-14 12:40:55 -05:00
2022-08-04 17:10:34 -05:00
# default rsyslog version is 8.2110.0 which has a bug on log rate limit,
# use backport version
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -t bullseye-backports -y install rsyslog
2022-02-28 13:46:50 -06:00
# Have systemd create the auditd log directory
sudo mkdir -p ${ FILESYSTEM_ROOT } /etc/systemd/system/auditd.service.d
sudo tee ${ FILESYSTEM_ROOT } /etc/systemd/system/auditd.service.d/log-directory.conf >/dev/null <<EOF
[ Service]
LogsDirectory = audit
LogsDirectoryMode = 0750
EOF
[TACACS] Fix auditd can't load tacplus plugin issue. (#9481)
<!--
Please make sure you've read and understood our contributing guidelines:
https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md
** Make sure all your commits include a signature generated with `git commit -s` **
If this is a bug fix, make sure your description includes "fixes #xxxx", or
"closes #xxxx" or "resolves #xxxx"
Please provide the following information:
-->
#### Why I did it
1. Fix auditd log file path, because known issue: https://github.com/Azure/sonic-buildimage/issues/9548
2. When SONiC change to based on bullseye, auditd version upgrade from 2.8.4 to 3.0.2, and in auditd 3.0.2 the plugin file path changed to /etc/audit/plugins.d, however the upstream auditisp-tacplus project not follow-up this change, it still install plugin config file to /etc/audit/audisp.d. so the plugin can't be launch correctly, the code change in src/tacacs/audisp/patches/0001-Porting-to-sonic.patch fix this issue.
#### How I did it
Fix tacacs plugin config file path.
Create /var/log/audit folder for auditd.
#### How to verify it
Pass all UT, also run per-command acccounting UT to validate plugin loaded.
#### Which release branch to backport (provide reason below if selected)
<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->
- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->
Fix tacacs plugin config file path.
Create /var/log/audit folder for auditd.
#### A picture of a cute animal (not mandatory but encouraged)
2021-12-15 21:02:58 -06:00
2019-08-06 23:33:14 -05:00
if [ [ $CONFIGURED_ARCH = = amd64 ] ] ; then
## Pre-install the fundamental packages for amd64 (x86)
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
2020-02-03 14:31:40 -06:00
rasdaemon
2019-08-06 23:33:14 -05:00
fi
2018-09-11 05:15:19 -05:00
2019-10-22 21:02:08 -05:00
## Set /etc/shadow permissions to -rw-------.
sudo LANG = c chroot $FILESYSTEM_ROOT chmod 600 /etc/shadow
## Set /etc/passwd, /etc/group permissions to -rw-r--r--.
sudo LANG = c chroot $FILESYSTEM_ROOT chmod 644 /etc/passwd
sudo LANG = c chroot $FILESYSTEM_ROOT chmod 644 /etc/group
2019-11-09 01:08:42 -06:00
# Needed to install kdump-tools
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "mkdir -p /etc/initramfs-tools/conf.d"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 'MODULES=most' >> /etc/initramfs-tools/conf.d/driver-policy"
2020-12-15 10:54:13 -06:00
# Copy vmcore-sysctl.conf to add more vmcore dump flags to kernel
sudo cp files/image_config/kdump/vmcore-sysctl.conf $FILESYSTEM_ROOT /etc/sysctl.d/
2018-09-11 05:15:19 -05:00
#Adds a locale to a debian system in non-interactive mode
sudo sed -i '/^#.* en_US.* /s/^#//' $FILESYSTEM_ROOT /etc/locale.gen && \
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT locale-gen "en_US.UTF-8"
sudo LANG = en_US.UTF-8 DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT update-locale "LANG=en_US.UTF-8"
sudo LANG = C chroot $FILESYSTEM_ROOT bash -c "find /usr/share/i18n/locales/ ! -name 'en_US' -type f -exec rm -f {} +"
2017-09-17 13:41:30 -05:00
2021-07-15 17:15:45 -05:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
2021-04-08 00:00:27 -05:00
picocom \
2021-04-18 10:07:02 -05:00
systemd \
2021-08-16 10:49:43 -05:00
systemd-sysv \
ntp
2018-08-17 19:38:20 -05:00
2022-07-12 17:00:57 -05:00
if [ [ $TARGET_BOOTLOADER = = grub ] ] ; then
if [ [ $CONFIGURED_ARCH = = amd64 ] ] ; then
GRUB_PKG = grub-pc-bin
elif [ [ $CONFIGURED_ARCH = = arm64 ] ] ; then
GRUB_PKG = grub-efi-arm64-bin
fi
2022-12-11 19:20:56 -06:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get install -d -o dir::cache= /var/cache/apt \
2022-07-12 17:00:57 -05:00
$GRUB_PKG
2017-09-17 13:41:30 -05:00
2022-12-11 19:20:56 -06:00
sudo cp $FILESYSTEM_ROOT /var/cache/apt/archives/grub*.deb $FILESYSTEM_ROOT /$PLATFORM_DIR /grub
2019-07-26 00:06:41 -05:00
fi
2017-03-15 20:38:55 -05:00
## Disable kexec supported reboot which was installed by default
sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT /etc/default/kexec
2016-03-08 13:42:20 -06:00
2016-07-26 14:01:58 -05:00
## Remove sshd host keys, and will regenerate on first sshd start
sudo rm -f $FILESYSTEM_ROOT /etc/ssh/ssh_host_*_key*
sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT /usr/local/bin/
2022-04-25 12:38:52 -05:00
sudo mkdir $FILESYSTEM_ROOT /etc/systemd/system/ssh.service.d
sudo cp files/sshd/override.conf $FILESYSTEM_ROOT /etc/systemd/system/ssh.service.d/override.conf
2019-07-07 02:41:14 -05:00
# Config sshd
# 1. Set 'UseDNS' to 'no'
# 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
sudo augtool -r $FILESYSTEM_ROOT <<'EOF'
touch /files/etc/ssh/sshd_config/EmptyLineHack
rename /files/etc/ssh/sshd_config/EmptyLineHack ""
set /files/etc/ssh/sshd_config/UseDNS no
ins #comment before /files/etc/ssh/sshd_config/UseDNS
set /files/etc/ssh/sshd_config/#comment[ following-sibling::*[ 1] [ self::UseDNS] ] "Disable hostname lookups"
rm /files/etc/ssh/sshd_config/ClientAliveInterval
rm /files/etc/ssh/sshd_config/ClientAliveCountMax
touch /files/etc/ssh/sshd_config/EmptyLineHack
rename /files/etc/ssh/sshd_config/EmptyLineHack ""
2022-11-19 01:30:34 -06:00
set /files/etc/ssh/sshd_config/ClientAliveInterval 900
2022-10-31 18:00:05 -05:00
set /files/etc/ssh/sshd_config/ClientAliveCountMax 0
2019-07-07 02:41:14 -05:00
ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
2022-11-19 01:30:34 -06:00
set /files/etc/ssh/sshd_config/#comment[ following-sibling::*[ 1] [ self::ClientAliveInterval] ] "Close inactive client sessions after 15 minutes"
2022-09-21 20:25:29 -05:00
rm /files/etc/ssh/sshd_config/LogLevel
set /files/etc/ssh/sshd_config/LogLevel VERBOSE
2019-07-07 02:41:14 -05:00
save
quit
EOF
2021-06-17 13:38:54 -05:00
# Configure sshd to listen for v4 and v6 connections
2018-01-09 19:55:10 -06:00
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 0.0.0.0/' $FILESYSTEM_ROOT /etc/ssh/sshd_config
2021-06-17 13:38:54 -05:00
sudo sed -i 's/^#ListenAddress ::/ListenAddress ::/' $FILESYSTEM_ROOT /etc/ssh/sshd_config
2016-07-26 14:01:58 -05:00
2020-04-03 05:42:16 -05:00
## Config rsyslog
sudo augtool -r $FILESYSTEM_ROOT --autosave "
rm /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments
set /files/lib/systemd/system/rsyslog.service/Service/ExecStart/arguments/1 -n
"
2016-07-26 14:01:58 -05:00
sudo mkdir -p $FILESYSTEM_ROOT /var/core
2020-07-01 17:58:53 -05:00
# Config sysctl
2016-07-26 14:01:58 -05:00
sudo augtool --autosave "
2020-09-20 22:16:42 -05:00
set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/local/bin/coredump-compress %e %t %p %P'
2017-05-11 20:57:00 -05:00
set /files/etc/sysctl.conf/kernel.softlockup_panic 1
set /files/etc/sysctl.conf/kernel.panic 10
2020-12-30 07:00:16 -06:00
set /files/etc/sysctl.conf/kernel.hung_task_timeout_secs 300
2019-06-11 18:19:49 -05:00
set /files/etc/sysctl.conf/vm.panic_on_oom 2
2017-08-30 11:41:47 -05:00
set /files/etc/sysctl.conf/fs.suid_dumpable 2
2020-07-01 17:58:53 -05:00
" -r $FILESYSTEM_ROOT
2017-05-11 20:57:00 -05:00
2020-07-01 17:58:53 -05:00
sysctl_net_cmd_string = ""
while read line; do
[ [ " $line " = ~ ^#.*$ ] ] && continue
sysctl_net_conf_key = ` echo $line | awk -F '=' '{print $1}' `
sysctl_net_conf_value = ` echo $line | awk -F '=' '{print $2}' `
sysctl_net_cmd_string = $sysctl_net_cmd_string " set /files/etc/sysctl.conf/ $sysctl_net_conf_key $sysctl_net_conf_value " $'\n'
done < files/image_config/sysctl/sysctl-net.conf
2020-01-10 15:26:04 -06:00
2020-07-01 17:58:53 -05:00
sudo augtool --autosave " $sysctl_net_cmd_string " -r $FILESYSTEM_ROOT
2016-07-26 14:01:58 -05:00
2020-12-16 18:38:15 -06:00
# Upgrade pip via PyPI and uninstall the Debian version
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT pip3 install --upgrade pip
2021-07-15 17:15:45 -05:00
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get purge -y python3-pip
2020-12-16 18:38:15 -06:00
# For building Python packages
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT pip3 install 'setuptools==49.6.00'
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT pip3 install 'wheel==0.35.1'
2020-11-05 13:23:00 -06:00
# docker Python API package is needed by Ansible docker module as well as some SONiC applications
2023-05-10 09:43:35 -05:00
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT pip3 install 'docker==6.1.1'
2020-11-05 13:23:00 -06:00
2021-02-17 12:37:47 -06:00
# Install scapy
sudo https_proxy = $https_proxy LANG = C chroot $FILESYSTEM_ROOT pip3 install 'scapy==2.4.4'
2017-03-02 18:04:18 -06:00
## Note: keep pip installed for maintainance purpose
2016-03-08 13:42:20 -06:00
2020-12-29 15:02:11 -06:00
# Install GCC, needed for building/installing some Python packages
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install gcc
2018-12-15 13:52:36 -06:00
2017-03-23 14:18:52 -05:00
## Create /var/run/redis folder for docker-database to mount
sudo mkdir -p $FILESYSTEM_ROOT /var/run/redis
2016-03-08 13:42:20 -06:00
## Config DHCP for eth0
sudo tee -a $FILESYSTEM_ROOT /etc/network/interfaces > /dev/null <<EOF
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
EOF
2016-05-27 15:30:13 -05:00
sudo cp files/dhcp/rfc3442-classless-routes $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d
2017-02-02 13:19:48 -06:00
sudo cp files/dhcp/sethostname $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d/
2019-12-10 10:16:56 -06:00
sudo cp files/dhcp/sethostname6 $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d/
2017-02-17 15:47:01 -06:00
sudo cp files/dhcp/graphserviceurl $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d/
sudo cp files/dhcp/snmpcommunity $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d/
2019-01-15 20:15:56 -06:00
sudo cp files/dhcp/vrf $FILESYSTEM_ROOT /etc/dhcp/dhclient-exit-hooks.d/
2019-09-16 12:21:06 -05:00
if [ -f files/image_config/ntp/ntp ] ; then
sudo cp ./files/image_config/ntp/ntp $FILESYSTEM_ROOT /etc/init.d/
fi
2016-05-27 15:30:13 -05:00
2020-03-24 23:21:15 -05:00
if [ -f files/image_config/ntp/ntp-systemd-wrapper ] ; then
2020-12-02 17:02:50 -06:00
sudo mkdir -p $FILESYSTEM_ROOT /usr/lib/ntp/
2020-03-24 23:21:15 -05:00
sudo cp ./files/image_config/ntp/ntp-systemd-wrapper $FILESYSTEM_ROOT /usr/lib/ntp/
fi
2017-04-05 18:14:41 -05:00
## Version file
sudo mkdir -p $FILESYSTEM_ROOT /etc/sonic
2021-08-08 22:44:02 -05:00
if [ -f files/image_config/sonic_release ] ; then
sudo cp files/image_config/sonic_release $FILESYSTEM_ROOT /etc/sonic/
fi
2021-05-28 12:16:02 -05:00
export build_version = " ${ SONIC_IMAGE_VERSION } "
export debian_version = " $( cat $FILESYSTEM_ROOT /etc/debian_version) "
export kernel_version = " ${ kversion } "
export asic_type = " ${ sonic_asic_platform } "
2022-03-28 13:22:32 -05:00
export asic_subtype = " ${ TARGET_MACHINE } "
2021-05-28 12:16:02 -05:00
export commit_id = " $( git rev-parse --short HEAD) "
2021-08-08 22:44:02 -05:00
export branch = " $( git rev-parse --abbrev-ref HEAD) "
export release = " $( if [ -f $FILESYSTEM_ROOT /etc/sonic/sonic_release ] ; then cat $FILESYSTEM_ROOT /etc/sonic/sonic_release; fi ) "
2021-05-28 12:16:02 -05:00
export build_date = " $( date -u) "
export build_number = " ${ BUILD_NUMBER :- 0 } "
export built_by = " $USER @ $BUILD_HOSTNAME "
2023-04-11 20:20:08 -05:00
export sonic_os_version = " ${ SONIC_OS_VERSION } "
2021-05-28 12:16:02 -05:00
j2 files/build_templates/sonic_version.yml.j2 | sudo tee $FILESYSTEM_ROOT /etc/sonic/sonic_version.yml
2017-04-05 18:14:41 -05:00
2019-09-13 12:50:31 -05:00
## Copy over clean-up script
sudo cp ./files/scripts/core_cleanup.py $FILESYSTEM_ROOT /usr/bin/core_cleanup.py
2019-09-05 21:41:35 -05:00
## Copy ASIC config checksum
2020-11-04 17:06:44 -06:00
sudo chmod 755 files/build_scripts/generate_asic_config_checksum.py
./files/build_scripts/generate_asic_config_checksum.py
2019-09-05 21:41:35 -05:00
if [ [ ! -f './asic_config_checksum' ] ] ; then
echo 'asic_config_checksum not found'
exit 1
fi
sudo cp ./asic_config_checksum $FILESYSTEM_ROOT /etc/sonic/asic_config_checksum
2017-01-29 13:33:33 -06:00
if [ -f sonic_debian_extension.sh ] ; then
2021-04-18 10:17:57 -05:00
./sonic_debian_extension.sh $FILESYSTEM_ROOT $PLATFORM_DIR $IMAGE_DISTRO
2017-01-29 13:33:33 -06:00
fi
2017-09-19 18:23:31 -05:00
## Organization specific extensions such as Configuration & Scripts for features like AAA, ZTP...
if [ " ${ enable_organization_extensions } " = "y" ] ; then
if [ -f files/build_templates/organization_extensions.sh ] ; then
2019-06-18 12:00:16 -05:00
sudo chmod 755 files/build_templates/organization_extensions.sh
2017-09-19 18:23:31 -05:00
./files/build_templates/organization_extensions.sh -f $FILESYSTEM_ROOT -h $HOSTNAME
fi
fi
2021-01-27 10:36:10 -06:00
## Setup ebtable rules (rule file in text format)
2020-09-03 19:27:07 -05:00
sudo cp files/image_config/ebtables/ebtables.filter.cfg ${ FILESYSTEM_ROOT } /etc
2019-05-09 11:44:41 -05:00
2019-07-04 00:13:55 -05:00
## Debug Image specific changes
## Update motd for debug image
if [ " $DEBUG_IMG " = = "y" ]
then
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '**************' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 'Running DEBUG image' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '**************' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '/src has the sources' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '/src is mounted in each docker' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '/debug is created for core files or temp files' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo 'Create a subdir under /debug to upload your files' >> /etc/motd"
sudo LANG = C chroot $FILESYSTEM_ROOT /bin/bash -c "echo '/debug is mounted in each docker' >> /etc/motd"
sudo mkdir -p $FILESYSTEM_ROOT /src
2019-08-28 11:29:48 -05:00
sudo cp $DEBUG_SRC_ARCHIVE_FILE $FILESYSTEM_ROOT /src/
2019-07-04 00:13:55 -05:00
sudo mkdir -p $FILESYSTEM_ROOT /debug
fi
2023-03-14 07:55:22 -05:00
# #################
# secure boot
# #################
if [ [ $SECURE_UPGRADE_MODE = = 'dev' || $SECURE_UPGRADE_MODE = = "prod" && $SONIC_ENABLE_SECUREBOOT_SIGNATURE != 'y' ] ] ; then
# note: SONIC_ENABLE_SECUREBOOT_SIGNATURE is a feature that signing just kernel,
# SECURE_UPGRADE_MODE is signing all the boot component including kernel.
# its required to do not enable both features together to avoid conflicts.
echo "Secure Boot support build stage: Starting .."
# debian secure boot dependecies
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
shim-unsigned \
grub-efi
2023-04-24 13:17:51 -05:00
if [ ! -f $SECURE_UPGRADE_SIGNING_CERT ] ; then
echo " Error: SONiC SECURE_UPGRADE_SIGNING_CERT= $SECURE_UPGRADE_SIGNING_CERT key missing "
2023-03-14 07:55:22 -05:00
exit 1
fi
if [ [ $SECURE_UPGRADE_MODE = = 'dev' ] ] ; then
# development signing & verification
if [ ! -f $SECURE_UPGRADE_DEV_SIGNING_KEY ] ; then
echo " Error: SONiC SECURE_UPGRADE_DEV_SIGNING_KEY= $SECURE_UPGRADE_DEV_SIGNING_KEY key missing "
exit 1
fi
sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
-r $FILESYSTEM_ROOT \
-l $LINUX_KERNEL_VERSION \
2023-04-24 13:17:51 -05:00
-c $SECURE_UPGRADE_SIGNING_CERT \
2023-03-14 07:55:22 -05:00
-p $SECURE_UPGRADE_DEV_SIGNING_KEY
elif [ [ $SECURE_UPGRADE_MODE = = "prod" ] ] ; then
# Here Vendor signing should be implemented
OUTPUT_SEC_BOOT_DIR = $FILESYSTEM_ROOT /boot
2023-05-02 01:13:16 -05:00
if [ ! -f $sonic_su_prod_signing_tool ] ; then
echo " Error: SONiC sonic_su_prod_signing_tool= $sonic_su_prod_signing_tool script missing "
2023-03-14 07:55:22 -05:00
exit 1
fi
2023-05-16 00:36:13 -05:00
sudo $sonic_su_prod_signing_tool -a $CONFIGURED_ARCH \
-r $FILESYSTEM_ROOT \
-l $LINUX_KERNEL_VERSION \
-o $OUTPUT_SEC_BOOT_DIR \
$SECURE_UPGRADE_PROD_TOOL_ARGS
2023-05-02 01:13:16 -05:00
2023-03-14 07:55:22 -05:00
# verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
2023-04-24 13:17:51 -05:00
-c $SECURE_UPGRADE_SIGNING_CERT \
2023-03-14 07:55:22 -05:00
-k $FILESYSTEM_ROOT
# verifying vmlinuz file.
sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT /boot/vmlinuz-${ LINUX_KERNEL_VERSION } -${ CONFIGURED_ARCH } \
2023-04-24 13:17:51 -05:00
-c $SECURE_UPGRADE_SIGNING_CERT \
2023-03-14 07:55:22 -05:00
-k $FILESYSTEM_ROOT
fi
echo "Secure Boot support build stage: END."
fi
2018-03-05 01:07:40 -06:00
## Update initramfs
sudo chroot $FILESYSTEM_ROOT update-initramfs -u
2020-01-15 10:25:01 -06:00
## Convert initrd image to u-boot format
2022-07-12 17:00:57 -05:00
if [ [ $TARGET_BOOTLOADER = = uboot ] ] ; then
2020-01-15 10:25:01 -06:00
INITRD_FILE = initrd.img-${ LINUX_KERNEL_VERSION } -${ CONFIGURED_ARCH }
if [ [ $CONFIGURED_ARCH = = armhf ] ] ; then
INITRD_FILE = initrd.img-${ LINUX_KERNEL_VERSION } -armmp
2020-01-23 18:50:17 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT mkimage -A arm -O linux -T ramdisk -C gzip -d /boot/$INITRD_FILE /boot/u${ INITRD_FILE }
## Overwriting the initrd image with uInitrd
sudo LANG = C chroot $FILESYSTEM_ROOT mv /boot/u${ INITRD_FILE } /boot/$INITRD_FILE
elif [ [ $CONFIGURED_ARCH = = arm64 ] ] ; then
sudo cp -v $PLATFORM_DIR /${ sonic_asic_platform } -${ CONFIGURED_ARCH } /sonic_fit.its $FILESYSTEM_ROOT /boot/
sudo LANG = C chroot $FILESYSTEM_ROOT mkimage -f /boot/sonic_fit.its /boot/sonic_${ CONFIGURED_ARCH } .fit
2020-01-15 10:25:01 -06:00
fi
fi
2018-03-05 01:07:40 -06:00
2022-03-12 05:07:10 -06:00
# Collect host image version files before cleanup
2022-12-11 19:20:56 -06:00
SONIC_VERSION_CACHE = ${ SONIC_VERSION_CACHE } \
DBGOPT = " ${ DBGOPT } " \
scripts/collect_host_image_version_files.sh $CONFIGURED_ARCH $IMAGE_DISTRO $TARGET_PATH $FILESYSTEM_ROOT
2022-03-12 05:07:10 -06:00
2020-12-29 15:02:11 -06:00
# Remove GCC
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc
Image build time improvements (#10104)
* [build]: Patch debootstrap to not unmount the host's /proc filesystem
Currently, when the final image is being built (sonic-vs.img.gz,
sonic-broadcom.bin, or similar), each invocation of sudo in the
build_debian.sh script takes 0.8 seconds to run and execute the actual
command. This is because the /proc filesystem in the slave container has
been unmounted somehow. This is happening when debootstrap is running,
and it incorrectly unmounts the host's (in our case, the slave
container's) /proc filesystem because in the new image being built,
/proc is a symlink to the host's (the slave container's) /proc. Because
of that, /proc is gone, and each invocation of sudo adds 0.8 seconds
overhead. As a side effect, docker exec into the slave container during
this time will fail, because /proc/self/fd doesn't exist anymore, and
docker exec assumes that that exists.
Debootstrap has fixed this in 1.0.124 and newer, so backport the patch
that fixes this into the version that Bullseye has.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* [build_debian.sh]: Use eatmydata to speed up deb package installations
During package installations, dpkg calls fsync multiples times (for each
package) to ensure that tht efiles are written to disk, so that if
there's some system crash during package installation, then it is in at
least a somewhat recoverable state. For our use case though, we're
installing packages in a chroot in fsroot-* from a slave container and
then packaging it into an image. If there were a system crash (or even
if docker crashed), the fsroot-* directory would first be removed, and
the process would get restarted. This means that the fsync calls aren't
really needed for our use case.
The eatmydata package includes a library that will block/suppress the
use of fsync (and similar) system calls from applications and will
instead just return success, so that the application is not blocked on
disk writes, which can instead happen in the background instead as
necessary. If dpkg is run with this library, then the fsync calls that
it does will have no effect.
Therefore, install the eatmydata package at the beginning of
build_debian.sh and have dpkg be run under eatmydata for almost all
package installations/removals. At the end of the installation, remove
it, so that the final image uses dpkg as normal.
In my testing, this saves about 2-3 minutes from the image build time.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Change ln syntax to use chroot
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-04-19 11:22:16 -05:00
# Remove eatmydata
sudo rm $FILESYSTEM_ROOT /etc/apt/apt.conf.d/00image-install-eatmydata $FILESYSTEM_ROOT /usr/local/bin/dpkg
sudo LANG = C DEBIAN_FRONTEND = noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove eatmydata
2016-03-08 13:42:20 -06:00
## Clean up apt
2018-12-15 13:52:36 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get -y autoremove
2016-05-27 15:30:13 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get autoclean
2016-03-08 13:42:20 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT apt-get clean
2016-05-27 15:30:13 -05:00
sudo LANG = C chroot $FILESYSTEM_ROOT bash -c 'rm -rf /usr/share/doc/* /usr/share/locale/* /var/lib/apt/lists/* /tmp/*'
2016-03-08 13:42:20 -06:00
2017-12-24 01:34:15 -06:00
## Clean up proxy
[ -n " $http_proxy " ] && sudo rm -f $FILESYSTEM_ROOT /etc/apt/apt.conf.d/01proxy
2022-03-12 05:08:21 -06:00
## Clean up pip cache
sudo LANG = C chroot $FILESYSTEM_ROOT pip3 cache purge
2016-03-08 13:42:20 -06:00
## Umount all
echo '[INFO] Umount all'
2017-07-12 03:28:36 -05:00
## Display all process details access /proc
sudo LANG = C chroot $FILESYSTEM_ROOT fuser -vm /proc
## Kill the processes
2016-03-08 13:42:20 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT fuser -km /proc || true
2017-07-12 03:28:36 -05:00
## Wait fuser fully kill the processes
sleep 15
2020-02-03 14:31:40 -06:00
sudo LANG = C chroot $FILESYSTEM_ROOT umount /proc || true
2016-03-08 13:42:20 -06:00
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
sudo mkdir $FILESYSTEM_ROOT /host
2023-02-23 17:36:37 -06:00
if [ [ " $CHANGE_DEFAULT_PASSWORD " = = "y" ] ] ; then
## Expire default password for exitsing users that can do login
default_users = $( cat $FILESYSTEM_ROOT /etc/passwd | grep "/home" | grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
for user in $default_users
do
sudo LANG = C chroot $FILESYSTEM_ROOT passwd -e ${ user }
done
fi
2016-03-08 13:42:20 -06:00
## Compress most file system into squashfs file
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
2016-05-27 15:30:13 -05:00
## Output the file system total size for diag purpose
2017-07-12 03:28:36 -05:00
## Note: -x to skip directories on different file systems, such as /proc
sudo du -hsx $FILESYSTEM_ROOT
2018-08-13 00:23:43 -05:00
sudo mkdir -p $FILESYSTEM_ROOT /var/lib/docker
2023-05-01 19:12:38 -05:00
sudo cp files/image_config/resolv-config/resolv.conf $FILESYSTEM_ROOT /etc/resolv.conf
2021-11-17 16:32:14 -06:00
sudo mksquashfs $FILESYSTEM_ROOT $FILESYSTEM_SQUASHFS -comp zstd -b 1M -e boot -e var/lib/docker -e $PLATFORM_DIR
2020-12-24 12:45:19 -06:00
2021-04-08 09:48:37 -05:00
# Ensure admin gid is 1000
gid_user = $( sudo LANG = C chroot $FILESYSTEM_ROOT id -g $USERNAME ) || gid_user = "none"
if [ " ${ gid_user } " != "1000" ] ; then
die " expect gid 1000. current: ${ gid_user } "
fi
2021-04-21 23:00:12 -05:00
# ALERT: This bit of logic tears down the qemu based build environment used to
# perform builds for the ARM architecture. This must be the last step in this
# script before creating the Sonic installer payload zip file.
2022-07-21 16:15:16 -05:00
if [ [ $MULTIARCH_QEMU_ENVIRON = = y || $CROSS_BUILD_ENVIRON = = y ] ] ; then
2021-04-21 23:00:12 -05:00
# Remove qemu arm bin executable used for cross-building
sudo rm -f $FILESYSTEM_ROOT /usr/bin/qemu*static || true
DOCKERFS_PATH = ../dockerfs/
fi
2017-01-29 13:33:33 -06:00
## Compress docker files
2022-12-17 16:38:31 -06:00
pushd $FILESYSTEM_ROOT && sudo tar -I $GZ_COMPRESS_PROGRAM -cf $OLDPWD /$FILESYSTEM_DOCKERFS -C ${ DOCKERFS_PATH } var/lib/docker .; popd
2017-01-29 13:33:33 -06:00
2017-02-27 15:08:41 -06:00
## Compress together with /boot, /var/lib/docker and $PLATFORM_DIR as an installer payload zip file
2022-12-17 16:38:31 -06:00
pushd $FILESYSTEM_ROOT && sudo tar -I $GZ_COMPRESS_PROGRAM -cf platform.tar.gz -C $PLATFORM_DIR . && sudo zip -n .gz $OLDPWD /$ONIE_INSTALLER_PAYLOAD -r boot/ platform.tar.gz; popd
2020-06-22 11:30:31 -05:00
sudo zip -g -n .squashfs:.gz $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS $FILESYSTEM_DOCKERFS