Commit Graph

3827 Commits

Author SHA1 Message Date
Petro Bratash
4031791b4e [lldp]: Add verification IPv4 address on LLDP conf Jinja2 Template (#5699)
Fix #5812

LLDP conf Jinja2 Template does not verify IPv4 address and can use IPv6 version. This issue does not affect control LLDP daemon. Issue can be reproduced via `test_snmp_lldp` test. LLDP conf Jinja2 Template selects first item from the list of mgmt interfaces.

TESTBED_1 LLDP conf

```
configure ports eth0 lldp portidsubtype local eth0
configure system ip management pattern FC00:3::32
configure system hostname dut-1
```
TESTBED_2 LLDP conf

```
configure ports eth0 lldp portidsubtype local eth0
configure system ip management pattern 10.22.24.61
configure system hostname dut-2
```
TESTBED_1 MGMT_INTERFACE

```
$ redis-cli -n 4 keys "*" | grep MGMT_INTERFACE
MGMT_INTERFACE|eth0|10.22.24.53/23
MGMT_INTERFACE|eth0|FC00:3::32/64
```
TESTBED_2 MGMT_INTERFACE

```
$ redis-cli -n 4 keys "*" | grep MGMT_INTERFACE
MGMT_INTERFACE|eth0|FC00:3::32/64
MGMT_INTERFACE|eth0|10.22.24.61/23
```

Signed-off-by: Petro Bratash <petrox.bratash@intel.com>
2021-02-11 15:34:06 -08:00
Volodymyr Samotiy
4742eaacc3
[201911][Mellanox] Update SDK to 4.4.2318, FW to *.2008.2312 (#6752)
To have the following fixes:
* All | Port status remains down after warm boot and flapping the port on peer side
* All | LAG HASH  | IPv6 SRC_IP is not accounted in LAG hashing [
* All | ASIC driver | Kernel crash observed when driver reload is initiated before it fully loaded
* Spectrum-3 | Buffer | In lossless configuration, headroom is been evicted only when the shared buffers is free

Signed-off-by: Volodymyr Samotiy <volodymyrs@nvidia.com>
2021-02-10 23:28:33 -08:00
Lior Avramov
eed13d9d53
[submodule] update sonic-sairedis (#6748)
af0d084 2021-02-08 [sairedis] Add get response timeout knob (#776)

Signed-off-by: liora <liora@nvidia.com>
2021-02-10 23:25:41 -08:00
Samuel Angebault
6cc5c93484
[arista]: Update Arista driver submodules (#6670)
On the DCS-7060CX-32S, a SEU can happen on a CPLD which by default would reboot the platform.
Other SEU scenarios are already handled but this one was missed since it's specific to this platform.
It's a pretty rare case which will now be reported in the syslog the same way others are.
2021-02-10 23:15:55 -08:00
Stepan Blyshchak
313bfdfc4c
[Mellanox][SAI] update submodule pointer (#6730)
Include SAI bug fixes:

Apply device MAC on port host interface when port is removed from LAG.
[Shared Headroom]: fixed watermark handling for SHP flow
Decrease verbosity of policer unbind message when no policer is attached

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
2021-02-09 14:47:41 -08:00
Andriy Kokhan
33995efed5
[BFN] Updated SAI/SDK packages to 20210128 (#6595)
Signed-off-by: Andriy Kokhan <andriyx.kokhan@intel.com>

Co-authored-by: Andriy Kokhan <andriyx.kokhan@intel.com>
2021-02-04 09:24:52 -08:00
abdosi
fede95da19 Fix Allow prefix Delete case (#6671)
When we add allow-list key with action above route-map gets updated. For e.g. if we add deny action above template will become to no-export community. Now if we delete the key Issue is we still keep the no-export and do not move back to drop community.

This PR fixes this issue by rolling back default route-map community value back to constants.yml default action.
2021-02-04 09:04:13 -08:00
Eran Dahan
9c9f0453f9
[MLNX] update SAI submodule (#6666)
**Why I did it**
Disable SDK extended dump due to issue found

**How I did it**
Update SAI submodule

**How to verify it**
Verify the SDK extended dump is not called.

Signed-off-by: Eran Dahan <erand@nvidia.com>
2021-02-04 09:03:51 +02:00
Guohan Lu
418665cede [ci]: further clean up the source directory before checkout
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-02-03 15:41:24 -08:00
xumia
6fc6346263 [ci]: Cleanup fsroot before checking out code (#6639)
Signed-off-by: Guohan Lu <lguohan@gmail.com>
Co-authored-by: Guohan Lu <lguohan@gmail.com>
2021-02-03 15:41:20 -08:00
arlakshm
a750f89630 [multi asic] add ip netns identify command to sudoer (#6591)
Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>

- Why I did it
The command sudo ip netns identify <pid> is used in function get_current_namespace
to check if the cli command is running in host context or within a namespace.

This function is used for every CLI command and command sudo ip netns identify <pid> needs to be added in sudoer files to allow users with RO access to run show cli commands

This problem is not there on single asic platforms.

- How I did it
Add ip netns identify [0-9]* to sudoers file.
2021-02-02 10:32:59 -08:00
Abhishek Dosi
075bab813c [submodule update] sonic-sairedis
1f6982d786292390cf0dc7a3da936e035b7685e4 (HEAD -> 201911, origin/201911) [201911 Flex Counters] Add PFC pause duration counters in microseconds (#785)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-02-02 09:17:55 -08:00
Guohan Lu
3479308117 [ci]: cleanup source directory upon checkout
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-30 23:09:39 -08:00
Guohan Lu
67754a843a [ci]: reset the repo
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-30 06:28:55 -08:00
lguohan
fcf93dda12
[sonic-linux-kernel]: kernel security update to 4.9.246 (#6545)
* [sonic-linux-kernel]: kernel security update to 4.9.246
* [Arista] Update driver submodule (#60)
     Update kernel dependency to 4.9.0-14-2

Signed-off-by: Guohan Lu <lguohan@gmail.com>
Co-authored-by: Samuel Angebault <angebault.samuel@gmail.com>
2021-01-28 08:46:07 -08:00
abdosi
95bcefa7c9
[201911] Fix PTF Docker Build Error (#6583)
We are hitting the issue as described pypa/pip#9520.
Fix to use get_pip.py from 2.7 repo.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-28 02:19:12 -08:00
Lawrence Lee
e9cab58c2d [minigraph.py]: Check for empty cluster tag before parsing (#6440)
Some non-production minigraphs will have an empty ClusterName tag

Signed-off-by: Lawrence Lee <lawlee@microsoft.com>
2021-01-27 17:52:20 -08:00
Abhishek Dosi
8606d78688 [submodule update] sonic-utilities
d324eaec945081f8718468b39a8cf12dae965fd5 (HEAD -> 201911, origin/201911) [PFCWD] Fix 'start' pfcwd command (#1345)
235c61cccbbbb1f948f53b561c98888681b7071a [ecnconfig] handle backend port names when extracting port I/F ID from the port name (#1361)
7f5c3b497148fdd8e710131c5ac3f9f0a5f2cddf Drop explict 3 seconds pause between two object updates/deletes. (#1359)
12c899207917751eac719916be69c0078671963d add vlan_intf_object only if there are ipv4 or ipv6 mappings (#1377)
52ce2c32bf4e267d043a739641f5eefba3f3910f Add  subcommand description to interfaces counters (#1373)
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 17:35:01 -08:00
Abhishek Dosi
1f326ca7e7 [submodule update] sonic-swss
5aa80a0f7b27204e7cc23d99ba24ea716f5fb32f (HEAD -> 201911, origin/201911) [logfile]: Add option to specify swss rec file name (#1546)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 17:21:15 -08:00
arlakshm
3cd536bb45 [Multi Asic] support of swss.rec and sairedis.rec for multi asic (#6310)
Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan arlakshm@microsoft.com

- Why I did it
This PR has the changes to support having different swss.rec and sairedis.rec for each asic.
The logrotate script is updated as well

- How I did it

Update the orchagent.sh script to use the logfile name options in these PRs(Azure/sonic-swss#1546 and Azure/sonic-sairedis#747)
In multi asic platforms the record files will be different for each asic, with the format swss.asic{x}.rec and sairedis.asic{x}.rec

Update the logrotate script for multiasic platform.
2021-01-27 17:12:32 -08:00
bingwang-ms
869b3bc415 [bgpmon]: Fix exception in bgpmon caused by duplicate bgp neighbor ID (#6546)
* Fix exception in bgpmon caused by duplicate keys
It is possible that BGP neighbors in IPv4 and IPv6 address families
share the same name (such as bgp monitor). However, such case is not
handled in bgpmon, and an Exception will be raised. This commit will
address the issue by using set instead of list to avoid duplicate keys.
2021-01-27 17:08:52 -08:00
abdosi
9779560b63 [baseimage]: Updates for Ebtables and support for multi-asic (#6542)
Following changes were done for ebtables:

- Support for Multi-asic platforms. Ebtable filters are installed in namespace for multi-asic and not host. On Single asic installed on  host.

- For Multi-asic platforms we don't want to install on host otherwise Namespace-to-Namespace communication does not happen since ARP Requests are not forwarded.

- Updated to use text file to restore ebtables rules than the binary format. Rules are restored as part of Database docker init instead of rc.local

- Removed the ebtable service files for buster as not needed as filters are restored/installed as part of database docker init.
   All the binaries are pre-installed with ebtables* binary are same as ebtables-legacy-*

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 16:59:10 -08:00
arheneus@marvell.com
e9d3d96c69 [ebtbles] Replace binary config file to text config file for ebtables (#5252)
Issue: Binary ebtables config file is CPU arch dependent
Fix: Load the text config during first-time boot and
     Generate the binary persistent atomic file

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2021-01-27 16:57:41 -08:00
Guohan Lu
cc998f3059 [build]: fix dpkg uninstall bug
fix a bug when there are multiple debian packages to be uninstalled

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-27 14:08:36 -08:00
lguohan
22a19e87aa [build]: wait for conflicts package to be uninstalled (#5039)
when parallel build is enabled, both docker-fpm-frr and docker-syncd-brcm
are built at the same time, docker-fpm-frr requires swss which requires to
install libsaivs-dev. docker-syncd-brcm requires syncd package which requires
to install libsaibcm-dev.

since libsaivs-dev and libsaibcm-dev install the sai header in the same
location, these two packages cannot be installed at the same time. Therefore,
we need to serialize the build between these two packages. Simply uninstalling
the conflict package is not enough to solve this issue. The correct solution
is to have one package wait for another package to be uninstalled.

For example, if syncd is built first, then it will install libsaibcm-dev.
Meanwhile, if the swss build job starts and tries to install libsaivs-dev,
it will first try to query if libsaibcm-dev is installed or not. if it is
installed, then it will wait until libsaibcm-dev is uninstalled. After syncd
job is finished, it will uninstall libsaibcm-dev and swss build job will be
unblocked.

To solve this issue, _UNINSTALLS is introduced to uninstall a package that
is no longer needed and to allow blocked job to continue.

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-27 14:07:30 -08:00
Abhishek Dosi
16233ad877 [Submodule update] sonic-swss
0b662807d6c3e23349ef3ce4cd63c961c991fd09 (HEAD -> 201911, origin/201911) [201911-SWSS] Change Error log to NOTICE log for FDB flush notification failure (#1593)
4db83289f60f307788106143a3be43f66da3458f [pfcwd] Update PFC storm detection logic for Mellanox platforms (#1587)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 13:56:34 -08:00
lguohan
8bcdefbc34 [docker-orchagent]: make build depends only on sairedis package (#6467)
backport c4b5b002c3

make swss build depends only on libsairedis instead of syncd. This allows to build swss without depending
on vendor sai library.

Currently, libsairedis build also builds syncd which requires vendor SAI lib. This makes it difficult to build
swss docker in buster while still keeping syncd docker in stretch, as swss requires libsairedis which also
build syncd and requires vendor to provide SAI for buster. As swss docker does not really contain syncd
binary, so it is not necessary to build syncd for swss docker.

[submodule]: update sonic-sairedis
1e42517996bfe41ac58d4c25ee3f93502befcb9d (HEAD -> 201911) [build]: add option to build without syncd

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-27 13:51:24 -08:00
zzhiyuan
511541f7f0
[Arista] Use thermalctld instead of fancontrol (#6173)
**- Why I did it**
There is a preference to use thermalctld instead of fancontrol for 201911 release branch. The Arista platform submodule updates and thermal policies in the platforms will allow Arista devices to use thermalctld instead of fancontrol.

**- How I did it**
I cherry-picked the necessary commits from master branch for sonic-platform-modules-arista into 201911 branch. I've also added the file to skip fancontrol and added the thermal policies json.

**- How to verify it**
On Gardena, Upperlake, Clearlake, and Lodoga thermalctld is up and running with no errors. Fans show ~29%.

Co-authored-by: Zhi Yuan Carl Zhao <zyzhao@arista.com>
2021-01-27 08:31:32 -08:00
Kebo Liu
35d93ff8a3
[201911][Mellanox] Add hw-mgmt patch to support SDK OFFLINE event handling during ISSU (#6551)
In order to prevent "mlxsw_minimal" driver accessing ASIC during in
service firmware upgrade flow, SDK will raise "OFFLINE" 'udev' event
at early beginning of such flow. When this event is received,
hw-management will remove "mlxsw_minimal" driver.
There is no need to implement opposite "ONLINE" event, since this flow
is ended up with "kexec".

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2021-01-26 16:49:13 -08:00
Kebo Liu
687e1b9931
[mellanox]: Update SDK to 4.4.2308, FW to *.2008.2308 (#6553)
Bugs fixes:
    All | Kernel | During system reload when CPU is loaded with heavy traffic, a Kernel Panic may occur.
    All | Modules, Port split | FW stuck when device rebooted with locked Optical Transceivers in split mode
    Spectrum-3 | PFC | On Spectrum-3 systems, slow reaction time to Rx pause packets on 40GbE ports may lead to buffer overflow on servers.
    Spectrum-3 | SN4700, Port Split | On rare occasion SN4700, conducting 100G split (4x25G) in NRZ when splitter port 1 or 2 are down, ports 3 and 4 will also go down.

Enhancements:
    All | Kernel | new notification on ISSU start, so other kernel drivers can disable any interface to ASIC

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2021-01-25 20:10:15 -08:00
lguohan
a90eac73bf [mellanox]: fix mellanox hw-management build (#6471)
use dpkg-buildpackage build with fakeroot

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 12:44:50 -08:00
Tamer Ahmed
c5bd46f857 [dhcp-relay]: Launch DHCP Relay On L3 Vlan (#6527)
Recent changes brought l2 vlan concept which do not have DHCP
clients behind them and so DHCP relay is not required. Also,
dhcpmon fails to launch on those vlans as their interfaces
lack IP addresses. This PR limits launch of both DHCP relay
and dhcpmon to L3 vlans only.

Signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2021-01-25 12:38:16 -08:00
Abhishek Dosi
0a537f755b Revert "[submodule update] sonic-linux-kernel"
This reverts commit 629a9b2545.
2021-01-25 11:20:49 -08:00
Abhishek Dosi
629a9b2545 [submodule update] sonic-linux-kernel
35fec8528bbf3fad9451554de16922f8c59dda4 (HEAD -> 201911, origin/201911) [201911]: security update kernel to 4.9.246 (#188)
d992e63eee24a6a598e58c8b2b468e5440ae56f0 [ci]: add azure pipeline for 201911 (#189)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-25 11:01:47 -08:00
Guohan Lu
93e513d5de [build]: make libsaivs-dev depends on libsaivs
install libsaivs-dev will trigger install libsaivs

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 09:45:31 -08:00
Guohan Lu
1fbaec8b3f [ci]: add azure pipeline yaml
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 09:45:31 -08:00
lguohan
570976380a [build]: setup -t option in docker run correctly (#6320)
use bash -t test flag to check if input device is tty or not

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 09:45:31 -08:00
lguohan
b41944a93d [build]: fix dpkg admindir corruption issue in parallel build (#6408)
Fix #119

when parallel build is enabled, multiple dpkg-buildpackage
instances are running at the same time. /var/lib/dpkg is shared
by all instances and the /var/lib/dpkg/updates could be corrupted
and cause the build failure.

the fix is to use overlay fs to mount separate /var/lib/dpkg
for each dpkg-buildpackage instance so that they are not affecting
each other.

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 09:45:31 -08:00
lguohan
50550c1637 [build]: change user name to lower case when used in sonic-slave tag (#6319)
sonic-slave tag only allows all lower case. In case the user
name is mixed case, we need to change user name to all lower case.

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-01-25 09:45:31 -08:00
abdosi
01871c46dc
[baseimage]: pin down pip to 20.3.3 (#6539)
With the release of pip21.0 (https://pypi.org/project/pip/#history) on branch 201911 stretch build is failing with below error logs:
As per https://pypi.org/project/pip/ pip21.0 does not support python2 from Jan 2021. To fix this tag the pip to 20.3.3 version which was being used last and is working fine.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-23 16:34:39 -08:00
abdosi
a87f56cce9 Updated BBR to use peer group name as prefix. (#6515)
To make BBR configured for peer-group if its name starts with (is prefixed with) the string defined in constants.yml instead of exact string match.
2021-01-22 14:26:04 -08:00
pavel-shirshov
beaaf3316d [docker-frr]: Use egrep with regexp to match correct TSA rules (#6403)
**- Why I did it**
Earlier today we found a bug in the SONiC TSA implementation.
TSC shows incorrect output (see below) in case we have a route-map which contains TSA route-map as a prefix.
```
admin@str-s6100-acs-1:~$ TSC
Traffic Shift Check:
System Mode: Not consistent
```
The reason is that TSC implementation has too loose regexps in TSA utilities, which match wrong route-map entries:
For example, current TSC matches following
```
route-map TO_BGP_PEER_V4 permit 200
route-map TO_BGP_PEER_V6 permit 200
```
But it should match only
```
route-map TO_BGP_PEER_V4 permit 20
route-map TO_BGP_PEER_V4 deny 30
route-map TO_BGP_PEER_V6 permit 20
route-map TO_BGP_PEER_V6 deny 30
```

**- How I did it**
I fixed it by using egrep with `^` and `$` regexp markers which match the beginning and end of the line.

**- How to verify it**
1. Add following entry to FRR config:
```
str-s6100-acs-1# 
str-s6100-acs-1# conf t
str-s6100-acs-1(config)# route-map TO_BGP_PEER_V4 permit 200 
str-s6100-acs-1(config-route-map)# end
```
2. Use the TSC command and check output. It should show normal.
```
admin@str-s6100-acs-1:~$ TSC
Traffic Shift Check:
System Mode: Normal
```
2021-01-20 10:37:10 -08:00
Abhishek Dosi
c9e91105fa [submodule update] sonic-py-swsssdk
[configdb] Remove call to "bgsave" from table update (#86)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-20 10:30:56 -08:00
Stephen Sun
9e90fac18b
[201911] Advance submodule head for sonic-utilities (#6379)
[Submodule update] sonic-utilities
- [db_migrator][201911] Support shared headroom in db_migrator on Mellanox platform (#1261)
- Multi-ASIC support show ip/v6 route additional parameters (#1333)

Signed-off-by: Stephen Sun <stephens@nvidia.com>
2021-01-15 08:29:11 -08:00
Kebo Liu
4c17298d74
[sonic-linux-kernel]: Update sonic-linux-kernel repo to pick up new patches (#6434)
To pick up new commits from sonic-linux-kernel repo:

[201911] Backport patches to increase critical threshold for ASIC and validate transceiver temperature 2f173b45da29f3643212d6c9111db321797453ec Azure/sonic-linux-kernel@2f173b4

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2021-01-13 10:29:37 -08:00
Junchao-Mellanox
88c9bec14a
[submodule][201911] Update sonic-snmpagent (#6354)
b8f0c3a [snmpagent] [201911] Fix hardcoded qsfp lane count by reading sensor status from DB (#183)

**- Why I did it**

Update submodule pointer for snmpagent to include fix for hardcoded qsfp lane count

**- How I did it**

Update snmpagent submodule

**- How to verify it**

Run build.
2021-01-12 13:15:25 -08:00
Renuka Manavalan
b346a3a699 Take a copy of existing TACACS credentials and restore it during upgrade (#6285)
In scenario where upgrade gets config from minigraph, it could miss tacacs credentials as they are not in minigraph. Hence restore explicitly upon load-minigraph, if present.

- Why I did it
Upon boot, when config migration is required, the switch could load config from minigraph. The config-load from minigraph would wipe off TACACS key and disable login via TACACS, which would disable all remote user access. This change, would re-configure the TACACS if there is a saved copy available.

- How I did it
When config is loaded from minigraph, look for a TACACS credentials back up (tacacs.json) under /etc/sonic/old_config. If present, load the credentials into running config, before config-save is called.

- How to verify it
Remove /etc/sonic/config_db.json and do an image update. Upon reboot, w/o this change, you would not be able to ssh in as remote user. You may login as admin and check out, "show tacacs" & "show aaa" to verify that tacacs-key is missing and login is not enabled for tacacs.
With this change applied, remove /etc/sonic/config_db.json, but save tacacs & aaa credentials as tacacs.json in /etc/sonic/. Upon reboot, you should see remote user access possible.
2021-01-09 08:13:52 -08:00
pavel-shirshov
f4245fb18d [bgpcfgd]: Support default action for "Allow prefix" feature (#6370)
* Use 20 and 30 route-map entries instead of 2 and 3 for TSA

* Added support for dynamic "Allow list" default action.

Co-authored-by: Pavel Shirshov <pavel.contrib@gmail.com>
2021-01-08 15:12:52 -08:00
Stephen Sun
386f4e190a
[Mellanox] [201911] Support shared headroom pool (#5908)
2021-01-07 09:20:22 +02:00
abdosi
a3d093a82a Updated imfile configuration for supervisord logs (#6368)
Updated imfile configuration for supervisord logs for stretch and buster.
2021-01-06 18:48:24 -08:00