Commit Graph

220 Commits

Author SHA1 Message Date
Harish Venkatraman
3e69427ac0 [baseimage] management VRF support via l3mdev (#2585)
This commit adds support for New feature management VRF using L3mdev.  Added
commands to enable/disable management VRF. Config vrf add mgmt will enable
management VRF, enslave the eth0 device to the master device mgmt and restart
interfaces-configs in mgmt-vrf context.

management interface (eth0) can be configured using config interface eth0 ip
add command and removed using config interface eth0 ip remove command.

Requirement and design are covered in mgmt vrf design document.  Currently show
command displays linux command output; will update show command display in next
PR after concluding what would be the output for the show commands. Added
metric for default routes in dhcp and static, any changes for metric will be
addressed subsequently after discussing.

Signed-off-by: Harish Venkatraman <harish_venkatraman@dell.com>
2019-07-24 16:18:40 -07:00
Neetha John
f64e79172c [docker-engine]: Update docker engine to 18.09.8 (#3211)
Signed-off-by: Neetha John <nejo@microsoft.com>
2019-07-24 09:44:14 -07:00
rajendra-dendukuri
40c8bc14cd [baseimage]: Upgrade ifupdown2 to version 1.2.8 (#3180)
* Upgrade ifupdown2 to version 1.2.8

Required by ZTP to support ZTP over IPv6 transport

Signed-off-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com>
2019-07-19 23:09:14 -07:00
Joe LeVeque
fa8b22ad93 [baseimage]: Install mcelog package to host OS; log machine check exceptions (MCE) to syslog (#3158)
* Install mcelog package to host OS; log machine check exceptions (MCE) to syslog
2019-07-17 09:43:05 -07:00
Qi Luo
6a99dd81be [baseimage]: Remove old ping permission fix because of aufs->overlay filesystem (#3154)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2019-07-13 12:38:10 -07:00
Joe LeVeque
8329ce1d63 [sshd] Close all SSH connetions after 15 minutes of inactivity (#3031)
- What I did

Configure sshd to close all SSH connetions after 15 minutes of inactivity.

- How I did it

Set ClientAliveInterval to 900 (900 seconds = 15 minutes) and ClientAliveCountMax to 0
in /etc/ssh/sshd_config using augtool in build_debian.sh. In the process, I refactored the existing augtool command for sshd_config so as to add comments and empty lines to file for readability.

- How to verify it

Log into device via management port. Wait 15 minutes without sending a keystroke -- you should be automatically logged out.
2019-07-07 00:41:14 -07:00
Renuka Manavalan
76bf5a0bc4 [build]: Added debug symbols to many debug dockers. (#3098)
* Added debug symbols to many debug dockers.

* For debug images *only*:
1) Archive source files into debug image
2) Archived source is copied into /src
3) Created an empty dir /debug
4) Mount both /src as ro & /debug as rw into every docker
5) Login banner will give some details on /src & /debug
6) Devs can copy core file into /debug and view it from inside a container.
7) Dev may create all gdb logs and other data directly into /debug.

* Dropped redundant REDIS_TOOLS per review comments.

* Added debug symbols to frr package and hence FRR based BGP docker.

* 1) Moved dbg_files.sh to scripts/
2) Src directories to archive are now collected from individual Makefiles.
3) Added few more debug symbols
4) Added few more debug dockers.

Here after no more changes except per review comments.

To debug:
Install required version of debug image in Switch or VM.
Copy core file into /debug of host
Get into Docker
gdb /usr/bin/<daemon> -c /debug/<your core file>
set directory /src/... <-- inside gdb to get the source

For non-in-depth debugging:

Download corresponding debug Docker image (docker-...-dbg.gz) to your VM
Load the image
Run image with entrypoint as 'bash' with dir containing core mapped in.
Run gdb on the core.
2019-07-03 22:13:55 -07:00
Joe LeVeque
f14354f003
[monit] Restart rsyslog service if rsyslogd consumes > 800 MB memory (#3117) 2019-07-03 18:21:05 -07:00
Qi Luo
e7b1988638
[submodule] update sonic-linux-kernel (#2985)
* [submodule] update sonic-linux-kernel
* update linux kernel version
* Fix many version strings
* update mellanox components (built with new kernel)
* [mlnx] add make files for SDK WJH libs
* Update arista driver submodule (#8)
Make the debian packaging point to a newer kernel version.
2019-06-18 10:00:16 -07:00
SuvarnaMeenakshi
0f665bdd06 [baseimage] kernel oom-killer to panic when the system is truly out of memory (#2988)
- What I did
Currently when the system is under memory pressure, the OOM killer kicks in and kills a rogue process. Killing a rogue process can cause the device to be un-healthy leading to blackholing of the traffic.

To avoid this, configure the OOM to do a kernel panic which will cause the device to reboot and come back up healthy.

- How I did it
Added the sysctl variable panic_on_oom and set the value to 2.
Setting it to 2 will ensure OOM killer to always do a kernel panic.
2019-06-11 16:19:49 -07:00
lguohan
30b37ec6fb
[build]: make sonic-slave-stretch as the default build docker (#2921)
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-05-27 15:50:51 -07:00
Qi Luo
62ef8593e7 [monit] Set memory usage alert at 50% (#2939)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2019-05-24 02:38:41 -07:00
Ying Xie
9efcf1759a
[ebtables] install ebtables in base image and install filter rules (#2805)
- Add ebtables package, and install some filter rules:
  1. ebtables -A FORWARD -d BGA -j DROP
  2. ebtables -A FORWARD -p ARP -j DROP

Basically, we let the ARP packets in the VLAN being forwarded by the ASIC,
kernel gets a copy of these ARP packets and the forwarding from Kenerl gets
dropped. So there is always only one copy of ARP/response in the VLAN.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-05-09 09:44:41 -07:00
paavaanan
e7485fdcef [baseimage]: Flashrom utitily support for BIOS upgrade (#2867) 2019-05-09 00:09:01 -07:00
paavaanan
b56124bf48 removing dhcp- turn- off option from initrd (#2555)
* removing dhcp changes from initrd

* removing mgmt-intf-dhcp file
2019-04-02 15:48:04 -07:00
Qi Luo
145c1348b3
[docker] Update docker package version for CVE-2019-5736 fix (#2663) 2019-03-18 18:50:05 -07:00
yurypm
d632569a6a Add initramfs hook for Arista devices (#2595)
We are going to use initramfs hook for firmware upgrades
To install Arista hook:
- create folder /mnt/flash/<image dir>/platform/hooks/boot1/ from Aboot or
  /host/<image dir>/platform/hooks/boot1/ from Sonic
- add executable script to created folder
2019-02-27 10:28:04 -08:00
Ying Xie
97f5e05b70
[ntp] disable ntp time jump (#2589)
- removing -g to disable jump when time difference is greater than 1000s
- add -x to disable initial jump
2019-02-20 08:04:12 -08:00
Ramesh Santhanakrishnan
734dcb2185 [build]: apply proxy setting to curl. (#2544) 2019-02-08 22:01:29 -08:00
Mykola F
460281d663 [baseimage] install dmidecode (#2540)
Signed-off-by: Mykola Faryma <mykolaf@mellanox.com>
2019-02-08 11:52:12 -08:00
lguohan
f20665008c
[build]: put stretch debian packages under target/debs/stretch/ (#2519)
* [build]: put stretch debian packages under target/debs/stretch/

* in stretch build phase, all debian packages built in that stage are placed under target/debs/stretch directory.
* for python-based debian packages, since they are really the same for jessie and stretch, they are placed under target/python-debs directory.

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-02-04 22:06:37 -08:00
Prince Sunny
5fe13ad93b
Disable IPv6 ra for eth0 interface (#2493)
* Disable IPv6 ra for eth0 interface
2019-01-29 09:03:23 -08:00
lguohan
36a9678d3e
[baseimage]: install cgroup-tools and set udp_l3mdev_accept=1 (#2485)
cgroup-tools is required to bind a process to l3mdev master

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-01-25 11:47:09 -08:00
lguohan
4ccd35bc25
[kernel]: update sonic kernel to 4.9.0-8-2 (#2468)
* [kernel]: update sonic kernel to 4.9.0-8-2

* 3b2114d 2019-01-20 | [sonic-linux-kernel] add udp_l3mdev_accept kernel upstream patch (#70) (HEAD, azure/master) [Harish Venkatraman]
* 37734aa 2019-01-10 | L3mdev cgroup (#73) [lguohan]
* d631eeb 2018-12-15 | yet another uart race condition fix (#75) [lguohan]

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* Update Mellanox SDK

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* Update arista platform driver to match 4.9.0-8-2 kernel

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-01-25 00:46:09 -08:00
Samuel Angebault
bfe46e0f1d [docker-engine] fix systemd shutdown hang (#2451)
When rebooting without the platform_reboot plugin, systemd takes a few
minutes to properly shutdown. It's blocking on some docker cleanup
operation.

As described by https://github.com/docker/for-linux/issues/421 there
is a race between docker.service and containerd.service.
docker needs containerd to properly stop the containers.
2019-01-16 01:54:14 -08:00
Nikos
e55a7d7db7 [baseimage]: Initial changes for dhcp to support eth0 in a mgmt vrf (#2348)
* Initial changes to support eth0 in a mgmt vrf
2019-01-15 18:15:56 -08:00
lguohan
b57a376622
[docker-engine]: upgrade docker engine to 18.09 (#2417)
* [docker-engine]: upgrade docker engine to 18.09
2019-01-04 20:47:43 -08:00
Nikos
1eecdb31bf [baseimage]: Install netifaces package in sonic-slave docker and sonic image (#1353) 2018-12-15 11:52:36 -08:00
zhenggen-xu
f093ef2a9f [security kernel] Upgrade kernel from 4.9.110-3+deb9u2 to 4.9.110-3+deb9u6 (#2367)
* [security kernel] Upgrade kernel from 4.9.110-3+deb9u2 to 4.9.110-3+deb9u6
short version: 4.9.0-7 to 4.9.0-8

See changelogs for security fixes:
https://tracker.debian.org/media/packages/l/linux/changelog-4.9.110-3deb9u6

Signed-off-by: Zhenggen Xu <zxu@linkedin.com>

* Update sonic-linux-kernel submodule after it was merged

Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
2018-12-11 04:17:17 -08:00
lguohan
64a2b1ce99
[vs]: build sonic vs kvm image (#2269)
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-11-20 22:32:40 -08:00
Joe LeVeque
1e1add90f9
Remove Arista-specific service ACL solution; All platforms now use caclmgrd (#2202) 2018-10-29 10:25:18 -07:00
ironjosh
2d43385927 [baseimage] set default locale en_US.UTF-8 (#1988)
* [baseimage] set default locale en_US.UTF-8

Signed-off-by: chenhu <chenhu@didichuxing.com>

* [baseimage]set default locale to en_US.UTF-8, clean all other unused

* [baseimage] update-locale after locale-gen

* correct update-locale command line

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-09-11 03:15:19 -07:00
Shuotian Cheng
f85a75c811
[debian]: Enable keep_addr_on_down to keep IPv6 addresses (#1992)
Starting from kernel 4.6, this new attribute keep_addr_on_down
is introduced (https://kernelnewbies.org/Linux_4.6).

If set, static global addresses with no expiration time are not
flushed.

Ref:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1705ec197e705b79ea40fe7a2cc5acfa1d3bfac

Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>
2018-08-28 14:40:01 -07:00
Joe LeVeque
98082d56a0 [baseimage]: Download picocom version 3.1-2 from stretch-backports; No longer build from source (#1946) 2018-08-17 17:38:20 -07:00
lguohan
c059d9982a
[baseimage]: install picocom 3.1 in base image (#1943)
* [baseimage]: install picocom 3.1 in base image

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* add picocom to stretch build

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* fix slave.mk bug

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-17 09:06:05 -07:00
lguohan
38f3eba695
[kernel]: upgrade kernel to 4.9.0-7 (4.9.110-3+deb9u1) (#1922)
* [kernel]: upgrade kernel to 4.9.0-7 (4.9.110-3+deb9u1)

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* [mellanox]: Update SDK pointer for 4.9.0-7 kernel (#44)

Signed-off-by: Volodymyr Samotiy <volodymyrs@mellanox.com>

* Update arista drivers for 4.9.0-7 linux kernel (#43)
2018-08-16 08:56:56 -07:00
cawand
9f545456c9 Added picocom and pexpect to base image, for use in consutil (#1935)
Signed-off-by: Cayla Wanderman-Milne <t-cawand@microsoft.com>
2018-08-15 21:41:12 -07:00
Qi Luo
40bb27ca1c Simplify script to install docker (#1925)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2018-08-13 18:30:00 -07:00
lguohan
647af39ff0
[build]: create empty /var/lib/docker if needed (#1920)
stretch docker-engine in base image is not started by default
in the build process. Need to create empty /var/lib/docker

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-12 22:23:43 -07:00
zhenggen-xu
d761630f73 Fix potential blackholing/looping traffic when link-local was used and refresh ipv6 neighbor to avoid CPU hit (#1904)
* Fix potential blackholing/looping traffic and refresh ipv6 neighbor to avoid CPU hit

In case ipv6 global addresses were configured on L3 interfaces and used for peering,
and routing protocol was using link-local addresses on the same interfaces as prefered nexthops,
the link-local addresses could be aged out after a while due to no activities towards the link-local
addresses themselves. And when we receive new routes with the link-local nexthops, SONiC won't insert
them to the HW, and thus cause looping or blackholing traffic.

Global ipv6 addresses on L3 interfaces between switches are refreshed by BGP keeplive and other messages.

On server facing side, traffic may hit fowarding plane only, and no refresh for the ipv6 neighbor entries regularly.
This could age-out the linux kernel ipv6 neighbor entries, and HW neighbor table entries could be removed,
and thus traffic going to those neighbors would hit CPU, and cause traffic drop and temperary CPU high load.

Also, if link-local addresses were not learned, we may not get them at all later.

It is intended to fix all above issues.

Changes:
Add ndisc6 package in swss docker and use it for ipv6 ndp ping to update the neighbors' state on Vlan interfaces
Change the default ipv6 neighbor reachable timer to 30mins
Add periodical ipv6 multicast ping to ff02::11 to get/refresh link-local neighbor info.

* Fix review comments:
Add PORTCHANNEL_INTERFACE interface for ipv6 multicast ping
format issue

* Combine regular L3 interface and portchannel interface for looping

* Add ndisc6 package to vs docker
2018-08-12 03:14:55 -07:00
Guohan Lu
002bff4e45 [baseimage]: use rsyslog in baseimage from stretch repo
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-11 18:00:10 +00:00
Guohan Lu
0d2ffd885f [baseimage]: move update initramfs to later stage
some platform drivers install blacklist.conf in /etc/modprobe.d.
Those configuration should be proprogated into initramfs to avoid
loading those blacklisted driver.
2018-08-11 09:09:03 +00:00
Guohan Lu
5ae64e7f2d [ixgbe]: compile and install ixgbe to 4.9.0-5 kernel 2018-08-11 09:09:03 +00:00
lguohan
35ab7a6e09 [kernel]: upgrade linux kernel to 4.9.0-5 (4.9.65-3+deb9u2) (#8) 2018-08-11 09:09:03 +00:00
Guohan Lu
0e141a54e9 [baseimage]: install acl package 2018-08-11 09:07:59 +00:00
Guohan Lu
2449fafae0 [kernel]: update kernel submodule and remove standalone igb driver 2018-08-11 09:07:59 +00:00
Guohan Lu
f64ffe8571 [baseimage]: build root filesystem via overlay fs instead of aufs 2018-08-11 09:07:59 +00:00
Guohan Lu
72d70e98be [baseimage]: install systemd-sysv in the base image 2018-08-11 09:07:59 +00:00
Guohan Lu
b6af83ccf8 [baseimage]: upgrade initramfs to 0.130 2018-08-11 09:07:59 +00:00
Guohan Lu
ff1f508f33 [baseimage]: use debian 4.9.0-3 kernel 2018-08-11 09:07:59 +00:00
Guohan Lu
4d701ad037 [baseimage]: update base image from jessie to stretch 2018-08-11 09:07:59 +00:00
Joe LeVeque
7aefa185d4 Download newer version (8.23.0-2) of rsyslog from jessie-backports in hopes of eliminating memory leaks (#1912) 2018-08-09 23:56:41 -07:00
Qi Luo
162e9b6f56 Add monit for /var/log disk usage (#1836)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2018-07-03 17:00:31 -07:00
lguohan
0e5c5f2601
[baseimage]: add commonly used network tools (#1832)
* [baseimage]: add commonly used network tools
2018-07-01 09:46:25 -07:00
Serhey Popovych
8d88455509 [baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary

We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:

  $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin

Fix by displaying USERNAME and PASSWORD variables in build summary.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>

* [baseimage]: Improve default user account handling

There are couple of issues with current implementation of default
user account management in baseimage:

  1) It uses DES to encrypt accounts password. Furthermore this
     effectively limits password length to 8 symbols, even if more
     provided with PASSWORD or DEFAULT_PASSWORD from rules/config.

  2) Salt value for password is same on all builds even with different
     password increasing attack surface.

  3) During the build process password passed as command line parameter
     either as plain text (if given to make(1) as "make PASSWORD=...")
     or DES encrypted (if given to build_debian.sh) can be seen by
     non-build users using /proc/<pid>/cmdline file that has group and
     world readable permissions.

Both 1) and 2) come from:

  perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"

that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.

To address issues above we propose following changes:

  1) Do not create password by hands (e.g. using perl snippet above):
     put this job to chpasswd(8) which is aware about system wide
     password hashing policy specified in /etc/login.defs with
     ENCRYPT_METHOD (by default it is SHA512 for Debian 8).

  2) Now chpasswd(8) will take care about proper salt value.

  3) This has two steps:

    3.1) For compatibility reasons accept USERNAME and PASSWORD as
         make(1) parameters, but warn user that this is unsafe.

    3.2) Use process environment to pass USERNAME and PASSWORD variables
         from Makefile to build_debian.sh as more secure alternative to
         passing via command line parameters: /proc/<pid>/environ
         readable only by user running process or privileged users like
         root.

Before change:
--------------

  hash1
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
                                      ^^^^^^^^
                                      8 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Note the hash (DES encrypted password)

  hash2
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
                                      ^^^^^^^^^^^^
                                      12 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Hash is the same as for "YourPaSs"

After change:
-------------

  hash1
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
           ^^^^^^^^
           Note salt here
  ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::

  hash2
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
           ^^^^^^^^
           Here salt completely different from case above
  plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::

Since salt is different hashes for same password different too.

  hash1
  -----
  # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
                                             ^^^^^
                                             We want SHA512 hash
  $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
  yd2ELrIMJ.FQLNjgSD0nNha7/

  hash2
  -----
  # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
  $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
  kYDI8zwRumRwga/A29nHm4mZ1

Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 11:29:16 -07:00
Qi Luo
d54a7ae566
[baseimage] Adding setuid permissions to ping binaries, so sudo is no longer needed (#1765) 2018-06-04 21:01:53 -07:00
Prince Sunny
5e64310a56 [baseimage]: Disable DAD for eth0 explicitly (#1701) 2018-05-12 01:31:17 -07:00
lguohan
d269263938
[baseimage]: add screen package (#1644) 2018-04-26 13:53:54 -07:00
padmanarayana
dda00292f3 Sonic fstrim (#1520)
* Update Dell submodule for fstrim support

* Revert PR 1500 since fstrim files are now part of submodule
2018-03-21 13:15:05 -07:00
Shuotian Cheng
871161e868
[build_debian]: Add quote to specify values as string (#1503) 2018-03-16 01:09:33 -07:00
padmanarayana
3bb24a975d [debian]: Add fstrim service files to systemd (#1500) 2018-03-15 13:16:00 -07:00
AndriiS
9065e09bee [baseimage] Added net.core.wmem_max value required by Copp test (#1489) 2018-03-14 09:20:47 -07:00
padmanarayana
02b62ac9bb [fast-reboot]: Support OS9 -> SONiC fast-reboot migration (#1414)
* Support OS9 -> SONiC fast-reboot migration

* Address review comments. Update NOS mac in EEPROM and net.rules for eth0

* Address review comments. Update sonic-platform-modules-dell to fac81d...

* Fix script for POSIX compliance
2018-03-08 16:42:41 -08:00
byu343
ecf5c8d311 ssh and snmp allow list (#1363)
- Service ACL framework for Arista platforms
2018-02-08 17:43:52 -08:00
padmanarayana
0d0752e099 Reduce SONiC migration partition from 8G to 1G. (#1343)
* Reduce SONiC migration partition from 8G to 1G.

* Changes to create 1G partition with ability to resize post migration.

* Remove redundant changes in varlog

* Use findfs to interpret root. Move resize in case cmdline params are reordered
2018-02-07 22:07:01 +08:00
Qi Luo
358949b4e5
Upgrade linux-image version (#1294)
* Upgrade linux-image version
* Add missing dependency of igb
* Fix mft build rule
* Add missing dependency of ixgbe
* [Broadcom]: Update OpenNSL modules to be compatible with kernel 3.16.0-5 (#3)
* [Nephos] Update SDK version to support new kernel module 3.16.0-5 (#4)
* [mellanox]: Update URL for SDK (#5)
2018-01-31 11:39:48 -08:00
pavel-shirshov
9e2facbdc9 [baseimage]: Install sysfsutils package into SONiC host system (#1290) 2018-01-10 03:04:32 -08:00
Joe LeVeque
0fffa6c63b
Add caclmgrd and related files to translate and install control plane ACL rules (#1240) 2018-01-09 17:55:10 -08:00
Qi Luo
f077f41ce9
Let debootstrap uses the same sources link as apt (#1279) 2018-01-03 22:22:58 -08:00
Taoyu Li
39a99e1a07 [image]: Explicitly specify kernel_version as string (#1280) 2018-01-03 21:43:06 -08:00
lguohan
15d433d975
[build]: allow to use http(s) proxy in the build (#1265)
* allow to use http(s) proxy in the build

To enable this, use following command
http_proxy=[your_proxy] https_proxy=[your_proxy] make
2017-12-23 23:34:15 -08:00
kaiyu22
63de341dd6 [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC (#1245)
* Add switch ASIC vendor and platforms for Nephos

- What I did
Add switch ASIC vendor: Nephos
Add Nephos platforms: Ingrasys S9130-32X, Ingrasys S9230-64X

- How I did it
Add platform/nephos files
Add platform/nephos/sonic-platform-modules-ingrasys submodule
Add device/ingrasys/x86_64-ingrasys_s9130_32x-r0 files
Add device/ingrasys/x86_64-ingrasys_s9230_64x-r0 files
Add SONiC to support Nephos platform

- How to verify it
To build SONiC installer image and docker images, run the following commands:
make configure PLATFORM=nephos
make target/sonic-nephos.bin
Check system and network feature is worked as well

- Description for the changelog
Add switch ASIC vendor and platforms for Nephos

- A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Sam Yang <yang.kaiyu@gmail.com>

* Advance sonic-sairedis submodule to include #271 (Add Nephos ASIC)
2017-12-22 10:04:29 -08:00
Samuel Angebault
7f25b94378 [aboot]: Add setfacl in the initramfs (#1185)
Arista platforms need the filesystem ACLs to be removed on boot to
prevent invalid permission to be set for new files.
2017-11-24 17:30:11 -08:00
Shuotian Cheng
b07886ec3c [build_debian]: Install grub-common in the base image (#1014) 2017-10-05 21:43:25 -07:00
ravijo2
458093fee5 Framework to plugin Organization specific scripts during ONIE Image build (#951)
* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* add getopt option to organization script
2017-09-19 16:23:31 -07:00
padmanarayana
6935e00909 [build/onie installer] Install grub for SONiC post migration from another NOS (#949)
* Install grub for SONiC post migration from another NOS

* Install grub from bundled debian package instead of using ONIE's. Address review comments
2017-09-17 11:41:29 -07:00
lguohan
116ba4b180 [baseimage]: allocate varlog disk in the initramfs stage (#936)
moving to initramfs unifies disk allocate on different platforms.
use fallocate instead of dd to speed up the disk allocation.

By default, mkfs.ext4 has -E discard option which discards the blocks
at the mkfs time, also speed up the initialization time.
2017-09-06 20:07:32 -07:00
Ying Xie
1a4f039f55 [quagga] enable core dump for bgpd and zebra (#927)
* [core dump] pass unix time to coredump-compress script

Currently we only have program name (e.g. bgpd) and PID in the core file
name. PID could collide especially after docker restart or recreate.

Passing the unix time to coredump-compress so it could also add time to
the core file name.

* [utilities] include the change to coredump_compress script

* [quagga] enable core dump for bgpd and zebra

bgpd and zebra downgrade their privilege shortly after started. For that
sysctrl kernel.suid_dumpable needs to be set to 2, so that they can dump
core.

Note that fs.suid_dumpable SHOULD NOT be set to 1. Which will bypass all
system security.
2017-08-30 09:41:47 -07:00
byu343
a92f5a9ffe Add arista-net initramfs hook (#899) 2017-08-19 21:32:10 -07:00
Qi Luo
9925aab2e6 Ignore return value of umount (#801)
* Ignore return value of umount

* Refine the umount process, more diagnostic info output
2017-07-12 01:28:36 -07:00
pavel-shirshov
3ac724ecb0 [baseimage]: Increase net.core.rmem_max to 2097152 (#767)
* Increase net.core.rmem_max to 2097152
2017-06-29 01:40:22 -07:00
Haiyang Zheng
9041288359 [build_debian]: Add dbus package to update timezone (#702)
Signed-off-by: Hiayang Zheng haiyang.z@alibaba.inc
2017-06-15 10:31:13 -07:00
Qi Luo
8ebf0b0832 Add monit for disk>85% into pmon docker (#582)
* Add monit for disk>85% into pmon docker

* Revert "Add monit for disk>85% into pmon docker"

This reverts commit 9cbbf591c08bce4b52a0f68cbbddae102d7fc614.

* Install monit in base image
2017-05-18 10:57:19 -07:00
Shuotian Cheng
8af03fd0f9 [orchagent]: Add ARP update script to maintain VLAN neighbors (#401)
- Extend ARP reachable time to 30min
- Add arping to docker-swss
- Add arp_update script to routinely probe neighbors

Signed-off-by: Shuotian Cheng <shuche@microsoft.com>
2017-05-15 17:06:19 -07:00
Qi Luo
2cfa289d3e Image version safely treats slash in branch name (#596) 2017-05-12 10:56:50 -07:00
pavel-shirshov
a5088ae9ec [debian]: Add kernel configuration to reboot on kernel soft lockup (#594) 2017-05-11 18:57:00 -07:00
pavel-shirshov
b26ec863e8 [docker-base]: Add less, strace, and configuration for vim (#591)
* Add less in docker-base. Add strace in docker_base_dbg.
* Make link vim to vim.tiny and have vim config file
2017-05-11 18:46:11 -07:00
pavel-shirshov
3af7c3a132 [debian]: Disable receiving default routes for ipv6 on mgmt interface (#588)
* Disable net.ipv6.conf.eth0.accept_ra_defrtr.
It will remain IPv6 working on mgmt interface, but it will disable receiving default routes
2017-05-10 17:39:51 -07:00
Andriy Moroz
b549adc36c [image]: SONiC-to-SONiC update (#464) 2017-04-21 17:23:36 -07:00
lguohan
fae53f7ea2 [build]: add commit id and build number in sonic_version (#508) 2017-04-16 01:17:22 -07:00
Marian Pritsak
6dbe979e5f [build]: Include SONiC version into installer. (#472)
* [build]: Include SONiC version into installer.

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* Append dirty if contains local changes

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* Update config

* Use correct name for kernel version field

* Update sysDescription.j2
2017-04-05 16:14:41 -07:00
Shuotian Cheng
e2cc409f8a [database]: Mount /var/run/redis/ folder from host for all dockers (#418)
- Create /var/run/redis/ folder on the host
- Install Python client for Redis on the host
- Mount /var/run/redis/ as read/write from host for all dockers
- Enable accessing the database everywhere including on the host and from remote

Signed-off-by: Shuotian Cheng <shuche@microsoft.com>
2017-03-23 12:18:52 -07:00
Shuotian Cheng
6a6bc88dcb [interfaces]: Remove bridge-utils from swss docker and add it to base image (#417)
The reason is that /etc/network/interfaces file is in base image. After booting,
docker-swss is not ready and thus the empty VLAN interfaces cannot be created
when the brctl is pointing to the binary inside the swss docker.

Add the bridge-utils into the base image and add bridge_ports none to the
/etc/network/interfaces file so that after boot-up the empty VLAN interfaces
will be created to let the members to join later.

Signed-off-by: Shuotian Cheng <shuche@microsoft.com>
2017-03-20 21:39:09 -07:00
pavel-shirshov
d7c70665de [baseimage]: Add kexec-tools package into the baseimage (#397)
* Include kexec-tools package which could be used for fast reboot

* Use sudo for sed
2017-03-15 18:38:55 -07:00
Qi Luo
d3891a2a42 Keep pip in the debian image (#356) 2017-03-02 16:04:18 -08:00
lguohan
b9b7d7a295 [installer]: support platform driver lazy installation (#340)
allow one image to support multiple switch devices, install
corresponding platform driver during the first boot time.
2017-02-27 13:08:41 -08:00
Taoyu Li
ea372cc7c1 Add get_graph service to fetch minigraph automatically (#288)
- Add a functionality to get SNMP community from DHCP (option 224)
- Add a functionality to get minigraph from http service instead of using default minigraph
  - The url for graph service is passed through DHCP option 225
  - This feature is by default disabled. Modify rule/config to enable it on build time, or modify /etc/sonic/graph_service_url on run time.
- Fix a bug that getting hostname from DHCP is not working correctly
2017-02-17 13:47:01 -08:00
lguohan
6119a58e4a [build_debian]: install deps in rootfs instead of just extracting the packages (#280)
packages contains post-install that needs to be performed
2017-02-10 07:39:05 -08:00
lguohan
8826beb597 [docker]: change hardcoded value to DOCKERFS_DIR for docker directory on the disk (#269) 2017-02-06 08:17:16 -08:00
Oleksandr Ivantsiv
793b842d60 Add DHCP client hook to update hostname. (#235)
* Add DHCP client hook to update hostname.

* Remove interface checking

* Update hostname in /etc/hosts file
2017-02-02 11:19:48 -08:00
lguohan
c2b4c870c6 remove fsroot after build (#228) 2017-01-31 22:05:24 -08:00
Oleksandr Ivantsiv
34ea91349c one image implementation (#215)
* Single image

* Fix review comments

* Update syncd service. Add HW mgmt to Mellanox single image.

* Add single image template for Broadcom platform.

SKU should be provided during configure:
make configure PLATFORM=broadcom SKU=Force10-S6000

* Add single image template for Cavium platform.

SKU should be provided during configure:
make configure PLATFORM=cavium SKU=AS7512

* Add description to sonic_debian_extension.j2 file.
2017-01-29 11:33:33 -08:00
byu343
6d8f57631b [Arista]: Add support to convert vfat file system to ext4 (#201)
This commit will convert the existing file system of flash drive on Arista switches from VFAT to EXT4 in the booting of SONiC. It will take the whole flash and therefore remove the recovery partition. There is a check in the script making sure that the conversion operation will not happen on a non-Arista switch or if the existing file system is not VFAT.
2017-01-23 22:25:47 -08:00
Qi Luo
930ee3f89d [baseimage] Install package without starting service (#171)
* Install package without starting service

* No need to mount /sys in chroot

* (comment)
2016-12-30 10:40:40 -08:00
lguohan
26930e5e17 install latest intel igb driver 5.3.5.4 in the base image (#167) 2016-12-28 19:05:09 -08:00
Marian Pritsak
e9098b99fb Build improvements (#80)
* Build improvements

Fix dependencies
Add configuration options
Automatically build sonic-slave

* Set default number of jobs to 1

* Auto generate target/debs directory

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* Automatically remove sonic-slave container after exit

* Silence clean-logs

* Add SONIC_CLEAN_TARGETS to clean

* Use second expansion for clean dependencies

* Avoid creating empty log files

Remove log file on flush instead of writing empty string

* Put dpkg install inside lock

Use same lock as debian install targets do to avoid
race condition in dpkg installation

* Remove redirect to log from docker save

* Add .platform dependency to all and clean targets

* Remove header and footer from clean targets

* Disable messages for SONIC_CLEAN_TARGETS

* Exit with error if dpkg-buildpackage fails

* Set new location for debs in build_debian.sh

* Add recipe for docker-database

* Update redis version to 3.2.4

* Add support for p4 platform

* Add recipe for snmpd

* Add slave targets to phony and make all target default

* Remove build.sh from thrift

* Add versioning to team, nl, hiredis and initramfs

* Change sonic-slave to support snmpd build from sources

* Remove src/tenjin

* Add recipe for lldpd

* Add recipe for mpdecimal

* Remove hiredis directory on rebuild

* Add recipe for Mellanox hw management

* Remove generic image from all targets for Mellanox

* Add support for python wheels

* Add lldp and snmp dockers

* Sync docker-database to include libjemalloc

* Fix asyncsnmp variable name

* Change default build configuration

Redirect output to log files by default
Set number of jobs to nproc value
Do not print dependencies
Fix logging to print log of failed job into console

* Use docker inspect to check if sonic-slave image exists

* Use config in slave.mk directly

* Disable color output by default

* Remove sswsdk dependency from lldp and snmp dockers

* Fix comment in py wheels install targets

* Add dependency between two versions of sswsdk

* Add containers to mellanox platform

lldp, snmp and database containers

* Add recipe for team docker

* Add team docker to mellanox platform

* Encrypt password passed to build_debian.sh

* Update mellanox SAI version

Make version and revision setting only in main recipe

* Fix error handling in makefiles

As makefiles use .ONESHELL we should add -e
option to shell options in order to exit after any command fails

* Add recipe for platform monitor image

* Add platfotm monitor to mellanox targets

* Ignore submodules when building base image
2016-12-05 11:12:19 -08:00
Qi Luo
af38c0e77d Config apt inside docker images to save disk space: auto clean, gz, no trans (#69) 2016-11-16 12:46:15 -08:00
lguohan
81d6382321 use seperate sources.list for debian base image build (#61) 2016-11-08 03:04:52 -08:00
Shuotian Cheng
27cddbcb62 build_debian: Enable IPv6 forwarding (#60)
Router behavior is assumed.
1. IsRouter flag is set in Neighbor Advertisements
2. Router Solicitations are not sent.
3. Router Advertisements are ignored.
4. Redirects are ignored.

ref: http://mirrors.deepspace6.net/Linux+IPv6-HOWTO/proc-sys-net-ipv6..html
2016-11-04 19:47:36 -07:00
Shuotian Cheng
5405b576e6 build_debian: Disable IPv6 DAD (#56)
This change disables DAD (IPv6's Duplicate Address Detection). DAD
protects against IP address conflicts. The way it works is that after
an address is added to an interface, the operating system uses the
Neighbor Discovery Protocol to check if any other host on the network
has the same address. If it finds a neighbor with the same address,
the address is removed from the interface.

The problem here is that the time waiting for DAD to be done is fairly
long and because that we set the host interface operating status to be
down at first, the port cannot exchange the Neighbor Discovery Protocol
and DAD will time out. The host interface is only brought up after we
have received the port admin status up notification from the kernel,
which happens only after the DAD is done or times out. This makes the
whole host interfaces bringing up procedure very slow.

This the DAD is disabled. When it is disabled, addresses are immediately
usable. Without DAD, we need to make sure that the IPv6 addresses don't
have conflicts. For now, we have two IPv6 addresses. One is assigned
manually, which prevents conflicts at first. Another one is the IPv6
link-local address. It is derived from the MAC address and thus all the
link-local addresses are the same on one box. Because link-local addresses
are not used, it will not trigger issues even if they are the same.
2016-11-03 12:15:25 -07:00
Marian Pritsak
51fa77fa8d Automatic fw upgrade for mlnx platform (#31)
* Automatic fw upgrade for mlnx platform

Implement script for firmware upgrade to required version
Add firmware binary and script to ops-syncd-mlnx container
Add pciutils and usbutils to sonic-generic.bin

* Update firmware installation message

It is possible to do both upgrade and downgrade
Change "Upgrading" to "Installing compatible version"

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2016-10-18 11:40:20 -07:00
Denys Haryachyy
9c3b7ccaf7 Add support for cavium SAI (#5) 2016-09-25 21:48:25 -07:00
Qi Luo
83c48fe9fc Rename hostname (#6) 2016-09-15 15:22:29 -07:00
John Arnold (AZURE)
4843e0671f Changed ACS references to SONiC in image, added timestamp to base image volume label 2016-09-07 18:36:14 -07:00
Qi Luo
e4bd20c18a Squash merge master (11de390) 2016-08-04 10:39:33 -07:00
Qi Luo
a79966998a Squash merge latest code to github branch 2016-07-26 12:01:58 -07:00
Qi Luo
85f354b77b Sqush merge latest code to github branch 2016-05-27 13:35:44 -07:00
Qi Luo
931fced027 Remove dependency apt-transport-sftp 2016-03-22 21:03:27 -07:00
Qi Luo
462208b23b Build Arista Aboot image 2016-03-15 23:38:26 -07:00
Qi Luo
8228558d38 New release v1.0.0 2016-03-08 11:42:20 -08:00