Commit Graph

82 Commits

Author SHA1 Message Date
xumia
e5e8d46fe1
[Security] Fix some of vulnerability issue relative python packages (#14269) (#14353)
Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]

How I did it
2023-03-20 16:52:40 -07:00
jhli-cisco
1a83888040 [sonci-slave]: update sonic-slave docker files to include cisco sdk dependencies (#14203)
cisco SDK dependencies needed
2023-03-16 06:32:15 +08:00
xumia
8395de69d3
[Build] Support j2 template for debian sources (#12557) (#13185)
Why I did it
Unify the Debian mirror sources
Make easy to upgrade to the next Debian release, not source url code change required. Support to customize the Debian mirror sources during the build
Relative issue: #12523

How I did it
How to verify it
2022-12-30 09:47:33 +08:00
Saikrishna Arcot
f1243bad1b
Pin version of bazelisk to v1.13.0 (#12027)
* Pin version of bazelisk to v1.13.0

This tries to avoid builds failures due to the latest version of
bazelisk changing and causing hash mismatches.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-09-08 21:15:35 -07:00
xumia
a96a07ec5d [Build] Add the missing debian security mirrors in slave images (#11305)
Why I did it
The build below was broken, it was caused by one of the required debian mirror missing.
https://dev.azure.com/mssonic/build/_build/results?buildId=116719&view=logs&j=88ce9a53-729c-5fa9-7b6e-3d98f2488e3f&t=88f376cf-c35d-5783-0a48-9ad83a873284

 libpci-dev : Depends: libudev-dev (>= 196) but it is not going to be installed
 libsystemd-dev : Depends: libsystemd0 (= 232-25+deb9u14) but 232-25+deb9u13 is to be installed
How I did it
Add the missing mirrors for buster and stretch.
2022-07-05 16:12:12 +00:00
Hasan Naqvi
a477dbb175
Frr 8.2 upgrade (#10691)
Why I did it
Upgrade FRR to version 8.2.2. Build libyang2 required by FRR.

How I did it
Update FRR version and tag.

How to verify it
Following tests were performed on sonic-vs:

BGP docker status check
BGP configuration and session establishment
Route redistribution and ping
Issued show commands to check the bgp neighbor and routes
Checked app-db to ensure bgp routes are installed with correct interface and nexthop.
Create VRF and check FRR knows the VRF
Check VRF routes are installed in app-db with correct Vrf name and next-hop
Establish BGP Evpn session and check if Evpn routes (multicast, mac, prefix) are exchanged and installed correctly in app-db.
2022-05-24 14:47:09 -07:00
Sachin Naik
598ab99469
secureboot: Enable signing SONiC kernel (#10557)
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
2022-04-19 13:23:15 +08:00
Longxiang Lyu
812f17d6f1
Add libgmock package for linkmgrd (#10294)
Why I did it
Add libgmock-dev to the package list required by linkmgrd unittests.
Required by PR: Azure/sonic-linkmgrd#45

How I did it
Add the package to the package list.

How to verify it
Build docker-mux with KEEP_SLAVE_ON=yes and verify libgmock-dev is present.

Signed-off-by: Longxiang Lyu <lolv@microsoft.com>
2022-04-14 08:59:54 +08:00
Shilong Liu
3fa627f290
Add a config variable to override default container registry instead of dockerhub. (#10166)
* Add variable to reset default docker registry
* fix bug in docker version control
2022-03-14 18:09:20 +08:00
Kebo Liu
fe0a7693f4
[smartmontools] Install smartmontools with apt-get and upgrade it to 7.2-1 (#10087)
Why I did it
Smartmontools 6.6 has an issue with reading SMART info of nvme SSD
Smartmontools can be installed with apt-get, no need to build and install

How I did it
Use apt-get to install smartmontools 7.2-1
Remove previous make files for smartmontools 6.6

How to verify it
verify with "smartctl" can read out correct SMART info on NVME ssd.
verify "show platform ssdhealth" can still work

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2022-03-07 09:39:33 -08:00
Qi Luo
c9cf4d9ff0
sonic-slave-buster pins the versions of Jinja2 and MarkupSafe in py3 (#10043)
#### Why I did it
Upstream breaking change, ref discussion https://github.com/pallets/markupsafe/issues/282
2022-02-24 17:00:13 -08:00
Richard.Yu
49382d773e
[SAIServerV2] Build SAI Serverv2 docker (#9509)
Support saiserver v2 with python3 and thrift 0.13.0

add variables to support the saiserverv2
build different thrift in saithrift depends on saiserver version
build differernt versions of saiserver
make the saiserver and saiserver docker with version number

test done:
build two different versions of sasiserver in local build environment

add saiserver to buster

Co-authored-by: richard.yu <richard.yu@microsoft.comwq>
2022-02-08 02:56:34 -08:00
Qi Luo
5f524e2ec6
Revert "[sonic-slave]: Fix redis version during pip3 install (#9317)" (#9704)
Reverts Azure/sonic-buildimage#9317
Since upstream fixed the issue https://github.com/redis/redis-py/pull/1726
We can continue use latest version on master branch.

Fixes https://github.com/Azure/sonic-buildimage/issues/9318
2022-01-09 18:24:07 -08:00
Qi Luo
c5bcbd55ff
[sonic-slave]: Upgrade python lxml library version to 4.6.5 (#9529)
Bumps lxml from 4.6.5.
2021-12-15 17:55:55 -08:00
Brian O'Connor
46bcda359c
[PINS] Build P4RT container for PINS (#9083)
- Add INCLUDE_PINS to config to enable/disable container
- Add Docker files and supporting resources
- Add sonic-pins submodule and associated make files

Submission containing materials of a third party:
    Copyright Google LLC; Licensed under Apache 2.0

#### Why I did it

Adds P4RT container to SONiC for PINS

The P4RT app is covered by this HLD:
https://github.com/pins/SONiC/blob/master/doc/pins/p4rt_app_hld.md

#### How I did it

Followed the pattern and templates used for other SONiC applications

#### How to verify it

Build SONiC with INCLUDE_P4RT set to "y".
Verify that the resulting build has a container called "p4rt" running.
You can verify that the service is up by running the following command on the SONiC switch:
```bash
sudo netstat -lpnt | grep p4rt
```
You should see the service listening on TCP port 9559.

#### Which release branch to backport (provide reason below if selected)

None

#### Description for the changelog

Build P4RT container for PINS
2021-12-07 11:11:25 -08:00
liuh-80
739c45645c
[TACACS+] Add audisp-tacplus for per-command accounting. (#8750)
This pull request integrate audisp-tacplus to SONiC for per-command accounting.

#### Why I did it
To support TACACS per-command accounting, we integrate audisp-tacplus project to sonic.

#### How I did it
1. Add auditd service to SONiC
2. Port and patch audisp-tacplus to SONiC

#### How to verify it
UT with CUnit to cover all new code in usersecret-filter.c
Also pass all current UT.

#### Which release branch to backport (provide reason below if selected)
N/A

#### Description for the changelog
Add audisp-tacplus for per-command accounting.

#### A picture of a cute animal (not mandatory but encouraged)
2021-12-01 11:50:09 +08:00
Ze Gan
ada0e50218
[iproute2]: Add macsec-xpn-support iproute2 in syncd (#8702)
* Add macsec-xpn-support iproute2 in syncd

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Polish code

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Remove useless files

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Add self-compiled iproute2 to docker sonic vs

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Enhance apt install for iproute2 dependencies

Signed-off-by: Ze Gan <ganze718@gmail.com>
2021-11-25 21:38:17 +08:00
Qi Luo
da1503d7be
[sonic-slave]: Fix redis version during pip3 install (#9317)
The recent release of redis 4.0.0 or newer (for python3) breaks sonic-config-engine unit test. Fix to last known good version.
ref: https://pypi.org/project/redis/#history
2021-11-18 17:07:58 -08:00
Alexander Allen
857937d592 Mellanox bullseye merge (#1)
* Make neccesary changed to mellanox platform code to build on Debian 11

* Revert use of backported kernel to build mft and elect to only build kernel module under bullseye
2021-11-10 15:27:22 -08:00
Alexander Allen
2847265bfd Mellanox bullseye merge (#1)
Allow mellanox platform to build and successfully switch packets in
Debian 11

Upgraded

* Mellanox SDK
* Mellanox Hardware Management
* Mellanox Firmware
* Mellanox Kernel Patches

Adjusted build system to support host system running bullseye and
dockers running buster.
2021-11-10 15:27:22 -08:00
donNewtonAlpha
51c9c98648
[sonic-slave]: Add gmock for sonic-swss-common tests (#8950)
Sonic-swss-common requires gmock for staged unit tests

Signed-off-by: Don Newton <don@opennetworking.org>
2021-10-28 12:14:21 -07:00
liuh-80
7d40384c58
[TACACS+] Add plugin support to bash. (#8660)
This pull request add plugin support library to bash.
    And we will create a TACACS+ plugin for bash in an other PR, which will bring per command authorization feature to bash.

Why I did it
    To support TACACS per command authorization, we check user command before execute it.

How I did it
    Add plugin support to bash.

How to verify it
    UT with CUnit under bash project cover all new code in plugin.c.
    Also pass all current UT.

Which release branch to backport (provide reason below if selected)
    N/A

Description for the changelog
    Add plugin support to bash.
2021-10-11 15:20:51 +08:00
kellyyeh
62a1f5eb19
Add CLI Support for IPv6 Helpers and DHCPv6 Relay Counters (#8593) 2021-09-23 22:01:26 -07:00
lguohan
4e0b2751a8
[openssh]: move build dep installation to sonic-slave-buster (#8381)
install build dep causes dpkg lock issue in parallel build

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-08-09 13:48:18 -07:00
Ze Gan
28e394d69d
Remove vanilla libnl3 and libhiredis from slave buster (#8070)
Signed-off-by: Ze Gan <ganze718@gmail.com>
2021-07-08 13:44:08 +08:00
Stepan Blyshchak
c17d67096d
[Makefile.work] Add DOCKER_EXTRA_OPTS (#7775)
#### Why I did it

Usecase:

export DOCKER_EXTRA_OPTS="--registry-mirror=https://some.host" - to avoid DockerHub pull rate limiting.

#### How I did it

Added DOCKER_EXTRA_OPTS

#### How to verify it

export DOCKER_EXTRA_OPTS="--registry-mirror=https://some.host"
make target/sonic-mellanox.bin
2021-06-08 08:24:35 -07:00
Kwan
1347f29178
[docker-mgmt-framework]: update mgmt framework docker to support sonic-cli cmd (#6148)
- Why I did it

migrate to python3 support
add dependent packages for Klish
allow login as non-root user
- How I did it
update sonic-cli script to start Klish with user name, system name and timeout
update the Dockerfile.j2 to resolve dependent packages
add python3-dev for Klish use

- How to verify it
Incremental buster build with Azure/sonic-mgmt-framework#76 and verify the sonic-cli

- Description for the changelog
Migrate to python3.7 support, update sonic-cli script and resolve package dependencies
2021-06-02 19:38:21 -07:00
Kamil Cudnik
43995ab270
[sonic-slave]: Disable aspell on armhf (#7550)
Read more here: https://bugs.launchpad.net/qemu/+bug/1805913
2021-05-06 22:10:41 -07:00
Praveen Chaudhary
803e6d8b57
[sonic-slave-buster]: upgrade pyang version to 2.4.0 and install only using pip3. (#7441)
[sonic-slave-stretch]: upgrade pyang version to 2.4.0.

Signed-off-by: Praveen Chaudhary <pchaudhary@linkedin.com>
2021-04-26 21:53:23 -07:00
Stepan Blyshchak
cd2c86eab6
[dockers] label SONiC Docker with manifest (#5939)
Signed-off-by: Stepan Blyschak stepanb@nvidia.com

This PR is part of SONiC Application Extension

Depends on #5938

- Why I did it
To provide an infrastructure change in order to support SONiC Application Extension feature.

- How I did it
Label every installable SONiC Docker with a minimal required manifest and auto-generate packages.json file based on
installed SONiC images.

- How to verify it
Build an image, execute the following command:

admin@sonic:~$ docker inspect docker-snmp:1.0.0 | jq '.[0].Config.Labels["com.azure.sonic.manifest"]' -r | jq
Cat /var/lib/sonic-package-manager/packages.json file to verify all dockers are listed there.
2021-04-26 13:51:50 -07:00
guxianghong
6fe6d7394d
[arm] support compile sonic arm image on arm server (#7285)
- Support compile sonic arm image on arm server. If arm image compiling is executed on arm server instead of using qemu mode on x86 server, compile time can be saved significantly.
- Add kernel argument systemd.unified_cgroup_hierarchy=0 for upgrade systemd to version 247, according to #7228
- rename multiarch docker to sonic-slave-${distro}-march-${arch}

Co-authored-by: Xianghong Gu <xgu@centecnetworks.com>
Co-authored-by: Shi Lei <shil@centecnetworks.com>
2021-04-18 08:17:57 -07:00
lguohan
fd5841075d
[sonic-slave]: install nose package explicity (#7258)
nose package is required by mockredispy

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-04-09 16:58:00 -07:00
Arun Saravanan Balachandran
3015de1dd0
[sonic-host-service] Move to sonic-host-services package (#6273)
- Why I did it

To move ‘sonic-host-service’ which is currently built as a separate package to ‘sonic-host-services' package. 

- How I did it

- Moved 'sonic-host-server' to 'src/sonic-host-services' and included it as part of the python3 wheel.
- Other files were moved to 'src/sonic-host-services-data' and included as part of the deb package.
- Changed build option ‘INCLUDE_HOST_SERVICE’ to ‘ENABLE_HOST_SERVICE_ON_START’ for enabling sonic-hostservice at boot-up by default.
2021-02-08 19:35:08 -08:00
Qi Luo
1c8d5ec500
Bump pyyaml from 5.3.1 to 5.4.1 (#6511)
RCE resolved in new version https://github.com/yaml/pyyaml/issues/420
2021-01-28 10:46:56 -08:00
Tamer Ahmed
8ce1e3ed92
[build-docker-buster]: Install libboost 1.171 In Build Docker (#6532)
Installing newst buster version of libboost (v1.71) in build docker.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2021-01-23 00:29:35 -08:00
dflynn-Nokia
2830a2bca6
[build arm] fix sonic-slave-buster build break (#6469)
When building the sonic-slave-buster docker container, the node.js package is
installed to meet the requirements of the Azure DevOPs pipleline
build. Recently this install of node.js has been failing.

This commit fixes that build break by upgrading the
sonic-slave-buster build to install version 14.x of node.js which is the
current LTS version for buster.
2021-01-16 22:04:19 -08:00
Joe LeVeque
c141bb90e9
Remove things needed for building Python 3 from source (#6441)
**- Why I did it**

Prior to SONiC using Debian Buster, we needed to build Python 3.5 or newer from source for installation in the SNMP container, becuase it wasn't available from the Debian repository for Jessie or Stretch. Now that all containers are based on Buster, we simply install Python 3.7 from the Debian repository in the host as well as all containers. We are no longer building Python 3 from source, so the Makefile is unused and we no longer need to install build dependencies in the slave containers.

**- How I did it**

- Remove Python 3 makefile
- No longer install Python 3 build dependencies in the slave containers.
2021-01-14 10:25:40 -08:00
Samuel Angebault
68e9b83f3e
Update swi-tools in buster Dockerfile (#6414)
Fixed swi-tools code to work with `python3`
Updated the version of swi-tools downloaded by the `sonic-slave-buster/Dockerfile.j2`
Other Dockerfiles still use the `python2` version, though swi-tools is not used within the stretch builder.
2021-01-13 08:32:22 -08:00
Qi Luo
8b82408ba4
[sonic-slave]: Upgrade python lxml library version to 4.6.2 (#6404) 2021-01-12 06:03:59 -08:00
Ze Gan
c22575218a
[docker-macsec]: MACsec container and wpa_supplicant component (#5700)
The HLD about MACsec feature is at :

https://github.com/Azure/SONiC/blob/master/doc/macsec/MACsec_hld.md

- How to verify it
This PR doesn't set MACsec container automatically start, You should manually start the container by docker run docker-macsec
wpa_supplicant binary can be found at MACsec container.
This PR depends on the PR, WPA_SUPPLICANT, and The MACsec container will be set as automatically start by later PR.

Signed-off-by: zegan <zegan@microsoft.com>
2021-01-10 10:39:59 -08:00
Guohan Lu
0b0da87766 [build]: install node.js for non-amd64 sonic-slave docker
instruct azure pipeline to use node.js in the docker.

https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#bring-your-own-nodejs

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-12-28 22:27:28 -08:00
Joe LeVeque
d40c9a1e8d
[docker-base-buster][docker-config-engine-buster] No longer install Python 2 (#6162)
**- Why I did it**

As part of migrating SONiC codebase from Python 2 to Python 3

**- How I did it**

- No longer install Python 2 in docker-base-buster or docker-config-engine-buster.
- Install Python 2 and pip2 in the following containers until we can completely eliminate it there:
    - docker-platform-monitor
    - docker-sonic-mgmt-framework
    - docker-sonic-vs
- Pin pip2 version <21 where it is still temporarily needed, as pip version 21 will drop support for Python 2
- Also preform some other cleanup, ensuring that pip3, setuptools and wheel packages are installed in docker-base-buster, and then removing any attempts to re-install them in derived containers
2020-12-25 21:29:25 -08:00
faraazbrcm
9d35fa19dc
[mgmt-framework]: support python3 in mgmt-framework (#6038)
Fix specific version for mmh3 for python2 and python3 and Add pyang for python3
2020-12-22 12:06:28 -08:00
xumia
0a36de3a89
Recover "Support SONiC Reproduceable Build-debian/pip/web packages (#6255)
* Revert "Revert "Support SONiC Reproduceable Build-debian/pip/web packages (#5718)""

This reverts commit 17497a65e3.

* Revert "Revert "Remove unnecessary sudo authority in build Makefile (#6237)""

This reverts commit 163b7111b5.
2020-12-21 15:31:10 +08:00
Sabareesh-Kumar-Anandan
2f8a5815f7
[slave-buster] Armhf sairedis build fix (#6248)
Aspell check in sairedis SAI submodule in armhf(32-bit) fails with lang
dictionary not found error.
(https://github.com/opencomputeproject/SAI/blob/master/meta/style.pm#L58)
This issue is described at https://bugs.launchpad.net/qemu/+bug/1805913
and similar to https://github.com/Azure/sonic-buildimage/pull/6239
Re-installing aspell language dictionary in slave docker resolves this issue.

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
2020-12-19 11:50:10 -08:00
Guohan Lu
17497a65e3 Revert "Support SONiC Reproduceable Build-debian/pip/web packages (#5718)"
This reverts commit 55a707586b.
2020-12-18 23:37:27 -08:00
arheneus@marvell.com
d88a25c59d
[slave-buster] Armhf sairedis build fix (#6239)
Doxygen https://github.com/opencomputeproject/SAI/blob/master/Makefile#L23
 SAI submodule in libsairedis builds meta using doxygen
 Debian buster doxygen for ARMHF (32bit) fails to recursively
 read subdirectories to parse the header files.
 This issue is described at https://bugs.launchpad.net/qemu/+bug/1805913
 The solution to this is to add FILE_OFFSET_BITS to 64 as desribed at
 https://bugzilla.kernel.org/show_bug.cgi?id=205957

 This issue is not seen in stretch which has glibc 2.24 and is seen only
 on buster which has glibc version 2.28. The above bugs needs to be
 tracked to get rid of this PR change, once debian moves forward to next
 version.

 This PR addresses the readdir() issue for 32bit arch, by adding
 cflag _FILE_OFFSET_BITS=64 through cmake definition to the doxygen
 source downloaded from the debian buster.

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-12-17 22:09:40 -08:00
xumia
55a707586b
Support SONiC Reproduceable Build-debian/pip/web packages (#5718)
* Support SONiC reproduceable build for deb/py2/py3/web

* Remove j2 files

* Fix bug

* Fix some issues

1. Change some code format issues
2. Fix curl calling wget command, pip2 calling pip3 issue
3. Fix wget/curl downloading multiple urls issue

* Fix some code format issue

* Fix bug

* Fix bug

* Fix command path hard code in build info scripts issue

* Add debian package sonic-build-tools

* Fix auto debian package removed issue

* Change build debian package name, and change the folder

* Collect the pre-versions and post-versions

* Change to use debian:buster

* Remove apt-mark and improve code

* Remove set_build_hooks

* Change docker trusted gpg files

* Fix docker build COPY directory name issue

* Move the trusted gpg files into the sonic-build-hooks package
2020-12-17 13:06:53 +08:00
Sabareesh-Kumar-Anandan
9f4ca01388
[sonic-config-engine] Adding dependent pkgs needed for arm compilation (#6186)
libxslt-dev and libz-dev are dependencies for lxml==4.6.1 which is required for pyangbind==0.8.1

lxml-4.6.2-cp37-cp37m-manylinux1_x86_64.whl is directly downloaded in amd64 whereas in arm this is built from lxml-4.6.2.tar.gz

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
2020-12-15 08:44:46 -08:00
Joe LeVeque
641b610115
[build]: Install 'wheel' package in sonic-slave-buster (#6182)
Install the 'wheel' package in sonic-slave-buster container to eliminate error messages like the following:

```
  Running setup.py bdist_wheel for watchdog: started
  Running setup.py bdist_wheel for watchdog: finished with status 'error'
  Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-Qd3K08/watchdog/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/pip-wheel-0AHpMe --python-tag cp27:
  usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
     or: -c --help [cmd1 cmd2 ...]
     or: -c --help-commands
     or: -c cmd --help
  
  error: invalid command 'bdist_wheel'
  
  ----------------------------------------
  Failed building wheel for watchdog

```

These error messages appear to have no impact on the image build, because the Python package seems to still get installed successfully afterward, just the building of a wheel package fails. Therefore, this is more of a cosmetic fix than an actual bug.
2020-12-10 23:18:58 -08:00