2019-06-22 13:26:23 -05:00
{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files %}
2022-04-27 19:39:37 -05:00
FROM docker-config-engine-bullseye-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
2016-12-05 13:12:19 -06:00
2018-06-25 12:48:42 -05:00
ARG docker_container_name
2018-05-02 13:46:21 -05:00
# Make apt-get non-interactive
2017-02-16 23:48:49 -06:00
ENV DEBIAN_FRONTEND=noninteractive
2018-05-02 13:46:21 -05:00
# Update apt's cache of available packages
2016-12-05 13:12:19 -06:00
RUN apt-get update
2020-11-04 11:31:06 -06:00
# Install redis-server
[redis] Upgrade redis version (#9757)
#### Why I did it
The current redis version of SONiC is `6.0.6`, which contains many high-risk security issues like CVEs that are fixed in the latest version. The Redis release notes also highly recommend upgrading with SECURITY urgency.
```
================================================================================
Redis 6.0.16 Released Mon Oct 4 12:00:00 IDT 2021
================================================================================
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
* (CVE-2021-41099) Integer to heap buffer overflow handling certain string
commands and network payloads, when proto-max-bulk-len is manually configured
to a non-default, very large value [reported by yiyuaner].
* (CVE-2021-32762) Integer to heap buffer overflow issue in redis-cli and
redis-sentinel parsing large multi-bulk replies on some older and less common
platforms [reported by Microsoft Vulnerability Research].
* (CVE-2021-32687) Integer to heap buffer overflow with intsets, when
set-max-intset-entries is manually configured to a non-default, very large
value [reported by Pawel Wieczorkiewicz, AWS].
* (CVE-2021-32675) Denial Of Service when processing RESP request payloads with
a large number of elements on many connections.
* (CVE-2021-32672) Random heap reading issue with Lua Debugger [reported by
Meir Shpilraien].
* (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded
data types, when configuring a large, non-default value for
hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries
or zset-max-ziplist-value [reported by sundb].
* (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when
configuring a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit [reported by sundb].
* (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer
overflow [reported by Meir Shpilraien].
Other bug fixes:
* Fix appendfsync to always guarantee fsync before reply, on MacOS and FreeBSD (kqueue) (#9416)
* Fix the wrong mis-detection of sync_file_range system call, affecting performance (#9371)
* Fix replication issues when repl-diskless-load is used (#9280)
```
#### How I did it
Edit `Dockerfile.j2` file
#### How to verify it
Check redis version
#### Description for the changelog
This PR will upgrade redis-server version to `6.0.16`.
2022-02-15 18:43:01 -06:00
RUN apt-get install -y redis-tools redis-server
2020-06-27 03:17:20 -05:00
2018-05-02 13:46:21 -05:00
{% if docker_database_debs.strip() -%}
# Copy locally-built Debian package dependencies
2019-06-22 13:26:23 -05:00
{{ copy_files("debs/", docker_database_debs.split(' '), "/debs/") }}
2016-12-05 13:12:19 -06:00
2018-05-02 13:46:21 -05:00
# Install locally-built Debian packages and implicitly install their dependencies
2019-06-22 13:26:23 -05:00
{{ install_debian_packages(docker_database_debs.split(' ')) }}
2018-05-02 13:46:21 -05:00
{%- endif %}
# Clean up
2019-06-22 13:26:23 -05:00
RUN apt-get clean -y && \
apt-get autoclean -y && \
apt-get autoremove -y && \
rm -rf /debs ~/.cache && \
sed -ri 's/^(save .*$)/# \1/g; \
2018-05-02 13:46:21 -05:00
s/^daemonize yes$/daemonize no/; \
s/^logfile .*$/logfile ""/; \
s/^# syslog-enabled no$/syslog-enabled no/; \
s/^# unixsocket/unixsocket/; \
2019-07-04 00:16:10 -05:00
s/redis-server.sock/redis.sock/g; \
2022-10-28 20:28:57 -05:00
s/^client-output-buffer-limit pubsub [0-9]+mb [0-9]+mb [0-9]+/client-output-buffer-limit pubsub 0 0 0/; \
s/^notify-keyspace-events ""$/notify-keyspace-events AKE/ \
2016-12-05 13:12:19 -06:00
' /etc/redis/redis.conf
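Added example (not part of the SONiC repository): the sed substitutions from the clean-up step above, applied to a constructed redis.conf excerpt to show which directives end up active. The sample lines and the `sample_conf`, `apply_sonic_edits` and `directive` helper names are assumptions; `-E` is used in place of `-r` (equivalent in GNU sed) and the input is read from stdin instead of being edited in place.

```shell
#!/bin/sh
# Constructed sample modelled on a packaged redis.conf (not the real file).
sample_conf() {
cat <<'EOF'
daemonize yes
logfile /var/log/redis/redis-server.log
# syslog-enabled no
save 900 1
save 300 10
# unixsocket /var/run/redis/redis-server.sock
# unixsocketperm 700
client-output-buffer-limit pubsub 32mb 8mb 60
notify-keyspace-events ""
EOF
}

# Same substitutions as the Dockerfile's RUN step, one -e per expression.
apply_sonic_edits() {
    sed -E \
        -e 's/^(save .*$)/# \1/g' \
        -e 's/^daemonize yes$/daemonize no/' \
        -e 's/^logfile .*$/logfile ""/' \
        -e 's/^# syslog-enabled no$/syslog-enabled no/' \
        -e 's/^# unixsocket/unixsocket/' \
        -e 's/redis-server.sock/redis.sock/g' \
        -e 's/^client-output-buffer-limit pubsub [0-9]+mb [0-9]+mb [0-9]+/client-output-buffer-limit pubsub 0 0 0/' \
        -e 's/^notify-keyspace-events ""$/notify-keyspace-events AKE/'
}

# Print the value of an active (uncommented) directive; empty if none is active.
directive() {
    sample_conf | apply_sonic_edits |
        awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# Report the effective settings. Points worth checking in a real image:
#  - '^# unixsocket' is a prefix match, so it also activates unixsocketperm
#  - 'pubsub 0 0 0' removes the output-buffer limit for pubsub clients
for key in daemonize logfile syslog-enabled save unixsocket unixsocketperm \
           client-output-buffer-limit notify-keyspace-events; do
    printf '%-28s %s\n' "$key" "$(directive "$key")"
done
```

The same `directive` check can be pointed at the real file by replacing `sample_conf | apply_sonic_edits` with `cat /etc/redis/redis.conf` inside a built container.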
create multiple Redis DB instances based on CONFIG at /etc/sonic/database_config.json (#2182)
This is the first step to moving different database tables into different database instances.
In this PR, we only handle the creation of multiple database instances based on user configuration at /etc/sonic/database_config.json.
We keep the current method of creating a single database instance if no extra/new DATABASE configuration exists in the database_config.json file.
If the user tries to configure more db instances in database_config.json, we create those new db instances along with the original db instance existing today.
The configuration is as below; later we can add more db-related information if needed:
{
    ...
    "DATABASE": {
        "redis-db-01" : {
            "port" : "6380",
            "database": ["APPL_DB", "STATE_DB"]
        },
        "redis-db-02" : {
            "port" : "6381",
            "database": ["ASIC_DB"]
        }
    }
    ...
}
The detailed description is in the design doc at Azure/SONiC#271.
The main idea is: when database.sh starts, we check the configuration and generate the corresponding scripts.
The rc.local service handles the old_config copy when loading new images. There is no dependency between rc.local and the database service today; for safety, and to make sure the copy operation is done before the database tries to read it, we make the database service run after rc.local.
Then, when the database docker starts, we check the configuration and generate the corresponding scripts/.conf in the database docker as well.
Based on those conf, we create the database instances as required.
At last, we ping_pong check that the databases are up and continue.
Signed-off-by: Dong Zhang d.zhang@alibaba-inc.com
2019-08-28 13:15:10 -05:00
COPY ["supervisord.conf.j2", "/usr/share/sonic/templates/"]
COPY ["docker-database-init.sh", "/usr/local/bin/"]
2020-05-08 23:24:05 -05:00
COPY ["database_config.json.j2", "/usr/share/sonic/templates/"]
COPY ["database_global.json.j2", "/usr/share/sonic/templates/"]
2020-02-11 16:03:02 -06:00
COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
2020-07-01 17:58:53 -05:00
COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"]
2020-02-11 16:03:02 -06:00
COPY ["critical_processes", "/etc/supervisor"]
2020-10-14 17:15:24 -05:00
COPY ["files/update_chassisdb_config", "/usr/local/bin/"]
2020-12-10 13:06:19 -06:00
COPY ["flush_unused_database", "/usr/local/bin/"]
2017-05-08 17:43:31 -05:00
2019-08-28 13:15:10 -05:00
ENTRYPOINT ["/usr/local/bin/docker-database-init.sh"]