* [rc.local] Move all constants and functions to top of file; Unify style; Reword messages
* Add function to process reboot cause upon boot
* Simplify retrieval of SONIC_VERSION per comments
* Change wording
Move the ingress lossless profile from buffers.json.j2 to pg_profile_lookup.ini
Move pool and the rest of the profile from buffers.json.j2 to
buffers_defaults_t1.j2
Add port speed info in port_config.ini
Make buffers_default_t1.j2 the default profile in buffers.json.j2
Signed-off-by: Wenda Ni <wenni@microsoft.com>
After commit 832be7b8f4 ("[dockers] Prevent apt-get from installing
suggested and recommended packages by default (#1666)") SONiC fails
to build when FRR is used for routing stack (e.g. SONIC_ROUTING_STACK
is set to frr in rules/config).
To fix issue just replicate changes from docker-fpm-quagga to
docker-fpm-frr to make dependencies installed correctly after above
change to package installing behaviour.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* First part of skipping not used port for qos configuration
* Use active ports only to set QoS parameters for 6100
* Add a test for qos.json.j2
* Add a test for Dell S6100 buffers.json template
* Update submodulre
* Add Broadcom config files for Arista-7050-QX32 and Arista-7050-Q16S64 SKUs under respective directories
* Remove 'serdes_firmware_mode_xe=0x1' line from Arista 7050 Broadcom config files
* [slave.mk]: Fix displaying username and password in build summary
We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying USERNAME and PASSWORD variables in build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are couple of issues with current implementation of default
user account management in baseimage:
1) It uses DES to encrypt accounts password. Furthermore this
effectively limits password length to 8 symbols, even if more
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) Salt value for password is same on all builds even with different
password increasing attack surface.
3) During the build process password passed as command line parameter
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh) can be seen by
non-build users using /proc/<pid>/cmdline file that has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.
To address issues above we propose following changes:
1) Do not create password by hands (e.g. using perl snippet above):
put this job to chpasswd(8) which is aware about system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care about proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn user that this is unsafe.
3.2) Use process environment to pass USERNAME and PASSWORD variables
from Makefile to build_debian.sh as more secure alternative to
passing via command line parameters: /proc/<pid>/environ
readable only by user running process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here salt completely different from case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since salt is different hashes for same password different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly
* Check all rules in table until we find one with a SRC_IP
* Revert "[serial watchdog] remove serial watchdog service dependency to rc.local (#1752)"
* Revert "[service] introducing serial port watchdog service (#1743)"
https://github.com/Azure/azure-kusto-python
azure-kusto-data Package provides the capability to query Kusto clusters with Python.
azure-kusto-ingest Package allows sending data to Kusto service - i.e. ingest data.
The removed package adal is a dependent of the Azure Kusto Library.
The removed azure-storage is deprecated and being replaced with new packages that are
also the dependents of the Azure Kusto Library. (https://github.com/Azure/azure-storage-python)
Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>
* [serial watchdog] remove serial watchdog service dependency to rc.local
When restarting this service in rc.local, the dependency causes an error
in syslog. Removing the dependency to mute the error log entry.
* remove lines with empty inputs
