Commit Graph

637 Commits

Author SHA1 Message Date
xumia
a6437d8ab6
[202305] Support FIPS for armhf (#18283)
* [Security] Fix the krb5 vulnerability issue (#17914)

### Why I did it
Fix the krb5 vulnerable issue
CVE-2021-36222  allows remote attackers to cause a NULL pointer dereference and daemon crash
CVE-2021-37750  NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
DSA 5286-1  remote code execution

##### Work item tracking
- Microsoft ADO **(number only)**: 26577929

#### How I did it
Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.

* [Build] Fix krb5 package not found issue (#17926)

Why I did it
Fix the build issue caused by the wrong version specified.

See the build error logs:

Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
--2024-01-26 11:38:23--  https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
HTTP request sent, awaiting response... 404 The specified blob does not exist.
2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..

Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
make[1]: Leaving directory '/sonic/src/sonic-fips'
Work item tracking
Microsoft ADO (number only): 26577929
The package not installed but PR passed issue is traced in another issue #17927

How I did it
Add the libkrb5-dev and the depended packages to fix docker-sonic-vs build failure.
The package libzmq3-dev has dependency on the libkrb5-dev.

* [202305] Support FIPS for armhf

* Remove no use mirror

* Fix fips options issue
2024-03-09 11:39:12 +08:00
Liu Shilong
ac82e2f824 [build] Update debootstrap version from deb11u1 to deb11u2 (#18185)
Why I did it
deb11u1 is deprecated.
Use deb11u2 instead.
Other branches are not impacted, because their reproducible build version files are up to date.

Work item tracking
Microsoft ADO (number only): 26964185
How I did it
How to verify it
2024-03-06 07:00:54 +08:00
Zain Budhwani
7c88542d6e
Disable eventd and rsyslog plugin in slim images (#17905) (#17972)
Disable eventd at buildtime for slim images

- Microsoft ADO **(number only)**:26386286

Add flags for disabling eventd and only copy rsyslog conf files when eventd is included and not slim image

Manual testing
2024-02-01 10:14:20 +08:00
StormLiangMS
2c28502ddd
Revert "Share docker image and use telemetry container for 202305 (#17255)" (#17356)
This reverts commit 2c7d53e5fb.
2023-11-30 20:41:38 +08:00
ganglv
2c7d53e5fb
Share docker image and use telemetry container for 202305 (#17255)
Why I did it
Need to share docker image for telemetry and gnmi, and only use telemetry container for 202305 branch

Work item tracking
Microsoft ADO (number only):
How I did it
Add a new docker image, base-gnmi, build sonic-gnmi and sonic-telemetry on this docker image.
Enable telemetry container.

How to verify it
Run end to end test for telemetry and gnmi.
2023-11-24 11:22:48 +08:00
ganglv
733a902a70
Revert "[202305] Share image for gnmi and telemetry (#17137)" (#17261)
This reverts commit f2a495f7e5.
2023-11-22 23:51:34 +08:00
Mai Bui
52bebb94eb
[202305] [docker-macsec] fix privileged and volumes settings (#17130)
cherry pick #16894

Why I did it
Privileges and volumes were incorrectly set in macsec container. Privileged flag is set to false and volumes are not mounted properly.

admin@vlab-01:~$ docker inspect macsec0 | grep Privi
           "Privileged": false,
admin@vlab-01:~$ docker inspect macsec0 | grep -A 10 Binds
           "Binds": [
               "/var/run/redis0:/var/run/redis:rw",
               "/var/run/redis-chassis:/var/run/redis-chassis:ro",
               "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0/Nokia-IXR7250E-36x100G/0:/usr/share/sonic/hwsku:ro",
               "/var/run/redis0/:/var/run/redis0/:rw",
               "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0:/usr/share/sonic/platform:ro"
           ],
Work item tracking
Microsoft ADO (number only):
How I did it
How to verify it
Make sure privileged settings remain unchanged and make sure volumes are properly mounted

admin@vlab-01:~$ docker inspect macsec | grep Privi
            "Privileged": false,
admin@vlab-01:~$ docker inspect macsec | grep -A 10 Binds
            "Binds": [
                "/etc/timezone:/etc/timezone:ro",
                "/var/run/redis:/var/run/redis:rw",
                "/var/run/redis-chassis:/var/run/redis-chassis:ro",
                "/etc/fips/fips_enable:/etc/fips/fips_enable:ro",
                "/usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro",
                "/etc/sonic:/etc/sonic:ro",
                "/host/warmboot:/var/warmboot",
                "/usr/share/sonic/device/x86_64-kvm_x86_64-r0/Force10-S6000/:/usr/share/sonic/hwsku:ro",
                "/usr/share/sonic/device/x86_64-kvm_x86_64-r0:/usr/share/sonic/platform:ro"
            ],
2023-11-16 21:49:43 +08:00
ganglv
f2a495f7e5
[202305] Share image for gnmi and telemetry (#17137)
Why I did it
Share docker image to support gnmi container and telemetry container
backport #16863

Work item tracking
Microsoft ADO 25423918:
How I did it
Create telemetry image from gnmi docker image.
Enable gnmi container and disable telemetry container by default.

How to verify it
Run end to end test.
2023-11-15 11:28:21 +08:00
Samuel Angebault
7982c3a2a8 Add some config options to make gbsyncd optional (#16840)
Why I did it
In an effort to allow people to build a slim version of SONiC to fit on devices to small storage, there is a need to disable some unneeded features.
The docker-gbsyncd are only applicable to devices with external gearboxes and might not apply to devices that need a small image.
It is therefore desirable to have a knob to not include these gbsyncd containers.

Work item tracking
Microsoft ADO (number only):
How I did it
Add a new config INCLUDE_GBSYNCD which is enabled by default to retain the previous behavior.
Setting it to n will not include the platform/components/docker-gbsyncd-*.mk.

How to verify it
Set INCLUDE_GBSYNCD = n and witness that docker-gbsyncd images are not present in the final image.
2023-10-25 22:32:41 +08:00
Samuel Angebault
274e929f11
Reduce SONiC image filesystem size (#16948)
Why I did it
Running SONiC releases past 202012 has become really challenging on system with small storage devices (4GB).
Some of these devices can also be limited by only having 4GB of RAM which complicates mitigations.
The main contributor to these issues is the SONiC image growth.
Being able to reduce it by some decent amount should allow these systems to run SONiC longer.
It would also reduce some impacts related to space savings mitigations.

Work item tracking
Microsoft ADO (number only):
How I did it
Add a build option to reduce the image size.
The image reduction process is affecting the builds in 2 ways:

change some packages that are installed in the rootfs
apply a rootfs reduction script
The script itself will perform a few steps:

remove file duplication by leveraging hardlinks
under /usr/share/sonic since the symlinks under the device folder are lost during the build.
under /var/lib/docker since the files there will only be mounted ro
remove some extra files (man, docs, licenses, ...)
some image specific space reduction (only for aboot images currently)
The script can later be improved but for now it's reducing the rootfs size by ~30%.

How to verify it
Compare the size of an image with this option enabled and this option enabled.
Expect the fully extracted content to be ~30% less.

Which release branch to backport (provide reason below if selected)
This is a backport of #16729

Description for the changelog
Add build option to reduce final image size
2023-10-24 21:08:38 +08:00
Saikrishna Arcot
d554cd55d6
[202305] Update Linux kernel to 5.10.179 (#16958)
Why I did it
Update the kernel to 5.10.179 for the 202305 branch

Work item tracking
Microsoft ADO (number only): 24592132
How I did it
How to verify it
2023-10-23 22:37:30 +08:00
xumia
ba7aacd49e [Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts (#16902)
### Why I did it
[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts

Upgrade OpenSSL to 1.1.1n-0+deb11u5
Fix CVEs:
      CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      CVE-2023-0466 (Certificate policy check not enabled).
      CVE-2022-4304 (Timing Oracle in RSA Decryption).
      CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).

Upgrade OpenSSH to 8.4p1-5+deb11u2
Fix CVEs:
    CVE-2023-38408 (Lacks SSH agent restriction)

##### Work item tracking
- Microsoft ADO **(number only)**: 25506776

#### How I did it
Upgrade the OpenSSL/OpenSSH package version and fix the UT failure.

#### How to verify it
Verified by UTs with and without FIPS enabled.
2023-10-21 12:32:21 +08:00
Saikrishna Arcot
fb618b6e0b
[202305] Backport PRs to fix build (#16896, #16859, #16636) (#16934)
* Remove main deb installation for derived deb build (#16859)

* Don't install dependencies of derived debs

When "building" a derived deb package, don't install the dependencies of
the package into the container. It's not needed at this stage.

* Re-add openssh-client and openssh-sftp-server as derived debs

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
(cherry picked from commit 9ae77bc2dd)

* Re-add missing dependency for derived debs. (#16896)

* Re-add missing dependency for derived debs.

My previous changed removed the whole dependency on the main deb
existing, not just the installation of the main deb. Fix this by
readding a dependency on the main deb being built/pulled from cache.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
(cherry picked from commit 963d40a77b)

* [build] Fix build issue in docker-ptf-sai caused by setuptools_scm new release (#16636)

docker-ptf-sai build fails on setuptools_scm's new release on 09/20/2023.
Use old version instead.

(cherry picked from commit bfa05c8349)

---------

Co-authored-by: Liu Shilong <shilongliu@microsoft.com>
2023-10-20 15:39:54 +08:00
Saikrishna Arcot
39cdee57e1 [baseimage]: Update openssh to 1:8.4p1-5+deb11u2 (#16826)
Openssh in Debian Bullseye has been updated to 1:8.4p1-5+deb11u2 to fix CVE-2023-38408. 
Since we're building openssh with some patches, we need to update our version as well.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-10-17 16:34:18 +08:00
Liu Shilong
a4e6e3da8b [build] Add sonic-utilities to sonic-host-services dependencies list. (#15987)
Why I did it
sonic-host-services depends on sonic-utilities because of FIPS feature.
Add dependency to unblock submodule sonic-host-services HEAD pointer update.

Work item tracking
Microsoft ADO (number only): 24671218
How I did it
2023-10-12 12:32:53 +08:00
Sudharsan Dhamal Gopalarathnam
d92eade3d3 [build]Fix FRR build cache issue (#16713)
### Why I did it
When FRR is built with Cache enabled, the build failed with the following error logs
```
[2023-09-20T15:17:00.273Z] fatal: Unable to hash src/sonic-frr/frr/tests/topotests/grpc_basic/lib
[2023-09-20T15:17:00.273Z] fatal: Unable to hash src/sonic-frr/frr/tests/topotests/ospfapi/lib
[2023-09-20T15:17:00.273Z] make: *** [Makefile.cache:528: target/debs/bullseye/frr_8.5.1-sonic-0_amd64.deb.smdep] Error 123
[2023-09-20T15:17:00.273Z] make: *** Waiting for unfinished jobs....
```
#### How I did it
Currently symlinks are excluded in hardcoded fashion. With FRR upgrades new symlinks might get introduced. To overcome it modified the way in which symlinks are excluded by finding symlinks using find command

#### How to verify it
Build FRR with cache enabled
2023-10-11 02:33:09 +08:00
Liu Shilong
0772884971 [build] Fix frr dpkg cache calculation issue on symbolic link file. (#16700)
Why I did it
Now build will fail on:

fatal: Unable to hash src/sonic-frr/frr/tests/topotests/grpc_basic/lib
fatal: Unable to hash src/sonic-frr/frr/tests/topotests/ospfapi/lib
make: *** [Makefile.cache:528: target/debs/buster/frr_8.5.1-sonic-0_amd64.deb.smdep] Error 123
make: *** Waiting for unfinished jobs....
Root cause is that these files are symbol links.
git hash-object can't hash symbol links.

Work item tracking
Microsoft ADO (number only): 25271730
How I did it
These two files are symbol links.
When calculate sha value, skip these two files.
2023-10-10 16:33:28 +08:00
Feng-msft
94696fe4cc Stop installing development packages from telemetry docker images to (#16603)
Stop installing development packages from telemetry docker images to avoid unnecessary space usage.

### Why I did it
From 202305, libswsscommon-dev and the Boost headers were brought in telemetry docker image incorrectly, which result in unnecessary space usage.

##### Work item tracking
- Microsoft ADO **(number only)**:25176224

#### How I did it
Remove  libswsscommon-dev accordingly.

#### How to verify it
Image building.
2023-09-22 00:36:18 +08:00
Gokulnath Raja
8e85fba740 Upgrading hsflowd version from 2.0.35 to 2.0.51-26 to address for [sflow]ERR sflow#hsflowd: device Loopback0 Get SIOCGIFFLAGS failed : No such device #13407 (#15362)
Signed-off-by: Gokulnath-Raja <Gokulnath_R@dell.com>
Co-authored-by: mohanapriya-meganathan <mohanapriya.m1@dell.com>
2023-09-21 18:34:19 +08:00
mssonicbld
a897f1e312
[P4RT]Disabling p4rt by default to overcome build issues (#16343) (#16427) 2023-09-03 21:11:22 +08:00
mssonicbld
8e749e957a
[frr]: FRR 8.5.1 integration changes (#15965) (#16212) 2023-08-19 21:06:09 +08:00
mssonicbld
74598e568a
Add health check probe for k8s upgrade containers. (#15223) (#15867)
#### Why I did it
After k8s upgrade a container, k8s can only know the container is running, don't know the service's status inside container. So we need a probe inside container, k8s will call the probe to check whether the container is really ready.
##### Work item tracking
- Microsoft ADO **(number only)**: 22453004
#### How I did it
Add a health check probe inside config engine container, the probe will check whether the start service exit normally or not if the start service exists and call the python script to do container self-related specific checks if the script is there. The python script should be implemented by feature owner if it's needed.

more details: [design doc](https://github.com/sonic-net/SONiC/blob/master/doc/kubernetes/health-check.md)
#### How to verify it
Check path /usr/bin/readiness_probe.sh inside container.

#### Which release branch to backport (provide reason below if selected)

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [x] 202205
- [x] 202211

#### Tested branch (Please provide the tested image version)
- [x] 20220531.28

Co-authored-by: lixiaoyuner <35456895+lixiaoyuner@users.noreply.github.com>
2023-07-19 16:11:13 +08:00
Masaru OKI
8c94e32fe5 Pick dependency files in submodules. (#15142)
#### Why I did it

Failed to build sonic-dhcp6relay_1.0.0-0_amd64.deb

#### How I did it

src/dhcprelay has git submodule.
Dependency files by "git ls-files" are not picked files in submodules.
Add --recurse-submodules, work again.

#### How to verify it

make all
2023-07-19 14:34:12 +08:00
lixiaoyuner
c59f55f6a3
Move k8s script to docker-config-engine (#14788) (#15768)
Why I did it
To reduce the container's dependency from host system

Work item tracking
Microsoft ADO (number only):
17713469
How I did it
Move the k8s container startup script to config engine container, other than mount it from host.

How to verify it
Check file path(/usr/share/sonic/scripts/container_startup.py) inside config engine container.

Signed-off-by: Yun Li <yunli1@microsoft.com>
Co-authored-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2023-07-17 23:21:01 +08:00
xumia
8904545b16 Upgrade sonic-fips packages (#15400)
Why I did it
Downgrade the symcrypt version, use the SymCrypt version v103.0.1 for certification.

Work item tracking
Microsoft ADO (number only): 24222567
How I did it
How to verify it
2023-06-29 20:55:05 +08:00
Malte Janduda
2b8b19f00e
[buildsystem] Fix hiredis package version: 0.14.1-1 (#15461) (#15569)
- Why I did it
To fix hiredis compilation

- How I did it
Changed package version: 0.14.0-3~bpo9+1 -> 0.14.1-1

- How to verify it
make configure PLATFORM=mellanox
make target/sonic-mellanox.bin

Signed-off-by: Nazarii Hnydyn <nazariig@nvidia.com>
Co-authored-by: Nazarii Hnydyn <nazariig@nvidia.com>
2023-06-22 18:18:27 -07:00
Rajkumar-Marvell
94790bef04
[sflow] Add egress sflow support. (#14630)
* [sflow] Add egress sflow support.
- Updated sonic-yang-model
- change hsflowd version to 2.0.45
2023-06-06 11:23:39 -07:00
DavidZagury
5acec530bb
Add SECURE_UPGRADE_PROD_TOOL_ARGS flag to make it possible for vendors to pass their own arguments on the prod signing script (#14581)
- Why I did it
Since the prod signing tool is vendor specific, and each vendor may have different arguments they would like to use in the script, we would need a way to inject those arguments to the script.

- How I did it
Add a compilation flag SECURE_UPGRADE_PROD_TOOL_ARGS which vendors can use to inject any flag they would want to the prod signing script.

- How to verify it
Build SONiC using your own prod script
2023-05-16 08:36:13 +03:00
Konstantin Vasin
ee1ab4448f
[build] update isc-dhcp to 4.4.1-2.3+deb11u2 to fix build failure (#15002)
Why I did it
Fix #15000
isc-dhcp 4.4.1-2.3+deb11u1 is no longer available in debian repository

How I did it
update isc-dhcp to new version 4.4.1-2.3+deb11u2
2023-05-11 22:14:20 +08:00
Dror Prital
7dcd55ca18
Support pulling sonic-slave-docker image from path at REGISTRY_SERVER (#14907)
- Why I did it
In order to reduce sonic build time, there is an option to acquire sonic slave docker(s) from artifact server (reduce sonic make configure time).
Current implementation supports only convention of:

<REGISTRY_SERVER>:<REGISTRY_PORT>/<SLAVE_BASE_IMAGE>:<SLAVE_BASE_TAG>

In case the SLAVE_BASE_IMAGE appear in internal path inside the server, the convention should be like that:

<REGISTRY_SERVER>:<REGISTRY_PORT><REGISTRY_SERVER_PATH>/<SLAVE_BASE_IMAGE>:<SLAVE_BASE_TAG>

When REGISTRY_SERVER_PATH (that is set on rules/config) will have to start with "/".

If REGISTRY_SERVER_PATH will not be set, the behavior will remain the same it works today.

- How I did it
Add ability to set REGISTRY_SERVER_PATH and update the code for docker image tag and docker image pull accordingly

- How to verify it
Use sonic slave docker image from artifact server in which the image is kept in internal folder and make sure it consume it.
2023-05-04 11:41:10 +03:00
Yevhen Fastiuk
46615f5563
[Profiler] Add ability to print elapsed build time for target packages (#14778)
- Why I did it
To be able to see how much time was consumed to build a specific target.
A newly added code does those things:

1. Print build start time for target
2. Print build end time for target
3. Print elapsed time for target

- How I did it
Add a macro to record the time
Add macros to print end time and elapsed time

- How to verify it
Just build an image and check any *.log file

Signed-off-by: Yevhen Fastiuk <yfastiuk@nvidia.com>
2023-05-03 13:26:22 +03:00
ganglv
010dc39579
If gnmi is included, remove dbus from telemetry (#14853)
#### Why I did it
Remove dbus when telemetry does not use it.

##### Work item tracking
- Microsoft ADO **(number only)**: 17852550

#### How I did it
Use INCLUDE_SYSTEM_GNMI to determine if telemetry needs dbus.

#### How to verify it
Build image and check telemetry container.
2023-04-26 22:18:54 -07:00
ganglv
41a1c13c03
Enable GNMI native write by default (#14845)
#### Why I did it
SONiC master image needs GNMI native write.

#### How I did it
Update rules/config to enable.

#### How to verify it
Run end2end test.
2023-04-26 22:08:07 -07:00
DavidZagury
90f45d9774
Change SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT (#14591)
Depends on https://github.com/sonic-net/sonic-linux-kernel/pull/315

#### Why I did it
The name SECURE_UPGRADE_DEV_SIGNING_CERT is misleading, this flag is relevant to both to dev and prod signing.

#### How I did it
Rename all mentions of name SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT - this is also done with PR in sonic-linux-kernel repository

#### How to verify it
Build SONiC using your own prod script
2023-04-24 11:17:51 -07:00
DavidZagury
03bf4ff549
Remove default value from SECURE_UPGRADE_DEV_SIGNING_KEY (#14582)
This is done because when there is a default value, we mount to this path, and this creates this folder on the host.

#### Why I did it
Fix issue that running without overwriting SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT dummy folders are being created on the host.

#### How I did it
Removed the default assignment to SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT

#### How to verify it
Build SONiC using your own prod script
2023-04-18 15:48:47 -07:00
xumia
f1fd42558a
Support to add SONiC OS Version in device info (#14601)
Why I did it
Support to add SONiC OS Version in device info.
It will be used to display the version info in the SONiC command "show version". The version is used to do the FIPS certification. We do not do the FIPS certification on a specific release, but on the SONiC OS Version.

SONiC Software Version: SONiC.master-13812.218661-7d94c0c28
SONiC OS Version: 11
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
How I did it
2023-04-12 09:20:08 +08:00
Vivek
0df155b014
Made non-upstream patch design order aware (#14434)
- Why I did it

Currently, non upstream patches are applied only after upstream patches.

Depends on sonic-net/sonic-linux-kernel#313. Can be merged in any order, preferably together

- What I did it

Non upstream Patches that reside in the sonic repo will not be saved in a tar file bur rather in a folder pointed out by EXTERNAL_KERNEL_PATCH_LOC. This is to make changes to the non upstream patches easily traceable.
The build variable name is also updated to INCLUDE_EXTERNAL_PATCHES
Files/folders expected under EXTERNAL_KERNEL_PATCH_LOC
EXTERNAL_KERNEL_PATCH_LOC/
       ├──── patches/
             ├── 0001-xxxxx.patch
             ├── 0001-yyyyyyyy.patch
             ├── .............
       ├──── series.patch
series.patch should contain a diff that is applied on the sonic-linux-kernel/patch/series file. The diff should include all the non-upstream patches.
How to verify it

Build the Kernel and verified if all the patches are applied properly

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-04-10 19:48:27 +03:00
Kuanyu Chen
cffd87a627
Add monit_snmp file to monitor memory usage (#14464)
#### Why I did it

When CPU is busy, the sonic_ax_impl may not have sufficient speed to handle the notification message sent from REDIS.
Thus, the message will keep stacking in the memory space of sonic_ax_impl.

If the condition continues, the memory usage will keep increasing.

#### How I did it

Add a monit file to check if the SNMP container where sonic_ax_impl resides in use more than 4GB memory.
If yes, restart the sonic_ax_impl process.

#### How to verify it

Run a lot of this command: `while true; do ret=$(redis-cli -n 0 set LLDP_ENTRY_TABLE:test1 test1); sleep 0.1; done;`
And check the memory used by sonic_ax_impl keeps increasing.

After a period, make sure the sonic_ax_impl is restarted when the memory usage reaches the 4GB threshold.
And verify the memory usage of sonic_ax_impl drops down from 4GB.
2023-04-06 12:19:11 -07:00
Christian Svensson
bce824723c
[sflow] Switch to bullseye (#14494)
Change references to use bullseye instead of buster

Why I did it
Almost all daemons in 202211 and master uses bullseye, and sflow was easy to migrate.

How I did it
Replaced the references, built and tested in 202211.
How to verify it

Build with the changes, enable sflow:
admin@sonic:~$ sudo config sflow collector add test 1.2.3.4
admin@sonic:~$ sudo config sflow collector enable
tcpdump on 1.2.3.4 and see that UDP sFlow are being sent.

Signed-off-by: Christian Svensson <blue@cmd.nu>
2023-04-03 09:49:35 -07:00
Christian Svensson
67abcff944
[nat] Switch to bullseye (#14495)
Change references to use bullseye instead of buster

Why I did it
Almost all daemons in 202211 and master uses bullseye, and NAT seems easy to migrate.

How I did it
Replaced the references, built with 202211 branch.

How to verify it
Not sure, it builds and tests pass as far as I can tell but I don't use the feature myself.

Signed-off-by: Christian Svensson <blue@cmd.nu>
2023-04-02 14:02:33 -07:00
kellyyeh
2843923549
Add sonic-dhcpmon as a submodule (#14285)
Why I did it
Add sonic-dhcpmon as a submodule

How to verify it
Tested dhcpmon on dualtor and single tor
2023-03-30 08:32:56 -07:00
Saikrishna Arcot
3bbfaa1ee8
Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye (#13294)
* Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* iproute2: Force a new version and timestamp to be used for the package

There is an issue with Docker's overlay2 storage driver when not using
native diffs (and thus falling back to naive diff mode), which is the
case in the CI builds. The way the naive diff mode detects changes is by
comparing the file size and comparing the timestamps (specifically, I
believe it's the modification timestamp), and if there's a change there,
then it's considered a change that needs to be recorded as part of that
layer.

The problem is that with the code being added in the patch, the file
size remains the same, and the timestamp of binary files appear to be
the same timestamp as the changelog entry (likely for reproducible build
purposes). The file size remains the same likely due to extra padding
within the file introduced by relro. Because of this, Docker doesn't
detect this file has changed, and doesn't save the new file as part of
this layer.

To work around this, create a new changelog entry (with a new version as
well) with a new timestamp. This will result in the binary files having
a different timestamp, and thus will get saved by Docker as part of that
layer.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-03-19 21:14:27 -07:00
lixiaoyuner
935f5dc5f0
Install kubernetes-cni for kubelet (#14163)
Why I did it
Find a new bug on kubelet side. The kubernetes-cni plug-in was removed in #12997, the reason is that the plug-in will be auto installed when install kubeadm, and will report error if we don't remove the install code. But after removal, the version auto installed is different from what we installed before. This will affect the kubelet action in some scenarios we don't find before. Need to install it by another way.

How I did it
Install kubernetes-cni==0.8.7-00 before install kubeadm

How to verify it
Flannel binary will be installed under /opt/cni/bin/ folder
2023-03-16 17:21:37 -07:00
davidpil2002
8098bc4bf5
Add Secure Boot Support (#12692)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly
2023-03-14 14:55:22 +02:00
Saikrishna Arcot
3556e6c2eb
[submodule] Advance sonic-swss-common pointer (#14142)
Update sonic-swss-common submodule pointer to include the following:

565ad4b Fix common path issue (#751)
3352881 Prevent sonic-db-cli generate core dump (#749)
43cadec Add ProfileProvider class to support read profile config from PROFILE_DB. (#683)
8b09f90 Update path to sairedis tests (#747)
85f3776 Non recursive automake and Debian packaging changes (#700)
This is a reland of #13950, with the debug image build fix.
2023-03-12 14:12:02 +02:00
Andriy Dobush
c1dd94f368
Add California-SB237 feature. Requires to change default user password (#12678)
#### Why I did it
Add support of California-SB237 conformance.
https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237

#### How I did it
Expire user passwords during build

#### How to verify it
Enable build flag and check if default user is prompted for a new password
2023-02-23 15:36:37 -08:00
ganglv
23dbdf525b
Enable host services #13800
Why I did it
Need to enable host service to suport GNMI native write

How I did it
Update rules/config

How to verify it
Run GNMI end2end test
2023-02-15 14:40:09 +08:00
xumia
71f778f62a
[Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips (#13737)
Why I did it
[Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips

f6df7303d8 Update expired certs.
84540b59c1 CVE-2022-2068
f763d8a93e Prepare 1.1.1n-0+deb11u2
576562cebe CVE-2022-1292
How I did it
Upgrade the OpenSSL version
2023-02-09 13:57:50 -08:00
xumia
77745f55cc
[FIPS] Upgrade Open-SymCrypt version to 0.6 (#13461)
Why I did it
[FIPS] Upgrade Open-SymCrypt version to 0.6

Improve the SymCrypt performance
Support to download the debug packages from storage account in version 0.6.
How I did it
Upgrade to symcrypt-openssl from version 0.4 to version 0.6

Changes in https://github.com/sonic-net/sonic-fips:
0c29b23 Upgrade the submodules: SymCrypt and SymCrypt-OpenSSL #40
80022f3 Fix the ARM64 build failure
2e76a3d Disable the unsupported tests

Other changes will be added as well:
55b8e0a Merge pull request #35 from xumia/change-license
120c1a7 Upgrade SymCrypt and SymCrypt-OpenSSL
2f9c084 Merge pull request #39 from liuh-80/dev/liuh/update-openssh-version
a3be6c5 Revert openssh version
e02fa1e Update fips version

How to verify it
2023-01-27 11:54:44 +08:00
judyjoseph
96cecc385a
Add explicit dependency on sonic_platform_common (#13446)
Why I did it
Add explicit dependency on sonic_platform_common in sonic-chassisd mk. This was needed because sonic-chassisd depends on sonic-platform-base which is present in sonic-platform-common wheel package.

How I did it
Add explicit dependency on sonic_platform_common in sonic-chassisd mk.

How to verify it
Verified by building all platforms broadcom, mellanox, marvel_arm
2023-01-19 22:42:28 -08:00