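###############################################################################
## Presettings
###############################################################################

# Select bash for commands.
# .ONESHELL hands each recipe to a single shell invocation, and the extra -e
# makes that shell stop at the first failing command.
.ONESHELL :
SHELL = /bin/bash
.SHELLFLAGS += -e

# Identity of the account running the build. Simply expanded (:=) so that
# `id` runs once at parse time instead of on every reference.
USER := $(shell id -un)
UID := $(shell id -u)
GUID := $(shell id -g)

# Version string, computed by sonic_get_version from functions.sh.
# Kept recursively expanded (=): BUILD_TIMESTAMP and BUILD_NUMBER are read at
# the time of use, not at this line.
# NOTE(review): both values are pasted unquoted into the shell command, and
# functions.sh is sourced by relative path from the directory make runs in;
# treat all three as trusted build inputs.
SONIC_GET_VERSION = $(shell export BUILD_TIMESTAMP=$(BUILD_TIMESTAMP) && export BUILD_NUMBER=$(BUILD_NUMBER) && . functions.sh && sonic_get_version)

.SECONDEXPANSION :

# SPACE holds exactly one blank: the empty NULL on either side keeps make from
# stripping it.
NULL :=
SPACE := $(NULL) $(NULL)

###############################################################################
## General definitions
###############################################################################

SRC_PATH = src
RULES_PATH = rules
TARGET_PATH = target
DOCKERS_PATH = dockers

# With BLDENV set, packages and files go to a per-environment subdirectory.
ifdef BLDENV
DEBS_PATH = $(TARGET_PATH)/debs/$(BLDENV)
FILES_PATH = $(TARGET_PATH)/files/$(BLDENV)
else
DEBS_PATH = $(TARGET_PATH)/debs
FILES_PATH = $(TARGET_PATH)/files
endif

PYTHON_DEBS_PATH = $(TARGET_PATH)/python-debs
PYTHON_WHEELS_PATH = $(TARGET_PATH)/python-wheels
PROJECT_ROOT := $(shell pwd)
STRETCH_DEBS_PATH = $(TARGET_PATH)/debs/stretch
STRETCH_FILES_PATH = $(TARGET_PATH)/files/stretch
DBG_IMAGE_MARK = dbg
DBG_SRC_ARCHIVE_FILE = $(TARGET_PATH)/sonic_src.tar.gz

# Platform and architecture chosen by an earlier `make configure`, read back
# from .platform and .arch; "generic" and "amd64" are the fallbacks when the
# files do not exist.
# The .platform content becomes part of PLATFORM_PATH, i.e. of a path, so the
# file is a trusted input.
CONFIGURED_PLATFORM := $(shell [ -f .platform ] && cat .platform || echo generic)
PLATFORM_PATH = platform/$(CONFIGURED_PLATFORM)
CONFIGURED_ARCH := $(shell [ -f .arch ] && cat .arch || echo amd64)

# An empty PLATFORM_ARCH falls back to the configured architecture; `override`
# makes the fallback win even over an empty command-line assignment.
ifeq ($(PLATFORM_ARCH),)
override PLATFORM_ARCH = $(CONFIGURED_ARCH)
endif

# Passed to recipes and $(shell ...) calls through the environment.
export BUILD_NUMBER
export BUILD_TIMESTAMP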
[barefoot]: Support for platforms based on Barefoot Networks' device (#1796)
* Initial commit
* Add Ingrasys S9180-32X platform driver.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn.service for init barefoot.
Signed-off-by: Wade He <chihen.he@gmail.com>
* [Barefoot Beta] Add some functions and fixed some bugs.
1. Update sensors.conf.
2. Fixed IO expander init.
3. Fixed PSU EEPROM.
4. Fixed MB EEPROM.
5. Add fancontrol and fan init.
6. Add SYS LED control (sys, fan, fan tray).
7. 2.5V compute and setup max and min.
8. Fixed typo MB eeprom delete address.
9. Remove coretemp to BMC.
10. Add active CPLD.
11. Modify SFP+ GPIO slave address.
12. Modify tmp75 Near Port 32 slave address.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn script in /etc/init.d/
Signed-off-by: Wade He <chihen.he@gmail.com>
* Add bfn service in debian
Signed-off-by: Wade He <chihen.he@gmail.com>
* Fixed CPLD switch LED behavior.
Signed-off-by: Wade He <chihen.he@gmail.com>
* [Barefoot Beta] Fixed sensors and hwmon order.
1. Fixed ignore sensors Vbat.
2. Reorg hwmon order.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Fixed PSU1 and PSU2 EEPROM order.
Signed-off-by: Wade He <chihen.he@gmail.com>
* initial barefoot checkin october 2017
* update refpoint
* update refpoints
* update refpoints to bf-master
* update refpoint
* update refpoint to tested version
* change to platform from asic
* update refpoint for swss
* revert core creation setting
* update refpoints
* add telnet for debug shell
* update refpoints 11/17/17
* missed change in file on previous merge
* [CPLD] Fixed blink LED issue.
* Fixed blink LED mask set error.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Update bf_kdrv.c for 6.0.2.39
* Update bf kernel driver
* Add bf_fun kernel module.
* Update bf_tun for fixed build error
* merge with Azure master (12/12/17)
* update swss refpoint
* update refpoint of swss
* library dependency for stack unroll
* update refpoint to bf-master
* [DHCP relay]: Fix circuit ID and remote ID bugs (#1248)
* [DHCP relay]: Fix circuit ID and remote ID bugs
* Set circuit_id_len after setting circuit_id_len to ip->name
* [Platform] Add Psuutil and update sensors.conf for S9100-32X, S8810-32Q and S9200-64X (#1272)
* Add I2C CPLD kernel module for psuutil.
* Support psuutil script.
* Add voltage min and max threshold.
* Update sensors.conf for tmp75.
Signed-off-by: Wade He <chihen.he@gmail.com>
* Allow multi platform support - infra (more changes to follow)
* update relative path to include platform for clarity
* [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC for "branch 201712" (#1274)
- What I did
Add switch ASIC vendor: Nephos
Add Nephos platforms: Ingrasys S9130-32X, Ingrasys S9230-64X
- How I did it
Add platform/nephos files
Add platform/nephos/sonic-platform-modules-ingrasys submodule
Add device/ingrasys/x86_64-ingrasys_s9130_32x-r0 files
Add device/ingrasys/x86_64-ingrasys_s9230_64x-r0 files
Add SONiC to support Nephos platform
Update Head of submodule src/sonic-sairedis to "3b817bb"
- How to verify it
To build SONiC installer image and docker images, run the following commands:
make configure PLATFORM=nephos
make target/sonic-nephos.bin
Check system and network feature is worked as well
- Description for the changelog
Add switch ASIC vendor and platforms for Nephos
- A picture of a cute animal (not mandatory but encouraged)
Signed-off-by: Sam Yang <yang.kaiyu@gmail.com>
* change source of files to github (from dropbox), update sairedis refpoint
* update refpoint of sairedis
* [centec] support CENTEC SAI 1.0 on 201712 branch and update e582-48x6q board (#1269)
* [marvel]: Marvell's updates for SONiC.201712 & SAI v1.0 (#1287)
* update sairedis (fast-boot refpoint)
* fix syncd rpc make files
* update refpoint to handle Makefile change (no functional change)
* [Marvell]: Add support for SLM5401-54x device (#1307)
* Marvell's updates for SONiC.201712 & SAI v1.0
* [Platform] Add Marvell's SLM5401-54x for branch 201712
* [Broadcom]: Update Boradcom SAI package to 3.0.3.3-3 (#1312) (#1321)
- update Arista 7050-QX32S config.bcm file
- update Accton th-as771*-32x100G.config.bcm files
* update refpoint for Makefile chnage in sairedis
* update refpoint - sairedis
* update sairedis to older refpoint till we debug clean build
* export asic platform for build
* update refpoint for makefiles
* [PLATFORM] Centec update E582 driver fan/epprom/sensor (#1332)
* Upload wnc-osw1800
* Modify for Barefoot suggest
* Revert bfn-platform.mk
* Update bfn-platform-wnc.mk
Update parameter name
* Update parameter name
* initial support for WNC platform
* change switch name to "switch"
* Delete bf modules for rel_7_0
* Add Ingrasys S9180 platform
Signed-off-by: Wade He <chihen.he@gmail.com>
* Modify bfnsdk for Ingrasys S9180 platform
Signed-off-by: Wade He <chihen.he@gmail.com>
* Resolved the conflict.
* Resolved the conflict.
* Update submodule path and url.
* Delete unused file.
* Update PSU GPIO and EEPROM for psuutil.
* Add psuutil in S9180-32X
Signed-off-by: Wade He <chihen.he@gmail.com>
* update refpoint
* update refpoint
* change contact email, update refpoint
* cleanup and update kernel modules
* updates based on review
* update refpoint
* update refpoint
* fix typo in config script to check for platforms
* remove stale file
* resolve conflicts
* cleanup diffs with Azure repo and update SDK debs
* update refpoints to Azure
* address review comments
* revert refpoint of swss-common
* porting the build fix from master
* porting build fix from master
* Minor Fix
* Minor fix
* Temp to sde deb packages url
* Update sonic - sairedis,swss & swss-common refpoints
* Update git modules url path to bfn repo
* updated paths for swss, swss-common & sairedis
* Update refpoint for sonic-swss to local bfn repo
* Update URL for downloading sde debian packages
* porting fix links of debian git server from master
* porting fix links of debian git server from master
* [Ingrasys] Add platform support for S9280-64X with Barefoot ASIC
* Update ref points for swss, swss-common and sairedis repos
* Add sonic platform scripts for bfn montara/maverick
* Call sh scripts instead of calling py scripts
* Address upstream PR Comments (#10)
* Update bf-master with azure/master
* Undo changes to some files
* Revert "Address upstream PR Comments (#10)"
This reverts commit a7fddb83ca1073f90fbe46955ba57a9b43742c73.
* Address upstream comments (#11)
* Remove all non bfn specific changes from upstream PR
* Revert "Address upstream comments (#11)"
This reverts commit 559132103e5c73e43f4282d1559ede03f16abfea.
* Undo non bfn changes
* Little more cleanup
* Add back code removed in merge
* export CONFIGURED_PLATFORM
* Update sairedis and swss refpoints
* Address Upstream PR comment
* change deb pkg dependency from 3.16.0-4-amd64 to 3.16.0-5-amd64
* Set default tx queue len for usb0 interface to 64
* Update sairedis refpoint
* Update swss ref point
* Add bfn buffer cfg files for montara/maverick as per new design
* Update buffer cfg templates for bfn montara
* add non zero size to buffer profile
* add macro to generate port lists
* Update buffer cfg templates for bfn mavericks
* add non zero size for buffer profiles
* add port generation macro
* Add missing psmisc package
* BGP docker seems to be missing killall utility being used by fast-reboot script. This is causing non graceful termination of BGP sessions.
Adding psmisc to resolve this issue.
* Update swss ref point
* Update swss ref point
* Update sairedis refpoint
* Update sairedis refpoint
* Update sairedis refpoint
* Update sairedis refpoint
* Update refpoint for sairedis and swss
* sairedis to azure master
* swss to latest bfn bf-master
* Update gitmodules
Update url for sairedis to azure master
* Correct typo in bfn platform script
* Update swss and sairedis ref points
* Update swss ref point
* Address Review comments
* Update swws path in gitmodules to azure master
* update swss refpoint
* update base docker j2 file -remove psmisc package (could be a concern, would cause fast reboot to not work correctly will fix in another PR)
* Fix sairedis refpoint broken in by previous merge
* Remove psmisc from docker base image
* This will break fast reboot as killall is required for killing bgp process and initiating graceful termination of BGP session.
Will fix this in a seperate PR. Need this for SONIC upstreaming
* Address upstream comments
* Remove bmc interface from interface jinja template and sample output interfaces file
* Add bmc interface at boot time to network interfaces for bfn bmc based platforms
* Remove autogen ingrasys debian files
* Revert "Remove autogen ingrasys debian files"
* Buffer and qos config template fix for bfn platforms (#21)
SWI-1509 Buffer and qos config template fix for bfn platforms
* Fix qos config files for montara & mavericks (#22)
* Reference only ppg 3,4 in qos files as no profiles are attached to 0,1 in buffer configs
* Fix vs test (#23)
# Make the configured platform and architecture available to recipes and
# sub-processes through the environment.
export CONFIGURED_PLATFORM CONFIGURED_ARCH
###############################################################################
## Utility rules
## Define configuration, help etc.
###############################################################################
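# .platform is the marker file written by `make configure`; the copy rules
# list it as a prerequisite. The failing recipe below is compiled in only when
# CONFIGURED_PLATFORM is not "generic".
# NOTE(review): this rule can only run when the .platform file is missing, and
# in that case CONFIGURED_PLATFORM falls back to "generic" unless it is
# overridden from outside, so the error looks hard to reach. Confirm the
# intended condition.
.platform :
ifneq ($(CONFIGURED_PLATFORM),generic)
	@echo Build system is not configured, please run make configure
	@exit 1
endif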
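# Create the output tree and record the chosen platform and architecture in
# .platform and .arch, from where they are read back on the next make run.
# NOTE(review): PLATFORM and PLATFORM_ARCH are expanded unquoted into the
# shell command line, so pass plain platform and architecture names only.
configure :
	@mkdir -p target/debs
	@mkdir -p target/debs/stretch
	@mkdir -p target/files
	@mkdir -p target/files/stretch
	@mkdir -p target/python-debs
	@mkdir -p target/python-wheels
	@echo $(PLATFORM) > .platform
	@echo $(PLATFORM_ARCH) > .arch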
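# Run `clean`, then drop the configuration markers so the tree is back to an
# unconfigured state. -f keeps rm quiet when a marker is already gone.
distclean : .platform clean
	@rm -f .platform
	@rm -f .arch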
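# Print every target collected in SONIC_TARGET_LIST, one per line. The foreach
# expands to a sequence of `echo <target>;` commands run by one shell.
list :
	@$(foreach target,$(SONIC_TARGET_LIST),echo $(target);)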
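###############################################################################
## Include other rules
###############################################################################

# Included makefiles are executed as make code, and the platform include path
# is built from the content of the .platform file. The rules/ and platform/
# trees and .platform are therefore trusted build inputs.
include $(RULES_PATH)/config

# Map the SONIC_* switches onto the internal ENABLE_*/INSTALL_* names. Each
# internal name is set only when the switch is exactly "y".
ifeq ($(SONIC_ENABLE_PFCWD_ON_START),y)
ENABLE_PFCWD_ON_START = y
endif

ifeq ($(SONIC_ENABLE_SYSTEM_TELEMETRY),y)
ENABLE_SYSTEM_TELEMETRY = y
endif

ifneq (,$(filter $(CONFIGURED_ARCH), armhf arm64))
# Workaround: Force disable Telemetry for ARM, will be removed after fixing issue
# Issue: qemu crashes when it uses "go get url"
# Qemu Support: https://bugs.launchpad.net/qemu/+bug/1838946
# Golang Support: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/golang-nuts/1txPOGa4aGc
ENABLE_SYSTEM_TELEMETRY = N
endif

ifeq ($(SONIC_ENABLE_SYNCD_RPC),y)
ENABLE_SYNCD_RPC = y
endif

ifeq ($(SONIC_INSTALL_DEBUG_TOOLS),y)
INSTALL_DEBUG_TOOLS = y
endif

ifeq ($(SONIC_ENABLE_SFLOW),y)
ENABLE_SFLOW = y
endif

include $(RULES_PATH)/functions
include $(RULES_PATH)/*.mk

# NOTE(review): CONFIGURED_PLATFORM defaults to "generic", never "undefined",
# so this guard only skips the include when .platform literally contains
# "undefined". Confirm that is the intended sentinel.
ifneq ($(CONFIGURED_PLATFORM),undefined)
include $(PLATFORM_PATH)/rules.mk
endif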
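# Default account name: use DEFAULT_USERNAME when USERNAME is empty.
# A name supplied as `make USERNAME=...` is part of make's argument list,
# which other local users can read through /proc/<pid>/cmdline, hence the
# warning in the other branch.
# NOTE(review): the test is on emptiness only, so any non-empty USERNAME
# triggers the warning, wherever the value came from.
ifeq ($(USERNAME),)
override USERNAME := $(DEFAULT_USERNAME)
else
$(warning USERNAME given on command line: could be visible to other users)
endif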
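# Default account password: use DEFAULT_PASSWORD when PASSWORD is empty.
# A password supplied as `make PASSWORD=...` is part of make's argument list,
# which other local users can read through /proc/<pid>/cmdline, hence the
# warning in the other branch. Prefer a channel that is not world-readable for
# real credentials.
# NOTE(review): the test is on emptiness only, so any non-empty PASSWORD
# triggers the warning, wherever the value came from.
ifeq ($(PASSWORD),)
override PASSWORD := $(DEFAULT_PASSWORD)
else
$(warning PASSWORD given on command line: could be visible to other users)
endif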
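# Debian build options for debug and profiling builds. The profiling
# assignment comes second, so it wins when both switches are "y".
ifeq ($(SONIC_DEBUGGING_ON),y)
DEB_BUILD_OPTIONS_GENERIC := nostrip
endif

ifeq ($(SONIC_PROFILING_ON),y)
DEB_BUILD_OPTIONS_GENERIC := nostrip noopt
endif

# Settings left empty by the caller fall back to their configured defaults.
# `override` makes the fallback apply even to an empty command-line value.
ifeq ($(SONIC_BUILD_JOBS),)
override SONIC_BUILD_JOBS := $(SONIC_CONFIG_BUILD_JOBS)
endif

ifeq ($(VS_PREPARE_MEM),)
override VS_PREPARE_MEM := $(DEFAULT_VS_PREPARE_MEM)
endif

ifeq ($(KERNEL_PROCURE_METHOD),)
override KERNEL_PROCURE_METHOD := $(DEFAULT_KERNEL_PROCURE_METHOD)
endif

# Run up to SONIC_BUILD_JOBS targets of this makefile in parallel.
MAKEFLAGS += -j $(SONIC_BUILD_JOBS)
export SONIC_CONFIG_MAKE_JOBS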
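###############################################################################
## Routing stack related exports
###############################################################################

export SONIC_ROUTING_STACK
export FRR_USER_UID
export FRR_USER_GID

###############################################################################
## Dumping key config attributes associated to current building exercise
###############################################################################

# $(info ...) writes to standard output while the makefile is being parsed, so
# this summary appears on every invocation and in every captured build log.
$(info SONiC Build System)
$(info )
$(info Build Configuration)
# A PLATFORM / PLATFORM_ARCH given for this run is shown in preference to the
# value stored by an earlier `make configure`.
$(info "CONFIGURED_PLATFORM" : "$(if $(PLATFORM),$(PLATFORM),$(CONFIGURED_PLATFORM))")
$(info "CONFIGURED_ARCH" : "$(if $(PLATFORM_ARCH),$(PLATFORM_ARCH),$(CONFIGURED_ARCH))")
$(info "SONIC_CONFIG_PRINT_DEPENDENCIES" : "$(SONIC_CONFIG_PRINT_DEPENDENCIES)")
$(info "SONIC_BUILD_JOBS" : "$(SONIC_BUILD_JOBS)")
$(info "SONIC_CONFIG_MAKE_JOBS" : "$(SONIC_CONFIG_MAKE_JOBS)")
$(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")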
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are a couple of issues with the current implementation of default
user account management in baseimage:
1) It uses DES to hash the account's password. Furthermore, this
effectively limits the password length to 8 symbols, even if more are
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) The salt value for the password is the same on all builds, even with
different passwords, which increases the attack surface.
3) During the build process, the password passed as a command line parameter,
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh), can be seen by
non-build users through the /proc/<pid>/cmdline file, which has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
which by default uses DES if the salt does not have the format $<id>$<salt>$,
where <id> is the hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
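# Remainder of the build summary, written to standard output at parse time.
$(info "USERNAME" : "$(USERNAME)")
# NOTE(review): this prints the account password in clear text, so it ends up
# in every captured or archived build log. Consider printing a placeholder
# instead, or restrict who can read those logs.
$(info "PASSWORD" : "$(PASSWORD)")
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
$(info "INSTALL_DEBUG_TOOLS" : "$(INSTALL_DEBUG_TOOLS)")
$(info "ROUTING_STACK" : "$(SONIC_ROUTING_STACK)")
# The FRR account ids are only shown when FRR is the selected routing stack.
ifeq ($(SONIC_ROUTING_STACK),frr)
$(info "FRR_USER_UID" : "$(FRR_USER_UID)")
$(info "FRR_USER_GID" : "$(FRR_USER_GID)")
endif
$(info "ENABLE_SYNCD_RPC" : "$(ENABLE_SYNCD_RPC)")
$(info "ENABLE_ORGANIZATION_EXTENSIONS" : "$(ENABLE_ORGANIZATION_EXTENSIONS)")
# NOTE(review): proxy URLs can carry credentials (user:password@host); if they
# do, those are printed here as well.
$(info "HTTP_PROXY" : "$(HTTP_PROXY)")
$(info "HTTPS_PROXY" : "$(HTTPS_PROXY)")
$(info "ENABLE_SYSTEM_TELEMETRY" : "$(ENABLE_SYSTEM_TELEMETRY)")
$(info "SONIC_DEBUGGING_ON" : "$(SONIC_DEBUGGING_ON)")
$(info "SONIC_PROFILING_ON" : "$(SONIC_PROFILING_ON)")
$(info "KERNEL_PROCURE_METHOD" : "$(KERNEL_PROCURE_METHOD)")
$(info "BUILD_TIMESTAMP" : "$(BUILD_TIMESTAMP)")
$(info "BLDENV" : "$(BLDENV)")
$(info "VS_PREPARE_MEM" : "$(VS_PREPARE_MEM)")
$(info "ENABLE_SFLOW" : "$(ENABLE_SFLOW)")
$(info )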
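# Opt-in to Docker BuildKit: warn about the known image-size side effect, then
# export DOCKER_BUILDKIT=1 to child processes.
ifeq ($(SONIC_USE_DOCKER_BUILDKIT),y)
$(warning "Using SONIC_USE_DOCKER_BUILDKIT will produce larger installable SONiC image because of a docker bug (more details: https://github.com/moby/moby/issues/38903)")
export DOCKER_BUILDKIT=1
endif

###############################################################################
## Generic rules section
## All rules must go after includes for proper targets expansion
###############################################################################

# Lower-case copies of the resolved settings, exported to recipe environments.
export kernel_procure_method=$(KERNEL_PROCURE_METHOD)
export vs_build_prepare_mem=$(VS_PREPARE_MEM)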
2018-07-25 10:14:18 -05:00
2016-12-14 13:59:24 -06:00
###############################################################################
## Local targets
###############################################################################
# Copy debian packages from local directory
# Add new package for copy:
# SOME_NEW_DEB = some_new_deb.deb
# $(SOME_NEW_DEB)_PATH = path/to/some_new_deb.deb
# SONIC_COPY_DEBS += $(SOME_NEW_DEB)
$(addprefix $(DEBS_PATH)/, $(SONIC_COPY_DEBS)) : $( DEBS_PATH ) /% : .platform
$( HEADER)
$( foreach deb,$* $( $* _DERIVED_DEBS) , \
{ cp $( $( deb) _PATH) /$( deb) $( DEBS_PATH) / $( LOG) || exit 1 ; } ; )
$( FOOTER)
2018-07-25 10:14:18 -05:00
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_COPY_DEBS) )
2016-12-14 13:59:24 -06:00
# Copy regular files from local directory
# Add new package for copy:
# SOME_NEW_FILE = some_new_file
# $(SOME_NEW_FILE)_PATH = path/to/some_new_file
# SONIC_COPY_FILES += $(SOME_NEW_FILE)
2017-07-28 12:57:51 -05:00
$(addprefix $(FILES_PATH)/, $(SONIC_COPY_FILES)) : $( FILES_PATH ) /% : .platform
2016-12-14 13:59:24 -06:00
$( HEADER)
2017-07-28 12:57:51 -05:00
cp $( $* _PATH) /$* $( FILES_PATH) / $( LOG) || exit 1
2016-12-14 13:59:24 -06:00
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( FILES_PATH) /, $( SONIC_COPY_FILES) )
2016-12-05 13:12:19 -06:00
###############################################################################
## Online targets
###############################################################################
# Download debian packages from online location
# Add new package for download:
# SOME_NEW_DEB = some_new_deb.deb
# $(SOME_NEW_DEB)_URL = https://url/to/this/deb.deb
# SONIC_ONLINE_DEBS += $(SOME_NEW_DEB)
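# Fetch each online package, and any packages derived from it, into $(DEBS_PATH).
# NOTE(review): nothing visible in this rule checks the download against a
# pinned digest or signature, so the build trusts whatever the URL serves.
# The <deb>-install targets later hand these files to `sudo dpkg -i`.
# Prefer https:// URLs and consider recording an expected checksum per package.
$(addprefix $(DEBS_PATH)/, $(SONIC_ONLINE_DEBS)) : $(DEBS_PATH)/% : .platform
	$(HEADER)
	# wget -O creates/truncates the output file before the transfer starts, so a
	# failed download is removed instead of being left behind as a target that
	# looks up to date on the next run.
	$(foreach deb,$* $($*_DERIVED_DEBS), \
	    { wget --no-use-server-timestamps -O $(DEBS_PATH)/$(deb) $($(deb)_URL) $(LOG) || { rm -f $(DEBS_PATH)/$(deb) ; exit 1 ; } ; } ; )
	$(FOOTER)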
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_ONLINE_DEBS) )
2016-12-05 13:12:19 -06:00
# Download regular files from online location
# Files are stored in deb packages directory for convenience
# Add new file for download:
# SOME_NEW_FILE = some_new_file
# $(SOME_NEW_FILE)_URL = https://url/to/this/file
# SONIC_ONLINE_FILES += $(SOME_NEW_FILE)
2017-07-28 12:57:51 -05:00
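# Fetch one regular file per target from $(<file>_URL) into $(FILES_PATH).
# NOTE(review): as with the online debs rule, nothing visible here verifies
# the content against a pinned digest or signature; consider recording an
# expected checksum next to each URL.
$(addprefix $(FILES_PATH)/, $(SONIC_ONLINE_FILES)) : $(FILES_PATH)/% : .platform
	$(HEADER)
	# Fail explicitly, as the online debs rule does, and remove the partial file:
	# wget -O creates/truncates $@ before the transfer starts, and a leftover file
	# would be treated as an up-to-date target on the next run.
	wget --no-use-server-timestamps -O $@ $($*_URL) $(LOG) || { rm -f $@ ; exit 1 ; }
	$(FOOTER)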
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( FILES_PATH) /, $( SONIC_ONLINE_FILES) )
2018-11-21 00:32:40 -06:00
###############################################################################
## Build targets
###############################################################################
# Build project using build.sh script
# They are essentially a one-time build projects that get sources from some URL
# and compile them
# Add new file for build:
# SOME_NEW_FILE = some_new_deb.deb
# $(SOME_NEW_FILE)_SRC_PATH = $(SRC_PATH)/project_name
# $(SOME_NEW_FILE)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
# SONIC_MAKE_FILES += $(SOME_NEW_FILE)
$(addprefix $(FILES_PATH)/, $(SONIC_MAKE_FILES)) : $( FILES_PATH ) /% : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( DEBS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) )
$( HEADER)
# Remove target to force rebuild
rm -f $( addprefix $( FILES_PATH) /, $* )
# Apply series of patches if exist
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && QUILT_PATCHES = ../$( notdir $( $* _SRC_PATH) ) .patch quilt push -a; popd; fi
# Build project and take package
make DEST = $( shell pwd ) /$( FILES_PATH) -C $( $* _SRC_PATH) $( shell pwd ) /$( FILES_PATH) /$* $( LOG)
# Clean up
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && quilt pop -a -f; popd; fi
$( FOOTER)
SONIC_TARGET_LIST += $( addprefix $( FILES_PATH) /, $( SONIC_MAKE_FILES) )
2016-12-05 13:12:19 -06:00
###############################################################################
## Debian package related targets
###############################################################################
# Build project using build.sh script
# They are essentially a one-time build projects that get sources from some URL
# and compile them
# Add new package for build:
# SOME_NEW_DEB = some_new_deb.deb
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
# SONIC_MAKE_DEBS += $(SOME_NEW_DEB)
$(addprefix $(DEBS_PATH)/, $(SONIC_MAKE_DEBS)) : $( DEBS_PATH ) /% : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( DEBS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) )
$( HEADER)
2017-09-07 16:02:17 -05:00
# Remove target to force rebuild
2017-03-01 10:32:58 -06:00
rm -f $( addprefix $( DEBS_PATH) /, $* $( $* _DERIVED_DEBS) $( $* _EXTRA_DEBS) )
2017-09-07 16:02:17 -05:00
# Apply series of patches if exist
2017-03-17 00:57:30 -05:00
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && QUILT_PATCHES = ../$( notdir $( $* _SRC_PATH) ) .patch quilt push -a; popd; fi
2017-09-07 16:02:17 -05:00
# Build project and take package
2018-06-19 17:59:12 -05:00
DEB_BUILD_OPTIONS = " ${ DEB_BUILD_OPTIONS_GENERIC } " make DEST = $( shell pwd ) /$( DEBS_PATH) -C $( $* _SRC_PATH) $( shell pwd ) /$( DEBS_PATH) /$* $( LOG)
2017-09-07 16:02:17 -05:00
# Clean up
2017-03-17 00:57:30 -05:00
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && quilt pop -a -f; popd; fi
2016-12-05 13:12:19 -06:00
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_MAKE_DEBS) )
2016-12-05 13:12:19 -06:00
# Build project with dpkg-buildpackage
# Add new package for build:
# SOME_NEW_DEB = some_new_deb.deb
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
# SONIC_DPKG_DEBS += $(SOME_NEW_DEB)
$(addprefix $(DEBS_PATH)/, $(SONIC_DPKG_DEBS)) : $( DEBS_PATH ) /% : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( DEBS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) )
$( HEADER)
2017-09-07 16:02:17 -05:00
# Remove old build logs if they exist
2016-12-05 13:12:19 -06:00
rm -f $( $* _SRC_PATH) /debian/*.debhelper.log
2017-09-07 16:02:17 -05:00
# Apply series of patches if exist
2017-05-22 03:08:16 -05:00
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && QUILT_PATCHES = ../$( notdir $( $* _SRC_PATH) ) .patch quilt push -a; popd; fi
2017-09-07 16:02:17 -05:00
# Build project
2016-12-05 13:12:19 -06:00
pushd $( $* _SRC_PATH) $( LOG)
[ ! -f ./autogen.sh ] || ./autogen.sh $( LOG)
2017-10-24 00:01:42 -05:00
$( if $( $* _DPKG_TARGET) ,
2018-06-19 17:59:12 -05:00
DEB_BUILD_OPTIONS = " ${ DEB_BUILD_OPTIONS_GENERIC } ${ $* _DEB_BUILD_OPTIONS } " dpkg-buildpackage -rfakeroot -b -us -uc -j$( SONIC_CONFIG_MAKE_JOBS) --as-root -T$( $* _DPKG_TARGET) $( LOG) ,
DEB_BUILD_OPTIONS = " ${ DEB_BUILD_OPTIONS_GENERIC } ${ $* _DEB_BUILD_OPTIONS } " dpkg-buildpackage -rfakeroot -b -us -uc -j$( SONIC_CONFIG_MAKE_JOBS) $( LOG)
2017-10-24 00:01:42 -05:00
)
2016-12-05 13:12:19 -06:00
popd $( LOG)
2017-09-07 16:02:17 -05:00
# Clean up
2017-05-22 03:08:16 -05:00
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && quilt pop -a -f; popd; fi
2017-09-07 16:02:17 -05:00
# Take built package(s)
2017-03-01 10:32:58 -06:00
mv $( addprefix $( $* _SRC_PATH) /../, $* $( $* _DERIVED_DEBS) $( $* _EXTRA_DEBS) ) $( DEBS_PATH) $( LOG)
2016-12-05 13:12:19 -06:00
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_DPKG_DEBS) )
2016-12-05 13:12:19 -06:00
# Rules for derived debian packages (dev, dbg, etc.)
# All noise takes place in main deb recipe, so we are just telling that
# we depend on it and move our deb to other targets
# Add new dev package:
# $(eval $(call add_derived_package,$(ORIGINAL_DEB),derived_deb_file.deb))
$(addprefix $(DEBS_PATH)/, $(SONIC_DERIVED_DEBS)) : $( DEBS_PATH ) /% : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( DEBS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) )
$( HEADER)
# All noise takes place in main deb recipe, so we are just telling that
# we depend on it
# Put newer timestamp
[ -f $@ ] && touch $@
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_DERIVED_DEBS) )
2017-03-01 10:32:58 -06:00
# Rules for extra debian packages
# All noise takes place in main deb recipe, so we are just telling that
# we need to build the main deb and move our deb to other targets
# Add new dev package:
# $(eval $(call add_extra_package,$(ORIGINAL_DEB),extra_deb_file.deb))
$(addprefix $(DEBS_PATH)/, $(SONIC_EXTRA_DEBS)) : $( DEBS_PATH ) /% : .platform $$( addprefix $ ( DEBS_PATH ) /,$ $ ( $ $ *_MAIN_DEB ) )
$( HEADER)
# All noise takes place in main deb recipe, so we are just telling that
# we depend on it
# Put newer timestamp
[ -f $@ ] && touch $@
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( DEBS_PATH) /, $( SONIC_EXTRA_DEBS) )
2016-12-05 13:12:19 -06:00
# Targets for installing debian packages prior to build one that depends on them
SONIC_INSTALL_TARGETS = $( addsuffix -install,$( addprefix $( DEBS_PATH) /, \
$( SONIC_ONLINE_DEBS) \
$( SONIC_COPY_DEBS) \
$( SONIC_MAKE_DEBS) \
$( SONIC_DPKG_DEBS) \
$( SONIC_PYTHON_STDEB_DEBS) \
2017-03-01 10:32:58 -06:00
$( SONIC_DERIVED_DEBS) \
$( SONIC_EXTRA_DEBS) ) )
2016-12-05 13:12:19 -06:00
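# Install one package into the build environment once the package file and the
# -install targets of its _DEPENDS exist.
# NOTE(review): `sudo dpkg -i` runs the package's maintainer scripts as root, and
# SONIC_INSTALL_TARGETS includes SONIC_ONLINE_DEBS, which are downloaded without
# a visible integrity check.
$(SONIC_INSTALL_TARGETS) : $(DEBS_PATH)/%-install : .platform $$(addsuffix -install,$$(addprefix $(DEBS_PATH)/,$$($$*_DEPENDS))) $(DEBS_PATH)/$$*
	$(HEADER)
	# The closing brace needs a preceding ';' to be read as the end of the group;
	# without it bash would normally take '}' as an argument to the last command.
	# Same form as the wheel -install rule.
	[ -f $(DEBS_PATH)/$* ] || { echo $(DEBS_PATH)/$* does not exist $(LOG) && exit 1; }
	# put a lock here because dpkg does not allow installing packages in parallel
	# NOTE(review): the lock is a bare directory with no owner or timeout; if a
	# build is killed while holding it, later runs spin here until it is removed.
	while true; do
	if mkdir $(DEBS_PATH)/dpkg_lock &> /dev/null; then
	{ sudo dpkg -i $(DEBS_PATH)/$* $(LOG) && rm -d $(DEBS_PATH)/dpkg_lock && break; } || { rm -d $(DEBS_PATH)/dpkg_lock && exit 1 ; }
	fi
	done
	$(FOOTER)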
###############################################################################
## Python packages
###############################################################################
2019-02-05 00:06:37 -06:00
# Build project with python setup.py --command-packages=stdeb.command
# Add new package for build:
# SOME_NEW_DEB = some_new_deb.deb
# $(SOME_NEW_DEB)_SRC_PATH = $(SRC_PATH)/project_name
# $(SOME_NEW_DEB)_DEPENDS = $(SOME_OTHER_DEB1) $(SOME_OTHER_DEB2) ...
# SONIC_PYTHON_STDEB_DEBS += $(SOME_NEW_DEB)
$(addprefix $(PYTHON_DEBS_PATH)/, $(SONIC_PYTHON_STDEB_DEBS)) : $( PYTHON_DEBS_PATH ) /% : .platform \
$$ ( addsuffix -install,$$ ( addprefix $( PYTHON_DEBS_PATH) /,$$ ( $$ *_DEPENDS) ) ) \
$$ ( addsuffix -install,$$ ( addprefix $( PYTHON_WHEELS_PATH) /,$$ ( $$ *_WHEEL_DEPENDS) ) )
$( HEADER)
# Apply series of patches if exist
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && QUILT_PATCHES = ../$( notdir $( $* _SRC_PATH) ) .patch quilt push -a; popd; fi
# Build project
pushd $( $* _SRC_PATH) $( LOG)
rm -rf deb_dist/* $( LOG)
python setup.py --command-packages= stdeb.command bdist_deb $( LOG)
popd $( LOG)
# Clean up
if [ -f $( $* _SRC_PATH) .patch/series ] ; then pushd $( $* _SRC_PATH) && quilt pop -a -f; popd; fi
# Take built package(s)
mv $( addprefix $( $* _SRC_PATH) /deb_dist/, $* $( $* _DERIVED_DEBS) ) $( PYTHON_DEBS_PATH) $( LOG)
$( FOOTER)
SONIC_TARGET_LIST += $( addprefix $( PYTHON_DEBS_PATH) /, $( SONIC_PYTHON_STDEB_DEBS) )
2016-12-05 13:12:19 -06:00
# Build project using python setup.py bdist_wheel
# Projects that generate python wheels
# Add new package for build:
# SOME_NEW_WHL = some_new_whl.whl
# $(SOME_NEW_WHL)_SRC_PATH = $(SRC_PATH)/project_name
# $(SOME_NEW_WHL)_PYTHON_VERSION = 2 (or 3)
# $(SOME_NEW_WHL)_DEPENDS = $(SOME_OTHER_WHL1) $(SOME_OTHER_WHL2) ...
2017-03-30 17:25:31 -05:00
# SONIC_PYTHON_WHEELS += $(SOME_NEW_WHL)
2016-12-05 13:12:19 -06:00
$(addprefix $(PYTHON_WHEELS_PATH)/, $(SONIC_PYTHON_WHEELS)) : $( PYTHON_WHEELS_PATH ) /% : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( PYTHON_WHEELS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) )
$( HEADER)
pushd $( $* _SRC_PATH) $( LOG)
2017-03-17 00:57:30 -05:00
# apply series of patches if exist
if [ -f ../$( notdir $( $* _SRC_PATH) ) .patch/series ] ; then QUILT_PATCHES = ../$( notdir $( $* _SRC_PATH) ) .patch quilt push -a; fi
2017-12-07 15:08:23 -06:00
[ " $( $* _TEST) " = "n" ] || python$( $* _PYTHON_VERSION) setup.py test $( LOG)
2016-12-05 13:12:19 -06:00
python$( $* _PYTHON_VERSION) setup.py bdist_wheel $( LOG)
2017-03-17 00:57:30 -05:00
# clean up
if [ -f ../$( notdir $( $* _SRC_PATH) ) .patch/series ] ; then quilt pop -a -f; fi
2016-12-05 13:12:19 -06:00
popd $( LOG)
mv $( $* _SRC_PATH) /dist/$* $( PYTHON_WHEELS_PATH) $( LOG)
$( FOOTER)
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( PYTHON_WHEELS_PATH) /, $( SONIC_PYTHON_WHEELS) )
2016-12-05 13:12:19 -06:00
# Targets for installing python wheels.
# Autogenerated
SONIC_INSTALL_WHEELS = $( addsuffix -install, $( addprefix $( PYTHON_WHEELS_PATH) /, $( SONIC_PYTHON_WHEELS) ) )
$(SONIC_INSTALL_WHEELS) : $( PYTHON_WHEELS_PATH ) /%-install : .platform $$( addsuffix -install ,$ $ ( addprefix $ ( PYTHON_WHEELS_PATH ) /,$ $ ( $ $ *_DEPENDS ) ) ) $( PYTHON_WHEELS_PATH ) /$$*
$( HEADER)
[ -f $( PYTHON_WHEELS_PATH) /$* ] || { echo $( PYTHON_WHEELS_PATH) /$* does not exist $( LOG) && exit 1; }
# put a lock here to avoid race conditions
while true; do
if mkdir $( PYTHON_WHEELS_PATH) /pip_lock & > /dev/null; then
2017-12-24 01:34:15 -06:00
{ sudo -E pip$( $* _PYTHON_VERSION) install $( PYTHON_WHEELS_PATH) /$* $( LOG) && rm -d $( PYTHON_WHEELS_PATH) /pip_lock && break; } || { rm -d $( PYTHON_WHEELS_PATH) /pip_lock && exit 1 ; }
2016-12-05 13:12:19 -06:00
fi
done
$( FOOTER)
###############################################################################
## Docker images related targets
###############################################################################
# start docker daemon
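# Record the caller's http_proxy in /etc/default/docker, then make sure a docker
# daemon is running (started via `service` unless
# SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD is "y" and the daemon already runs).
#
# The proxy value is written with printf %q through `sudo tee` instead of being
# pasted into a `sudo bash -c "..."` string: the old form let quotes, backticks
# or $(...) in the environment variable be evaluated by a root shell. %q also
# keeps the written line safe if the file is later sourced by a shell
# (presumably by the docker init script - confirm for the target distro).
# NOTE(review): a proxy URL that embeds credentials is persisted in that file.
docker-start :
	@sudo sed -i '/http_proxy/d' /etc/default/docker
	@printf 'export http_proxy=%q\n' "$$http_proxy" | sudo tee -a /etc/default/docker > /dev/null
	@test x$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FOR_BUILD) != x"y" && sudo service docker status &> /dev/null || ( sudo service docker start &> /dev/null && ./scripts/wait_for_docker.sh 60 )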
2016-12-05 13:12:19 -06:00
# targets for building simple docker images that do not depend on any debian packages
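# Build a docker image that needs no debian packages and save it as
# $(TARGET_PATH)/<image>.gz. Any images listed in <image>.gz_LOAD_DOCKERS are
# loaded first through their -load targets.
# NOTE(review): --build-arg values are passed unquoted; if the Dockerfile
# declares the proxy arguments with ARG, a proxy URL that embeds credentials
# can end up in the image history - confirm against the Dockerfiles.
$(addprefix $(TARGET_PATH)/, $(SONIC_SIMPLE_DOCKER_IMAGES)) : $(TARGET_PATH)/%.gz : .platform docker-start $$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$($$*.gz_LOAD_DOCKERS)))
	$(HEADER)
	# Apply series of patches if exist
	if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && QUILT_PATCHES=../$(notdir $($*.gz_PATH)).patch quilt push -a; popd; fi
	docker info $(LOG)
	docker build --squash --no-cache \
		--build-arg http_proxy=$(HTTP_PROXY) \
		--build-arg https_proxy=$(HTTPS_PROXY) \
		--build-arg user=$(USER) \
		--build-arg uid=$(UID) \
		--build-arg guid=$(GUID) \
		--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
		--label Tag=$(SONIC_GET_VERSION) \
		-t $* $($*.gz_PATH) $(LOG)
	docker save $* | gzip -c > $@
	# Unless pipefail is enabled elsewhere, the pipeline above reports gzip's
	# status, so a failed `docker save` would leave a truncated archive that make
	# treats as a finished target. Check the producer explicitly (PIPESTATUS is
	# bash-specific; SHELL is /bin/bash) and drop the bad archive.
	[ "$${PIPESTATUS[0]}" -eq 0 ] || { rm -f $@ ; exit 1 ; }
	# Clean up
	if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
	$(FOOTER)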
2017-07-29 17:34:27 -05:00
SONIC_TARGET_LIST += $( addprefix $( TARGET_PATH) /, $( SONIC_SIMPLE_DOCKER_IMAGES) )
2019-05-27 17:50:51 -05:00
# Build jessie docker images only in jessie slave docker,
2019-03-19 11:16:33 -05:00
# jessie docker images only in jessie slave docker
2019-05-27 17:50:51 -05:00
i f e q ( $( BLDENV ) , )
2019-05-06 09:19:36 -05:00
DOCKER_IMAGES_FOR_INSTALLERS := $( sort $( foreach installer,$( SONIC_INSTALLERS) ,$( $( installer) _DOCKERS) ) )
2019-05-27 17:50:51 -05:00
DOCKER_IMAGES := $( SONIC_JESSIE_DOCKERS)
DOCKER_DBG_IMAGES := $( SONIC_JESSIE_DBG_DOCKERS)
SONIC_JESSIE_DOCKERS_FOR_INSTALLERS = $( filter $( SONIC_JESSIE_DOCKERS) ,$( DOCKER_IMAGES_FOR_INSTALLERS) $( EXTRA_JESSIE_TARGETS) )
SONIC_JESSIE_DBG_DOCKERS_FOR_INSTALLERS = $( filter $( SONIC_JESSIE_DBG_DOCKERS) , $( patsubst %.gz,%-$( DBG_IMAGE_MARK) .gz, $( SONIC_JESSIE_DOCKERS_FOR_INSTALLERS) ) )
2019-03-19 11:16:33 -05:00
e l s e
2019-05-27 17:50:51 -05:00
DOCKER_IMAGES := $( filter-out $( SONIC_JESSIE_DOCKERS) , $( SONIC_DOCKER_IMAGES) )
DOCKER_DBG_IMAGES := $( filter-out $( SONIC_JESSIE_DBG_DOCKERS) , $( SONIC_DOCKER_DBG_IMAGES) )
2019-03-19 11:16:33 -05:00
e n d i f
2016-12-05 13:12:19 -06:00
# Targets for building docker images
2019-03-19 11:16:33 -05:00
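# Build a docker image from <path>/Dockerfile.j2 and save it as
# $(TARGET_PATH)/<image>.gz. The package, file and wheel output directories
# are bind-mounted into the build context so the rendered Dockerfile can use
# them.
# NOTE(review): no umount for the bind mounts is visible in this recipe;
# confirm they are released elsewhere, since they need sudo and persist after
# a failed build.
# NOTE(review): --build-arg values are passed unquoted; if the Dockerfile
# declares the proxy arguments with ARG, a proxy URL that embeds credentials
# can end up in the image history - confirm against the Dockerfiles.
$(addprefix $(TARGET_PATH)/, $(DOCKER_IMAGES)) : $(TARGET_PATH)/%.gz : .platform docker-start \
		$$(addprefix $(DEBS_PATH)/,$$($$*.gz_DEPENDS)) \
		$$(addprefix $(FILES_PATH)/,$$($$*.gz_FILES)) \
		$$(addprefix $(PYTHON_DEBS_PATH)/,$$($$*.gz_PYTHON_DEBS)) \
		$$(addprefix $(PYTHON_WHEELS_PATH)/,$$($$*.gz_PYTHON_WHEELS)) \
		$$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$($$*.gz_LOAD_DOCKERS))) \
		$$($$*.gz_PATH)/Dockerfile.j2
	$(HEADER)
	# Apply series of patches if exist
	if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && QUILT_PATCHES=../$(notdir $($*.gz_PATH)).patch quilt push -a; popd; fi
	mkdir -p $($*.gz_PATH)/debs $(LOG)
	mkdir -p $($*.gz_PATH)/files $(LOG)
	mkdir -p $($*.gz_PATH)/python-debs $(LOG)
	mkdir -p $($*.gz_PATH)/python-wheels $(LOG)
	sudo mount --bind $(DEBS_PATH) $($*.gz_PATH)/debs $(LOG)
	sudo mount --bind $(FILES_PATH) $($*.gz_PATH)/files $(LOG)
	sudo mount --bind $(PYTHON_DEBS_PATH) $($*.gz_PATH)/python-debs $(LOG)
	sudo mount --bind $(PYTHON_WHEELS_PATH) $($*.gz_PATH)/python-wheels $(LOG)
	# Export variables for j2. Use path for unique variable names, e.g. docker_orchagent_debs
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_debs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DEPENDS),RDEPENDS))\n" | awk '!a[$$0]++'))
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_pydebs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_PYTHON_DEBS)))\n" | awk '!a[$$0]++'))
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_whls=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_PYTHON_WHEELS)))\n" | awk '!a[$$0]++'))
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_dbgs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_PACKAGES)))\n" | awk '!a[$$0]++'))
	j2 $($*.gz_PATH)/Dockerfile.j2 > $($*.gz_PATH)/Dockerfile
	docker info $(LOG)
	docker build --squash --no-cache \
		--build-arg http_proxy=$(HTTP_PROXY) \
		--build-arg https_proxy=$(HTTPS_PROXY) \
		--build-arg user=$(USER) \
		--build-arg uid=$(UID) \
		--build-arg guid=$(GUID) \
		--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
		--build-arg frr_user_uid=$(FRR_USER_UID) \
		--build-arg frr_user_gid=$(FRR_USER_GID) \
		--label Tag=$(SONIC_GET_VERSION) \
		-t $* $($*.gz_PATH) $(LOG)
	docker save $* | gzip -c > $@
	# Unless pipefail is enabled elsewhere, the pipeline above reports gzip's
	# status, so a failed `docker save` would leave a truncated archive that make
	# (and the installer rule that consumes it) treats as a finished image.
	# Check the producer explicitly (PIPESTATUS is bash-specific; SHELL is
	# /bin/bash) and drop the bad archive.
	[ "$${PIPESTATUS[0]}" -eq 0 ] || { rm -f $@ ; exit 1 ; }
	# Clean up
	if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
	$(FOOTER)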
2019-03-19 11:16:33 -05:00
SONIC_TARGET_LIST += $( addprefix $( TARGET_PATH) /, $( DOCKER_IMAGES) )
2017-07-29 17:34:27 -05:00
2019-04-13 19:05:18 -05:00
# Targets for building debug docker images
2019-04-19 20:49:21 -05:00
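# Build the debug flavour of a docker image and save it as
# $(TARGET_PATH)/<image>-$(DBG_IMAGE_MARK).gz. The regular image is loaded first
# through its -load target, and build_debug_docker_j2.sh generates
# Dockerfile-dbg.j2.
# NOTE(review): no umount for the bind mount is visible in this recipe; confirm
# it is released elsewhere.
# NOTE(review): the clean-up step pops quilt patches although this recipe never
# pushes them - confirm that is intended.
$(addprefix $(TARGET_PATH)/, $(DOCKER_DBG_IMAGES)) : $(TARGET_PATH)/%-$(DBG_IMAGE_MARK).gz : .platform docker-start \
		$$(addprefix $(DEBS_PATH)/,$$($$*.gz_DBG_DEPENDS)) \
		$$(addsuffix -load,$$(addprefix $(TARGET_PATH)/,$$*.gz))
	$(HEADER)
	mkdir -p $($*.gz_PATH)/debs $(LOG)
	sudo mount --bind $(DEBS_PATH) $($*.gz_PATH)/debs $(LOG)
	# Export variables for j2. Use path for unique variable names, e.g. docker_orchagent_debs
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_dbg_debs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_DEPENDS),RDEPENDS))\n" | awk '!a[$$0]++'))
	$(eval export $(subst -,_,$(notdir $($*.gz_PATH)))_image_dbgs=$(shell printf "$(subst $(SPACE),\n,$(call expand,$($*.gz_DBG_IMAGE_PACKAGES)))\n" | awk '!a[$$0]++'))
	./build_debug_docker_j2.sh $* $(subst -,_,$(notdir $($*.gz_PATH)))_dbg_debs $(subst -,_,$(notdir $($*.gz_PATH)))_image_dbgs > $($*.gz_PATH)/Dockerfile-dbg.j2
	j2 $($*.gz_PATH)/Dockerfile-dbg.j2 > $($*.gz_PATH)/Dockerfile-dbg
	docker info $(LOG)
	docker build \
		$(if $($*.gz_DBG_DEPENDS), --squash --no-cache, --no-cache) \
		--build-arg http_proxy=$(HTTP_PROXY) \
		--build-arg https_proxy=$(HTTPS_PROXY) \
		--build-arg docker_container_name=$($*.gz_CONTAINER_NAME) \
		--label Tag=$(SONIC_GET_VERSION) \
		--file $($*.gz_PATH)/Dockerfile-dbg \
		-t $*-dbg $($*.gz_PATH) $(LOG)
	docker save $*-dbg | gzip -c > $@
	# Unless pipefail is enabled elsewhere, the pipeline above reports gzip's
	# status, so a failed `docker save` would leave a truncated archive that make
	# treats as a finished target. Check the producer explicitly (PIPESTATUS is
	# bash-specific; SHELL is /bin/bash) and drop the bad archive.
	[ "$${PIPESTATUS[0]}" -eq 0 ] || { rm -f $@ ; exit 1 ; }
	# Clean up
	if [ -f $($*.gz_PATH).patch/series ]; then pushd $($*.gz_PATH) && quilt pop -a -f; popd; fi
	$(FOOTER)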
SONIC_TARGET_LIST += $( addprefix $( TARGET_PATH) /, $( DOCKER_DBG_IMAGES) )
2016-12-05 13:12:19 -06:00
DOCKER_LOAD_TARGETS = $( addsuffix -load,$( addprefix $( TARGET_PATH) /, \
$( SONIC_SIMPLE_DOCKER_IMAGES) \
2019-03-19 11:16:33 -05:00
$( DOCKER_IMAGES) ) )
2019-04-13 19:05:18 -05:00
2016-12-05 13:12:19 -06:00
$(DOCKER_LOAD_TARGETS) : $( TARGET_PATH ) /%.gz -load : .platform docker -start $$( TARGET_PATH ) /$$*.gz
$( HEADER)
docker load -i $( TARGET_PATH) /$* .gz $( LOG)
$( FOOTER)
###############################################################################
## Installers
###############################################################################
# targets for building installers with base image
2017-11-16 14:27:03 -06:00
$(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $( TARGET_PATH ) /% : \
.platform \
onie-image.conf \
2017-09-01 02:35:36 -05:00
build_debian.sh \
2019-07-04 00:13:55 -05:00
scripts/dbg_files.sh \
2017-09-01 02:35:36 -05:00
build_image.sh \
2019-02-05 00:06:37 -06:00
$$ ( addsuffix -install,$$ ( addprefix $( STRETCH_DEBS_PATH) /,$$ ( $$ *_DEPENDS) ) ) \
$$ ( addprefix $( STRETCH_DEBS_PATH) /,$$ ( $$ *_INSTALLS) ) \
$$ ( addprefix $( STRETCH_DEBS_PATH) /,$$ ( $$ *_LAZY_INSTALLS) ) \
$( addprefix $( STRETCH_DEBS_PATH) /,$( INITRAMFS_TOOLS) \
2017-11-16 14:27:03 -06:00
$( LINUX_KERNEL) \
$( SONIC_DEVICE_DATA) \
2018-06-29 11:59:46 -05:00
$( PYTHON_CLICK) \
2019-07-20 01:09:14 -05:00
$( IFUPDOWN2) \
2017-12-07 05:36:17 -06:00
$( LIBPAM_TACPLUS) \
2018-08-17 19:38:20 -05:00
$( LIBNSS_TACPLUS) ) \
2017-11-16 14:27:03 -06:00
$$ ( addprefix $( TARGET_PATH) /,$$ ( $$ *_DOCKERS) ) \
2019-02-05 00:06:37 -06:00
$$ ( addprefix $( FILES_PATH) /,$$ ( $$ *_FILES) ) \
2019-08-06 23:33:14 -05:00
$( addprefix $( STRETCH_FILES_PATH) /, $( if $( filter $( CONFIGURED_ARCH) ,amd64) , $( IXGBE_DRIVER) ) ) \
2019-02-05 00:06:37 -06:00
$( addprefix $( PYTHON_DEBS_PATH) /,$( SONIC_UTILS) ) \
$( addprefix $( PYTHON_WHEELS_PATH) /,$( SONIC_CONFIG_ENGINE) ) \
$( addprefix $( PYTHON_WHEELS_PATH) /,$( SONIC_PLATFORM_COMMON_PY2) ) \
$( addprefix $( PYTHON_WHEELS_PATH) /,$( REDIS_DUMP_LOAD_PY2) )
2016-12-05 13:12:19 -06:00
$( HEADER)
2017-09-07 16:02:17 -05:00
# Pass initramfs and linux kernel explicitly. They are used for all platforms
2019-02-05 00:06:37 -06:00
export debs_path = " $( STRETCH_DEBS_PATH) "
2019-05-27 17:50:51 -05:00
export files_path = " $( FILES_PATH) "
2019-02-05 00:06:37 -06:00
export python_debs_path = " $( PYTHON_DEBS_PATH) "
export initramfs_tools = " $( STRETCH_DEBS_PATH) / $( INITRAMFS_TOOLS) "
2019-06-05 11:31:29 -05:00
export linux_kernel = " $( STRETCH_DEBS_PATH) / $( LINUX_KERNEL) "
2018-11-21 00:32:40 -06:00
export onie_recovery_image = " $( FILES_PATH) / $( ONIE_RECOVERY_IMAGE) "
2017-01-29 13:33:33 -06:00
export kversion = " $( KVERSION) "
export image_type = " $( $* _IMAGE_TYPE) "
export sonicadmin_user = " $( USERNAME) "
2019-07-26 00:06:41 -05:00
export sonic_asic_platform = " $( patsubst %-$( CONFIGURED_ARCH) ,%,$( CONFIGURED_PLATFORM) ) "
2018-03-27 15:39:04 -05:00
export enable_organization_extensions = " $( ENABLE_ORGANIZATION_EXTENSIONS) "
2017-02-17 15:47:01 -06:00
export enable_dhcp_graph_service = " $( ENABLE_DHCP_GRAPH_SERVICE) "
2017-06-12 13:05:22 -05:00
export shutdown_bgp_on_start = " $( SHUTDOWN_BGP_ON_START) "
2018-03-06 01:55:37 -06:00
export enable_pfcwd_on_start = " $( ENABLE_PFCWD_ON_START) "
2019-02-05 00:06:37 -06:00
export installer_debs = " $( addprefix $( STRETCH_DEBS_PATH) /,$( $* _INSTALLS) ) "
export lazy_installer_debs = " $( foreach deb, $( $* _LAZY_INSTALLS) ,$( foreach device, $( $( deb) _PLATFORM) ,$( addprefix $( device) @, $( STRETCH_DEBS_PATH) /$( deb) ) ) ) "
2017-04-04 01:56:15 -05:00
export installer_images = " $( addprefix $( TARGET_PATH) /,$( $* _DOCKERS) ) "
export config_engine_wheel_path = " $( addprefix $( PYTHON_WHEELS_PATH) /,$( SONIC_CONFIG_ENGINE) ) "
export swsssdk_py2_wheel_path = " $( addprefix $( PYTHON_WHEELS_PATH) /,$( SWSSSDK_PY2) ) "
2018-01-17 19:11:31 -06:00
export platform_common_py2_wheel_path = " $( addprefix $( PYTHON_WHEELS_PATH) /,$( SONIC_PLATFORM_COMMON_PY2) ) "
2018-11-20 21:27:56 -06:00
export redis_dump_load_py2_wheel_path = " $( addprefix $( PYTHON_WHEELS_PATH) /,$( REDIS_DUMP_LOAD_PY2) ) "
2019-07-04 00:13:55 -05:00
export install_debug_image = " $( INSTALL_DEBUG_TOOLS) "
2018-03-27 15:39:04 -05:00
2017-01-29 13:33:33 -06:00
$( foreach docker, $( $* _DOCKERS) ,\
export docker_image = " $( docker) "
export docker_image_name = " $( basename $( docker) ) "
[build]: Build sonic-broadcom.bin using debug dockers for all stretch based dockers (#2833)
* Updated Makefile infrastructure to build debug images.
As a sample, platform/broadcom/docker-orchagent-brcm.mk is updated to add a docker-orchagent-brcm-dbg.gz target.
Now "BLDENV=stretch make target/docker-orchagent-brcm-dbg.gz" will build the debug image.
NOTE: If you don't specify NOSTRETCH=1, it implicitly calls "make stretch", which builds all stretch targets, and that would include debug dockers too.
This debug image can be used on any Linux box to inspect a core file. If your module's external dependency can be suitably mocked, you may even manually run it inside.
"docker run -it --entrypoint=/bin/bash e47a8fb8ed38"
You may map the core file path to this docker run.
* Dropped the regular binary using DBG_PACKAGES and a small name change to help readability.
* Tweaked the changes to retain the existing behavior w.r.t INSTALL_DEBUG_TOOLS=y.
When this change ('building debug docker image transparently') is extended to all dockers, this flag would become redundant. Yet, there can be some test based use cases that rely on this flag.
Until after all the dockers gets their debug images by default and we switch all use cases of this flag to use the newly built debug images, we need to maintain the existing behavior.
* 1) slave.mk - Dropped unused Docker build args
2) Debug template builder: renamed build_dbg_j2.sh to build_debug_docker_j2.sh
3) Dropped insignificant statement CMD from debug Docker file, as base docker has Entrypoint.
* Reverted some changes, per review comments.
"User, uid, guid, frr-uid & frr-guid" are required for all docker images, with exception of debug images.
* Get in sync with the new update that filters out dockers to be built (SONIC_STRETCH_DOCKERS_FOR_INSTALLERS) and build debug-dockers only for those to be built and debug target is available.
* Make a template for each target that can be shared by all platforms.
Where needed a platform entry can override the template.
This avoids duplication, hence easier to maintain.
* A small change, that can fit better with other targets too.
Just take the platform code and do the rest in template.
* Extended debug to all stretch based docker images
* 1) Combined all orchagent makefiles into one platform independent make under rules/docker-orchagent.mk
2) Extended debug image to all stretch dockers
* Changes per review comments:
1) Dropped LIBSAIREDIS_DBG from database, teamd, router-advertiser, telemetry, and platform-monitor docker*.mk files from _DBG_DEPENDS list
2) W.r.t docker make for syncd, moved DEPENDS from template to specific makefile and let the template has stuff that is applicable to all.
* 1) Corrected a copy/paste mistake
* Fixed a copy/paste bug
* The base syncd dockers follow a template, which defines the base docker as DOCKER_SYNCD_BASE instead of DOCKER_SYNCD_<platform code>. Fix the docker-syncd-<mlnx, bfn>.mk to use the new one.
[Yet to be tested locally]
* Fixed spelling mistake
* Enable build of dbg-sonic-broadcom.bin, which uses dbg-dockers in place of regular dockers, for dockers that build debug version. For dockers that do not build debug version, it uses the regular docker.
This debug bin is installable and usable in a DUT, just like a regular bin.
* Per review comments:
1) Share a single rule for final image for normal & debug flavors (e.g. sonic-broadcom.bin & sonic-broadcom-dbg.bin)
2) Put dbg as suffix in final image name.
3) Compared target/sonic-broadcom.bin.logs with & w/o fix to verify integrity of sonic-broadcom.bin
4) Compared target/sonic-broadcom.bin.logs with sonic-broadcom-dbg.bin.log for verification
This fix takes care of ONIE image only. The next PR will cover the rest.
The next PR, will also make debug image conditional with flag.
* Updated per comments.
Now that debug dockers are available, do not need a way to install debug symbols in regular dockers.
With this commit, when INSTALL_DEBUG_TOOLS=y is set, it builds debug dockers (for dockers that enable debug build) and the final image uses debug dockers. For dockers that do not enable debug build, regular dockers get used in the final image.
Note:
The debug dockers are explicitly named as <docker name>-dbg.gz. But there is no "-dbg" suffix for image.
Hence if you make two runs with and w/o INSTALL_DEBUG_TOOLS=y, you have complete set of regular dockers + debug dockers. But the image gets overwritten.
Hence if both regular & debug images are needed, make two runs, as one with INSTALL_DEBUG_TOOLS=y and one w/o. Make sure to copy/rename the final image, before making the second run.
2019-06-12 03:36:21 -05:00
export docker_container_name = " $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) "
$( eval $( docker:-dbg.gz= .gz) _RUN_OPT += $( $( docker:-dbg.gz= .gz) _$( $* _IMAGE_TYPE) _RUN_OPT) )
export docker_image_run_opt = " $( $( docker:-dbg.gz= .gz) _RUN_OPT) "
j2 files/build_templates/docker_image_ctl.j2 > $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .sh
if [ -f files/build_templates/$( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .service.j2 ] ; then
j2 files/build_templates/$( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .service.j2 > $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .service
fi
chmod +x $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .sh
)
export installer_start_scripts = " $( foreach docker, $( $* _DOCKERS) ,$( addsuffix .sh, $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) ) ) "
export installer_services = " $( foreach docker, $( $* _DOCKERS) ,$( addsuffix .service, $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) ) ) "
export installer_extra_files = " $( foreach docker, $( $* _DOCKERS) , $( foreach file, $( $( docker:-dbg.gz= .gz) _BASE_IMAGE_FILES) , $( $( docker:-dbg.gz= .gz) _PATH) /base_image_files/$( file) ) ) "
j2 -f env files/initramfs-tools/union-mount.j2 onie-image.conf > files/initramfs-tools/union-mount
j2 -f env files/initramfs-tools/arista-convertfs.j2 onie-image.conf > files/initramfs-tools/arista-convertfs
$( if $( $* _DOCKERS) ,
j2 files/build_templates/sonic_debian_extension.j2 > sonic_debian_extension.sh
chmod +x sonic_debian_extension.sh,
)
DEBUG_IMG = " $( INSTALL_DEBUG_TOOLS) " \
DEBUG_SRC_ARCHIVE_DIRS = " $( DBG_SRC_ARCHIVE) " \
DEBUG_SRC_ARCHIVE_FILE = " $( DBG_SRC_ARCHIVE_FILE) " \
scripts/dbg_files.sh
DEBUG_IMG = " $( INSTALL_DEBUG_TOOLS) " \
DEBUG_SRC_ARCHIVE_FILE = " $( DBG_SRC_ARCHIVE_FILE) " \
[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary
We display the contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while the
image can be built with USERNAME and/or PASSWORD given on the make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are a couple of issues with the current implementation of default
user account management in the baseimage:
1) It uses DES to encrypt the account's password. Furthermore, this
effectively limits the password length to 8 symbols, even if more are
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) The salt value for the password is the same on all builds, even with a
different password, which increases the attack surface.
3) During the build process the password is passed as a command line parameter,
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh), and can be seen by
non-build users through the /proc/<pid>/cmdline file, which has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by default uses DES if the salt does not have the format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since the salt is different, the hashes for the same password are different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 13:29:16 -05:00
USERNAME = " $( USERNAME) " \
PASSWORD = " $( PASSWORD) " \
./build_debian.sh $( LOG)
USERNAME = " $( USERNAME) " \
PASSWORD = " $( PASSWORD) " \
TARGET_MACHINE = $( $* _MACHINE) \
IMAGE_TYPE = $( $* _IMAGE_TYPE) \
./build_image.sh $( LOG)
$( foreach docker, $( $* _DOCKERS) , \
rm -f $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .sh
rm -f $( $( docker:-dbg.gz= .gz) _CONTAINER_NAME) .service
)
$( if $( $* _DOCKERS) ,
rm sonic_debian_extension.sh,
)
chmod a+x $@
$( FOOTER)
# Append every installer, prefixed with $(TARGET_PATH)/, to SONIC_TARGET_LIST.
SONIC_TARGET_LIST += $(patsubst %,$(TARGET_PATH)/%,$(SONIC_INSTALLERS))
###############################################################################
## Clean targets
###############################################################################
# "<deb>-clean" target names, one per Debian package under $(DEBS_PATH).
# Kept recursive (=) so the package lists are read when the variable is
# expanded, not when this line is parsed.
SONIC_CLEAN_DEBS = $(addprefix $(DEBS_PATH)/,$(addsuffix -clean, \
    $(SONIC_ONLINE_DEBS) \
    $(SONIC_COPY_DEBS) \
    $(SONIC_MAKE_DEBS) \
    $(SONIC_DPKG_DEBS) \
    $(SONIC_DERIVED_DEBS) \
    $(SONIC_EXTRA_DEBS)))
# "<file>-clean" target names, one per entry of the online, copy and make
# file lists, addressed under $(FILES_PATH).
SONIC_CLEAN_FILES = $(addprefix $(FILES_PATH)/,$(addsuffix -clean, \
    $(SONIC_ONLINE_FILES) \
    $(SONIC_COPY_FILES) \
    $(SONIC_MAKE_FILES)))
# Static pattern rule for "<deb>-clean". The second-expanded prerequisite runs
# the -clean target of the package named by <deb>_MAIN_DEB first (if that
# variable is set). The recipe then removes <deb> together with its derived
# and extra packages, because they are treated as part of one package.
$(SONIC_CLEAN_DEBS) : $(DEBS_PATH)/%-clean : .platform $$(addsuffix -clean,$$(addprefix $(DEBS_PATH)/,$$($$*_MAIN_DEB)))
	@rm -f $(DEBS_PATH)/$* $(addprefix $(DEBS_PATH)/,$($*_DERIVED_DEBS) $($*_EXTRA_DEBS))
# Static pattern rule for "<file>-clean": delete the file with the matching
# stem from $(FILES_PATH). rm -f keeps the recipe quiet when it is already gone.
$(SONIC_CLEAN_FILES) : $(FILES_PATH)/%-clean : .platform
	@rm -f $(FILES_PATH)/$*
# "<target>-clean" names for the regular, debug and simple docker images and
# for the installers under $(TARGET_PATH); appended to any earlier value.
SONIC_CLEAN_TARGETS += $(addprefix $(TARGET_PATH)/,$(addsuffix -clean, \
    $(SONIC_DOCKER_IMAGES) \
    $(SONIC_DOCKER_DBG_IMAGES) \
    $(SONIC_SIMPLE_DOCKER_IMAGES) \
    $(SONIC_INSTALLERS)))

# Static pattern rule: delete the file with the matching stem from $(TARGET_PATH).
$(SONIC_CLEAN_TARGETS) : $(TARGET_PATH)/%-clean : .platform
	@rm -f $(TARGET_PATH)/$*
# "<deb>-clean" names for the stdeb-built Python packages under $(PYTHON_DEBS_PATH).
SONIC_CLEAN_STDEB_DEBS = $(addprefix $(PYTHON_DEBS_PATH)/,$(addsuffix -clean, \
    $(SONIC_PYTHON_STDEB_DEBS)))

# Static pattern rule: delete the file with the matching stem from $(PYTHON_DEBS_PATH).
$(SONIC_CLEAN_STDEB_DEBS) : $(PYTHON_DEBS_PATH)/%-clean : .platform
	@rm -f $(PYTHON_DEBS_PATH)/$*
# "<wheel>-clean" names for the Python wheels under $(PYTHON_WHEELS_PATH).
SONIC_CLEAN_WHEELS = $(addprefix $(PYTHON_WHEELS_PATH)/,$(addsuffix -clean, \
    $(SONIC_PYTHON_WHEELS)))

# Static pattern rule: delete the file with the matching stem from $(PYTHON_WHEELS_PATH).
$(SONIC_CLEAN_WHEELS) : $(PYTHON_WHEELS_PATH)/%-clean : .platform
	@rm -f $(PYTHON_WHEELS_PATH)/$*
# Remove the *.log files from each output directory. The globs are expanded
# by the shell, and rm -f does not fail when a directory holds no logs.
clean-logs : .platform
	@rm -f $(TARGET_PATH)/*.log \
	       $(DEBS_PATH)/*.log \
	       $(FILES_PATH)/*.log \
	       $(PYTHON_DEBS_PATH)/*.log \
	       $(PYTHON_WHEELS_PATH)/*.log
# Aggregate clean: logs first, then every per-artifact "-clean" target.
# The $$(...) lists are resolved during second expansion.
clean : .platform clean-logs \
        $$(SONIC_CLEAN_DEBS) \
        $$(SONIC_CLEAN_FILES) \
        $$(SONIC_CLEAN_TARGETS) \
        $$(SONIC_CLEAN_STDEB_DEBS) \
        $$(SONIC_CLEAN_WHEELS)
###############################################################################
## all
###############################################################################
# Build every entry of SONIC_ALL under $(TARGET_PATH). The list is resolved
# during second expansion.
all : .platform \
      $$(addprefix $(TARGET_PATH)/,$$(SONIC_ALL))
# Aggregate goal for the stretch build: its debs, files, and the regular and
# debug dockers needed by the installers. Lists are resolved during second
# expansion.
stretch : \
    $$(addprefix $(DEBS_PATH)/,$$(SONIC_STRETCH_DEBS)) \
    $$(addprefix $(FILES_PATH)/,$$(SONIC_STRETCH_FILES)) \
    $$(addprefix $(TARGET_PATH)/,$$(SONIC_STRETCH_DOCKERS_FOR_INSTALLERS)) \
    $$(addprefix $(TARGET_PATH)/,$$(SONIC_STRETCH_DBG_DOCKERS_FOR_INSTALLERS))
# Aggregate goal for the jessie build: the jessie dockers needed by the
# installers, resolved during second expansion.
jessie : \
    $$(addprefix $(TARGET_PATH)/,$$(SONIC_JESSIE_DOCKERS_FOR_INSTALLERS))
###############################################################################
## Standard targets
###############################################################################
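# Targets that never name a real file. clean-logs, all, stretch and jessie are
# listed too, so that a stray file or directory with one of those names cannot
# make the goal look up to date and silently skip the work.
# NOTE(review): confirm no rule outside this section lists all, stretch or
# jessie as a normal prerequisite; a phony prerequisite always forces a rebuild.
.PHONY : $(SONIC_CLEAN_DEBS) \
         $(SONIC_CLEAN_FILES) \
         $(SONIC_CLEAN_TARGETS) \
         $(SONIC_CLEAN_STDEB_DEBS) \
         $(SONIC_CLEAN_WHEELS) \
         $(SONIC_PHONY_TARGETS) \
         clean clean-logs distclean configure \
         all stretch jessie

# Install/load helper targets and .platform are declared intermediate.
.INTERMEDIATE : $(SONIC_INSTALL_TARGETS) $(SONIC_INSTALL_WHEELS) $(DOCKER_LOAD_TARGETS) docker-start .platform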