- What I did
Configure sshd to close all SSH connections after 15 minutes of inactivity.
- How I did it
Set ClientAliveInterval to 900 (900 seconds = 15 minutes) and ClientAliveCountMax to 0
in /etc/ssh/sshd_config using augtool in build_debian.sh. In the process, I refactored the existing augtool command for sshd_config so as to add comments and empty lines to the file for readability.
- How to verify it
Log into device via management port. Wait 15 minutes without sending a keystroke -- you should be automatically logged out.
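An added check (not part of the original change or of the SONiC build scripts) that reads an sshd_config and confirms the global ClientAliveInterval and ClientAliveCountMax values match the 900/0 pair set above. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd idle-timeout settings described above.

# effective_value FILE KEYWORD
# Prints the value sshd would use from the global section: keywords are
# case-insensitive, the first occurrence wins, and anything after the
# first Match line is conditional, so it is ignored here.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { line = $0; sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t=]+/) }
        n == 0 || line ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# check_idle_timeout FILE
# Expects the values from the change above (900 and 0). Unset keywords
# fall back to the sshd defaults: ClientAliveInterval 0, ClientAliveCountMax 3.
check_idle_timeout() {
    interval=$(effective_value "$1" ClientAliveInterval)
    count=$(effective_value "$1" ClientAliveCountMax)
    interval=${interval:-0}
    count=${count:-3}
    if [ "$interval" = "900" ] && [ "$count" = "0" ]; then
        echo "ok"
    else
        echo "mismatch: ClientAliveInterval=$interval ClientAliveCountMax=$count"
        return 1
    fi
}

# Constructed sample config, not taken from a real device.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Port 22

ClientAliveInterval 900
clientalivecountmax=0
ClientAliveInterval 30
Match User backup
    ClientAliveInterval 5
EOF
check_idle_timeout "$sample"
rm -f "$sample"
```

On OpenSSH 8.2 and later, ClientAliveCountMax 0 disables connection termination instead of dropping the session, so confirm the sshd version before relying on this pair of values.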
2) Install debug tools in every debug docker image
3) Install available debug symbols in debug docker image
4) Provide additional host/docker mapping for host dirs /src & /debug
4.1) The one-image will have source code under /src
4.2) /debug is mapped as rw. User can put his core file there and use this dir to
collect debug session logs too.
5) Build debug image using debug dockers
6) Source code is archived into /src of debug image
7) The welcome banner is extended to display these additional facilities in debug image.
Upgrade the version of rsyslog installed in Docker containers to the latest version available from jessie-backports repo (currently 8.23.0-2~bpo). Based off my change to the 201803 branch (#2709). This should eliminate some memory leaks and will prevent any regressions if moving from the 201803 branch to the 201811 branch.
* [submodule] update sonic-linux-kernel (#2985)
* Fix many version strings
* Update minor version
* Update arista-drivers submodule (#9)
* Rebuild SDK on new kernel (#10)
* Set the default mac ageing time to 300 seconds
The current mac ageing was disabled, this could lead the mac address
table to increase over time and lead to resource and performance issues.
Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
* Update the default HW ageing timer to be 600 seconds.
This is to be on the safer side where ARP update interval
is 300 seconds and SONiC does not flood when ARP is aged out.
Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
- Broadcom SAI GA version 20190513
- Broadcom fix for CS7999193, CS7913246, CS4529162, CS8180755, CS8242625
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
- What I did
Currently, when the system is under memory pressure, the OOM killer kicks in and kills a rogue process. Killing a rogue process can cause the device to be unhealthy, leading to blackholing of the traffic.
To avoid this, configure the OOM to do a kernel panic which will cause the device to reboot and come back up healthy.
- How I did it
Added the sysctl variable panic_on_oom and set the value to 2.
Setting it to 2 will ensure that the OOM killer always does a kernel panic.
Submodule src/sonic-utilities 6b4d1a0..46b5aa8:
> [show ip interface] Add support for 'alias' interface naming mode (#486)
Submodule src/sonic-swss 9c4ae18..a637562:
> Suppress storm detect counter increment for ongoing pfc storm case during a warm reboot (#869)
> Remove *_LEFT fields to allow PFC watchdog to enter fresh into the (#897)
> Set LAG mtu value based on kernel netlink msg (#922)
> [warm restart assist] assume vector values could be reordered (#921)
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
Submodule src/sonic-utilities 7a2348c..4488525:
> use vlan members (#542)
> [sonic_installer] If asked to install an image which is already installed, simply set as default (#534)
Submodule src/sonic-swss 8246bd9..9c4ae18:
> Ignore neighbor entry with BCAST MAC, check SAI status exists (#914)
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
* [logrotate] Decrease frequency to every 10 minutes; kill any lingering logrotate processes
* [logrotate] Delete all *.1.gz files as firstaction; Remove note about init-system-helpers < 1.47 workaround
However, continue to send SIGHUP directly to rsyslogd process
because 'service rsyslog rotate' still doesn't work properly with
init-system-helpers version 1.48
* [mlnx] fix mlnx-sfpd shutdown
Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
* fix type and handle only EINTR and EAGAIN errors from select
Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
* handle select.error as well during init/run
Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
* Switch the nss look up order as "compat" followed by "tacplus".
This helps use the legacy passwd file for user info and go to tacacs only if not found.
This means, we never contact tacacs for local users like "admin".
This isolates local users from any issues with tacacs servers.
W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.
* Skip tacacs server access for local non-tacacs users.
Revert the order of 'compat tacplus' to original 'tacplus compat' as tacplus
access is required for all tacacs users, who also get created locally.
* Change URL for isc-dhcp source repository
* Modify supervisor conf to generate dhcrelay commands with '-id' and '-iu' options
* Comments; Also clean up jinja2 syntax
* Patch relay to open one socket per interface and send to all servers on all upstream interfaces
* Patch relay agent to properly forward BOOTREQUEST only on appropriate interface if it is a directed broadcast
* Port upstream patches to isc-dhcp-relay to support upstream/downstream interfaces
* Update patch to properly support interfaces with multiple IP addresses assigned
* Pass --enable-use-sockets to configure instead of uncommenting USE_SOCKETS directly
Submodule src/sonic-utilities 6130695..a1f961c:
> update scheme variable name (#531)
> [teamshow]: Add * to indicate if the state has been synced into database (#395)
Signed-off-by: Ying Xie <ying.xie@microsoft.com>