[MACsec]: Set MACsec feature to be auto-start (#6678)

1. Add supervisord as the entrypoint of docker-macsec 2. Add wpa_supplicant conf into docker-macsec 3. Set the macsecmgrd as the critical_process 4. Configure supervisor to monitor macsecmgrd 5. Set macsec in the features list 6. Add config variable `INCLUDE_MACSEC` 7. Add macsec.service **- How to verify it** Change the `/etc/sonic/config_db.json` as follow ``` { "PORT": { "Ethernet0": { ... "macsec": "test" } } ... "MACSEC_PROFILE": { "test": { "priority": 64, "cipher_suite": "GCM-AES-128", "primary_cak": "0123456789ABCDEF0123456789ABCDEF", "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435", "policy": "security" } } } ``` To execute `sudo config reload -y`, We should find the following new items were inserted in app_db of redis ``` 127.0.0.1:6379> keys *MAC* 1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 2) "MACSEC_PORT_TABLE:Ethernet0" 127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 1) "ssci" 2) "" 3) "encoding_an" 4) "0" 127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0" 1) "enable" 2) "false" 3) "cipher_suite" 4) "GCM-AES-128" 5) "enable_protect" 6) "true" 7) "enable_encrypt" 8) "true" 9) "enable_replay_protect" 10) "false" 11) "replay_window" 12) "0" ``` Signed-off-by: Ze Gan <ganze718@gmail.com>
2021-02-24 05:22:45 +08:00 · 2021-02-24 05:22:45 +08:00 · 4068944202
commit 4068944202
parent 8ec75803a7
10 changed files with 75 additions and 5 deletions
--- a/dockers/docker-macsec/Dockerfile.j2
+++ b/dockers/docker-macsec/Dockerfile.j2
@ -26,5 +26,6 @@ COPY ["start.sh", "/usr/bin/"]
 COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
 COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
 COPY ["critical_processes", "/etc/supervisor"]
+COPY ["etc/wpa_supplicant.conf", "/etc/wpa_supplicant.conf"]

-# ENTRYPOINT ["/usr/bin/supervisord"]
+ENTRYPOINT ["/usr/local/bin/supervisord"]
--- a/dockers/docker-macsec/critical_processes
+++ b/dockers/docker-macsec/critical_processes
@ -0,0 +1 @@
+program:macsecmgrd
--- a/dockers/docker-macsec/etc/wpa_supplicant.conf
+++ b/dockers/docker-macsec/etc/wpa_supplicant.conf
@ -0,0 +1,3 @@
+eapol_version=3
+ap_scan=0
+fast_reauth=1
--- a/dockers/docker-macsec/supervisord.conf
+++ b/dockers/docker-macsec/supervisord.conf
@ -0,0 +1,38 @@
+[supervisord]
+logfile_maxbytes=1MB
+logfile_backups=2
+nodaemon=true
+
+[eventlistener:dependent-startup]
+command=python3 -m supervisord_dependent_startup
+autostart=true
+autorestart=unexpected
+startretries=0
+exitcodes=0,3
+events=PROCESS_STATE
+buffer_size=25
+
+[eventlistener:supervisor-proc-exit-listener]
+command=/usr/bin/supervisor-proc-exit-listener --container-name macsec
+events=PROCESS_STATE_EXITED,PROCESS_STATE_RUNNING
+autostart=true
+autorestart=unexpected
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n -iNONE
+priority=1
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+
+[program:macsecmgrd]
+command=/usr/bin/macsecmgrd
+priority=2
+autostart=false
+autorestart=false
+stdout_logfile=syslog
+stderr_logfile=syslog
+dependent_startup=true
+dependent_startup_wait_for=rsyslogd:running
--- a/files/build_templates/init_cfg.json.j2
+++ b/files/build_templates/init_cfg.json.j2
@ -34,6 +34,7 @@
 {%- if include_nat == "y" %}{% do features.append(("nat", "disabled", false, "enabled")) %}{% endif %}
 {%- if include_restapi == "y" %}{% do features.append(("restapi", "enabled", false, "enabled")) %}{% endif %}
 {%- if include_sflow == "y" %}{% do features.append(("sflow", "disabled", false, "enabled")) %}{% endif %}
+{%- if include_macsec == "y" %}{% do features.append(("macsec", "disabled", false, "enabled")) %}{% endif %}
 {%- if include_system_telemetry == "y" %}{% do features.append(("telemetry", "enabled", true, "enabled")) %}{% endif %}
    "FEATURE": {
 {# has_timer field if set, will start the feature systemd .timer unit instead of .service unit #}
--- a/files/build_templates/macsec.service.j2
+++ b/files/build_templates/macsec.service.j2
@ -0,0 +1,17 @@
+[Unit]
+Description=MACsec container
+Requires=swss.service
+After=swss.service syncd.service
+StartLimitIntervalSec=1200
+StartLimitBurst=3
+
+[Service]
+User=root
+ExecStartPre=/usr/bin/macsec.sh start
+ExecStart=/usr/bin/macsec.sh wait
+ExecStop=/usr/bin/macsec.sh stop
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- a/rules/config
+++ b/rules/config
@ -146,6 +146,9 @@ INCLUDE_NAT = y
 # run as worker node in kubernetes cluster.
 INCLUDE_KUBERNETES = n

+# INCLUDE_MACSEC - build docker-macsec for macsec support
+INCLUDE_MACSEC = y
+
 # KUBERNETES_VERSION - Set to the required version.
 # K8s_GCR_IO_PAUSE_VERSION - Version of k8s universal pause container image
 # These are Used *only* when INCLUDE_KUBERNETES=y
--- a/rules/docker-macsec.mk
+++ b/rules/docker-macsec.mk
@ -16,17 +16,18 @@ $(DOCKER_MACSEC)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE
 $(DOCKER_MACSEC)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER)

 SONIC_DOCKER_IMAGES += $(DOCKER_MACSEC)
+ifeq ($(INCLUDE_MACSEC), y)
 SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_MACSEC)
-SONIC_BUSTER_DOCKERS += $(DOCKER_MACSEC)
+endif

 SONIC_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
+ifeq ($(INCLUDE_MACSEC), y)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)
-SONIC_BUSTER_DBG_DOCKERS += $(DOCKER_MACSEC_DBG)
+endif

 $(DOCKER_MACSEC)_CONTAINER_NAME = macsec
 $(DOCKER_MACSEC)_RUN_OPT += --privileged -t
 $(DOCKER_MACSEC)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_MACSEC)_RUN_OPT += -v /host/warmboot:/var/warmboot

-# $(DOCKER_MACSEC)_BASE_IMAGE_FILES += macsecctl:/usr/bin/macsecctl
 $(DOCKER_MACSEC)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
--- a/slave.mk
+++ b/slave.mk
@ -138,6 +138,9 @@ ifeq ($(SONIC_INCLUDE_NAT),y)
 INCLUDE_NAT = y
 endif

+ifeq ($(SONIC_INCLUDE_MACSEC),y)
+INCLUDE_MACSEC = y
+endif

 include $(RULES_PATH)/functions

@ -252,6 +255,7 @@ $(info "INCLUDE_RESTAPI"                 : "$(INCLUDE_RESTAPI)")
 $(info "INCLUDE_SFLOW"                   : "$(INCLUDE_SFLOW)")
 $(info "INCLUDE_NAT"                     : "$(INCLUDE_NAT)")
 $(info "INCLUDE_KUBERNETES"              : "$(INCLUDE_KUBERNETES)")
+$(info "INCLUDE_MACSEC"                  : "$(INCLUDE_MACSEC)")
 $(info "TELEMETRY_WRITABLE"              : "$(TELEMETRY_WRITABLE)")
 $(info "PDDF_SUPPORT"                    : "$(PDDF_SUPPORT)")
 $(info )
@ -892,6 +896,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 	export include_restapi="$(INCLUDE_RESTAPI)"
 	export include_nat="$(INCLUDE_NAT)"
 	export include_sflow="$(INCLUDE_SFLOW)"
+	export include_macsec="$(INCLUDE_MACSEC)"
 	export include_mgmt_framework="$(INCLUDE_MGMT_FRAMEWORK)"
 	export include_iccpd="$(INCLUDE_ICCPD)"
 	export pddf_support="$(PDDF_SUPPORT)"
--- a/src/wpasupplicant/sonic-wpa-supplicant
+++ b/src/wpasupplicant/sonic-wpa-supplicant
@ -1 +1 @@
-Subproject commit 3b330db4a331d591cea5a1f3e820435181625793
+Subproject commit 7b6c1604a5e0fa5cf092d844eb7c2a64ae2b8ea6