Commit Graph

8277 Commits

Author SHA1 Message Date
mssonicbld
c8dfe5cd07
[submodule] Update submodule sonic-platform-daemons to the latest HEAD automatically (#16182) 2023-08-21 14:54:09 +08:00
mssonicbld
bc073f0af3
[submodule] Update submodule sonic-gnmi to the latest HEAD automatically (#16218) 2023-08-21 14:42:14 +08:00
mssonicbld
c3831d556c
[submodule] Update submodule sonic-utilities to the latest HEAD automatically (#16159) 2023-08-20 15:42:24 +08:00
mssonicbld
363dd0ba9b
[submodule] Update submodule dhcpmon to the latest HEAD automatically (#16197) 2023-08-20 15:33:53 +08:00
mssonicbld
c64728525d
[submodule] Update submodule sonic-swss-common to the latest HEAD automatically (#16128) 2023-08-20 15:27:34 +08:00
mssonicbld
1e648daa84
[submodule] Update submodule sonic-gnmi to the latest HEAD automatically (#16167) 2023-08-20 15:19:36 +08:00
mssonicbld
54c5f2fa7b
[submodule] Update submodule sonic-mgmt-common to the latest HEAD automatically (#16200) 2023-08-20 15:03:42 +08:00
mssonicbld
ca40b00351
[submodule] Update submodule sonic-platform-common to the latest HEAD automatically (#16155) 2023-08-20 14:57:55 +08:00
mssonicbld
ec91ff30c9
[ci/build]: Upgrade SONiC package versions 2023-08-20 14:32:25 +08:00
Ye Jianquan
5204bfb5e5
Revert "Remove privileged flag for database and snmp docker (#13783)" (#16210)
This reverts commit cf72683f12.
2023-08-19 21:03:42 +03:00
judyjoseph
0bd8c3bf11
sudo not required explicitly as /bin/ip netns identify is part of READ_ONLY_CMDS in sudoers file (#16115)
Why I did it
Few commands in multiasic platforms, when run with the "sudo ip netns exec asic0 " option, were taking like 15 mins to get the o/p. This behavior of sudo getting hung was seen by just doing this:

jujoseph@svcstr-server-2:~ sudo ip netns exec asic0 bash
jujoseph@svcstr-server-2:~ sudo ls

Ideally sudo is not needed as we have /bin/ip netns identify present in /etc/sudoers file. Hence removing it.
2023-08-18 14:25:41 -07:00
Aaron Payment
a4098de529
Misc platform improvements for DCS-7060DX5-64S (#13875)
* sonic-buildimage: Add 7060DX5-64S brcm tunnel config

Add bcm_tunnel_term_compatible_mode: 1 support, which allows
Loopback configuration to no longer result in SAI failure
"tunnel terminator add failed with error Feature unavailable"
that caused Orchagent SIGABRT

Signed-off-by: Aaron Payment <aaronp@arista.com>

* sonic-buildimage: Set port config ENABLE:0 in 7060DX5-64S brcm config

Set ENABLE:0 for the front panel ports in the brcm config so that the
ports are default admin down. This change prevents the issue that ports
are able to link up and pass traffic resulting in mac learn events after
SAI create switch and before SAI admin state up. The unexpected mac learn events
resulted in Orch agent crash in PortsOrch init, which occurs after SAI
create switch and before SAI admin state up.

* fix sensors.conf on CatalinaDD

* Add support for two sfp ports

* Add copper 50g tuning to babbagelp on catalina

---------

Signed-off-by: Aaron Payment <aaronp@arista.com>
Co-authored-by: enes.oncu <enes.oncu@arista.com>
Co-authored-by: Boyang Yu <byu@arista.com>
2023-08-18 13:05:05 -07:00
Marty Y. Lok
a28352e781
[Nokia][DeviceData] Update the Nokia platform IXR-7250E device data (#16028)
Why I did it
Update the platform_reboot of Nokia Platform IXR-7250E-36x400G to display the correct reboot-cause history when rebooting from the supervisor card.

Work item tracking
Microsoft ADO (number only):
How I did it
Modify the platform_reboot script to copy the correct reboot-cause.txt file from NDK to the /host/reboot-cause directory at the down cycle when the reboot is issued from Supervisor (for both reboot right after installing a new image and normal reboot).

Signed-off-by: mlok <marty.lok@nokia.com>
2023-08-17 16:35:21 -07:00
Mai Bui
6c96b29484
[docker-teamd] limit privileged flag for teamd container (#15829)
Signed-off-by: Mai Bui <maibui@microsoft.com>
2023-08-17 09:48:57 -07:00
Saikrishna Arcot
5723ba29e4
Remove depot_tools repo (#16114)
It appears that this was initially added to provide the git-retry
command (which doesn't appear to be used today). However, this repo is
now also providing bazel (which is actually used in our build today),
and this command (along with git-retry) expects some vpython3 binary to
be set up/installed.

Rather than going through that, just get rid of this repo.
2023-08-16 14:18:50 -07:00
Vivek
d4923615d6
[Mellanox] [SN4410] Support new breakout modes for PAM4 (#15668)
- Why I did it
Add new breakout modes to be used in PAM4 supported cables

- How I did it

- How to verify it
Verified the 50G per lane breakout modes are applied properly on the switch

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-08-16 08:30:33 +03:00
Mai Bui
030c57200d
[docker-lldp] limit privileged flag for lldp container (#15830)
#### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420

#### How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN capability
2023-08-15 11:27:12 -07:00
Andriy Dobush
cf72683f12
Remove privileged flag for database and snmp docker (#13783)
#### Why I did it
Reduce docker privilege 
This is part of HLD https://github.com/sonic-net/SONiC/pull/1364

#### How I did it
Remove flag --privileged
#### How to verify it
```
docker exec -it database bash
root@0048b82b460b:/# ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted
```
2023-08-15 11:18:50 -07:00
Kebo Liu
1626e198a8
[Mellanox] Update SDK/FW/SAI to 4.6.1020/2012.1020/SAIBuild2305.25.0.3 (#16096)
SONiC changes:
1. Support Spectrum4 ASIC FW binary building.
2. Support new SDK sx-obj-desc lib building since new SAI needs it.
3. Remove SX_SCEW debian package from Mellanox SDK build since we are no longer using it (we use libxml2 instead).
4. Update SAI, SDK, FW to version 4.6.1020/2012.1020/SAIBuild2305.25.0.3

SDK/FW bug fixes
1. In SPC-1 platforms: Fastboot mode is not operational for Split port with Force mode in 50G speed
SFP modules are kept in disabled state after set LPM (low power mode) on/off for at least 3 minutes.
2. When performing fast boot from an old SDK version (currently installed) to a newer one (target version), and the system was initially loaded with a new SDK version (past version), and the system has not been wiped, under specific conditions, the fast boot would use the past version's data and may fail.

SDK/FW Features
1. On SN2700 all ports can support y cable by credo

SAI bug Fixes
1. When creating an ACL rule with SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP/SAI_ACL_ENTRY_ATTR_FIELD_DST_IP enabled, and then disabling the field by setting enable=false, a match on L3_type=IPv4 will remain programmed for the rule. Issue resolved after the fix.
2. Allow the max scale of virtual routers to be configured for SPC-1, SPC-2, SPC-3 when fastboot is enabled
3. Remove default hash key of SRC_MAC, DST_MAC and ETH_TYPE

SAI features
1. Port init profile

- How I did it
Update SDK/FW/SAI make files

- How to verify it
Run full sonic-mgmt regression on Mellanox platform

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2023-08-15 15:32:52 +03:00
mssonicbld
4acaaf8179
[submodule] Update submodule sonic-swss to the latest HEAD automatically (#16157) 2023-08-15 15:07:17 +08:00
Kebo Liu
5aa2417c71
[Mellanox] Update MFT to newer version 4.25.0-62 (#16149)
- Why I did it
Update Mellanox MFT tool to version 4.25.0-62

- How I did it
Update the MFT tool make file

- How to verify it
Run full sonic-mgmt regression.

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2023-08-15 09:49:19 +03:00
Zhaohui Sun
286ec3edbf
Change orchagent pop batch size from 8192 to 1024 (#16125)
### Why I did it
Background running lua script may cause redis-server quite busy if batch size is 8192.
If handling time exceeded default 5s, the redis-server will not respond to other processes and will cause syncd crash.

```
Aug  9 07:46:29.512326 str-s6100-acs-5 INFO database#supervisord: redis 68:M 09 Aug 2023 07:46:29.511 # Lua slow script detected: still in execution after 5186 milliseconds. You can try killing the script using the SCRIPT KILL command. Script SHA1 is: 88270a7c5c90583e56425aca8af8a4b8c39fe757
Aug  9 07:46:29.523716 str-s6100-acs-5 ERR syncd#syncd: :- checkReplyType: Expected to get redis type 5 got type 6, err: BUSY Redis is busy running a script. You can only call SCRIPT KILL or SHUTDOWN NOSAVE.
Aug  9 07:46:29.524818 str-s6100-acs-5 INFO syncd#supervisord: syncd terminate called after throwing an instance of '
Aug  9 07:46:29.525268 str-s6100-acs-5 ERR pmon#CCmisApi: :- checkReplyType: Expected to get redis type 5 got type 6, err: BUSY Redis is busy running a script. You can only call SCRIPT KILL or SHUTDOWN NOSAVE.
Aug  9 07:46:29.526148 str-s6100-acs-5 INFO syncd#supervisord: syncd std::system_error'
Aug  9 07:46:29.528308 str-s6100-acs-5 ERR pmon#psud[32]: :- checkReplyType: Expected to get redis type 5 got type 6, err: BUSY Redis is busy running a script. You can only call SCRIPT KILL or SHUTDOWN NOSAVE.
Aug  9 07:46:29.529048 str-s6100-acs-5 ERR lldp#python3: :- guard: RedisReply catches system_error: command: *2#015#012$3#015#012DEL#015#012$27#015#012LLDP_ENTRY_TABLE:Ethernet37#015#012, reason: BUSY Redis is busy running a script. You can only call SCRIPT KILL or SHUTDOWN NOSAVE.: Input/output error
Aug  9 07:46:29.529720 str-s6100-acs-5 ERR snmp#python3: :- guard: RedisReply catches system_error: command: *2#015#012$7#015#012HGETALL#015#012$28#015#012COUNTERS:oid:0x100000000000a#015#012, reason: BUSY Redis is busy running a script. You can only call SCRIPT KILL or SHUTDOWN NOSAVE.: Input/output error
```

88270a7c5c90583e56425aca8af8a4b8c39fe757 is /usr/share/swss/consumer_state_table_pops.lua
##### Work item tracking
- Microsoft ADO **24741990**:

#### How I did it
Change batch size from 8192 to 1024.
#### How to verify it
Run all test cases in sonic-mgmt to verify the system stability.

### Tested branch (Please provide the tested image version)

- [x] 20220531.36
2023-08-14 17:49:49 -07:00
Nonodark Huang
1acafa4873
[Ufispace][PDDF] Add PDDF support on S9110-32X, S8901-54XC, S7801-54XS and S6301-56ST (#16017)
Why I did it
Add PDDF support on following Ufispace platforms with Broadcom ASIC

S9110-32X
S8901-54XC
S7801-54XS
S6301-56ST
How I did it
Add PDDF configuration files, scripts and python files

How to verify it
Run pddf commands and show commands.

Signed-off-by: nonodark <ef67891@yahoo.com.tw>
2023-08-14 15:56:03 -07:00
Saikrishna Arcot
dfe5ea6e52
Fix the clean target reporting "Is a directory" error (#16029)
### Why I did it

Since directories are being removed, the `-r` flag is required.

Fixes #15922

##### Work item tracking
- Microsoft ADO **(number only)**: 24752770
2023-08-14 10:00:30 -07:00
mssonicbld
7bea886f1d
[submodule] Update submodule sonic-utilities to the latest HEAD automatically (#16123)
#### Why I did it
src/sonic-utilities
```
* 5b492d54 - (HEAD -> master, origin/master, origin/HEAD) [chassis][voq] clear: Fix clear queuecounters to also clear VOQ counters (#2878) (2 days ago) [Patrick MacArthur]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-14 18:32:40 +08:00
Zhijian Li
ab7c4ee661
[Celestica-E1031] Enable CPU watchdog (#16083)
Enable CPU watchdog on Celestica-E1031.
2023-08-13 21:33:19 -07:00
mssonicbld
34bad34495
[submodule] Update submodule sonic-platform-common to the latest HEAD automatically (#16122) 2023-08-13 14:59:45 +08:00
mssonicbld
2547968d3c
[submodule] Update submodule sonic-swss to the latest HEAD automatically (#16080) 2023-08-13 14:54:22 +08:00
mssonicbld
ae48f7db6b
[submodule] Update submodule linkmgrd to the latest HEAD automatically (#16121) 2023-08-12 14:42:38 +08:00
mssonicbld
388f5c51fe
[submodule] Update submodule sonic-sairedis to the latest HEAD automatically (#16004)
#### Why I did it
src/sonic-sairedis
```
* eb24302 - (HEAD -> master, origin/master, origin/HEAD) Build both the regular and RPC version when the RPC profile is enabled (#1273) (28 hours ago) [Saikrishna Arcot]
* 9e855c2 - [FEC] Adding support for vs testing for SAI_PORT_ATTR_AUTO_NEG_FEC_MODE_OVERRIDE (#1271) (2 days ago) [Sudharsan Dhamal Gopalarathnam]
* 4dbdb21 - Fix RPC package build failure due to shell syntax issue (#1268) (10 days ago) [Saikrishna Arcot]
* 588d596 - Make sure new binaries replace existing binaries in docker-sonic-vs (#1269) (11 days ago) [Saikrishna Arcot]
* ce8f642 - [vs] Use boost join to concatenate switch types in config (#1266) (3 weeks ago) [Kamil Cudnik]
* d6055a2 - [vslib]: Temporaily map DPU switch type to NVDA_MBF2H536C (#1259) (4 weeks ago) [prabhataravind]
* e1cdb4d - [CodeQL]: Use dependencies with relevant versions in azp template. (#1262) (5 weeks ago) [Nazarii Hnydyn]
* c08f9a2 - [CI]: Fix collect log error in azp template. (#1260) (5 weeks ago) [Nazarii Hnydyn]
* eed856c - [CodeQL]: Fix syncd compilation in azp template. (#1261) (5 weeks ago) [Nazarii Hnydyn]
* a3f1f1a - Reland 'Make changes to building and packaging sairedis (#1116)' (#1194) (6 weeks ago) [Saikrishna Arcot]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-12 14:32:27 +08:00
Ze Gan
055fe90d3f
[build]: Remove useless proto package (#16093)
Why I did it
The protoc-dev isn't used by SONiC, but it was added to the derived package.

Work item tracking
Microsoft ADO (number only): 17417902

How I did it
Remove protoc-dev from protobuf.mk

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-08-11 11:52:24 -07:00
bingwang-ms
d50ae1fd09
[arista]: Always set sai_tunnel_support on Arista-7260cx3 (#16097)
Why I did it
To overwrite the default DSCP_TO_TC_MAP for tunnel traffic, the attribute sai_tunnel_support must be set to 1.
Before this change, the attribute is set only on dual-tor platform when remap is enabled.
This PR is to set the attribute on all Arista-7260cx3 devices.

Work item tracking
Microsoft ADO 24785776

How I did it
Update the config.bcm template for Arista-7260cx3 devices.

How to verify it
The change is verified by manually rendering the j2 on a T1 testbed.
2023-08-11 11:51:25 -07:00
FuzailBrcm
bb8ce50cbe
Adding support for extra GPIO chips in the common PDDF driver (#16082) 2023-08-11 09:31:18 -07:00
Liu Shilong
3500f69fdb
Revert "[Ufispace][PDDF] Add PDDF support on S9180-32X (#14909)" (#16092)
This reverts commit d2b5d774c5.
2023-08-11 09:13:53 -07:00
Saikrishna Arcot
519a1e4a91
Update sairedis submodule (#16072)
* Update sairedis submodule

This submodule update needs to be manually done due to build changes
done in the sairedis submodule. Specifically, Debian build profiles are
now being used instead of dpkg build targets, and dbgsym packages are
being used instead of dbg packages. Because of this, there needs to be
changes on the sonic-buildimage side for this.

This is a reland of #15720, which was reverted in #15995 due to the RPC
package build failing. That failure has since been fixed, and the
PR pipeline has been updated to build the RPC package so that this is
checked at the PR stage.

This submodule update brings in the following changes:

```
4dbdb21 Fix RPC package build failure due to shell syntax issue (#1268)
588d596 Make sure new binaries replace existing binaries in docker-sonic-vs (#1269)
ce8f642 [vs] Use boost join to concatenate switch types in config (#1266)
d6055a2 [vslib]: Temporaily map DPU switch type to NVDA_MBF2H536C (#1259)
e1cdb4d [CodeQL]: Use dependencies with relevant versions in azp template. (#1262)
c08f9a2 [CI]: Fix collect log error in azp template. (#1260)
eed856c [CodeQL]: Fix syncd compilation in azp template. (#1261)
a3f1f1a Reland 'Make changes to building and packaging sairedis (#1116)' (#1194)
```

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Update sairedis submodule with the fix for the RPC package build

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-08-11 09:00:46 -07:00
mssonicbld
0269e60a36
[submodule] Update submodule sonic-platform-common to the latest HEAD automatically (#16106)
#### Why I did it
src/sonic-platform-common
```
* ab70e66 - (HEAD -> master, origin/master, origin/HEAD) Add new SSD type support (#390) (21 hours ago) [Junchao-Mellanox]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-11 16:32:43 +08:00
Aaron Payment
eedaa2adbf
sonic-buildimage: Fix SAI_API_TUNNEL SAI_STATUS_NOT_SUPPORTED error (#13874)
Syncd will abort in handleSaiCreateStatus with
'Encountered failure in create operation, exiting orchagent,SAI API: SAI_API_TUNNEL, status: SAI_STATUS_NOT_SUPPORTED'

The fix is to add the following brcm config to prevent the error:
sai_tunnel_global_sip_mask_enable=1
bcm_tunnel_term_compatible_mode=1

Signed-off-by: Aaron Payment <aaronp@arista.com>
2023-08-11 13:36:18 +08:00
vmittal-msft
12d24d572a
Updated PG headroom settings for 40g port speed (#16038) 2023-08-10 17:35:43 -07:00
Arun LK
97113bae61
Dell: E3224F platform onboarding (#16002)
* Dell: E3224F platform onboarding

* Dell: E3224F platform onboarding
2023-08-10 17:27:30 -07:00
mssonicbld
a86eb95005
[submodule] Update submodule sonic-platform-common to the latest HEAD automatically (#16078)
#### Why I did it
src/sonic-platform-common
```
* 537095c - (HEAD -> master, origin/master, origin/HEAD) Added new RegBitsFields (#391) (32 hours ago) [Prince George]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-10 17:22:28 +08:00
mssonicbld
51761149cc
[submodule] Update submodule sonic-platform-daemons to the latest HEAD automatically (#16079)
#### Why I did it
src/sonic-platform-daemons
```
* f3c2631 - (HEAD -> master, origin/master, origin/HEAD) Revert pcied enhancements (#392) (28 hours ago) [Ashwin Srinivasan]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-10 17:22:23 +08:00
Sachin Holla
04ffd67fda
Ensure sonic yangs wheel is built before sonic-mgmt-common (#15226)
* Enhanced slave.mk to accept python wheels as dependency for a deb
  target. Dependent wheel names should be specified through the new
  {deb_name}_WHEEL_DEPENDS variable in the deb's make rules. The wheel
  will be built and installed in the slave docker before starting the
  deb build.

* Added sonic_yang_models-1.0-py3-none-any.whl as dependency for
  sonic-mgmt-common.deb. This is required for using the sonic yangs in
  UMF

Signed-off-by: Sachin Holla <sachin.holla@broadcom.com>
2023-08-09 11:40:00 -07:00
Ze Gan
96757a335c
Remove temporary files and import dash_api to python3 env (#16033)
1. Remove useless temporary protobuf deb packages
2. Import dash_api to python3 env

### Why I did it
1. There are some temporary Debian packages (protobuf packages) that need to be deleted
2. The dash-api was installed in the system folder that cannot be imported by the virtual python3 environment. But the testcases of DASH in sonic-mgmt are executed in virtual python3 environment.

##### Work item tracking
- Microsoft ADO **(number only)**: 17417902

#### How I did it
1. Add missed `&&` so that all protobuf Debian packages can be downloaded to the /tmp folder
2. Add ` --system-site-packages ` to env-python so that the system library can be accessed by virtual environment

#### How to verify it
Check the dash_api can be imported in env-python3
```
AzDevOps@46a900cf8477:~$ source env-python3/bin/activate
(env-python3) zegan@46a900cf8477:~$ ls
bin  env-python3
(env-python3) zegan@46a900cf8477:~$ python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import dash_api
>>>

```
2023-08-08 21:04:54 -07:00
FuzailBrcm
8524e563d3
PDDF: Supporting extra system fans in the common PDDF drivers (#15956) 2023-08-08 14:59:36 -07:00
SuvarnaMeenakshi
803c71c86a
[SNMP][IPv6]: Fix to use link local IPv6 address as snmp agentAddress (#16013)
#### Why I did it
fixes: https://github.com/sonic-net/sonic-buildimage/issues/16001
Caused by: https://github.com/sonic-net/sonic-buildimage/pull/15487

The above PR introduced a change to use Management and Loopback IPv4 and IPv6 addresses as snmpagent address in snmpd.conf file.
With this change, if a link-local IP address is configured as management or Loopback IPv6 address, then snmpd tries to open a socket on that IPv6 address and fails with the below error:
```
Error opening specified endpoint "udp6:[fe80::5054:ff:fe6f:16f0]:161"
Server Exiting with code 1
```
From RFC4007, if we need to specify non-global ipv6 address without ambiguity, we need to use zone id along with the ipv6 address: <address>%<zone_id>
Reference: https://datatracker.ietf.org/doc/html/rfc4007

##### Work item tracking
- Microsoft ADO **(number only)**:

#### How I did it
Modify snmpd.conf file to use the %zone_id representation for ipv6 address.
#### How to verify it
In VS testbed, modify config_db to use link local ipv6 address as management address:
    "MGMT_INTERFACE": {
        "eth0|10.250.0.101/24": {
            "forced_mgmt_routes": [
                "172.17.0.1/24"
            ],
            "gwaddr": "10.250.0.1"
        },
        "eth0|fe80::5054:ff:fe6f:16f0/64": {
            "gwaddr": "fe80::1"
        }
    },

Execute config_reload after the above change.
snmpd comes up and check if snmpd is listening on ipv4 and ipv6 addresses:
```
admin@vlab-01:~$ sudo netstat -tulnp | grep 161
tcp        0      0 127.0.0.1:3161          0.0.0.0:*               LISTEN      274060/snmpd        
udp        0      0 10.1.0.32:161           0.0.0.0:*                           274060/snmpd        
udp        0      0 10.250.0.101:161        0.0.0.0:*                           274060/snmpd        
udp6       0      0 fc00:1::32:161          :::*                                274060/snmpd        
udp6       0      0 fe80::5054:ff:fe6f::161 :::*                                274060/snmpd      -- Link local 
 
admin@vlab-01:~$ sudo ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.250.0.101  netmask 255.255.255.0  broadcast 10.250.0.255
        inet6 fe80::5054:ff:fe6f:16f0  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:6f:16:f0  txqueuelen 1000  (Ethernet)
        RX packets 36384  bytes 22878123 (21.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 261265  bytes 46585948 (44.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

admin@vlab-01:~$ docker exec -it snmp snmpget -v2c -c public fe80::5054:ff:fe6f:16f0 1.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "SONiC Software Version: SONiC.master.327516-04a6031b2 - HwSku: Force10-S6000 - Distribution: Debian 11.7 - Kernel: 5.10.0-18-2-amd64"
```
Logs from snmpd:
```
Turning on AgentX master support.
NET-SNMP version 5.9
Connection from UDP/IPv6: [fe80::5054:ff:fe6f:16f0%eth0]:44308
```
Ran test_snmp_loopback test to check if loopback ipv4 and ipv6 works:
```
./run_tests.sh -n vms-kvm-t0 -d vlab-01 -c snmp/test_snmp_loopback.py  -f vtestbed.yaml -i ../ansible/veos_vtb -e "--skip_sanity --disable_loganalyzer" -u
=== Running tests in groups ===
Running: pytest snmp/test_snmp_loopback.py --inventory ../ansible/veos_vtb --host-pattern vlab-01 --testbed vms-kvm-t0 --testbed_file vtestbed.yaml --log-cli-level warning --log-file-level debug --kube_master unset --showlocals --assert plain --show-capture no -rav --allow_recover --ignore=ptftests --ignore=acstests --ignore=saitests --ignore=scripts --ignore=k8s --ignore=sai_qualify --junit-xml=logs/tr.xml --log-file=logs/test.log --skip_sanity --disable_loganalyzer
..                                                                        

snmp/test_snmp_loopback.py::test_snmp_loopback[vlab-01] PASSED 
```

#### Which release branch to backport (provide reason below if selected)

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [x] 202012
- [x] 202106
- [x] 202111
- [x] 202205
- [x] 202211
- [x] 202305

2023-08-08 14:47:33 -07:00
mssonicbld
345b5e2000
[submodule] Update submodule sonic-swss to the latest HEAD automatically (#16073)
#### Why I did it
src/sonic-swss
```
* 23cb2e50 - (HEAD -> master, origin/master, origin/HEAD) [ASAN] Fix Indirect Mem Leaks in Orchagent (#2869) (10 hours ago) [Vivek]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2023-08-08 15:32:55 +08:00
Arvindsrinivasan Lakshmi Narasimhan
46817036fd
[chassis]: removed dependency for bgp and swss for chassis supervisor (#15734)
Fixes #15667 and #13293

Work item tracking
Microsoft ADO 24472854:

How I did it
On chassis supervisor bgp feature is disabled in hostcfgd. The dependency between swss and bgp causes the bgp containers to start even though the feature is disabled.

How to verify it
Tests on chassis supervisor and LC
2023-08-07 09:52:48 -07:00
shdasari
d9393b0149
[radius]: Use execl instead of popen in RADIUS NSS code to fix vulnerability. (#15512)
Why I did it
#15284 fixes a case of shell escape exploit for TACACS+. This applies to RADIUS as well. RADIUS creates an unconfirmed user locally on the switch while attempting authentication. popen() is used to execute useradd, usermod and userdel commands. This exposes a vulnerability where a tactically designed username (which could contain explicit Linux commands) can lead to getting executed as root.

An example of such a username could be "asd";echo>remoteRCE2;#". This leads to remoteRCE2 getting created in "/".

How I did it
All calls to popen() used to execute useradd, usermod and userdel are replaced with fork()/execl().

How to verify it
Prior to the fix, following is the behavior:

```
[s@i vm] ssh "asd";echo>remoteRCE2;#"@1.1.1.1
asd";echo>remoteRCE2;#@1.1.1.1's password:
Permission denied, please try again.
```

On the SONiC switch,

```
root@sonic:/# ls
accton_as7816_monitor.log home lib64 remoteRCE2 sys
bin host libx32 root tmp
boot initrd.img media run usr
cache.tgz initrd.img.old mnt sbin var
dev lib opt sonic vmlinuz
etc lib32 proc srv vmlinuz.old
root@sonic:/# ls -l
```

With the fix:

```
[s@i vm] ssh "asd";echo>remoteRCE2;#"@1.1.1.1
asd";echo>remoteRCE2;#@1.1.1.1's password:
Permission denied, please try again.
```

```
root@sonic:/# ls
accton_as7816_monitor.log etc lib mnt sbin usr
bin home lib32 opt sonic var
boot host lib64 proc srv vmlinuz
cache.tgz initrd.img libx32 root sys vmlinuz.old
dev initrd.img.old media run tmp
```

Verified that RADIUS authentication works as expected for valid users as well.
2023-08-07 09:48:18 -07:00
Sudharsan Dhamal Gopalarathnam
7bdd0d8011
[frr]: FRR 8.5.1 integration changes (#15965)
Why I did it
Upgrading FRR 8.5.1 to include latest fixes.

New patches that were added:

| Patch | FRR Pull request | Issue fixed |
|---|---|---|
| 0012-zebra-Rename-vrf_lookup_by_tableid-to-zebra_vrf_look.patch | FRRouting/frr#13396 | #14866 |
| 0013-zebra-Move-protodown_r_bit-to-a-better-spot.patch | FRRouting/frr#13396 | #14866 |
| 0014-zebra-Remove-unused-dplane_intf_delete.patch | FRRouting/frr#13396 | #14866 |
| 0015-zebra-Remove-unused-add-variable.patch | FRRouting/frr#13396 | #14866 |
| 0016-zebra-Remove-duplicate-function-for-netlink-interfac.patch | FRRouting/frr#13396 | #14866 |
| 0017-zebra-Add-code-to-get-set-interface-to-pass-up-from-.patch | FRRouting/frr#13396 | #14866 |
| 0018-zebra-Use-zebra-dplane-for-RTM-link-and-addr.patch | FRRouting/frr#13396 | #14866 |
| 0019-zebra-Abstract-dplane_ctx_route_init-to-init-route-w.patch | FRRouting/frr#13757 | FRRouting/frr#13754 |
| 00020-zebra-Fix-crash-when-dplane_fpm_nl-fails-to-process-.patch | FRRouting/frr#13757 | FRRouting/frr#13754 |
Removed patches:

| Patch | Upstream FRR commit that is present in 8.5.1 |
|---|---|
| 0001-Add-support-of-bgp-tcp-DSCP-value.patch | FRRouting/frr@425bd64 |
| 0010-zebra-Note-when-the-netlink-DUMP-command-is-interrup.patch | FRRouting/frr@2f71996 |
| 0011-bgpd-enhanced-capability-is-always-turned-on-for-int.patch | FRRouting/frr@8e89adc |
| 0012-Ensure-ospf_apiclient_lsa_originate-cannot-accidently-write-into-stack.patch | FRRouting/frr@d2aeac3, FRRouting/frr@49efc80, FRRouting/frr@ff6db10 |
| 0013-zebra-fix-dplane-fpm-nl-to-allow-for-fast-configuration.patch | FRRouting/frr@551fa8c |
| 0014-bgpd-Allow-network-XXX-to-work-with-bgp-suppress-fib.patch | FRRouting/frr@4801fc4 |
| 0015-zebra-Return-statements-do-not-use-paranthesis.patch | FRRouting/frr@871a16c |
| 0016-zebra-Add-zrouter.asic_notification_nexthop_control.patch | FRRouting/frr@06525c4 |
| 0017-zebra-Re-arrange-fpm_read-to-reduce-code-duplication.patch | FRRouting/frr@7d83e13 |
| 0018-zebra-Add-dplane_ctx_get-set_flags.patch | FRRouting/frr@10388e9 |
| 0019-zebra-Rearrange-dplane_ctx_route_init.patch | FRRouting/frr@f935122 |
| 0020-zebra-Add-ctx-to-netlink-message-parsing.patch | FRRouting/frr@45f0a10 |
| 0021-zebra-Read-from-the-dplane_fpm_nl-a-route-update.patch | FRRouting/frr@a0e1173 |
| 0022-zebra-Fix-code-because-missing-backport.patch | FRRouting/frr@07fd1f7 |
| 0024-zebra-continue-fpm-read-when-we-decide-a-netlink-message-is-not-needed.patch | FRRouting/frr@c0275ab |
| 0025-zebra-Send-nht-resolved-entry-up-to-concerned-protoc.patch | FRRouting/frr@8ce0e51 |
| 0027-bgpd-Ensure-FRR-has-enough-data-to-read-in-peek_for_as4_capability-and-bgp_open_option_parse.patch | FRRouting/frr@3e46b43 |
| 0028-bgpd-Ensure-that-bgp-open-message-stream-has-enough-data-to-read.patch | FRRouting/frr@766eec1 |

Realigned patches:

| Old Patch | New patch |
|---|---|
| 0002-Reduce-severity-of-Vty-connected-from-message.patch | 0001-Reduce-severity-of-Vty-connected-from-message.patch |
| 0004-Allow-BGP-attr-NEXT_HOP-to-be-0.0.0.0-due-to-allevia.patch | 0002-Allow-BGP-attr-NEXT_HOP-to-be-0.0.0.0-due-to-allevia.patch |
| 0005-nexthops-compare-vrf-only-if-ip-type.patch | 0003-nexthops-compare-vrf-only-if-ip-type.patch |
| 0006-frr-remove-frr-log-outchannel-to-var-log-frr.log.patch | 0004-frr-remove-frr-log-outchannel-to-var-log-frr.log.patch |
| 0007-Add-support-of-bgp-l3vni-evpn.patch | 0005-Add-support-of-bgp-l3vni-evpn.patch |
| 0008-Link-local-scope-was-not-set-while-binding-socket-for-bgp-ipv6-link-local-neighbors.patch | 0006-Link-local-scope-was-not-set-while-binding-socket-for-bgp-ipv6-link-local-neighbors.patch |
| 0009-ignore-route-from-default-table.patch | 0007-ignore-route-from-default-table.patch |
| 0023-Use-vrf_id-for-vrf-not-tabled_id.patch | 0008-Use-vrf_id-for-vrf-not-tabled_id.patch |
| 0026-bgpd-Ensure-suppress-fib-pending-works-with-network-.patch | 0009-bgpd-Ensure-suppress-fib-pending-works-with-network-.patch |
| 0029-bgpd-Change-log-level-for-graceful-restart-events.patch | 0010-bgpd-Change-log-level-for-graceful-restart-events.patch |
| 0030-zebra-Static-routes-async-notification-do-not-need-t.patch | 0011-zebra-Static-routes-async-notification-do-not-need-t.patch |

How I did it
Upgrade FRR submodule. Align the patches. Integrate new patches to fix issues.

How to verify it
Run sonic-mgmt regression to verify
2023-08-07 09:45:13 -07:00
abdosi
c6d1dae741
Fix the Loopback0 IPv6 address of LC's in chassis not reachable from (#16026)
What I did:
Fix the Loopback0 IPv6 address of LC's in chassis not reachable from peer devices.

Why I did:
For IPv6 Loopback0 address we only advertise /64 subnet to the peer devices. However, in case of chassis each LC will have its own /128 address of that /64 subnet. Since this /128 address does not get advertised, peer devices cannot ping/reach the LC's loopback0.

How I fix:
Advertise /128 Loopback0 Ipv6 address only between i-BGP peers. This way even though /64 is advertised to e-BGP peer devices when packet reaches any of LC's it can reach the appropriate LC's.

How I verify:
Manual verification
UT added for same.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2023-08-06 22:36:33 -07:00