[config/acl] Get ACL config from DHCP and load it in swss container (#432)

Get ACL config from DHCP and load it in swss container
This commit is contained in:
Taoyu Li 2017-03-29 13:33:54 -07:00 committed by GitHub
parent 4359f137f4
commit 4546372f48
5 changed files with 50 additions and 3 deletions

View File

@ -12,6 +12,18 @@ function start_app {
done done
} }
function config_acl {
if [ -f "/etc/sonic/acl.json" ]; then
mkdir -p /etc/swss/config.d/acl
rm -rf /etc/swss/config.d/acl/*
translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
for filename in /etc/swss/config.d/acl/*.json; do
[ -e "$filename" ] || break
swssconfig $filename
done
fi
}
function clean_up { function clean_up {
pkill -9 orchagent pkill -9 orchagent
pkill -9 portsyncd pkill -9 portsyncd
@ -60,6 +72,7 @@ while true; do
result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p` result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p`
if [ "$result" != "0" ]; then if [ "$result" != "0" ]; then
start_app start_app
config_acl
read read
fi fi
sleep 1 sleep 1

View File

@ -14,11 +14,12 @@
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option snmp-community code 224 = text; option snmp-community code 224 = text;
option minigraph-url code 225 = text; option minigraph-url code 225 = text;
option acl-url code 226 = text;
send host-name = gethostname(); send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers, request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name, domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.name-servers, dhcp6.domain-search,
netbios-name-servers, netbios-scope, interface-mtu, netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url; rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url, acl-url;

View File

@ -5,5 +5,8 @@ case $reason in
else else
echo "N/A" > /tmp/dhcp_graph_url echo "N/A" > /tmp/dhcp_graph_url
fi fi
if [ -n "$new_acl_url" ]; then
echo $new_acl_url > /tmp/dhcp_acl_url
fi
;; ;;
esac esac

View File

@ -12,6 +12,8 @@ if [ "$enabled" != "true" ]; then
exit 0 exit 0
fi fi
ACL_URL=$acl_src
if [ "$src" = "dhcp" ]; then if [ "$src" = "dhcp" ]; then
while [ ! -f /tmp/dhcp_graph_url ]; do while [ ! -f /tmp/dhcp_graph_url ]; do
echo "Waiting for DHCP response..." echo "Waiting for DHCP response..."
@ -38,6 +40,18 @@ if [ "$src" = "dhcp" ]; then
sed -i "/src=/d" /etc/sonic/updategraph.conf sed -i "/src=/d" /etc/sonic/updategraph.conf
echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf
fi fi
if [ -f /tmp/dhcp_acl_url ]; then
ACL_URL=`sonic-cfggen -t /tmp/dhcp_acl_url -a "{\"hostname\": \"$HOSTNAME\"}"`
if [[ ! $ACL_URL =~ $URL_REGEX ]]; then
echo "\"$ACL_URL\" is not a valid url. Skipping acl update."
ACL_URL=""
fi
if [ "$dhcp_as_static" = "true" ]; then
sed -i "/acl_src=/d" /etc/sonic/updategraph.conf
echo "acl_src=\"$ACL_URL\"" >> /etc/sonic/updategraph.conf
fi
fi
else else
GRAPH_URL=$src GRAPH_URL=$src
fi fi
@ -53,3 +67,19 @@ while true; do
curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break
sleep 5 sleep 5
done done
if [ -n "$ACL_URL" ]; then
if [ -f /etc/sonic/acl.json ]; then
echo "Renaming acl.json to acl.json.old"
mv /etc/sonic/acl.json /etc/sonic/acl.json.old
fi
echo "Getting ACL config from $ACL_URL"
while true; do
curl -f $ACL_URL -o /etc/sonic/acl.json --connect-timeout 15 && break
sleep 5
done
else
echo "Skip ACL config download."
fi

View File

@ -129,7 +129,6 @@ def translate_acl_fixed_port(filename, output_path, port, max_priority):
def translate_acl(filename, output_path, attach_to, max_priority): def translate_acl(filename, output_path, attach_to, max_priority):
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl") yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
print attach_to.keys()
for aclsetname in yang_acl.acl.acl_sets.acl_set: for aclsetname in yang_acl.acl.acl_sets.acl_set:
tablename = aclsetname.replace(" ", "_").replace("-", "_") tablename = aclsetname.replace(" ", "_").replace("-", "_")
if attach_to.has_key(tablename): if attach_to.has_key(tablename):
@ -151,7 +150,8 @@ def main():
translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority) translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
elif args.minigraph: elif args.minigraph:
mini_data = parse_xml(args.minigraph) mini_data = parse_xml(args.minigraph)
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority) if mini_data['minigraph_acls']:
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)
if __name__ == "__main__": if __name__ == "__main__":
main() main()