[dockers]: Upgrade SNMP docker to stretch build (#2620)
* [dockers]: Upgrade SNMP docker to stretch build
* Removed patch -> 0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
* update platform-common submodule
* adding PyYAML package to stretch dockerfile
* Installing redis package via pip in stretch dockerfile
* again updating platform-common submodule
* revert back the snmpd version to 5.7.3+dfsg-1.5
* upgrading the snmpd version to 5.7.3+dfsg-1.7+deb9u1 with openssl backport support
* update sonic-snmpagent submodule
* purge libdpkg-perl package in Dockerfile
* revert back the snmpd version to 5.7.3+dfsg-1.5
* minor change in series file
parent
6a4ffef1fd
commit
e798b9389f
@ -1,4 +1,4 @@
|
||||
FROM docker-config-engine
|
||||
FROM docker-config-engine-stretch
|
||||
|
||||
ARG docker_container_name
|
||||
RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
|
||||
@ -19,6 +19,10 @@ RUN apt-get install -y curl ca-certificates
|
||||
# Install gcc which is required for installing hiredis
|
||||
RUN apt-get install -y gcc make
|
||||
|
||||
# Install libdpkg-perl which is required for python3.6-3.6.0 as one of its specs i.e. no-pie-compile.specs
|
||||
# The file referenced (`/usr/share/dpkg/no-pie-compile.specs`) is in the `libdpkg-perl` package on Debian
|
||||
RUN apt-get install -y libdpkg-perl
|
||||
|
||||
{% if docker_snmp_sv2_debs.strip() -%}
|
||||
# Copy locally-built Debian package dependencies
|
||||
{%- for deb in docker_snmp_sv2_debs.split(' ') %}
|
||||
@ -56,7 +60,7 @@ RUN pip install /python-wheels/{{ whl }}
|
||||
RUN python3.6 -m sonic_ax_impl install
|
||||
|
||||
# Clean up
|
||||
RUN apt-get -y purge libpython3.6-dev curl gcc make
|
||||
RUN apt-get -y purge libpython3.6-dev curl gcc make libdpkg-perl
|
||||
RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y --purge
|
||||
RUN find / | grep -E "__pycache__" | xargs rm -rf
|
||||
RUN rm -rf /debs /python-wheels ~/.cache
|
||||
|
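Review bot: Purging `libdpkg-perl` in the later `RUN apt-get -y purge ...` step does not take it out of the layer created by `RUN apt-get install -y libdpkg-perl`, so unless the image build squashes layers the package (like gcc and make before it) still ships in the image's layer history. If it is only needed while the Python 3.6 packages are being built, doing the install, the build and the purge in a single `RUN` chain would keep the build tooling out of the shipped layers. The steps between the install and the purge fall outside the visible hunks, so the exact chain needs checking against the full Dockerfile.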
@ -5,9 +5,10 @@ $(DOCKER_SNMP_SV2)_PATH = $(DOCKERS_PATH)/docker-snmp-sv2
|
||||
## TODO: remove LIBPY3_DEV if we can get pip3 directly
|
||||
$(DOCKER_SNMP_SV2)_DEPENDS += $(SNMP) $(SNMPD) $(PY3) $(LIBPY3_DEV)
|
||||
$(DOCKER_SNMP_SV2)_PYTHON_WHEELS += $(SONIC_PLATFORM_COMMON_PY3) $(SWSSSDK_PY3) $(ASYNCSNMP_PY3)
|
||||
$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE)
|
||||
$(DOCKER_SNMP_SV2)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH)
|
||||
SONIC_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
|
||||
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SNMP_SV2)
|
||||
SONIC_STRETCH_DOCKERS += $(DOCKER_SNMP_SV2)
|
||||
|
||||
$(DOCKER_SNMP_SV2)_CONTAINER_NAME = snmp
|
||||
$(DOCKER_SNMP_SV2)_RUN_OPT += --net=host --privileged -t
|
||||
|
@ -259,6 +259,13 @@ RUN pip install j2cli
|
||||
# For sonic utilities testing
|
||||
RUN pip install click-default-group click natsort tabulate netifaces==0.10.7 fastentrypoints
|
||||
|
||||
# For sonic snmpagent mock testing
|
||||
RUN pip3 install mockredispy==2.9.3
|
||||
RUN pip3 install PyYAML>=5.1
|
||||
|
||||
# For sonic-platform-common testing
|
||||
RUN pip3 install redis
|
||||
|
||||
# For supervisor build
|
||||
RUN pip install meld3 mock
|
||||
|
||||
|
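Review bot: In `RUN pip3 install PyYAML>=5.1` the version constraint never reaches pip: this is a shell-form `RUN`, so `/bin/sh` treats `>=5.1` as a redirection and writes pip's output to a file named `=5.1`, while pip installs whatever PyYAML release is current. Quote the requirement, `RUN pip3 install "PyYAML>=5.1"`. The `RUN pip3 install redis` line is also unpinned, unlike `mockredispy==2.9.3` next to it, so the build environment can pick up a different release on each rebuild; pinning a version there would keep the slave image reproducible.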
@ -0,0 +1,184 @@
|
||||
From: Andreas Henriksson <andreas@fatal.se>
|
||||
Date: Sat, 23 Dec 2017 22:25:41 +0000
|
||||
Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2
|
||||
|
||||
Initial support for OpenSSL 1.1.0
|
||||
|
||||
Changes by sebastian@breakpoint.cc:
|
||||
- added OpenSSL 1.0.2 glue layer for backwarts compatibility
|
||||
- dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL
|
||||
version instead (and currently 1.0.2 is the only one supported).
|
||||
|
||||
BTS: https://bugs.debian.org/828449
|
||||
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
|
||||
---
|
||||
apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++-------
|
||||
configure.d/config_os_libs2 | 6 ------
|
||||
snmplib/keytools.c | 13 ++++++-------
|
||||
snmplib/scapi.c | 17 +++++------------
|
||||
4 files changed, 47 insertions(+), 32 deletions(-)
|
||||
|
||||
--- a/apps/snmpusm.c
|
||||
+++ b/apps/snmpusm.c
|
||||
@@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char
|
||||
}
|
||||
|
||||
#if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO)
|
||||
+
|
||||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
+
|
||||
+static void DH_get0_pqg(const DH *dh,
|
||||
+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
|
||||
+{
|
||||
+ if (p != NULL)
|
||||
+ *p = dh->p;
|
||||
+ if (q != NULL)
|
||||
+ *q = dh->q;
|
||||
+ if (g != NULL)
|
||||
+ *g = dh->g;
|
||||
+}
|
||||
+
|
||||
+static void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
|
||||
+ const BIGNUM **priv_key)
|
||||
+{
|
||||
+ if (pub_key != NULL)
|
||||
+ *pub_key = dh->pub_key;
|
||||
+ if (priv_key != NULL)
|
||||
+ *priv_key = dh->priv_key;
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar,
|
||||
size_t outkey_len,
|
||||
@@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va
|
||||
oid *keyoid, size_t keyoid_len) {
|
||||
u_char *dhkeychange;
|
||||
DH *dh;
|
||||
- BIGNUM *other_pub;
|
||||
+ const BIGNUM *p, *g, *pub_key, *other_pub;
|
||||
u_char *key;
|
||||
size_t key_len;
|
||||
|
||||
@@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va
|
||||
dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
|
||||
}
|
||||
|
||||
- if (!dh || !dh->g || !dh->p) {
|
||||
+ if (dh)
|
||||
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||
+
|
||||
+ if (!dh || !g || !p) {
|
||||
SNMP_FREE(dhkeychange);
|
||||
return SNMPERR_GENERR;
|
||||
}
|
||||
|
||||
- DH_generate_key(dh);
|
||||
- if (!dh->pub_key) {
|
||||
+ if (!DH_generate_key(dh)) {
|
||||
SNMP_FREE(dhkeychange);
|
||||
return SNMPERR_GENERR;
|
||||
}
|
||||
|
||||
- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
|
||||
+ DH_get0_key(dh, &pub_key, NULL);
|
||||
+
|
||||
+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
|
||||
SNMP_FREE(dhkeychange);
|
||||
fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
|
||||
- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
|
||||
+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
|
||||
return SNMPERR_GENERR;
|
||||
}
|
||||
|
||||
- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
|
||||
+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
|
||||
|
||||
key_len = DH_size(dh);
|
||||
if (!key_len) {
|
||||
--- a/configure.d/config_os_libs2
|
||||
+++ b/configure.d/config_os_libs2
|
||||
@@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr
|
||||
AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt,
|
||||
AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
|
||||
[Define to 1 if you have the `AES_cfb128_encrypt' function.]))
|
||||
-
|
||||
- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
|
||||
- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
|
||||
- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
|
||||
- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
|
||||
- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
|
||||
fi
|
||||
if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
|
||||
AC_CHECK_LIB(ssl, DTLSv1_method,
|
||||
--- a/snmplib/keytools.c
|
||||
+++ b/snmplib/keytools.c
|
||||
@@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int
|
||||
*/
|
||||
#ifdef NETSNMP_USE_OPENSSL
|
||||
|
||||
-#ifdef HAVE_EVP_MD_CTX_CREATE
|
||||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
ctx = EVP_MD_CTX_create();
|
||||
#else
|
||||
- ctx = malloc(sizeof(*ctx));
|
||||
- if (!EVP_MD_CTX_init(ctx))
|
||||
- return SNMPERR_GENERR;
|
||||
+ ctx = EVP_MD_CTX_new();
|
||||
#endif
|
||||
+ if (!ctx)
|
||||
+ return SNMPERR_GENERR;
|
||||
#ifndef NETSNMP_DISABLE_MD5
|
||||
if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
|
||||
if (!EVP_DigestInit(ctx, EVP_md5()))
|
||||
@@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int
|
||||
memset(buf, 0, sizeof(buf));
|
||||
#ifdef NETSNMP_USE_OPENSSL
|
||||
if (ctx) {
|
||||
-#ifdef HAVE_EVP_MD_CTX_DESTROY
|
||||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_cleanup(ctx);
|
||||
- free(ctx);
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
--- a/snmplib/scapi.c
|
||||
+++ b/snmplib/scapi.c
|
||||
@@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has
|
||||
}
|
||||
|
||||
/** initialize the pointer */
|
||||
-#ifdef HAVE_EVP_MD_CTX_CREATE
|
||||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
cptr = EVP_MD_CTX_create();
|
||||
#else
|
||||
- cptr = malloc(sizeof(*cptr));
|
||||
-#if defined(OLD_DES)
|
||||
- memset(cptr, 0, sizeof(*cptr));
|
||||
-#else
|
||||
- EVP_MD_CTX_init(cptr);
|
||||
-#endif
|
||||
+ cptr = EVP_MD_CTX_new();
|
||||
#endif
|
||||
if (!EVP_DigestInit(cptr, hashfn)) {
|
||||
/* requested hash function is not available */
|
||||
@@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has
|
||||
/** do the final pass */
|
||||
EVP_DigestFinal(cptr, MAC, &tmp_len);
|
||||
*MAC_len = tmp_len;
|
||||
-#ifdef HAVE_EVP_MD_CTX_DESTROY
|
||||
+
|
||||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
EVP_MD_CTX_destroy(cptr);
|
||||
#else
|
||||
-#if !defined(OLD_DES)
|
||||
- EVP_MD_CTX_cleanup(cptr);
|
||||
-#endif
|
||||
- free(cptr);
|
||||
+ EVP_MD_CTX_free(cptr);
|
||||
#endif
|
||||
return (rval);
|
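Review bot: In the `sc_hash` hunk of `snmplib/scapi.c` the result of `EVP_MD_CTX_create()` / `EVP_MD_CTX_new()` is passed straight to `EVP_DigestInit(cptr, hashfn)` without a NULL check, whereas the `generate_Ku` hunk in `snmplib/keytools.c` adds `if (!ctx) return SNMPERR_GENERR;` after the same allocation. If the allocation fails, that likely ends in a NULL dereference inside libcrypto rather than a clean error return. Adding `if (!cptr) return SNMPERR_GENERR;` after the `#endif` would make the two call sites agree. `sc_hash` starts and ends outside the hunk, so check whether anything acquired earlier in the function needs releasing on that path.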
@ -2,3 +2,4 @@
|
||||
0002-at.c-properly-check-return-status-from-realloc.-Than.patch
|
||||
0003-CHANGES-BUG-2743-snmpd-crashes-when-receiving-a-GetN.patch
|
||||
0004-Disable-SNMPv1.patch
|
||||
0005-Port-OpenSSL-1.1.0-with-support-for-1.0.2.patch
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit 4944a64c39809685ce8daa864643b5a6c9847e43
|
||||
Subproject commit 92b54b1984db0b71196e4fe68cc5a09796fd185c
|
@ -1 +1 @@
|
||||
Subproject commit bd41744dc213e122d4e60709fdd1368c6d832d01
|
||||
Subproject commit 70a6c7dad4fcfa750fb4d4efbf267842d19ca8ef
|