Commit Graph

7340 Commits

Author SHA1 Message Date
xumia
a6c64c9d35
[Security][202211] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips #13737 (#13763)
* [Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips (#13737)

Why I did it
[Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips

f6df7303d8 Update expired certs.
84540b59c1 CVE-2022-2068
f763d8a93e Prepare 1.1.1n-0+deb11u2
576562cebe CVE-2022-1292
How I did it
Upgrade the OpenSSL version

* [Security] Upgrade OpenSSL version for armhf
2023-02-10 21:50:57 +08:00
Jing Zhang
5b64d825de [sudoers] add /usr/local/bin/storyteller to READ_ONLY_CMDS (#13422)
Adding /usr/local/bin/storyteller to READ_ONLY_CMDS. So no write access or prompt for password is needed to run storyteller.

Tested on 202205 clusters, user who didn't request write access was able to grep log using storyteller.

sign-off: Jing Zhang zhangjing@microsoft.com
2023-02-07 20:54:03 +08:00
bingwang-ms
f9d0f25c66 Support both port name and alias in ACL table AttachTo attribute (#13444)
Why I did it
This PR is an enhancement of PR #13105
Because the input string of AttachTo for ACL table can appear in both port name group and port alias group, I added a logic to determine whether the string should be port name or port alias

If all the input strings belong to port name group, then we treat all of them as port name
If all the input strings belong to port alias, then we treat all of them as port alias
If all the input string belongs to both port alias group and port name group, we prefer port alias. The behavior is as before.
How I did it
Walk through all port names/alias in the input to make a decision.

How to verify it
Verified by adding UT.
2023-02-07 20:53:56 +08:00
ganglv
00a8df68a6
Enable host service. (#13544)
#### Why I did it
Back port GNMI to 202211 branch

#### How I did it
Update rules/config to enable host service

#### How to verify it
Run GNMI end2end test
2023-02-06 20:52:13 -08:00
Junhua Zhai
200342261a [gearbox] use credo sai v0.8.2 (#13565)
Update credo sai package to the latest v0.8.2, which also has the fix for aristanetworks/sonic#52.
2023-02-07 04:32:28 +08:00
Liu Shilong
fa5f03bb33 [build] Check if patches are applied before applying patches (#13386)
Why I did it
If make fails, we can't rerun the make process, because existing patches can't apply again.

How I did it
Check if patches are applied. if yes, don't apply patches again.

How to verify it
2023-02-06 16:37:03 +08:00
Tomer Shalvi
55822424bc Moving multiprocessing.Manager to the correct sub-process (#13377)
Why I did it
There is a queue in sysmonitor.py that is created based on an object of multiprocessing.Manager.
After performing fast-reboot, system health monitor is being shut down, what causes this Manager to be shut down as well, since it is a child-process of healthd.
That's why I moved the creation of this Manager from the top of the file to the function Sysmonitor.system_service() (The only place it is used), to make Manager a child-process of Sysmonitor, instead of Healthd. This way both the queue (the Manager) and the processes that uses this queue will be child-processes of the same process, and the problematic scenario of sysmonitor sending messages to a dead queue will not be possible.

How I did it
Removed the definition of manager as global and moved it to system_service() function

How to verify it
Perform a fast reboot and verify the traceback issue is fixed
2023-02-06 14:37:36 +08:00
Jing Kan
1f9ff1ca3d [Arista 720DT] Create SKU alias Arista-720DT-G48S4 (#12905) 2023-02-06 12:36:59 +08:00
Vivek
ee7724e74d Fix dependency of dhcp-mon on VLAN with only v6 (#13006)
Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-02-06 12:36:55 +08:00
xumia
81dd4b8f7b [Build] Support j2 template for debian sources for docker ptf (#13198)
Change to use the sources.list from the file generated from the j2 template
2023-02-06 12:36:51 +08:00
mssonicbld
7fc672c3e8
Use tmpfs for /var/log for Arista 7260 (#13587) (#13667) 2023-02-05 23:08:51 +08:00
mssonicbld
6f3f7f30b2
[build] Adjust teamd and radv features configuration according to the compilation options. (#13139) (#13644) 2023-02-05 04:44:02 +08:00
mssonicbld
d699d32553
[BugFix] Fix the bug that it gets error system-mac of centec platform (#12721) (#13625) 2023-02-05 02:17:56 +08:00
mssonicbld
d9b15aea0d
[Seastone] Enhancement fix for PR12200 syseeprom issue (#13344) (#13664) 2023-02-05 01:22:04 +08:00
Oleksandr Ivantsiv
a754c753bb [build] Add the possibility to disable compilation of teamd and radv containers. (#12920)
- Why I did it
This optimization is needed for DPU SONiC. DPU SONiC runs a limited set of containers and teamd and radv containers are not part of them. Unlike the other containers, there was no possibility to disable teamd and radv containers compilation.
To reduce DPU SONiC compilation time and reduce the image size this commit adds the possibility to disable their compilation.

- How I did it
Two new configuration options are added to rules/config file:

INCLUDE_TEAMD
INCLUDE_ROUTER_ADVERTISER
By default to preserve the existing behavior both options are enabled. There are two ways to override them:

To change option value to "n" in rules/config file.
To override their value using SONIC_OVERRIDE_BUILD_VARS env variable:
SONIC_OVERRIDE_BUILD_VARS="SONIC_INCLUDE_TEAMD=y SONIC_INCLUDE_ROUTER_ADVERTISER=n"

- How to verify it
The default behavior is preserved. To verify it compile the image without overriding new options. Install the image and verify that both teamd and radv containers are present and running.
To verify the new options override them with "n" value. Compile and install image. Verify that no docker containers are present. Verify that SWSS can start without errors.
2023-02-04 10:48:18 +08:00
byu343
2f27120c8a [Arista]: Add hwSku Arista-7260CX3-D108C10 (#13242)
* [Arista]: Add hwSku Arista-7260CX3-D108C10

* Add buffer-related config for Arista-7260CX3-D108C10
2023-02-04 10:48:14 +08:00
kenneth-arista
e3790d3044 [device/arista] Disabled polled_irq_mode for DNX SKUs (#13349)
Disabled polled_irq_mode for all Arista DNX devices as this mode
leads to excessive use of the CPU via an unneeded interrupt
polling thread.
2023-02-04 10:48:10 +08:00
Ikki Zhu
2ab45b1127 [Celestica Seastone] fix multi sonic platform issues (#13356)
Why I did it
Fix the following issues for Seastone platform:

- system-health issue: show system-health detail will not complete #9530, Celestica Seastone DX010-C32: show system-health detail fails with 'Chassis' object has no attribute 'initizalize_system_led' #11322
- show platform firmware updates issue: Celestica Seastone DX010-C32: show platform firmware updates #11317
- other platform optimization

How I did it
Modify and optimize the platform implememtation.

How to verify it
Manual run the test commands described in these issues.
2023-02-04 10:48:05 +08:00
Sudharsan Dhamal Gopalarathnam
ce8ffb6812 [yang] Add collector_vrf to sflow yang model (#12897)
- Why I did it
Fixed sflow yang model to include collector_vrf field.

- How I did it
Added leaf for collector_vrf under sflow_collector. Additionally aligned the configuration guide

- How to verify it
Added UT to verify.
2023-02-04 09:54:17 +08:00
Saikrishna Arcot
2e760823c1 Replace logrotate cron file with (adapted) systemd timer file (#12921)
Debian is shipping a systemd timer unit for logrotate, but we're also
packaging in a cron job, which means both of them will run, potentially
at the same time. Remove our cron file, and add an override to the
shipped timer file to have it be run every 10 minutes.

Fixes #12392.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-02-04 09:54:12 +08:00
Liu Shilong
56c2c65372 [build]: increase raw image disk size to 4GB (#12958)
3GB disk size is not enough for broadcom raw image.
2023-02-04 09:54:08 +08:00
Longxiang Lyu
918e2d11f8 [dualtor] Let T0 delay 10 seconds before sending BGP updates (#12996)
Why I did it
To ensure, that after a BGP startup, dualtor T0 receives BGP updates before sending out BGP updates.
Please refer to sonic-net/SONiC#1161 for more details.

How I did it
add coalesce-time 10000 to the frr bgp startup config.

Signed-off-by: Longxiang Lyu <lolv@microsoft.com>
2023-02-04 09:54:05 +08:00
lixiaoyuner
7161ff46ca Add k8s support feature set and Add platform label for scheduler usage (#12997)
Why I did it
We plan to pilot k8s feature, need to fix several bugs including enable telemetry feature and add platform label.

How I did it
Add support feature set, only enable telemetry container upgrade for now
Add platform label for scheduler usage
Remove CNI installation code, it would be auto installed when install kubeadm
How to verify it
After sonic device join k8s cluster, show node labels to check if platform label is visible.

Signed-off-by: Yun Li yunli1@microsoft.com
2023-02-04 09:54:01 +08:00
Zain Budhwani
24be87504f Change bgp notification leaf name and mem_usage leaf type (#13012)
#### Why I did it

Improve naming convention for bgp notification events and change type of leaf for sonic-events-host mem usage from uint64 to decimal64

#### How I did it

Replace "-" with "_"

Replace uint64 with decimal64

#### How to verify it

Run yang model unit tests

#### Description for the changelog

Change YANG model leaf naming convention for bgp notification
2023-02-04 09:53:57 +08:00
kellyyeh
f4ae6219bf [dhcpmon] Fix dhcpmon socket filter and tx count issue (#13065)
Why I did it
Fix issue caused by dualtor support PR [dhcpmon] Open different socket for dual tor to enable interface filtering #11201
Improve code
How I did it
On single ToR, packets received count was duplicated due to socket filter set to "inbound"
Tx count not increasing due to filter set to "inbound". Added an outbound socket to count tx packets
Added vlan member interface mapping for Ethernet interface to vlan interface lookup in reference to PR Fix multiple vlan issue sonic-dhcp-relay#27
Exit when socket fails to initialize to allow dhcp_relay docker to restart
How to verify it
Tested on vstestbed single tor and dual tor, sent packets and verify printed out dhcpmon rx and tx counters is correct

Correct number of tx increases
Tx does not increase when ToR is on standby
2023-02-04 09:53:53 +08:00
Zain Budhwani
b4e22e2752 Fix segfault issue inside memory_checker (#13066)
#### Why I did it

Segfault was occuring when running memory_checker

#### How I did it

Deinit publisher immediately after publishing

#### How to verify it

Manual testing
2023-02-04 09:53:49 +08:00
Ikki Zhu
e182d03f57 Seastone add platform capability enhancement config (#13079) 2023-02-04 09:53:45 +08:00
andywongarista
19e94dfbfc [Arista] Update ip packet checksum when set to 0xffff on 720DT-48S (#13088)
Why I did it
This is to fix test_forward_ip_packet_with_0xffff_chksum_tolerant test failure on 720DT-48S. IP packets with checksum set to 0xffff will be forwarded with the same checksum on this platform, instead of updating to the correct value.

How I did it
Add bcm config sai_verify_incoming_chksum=0 so that checksum is updated instead of being left unchanged when checksum is 0xffff. Note that packets with invalid checksum are still dropped with this config.
2023-02-04 09:53:41 +08:00
bingwang-ms
3d2611b5c6 [minigraph]: Support port name in ACL table AttachTo attribute (#13105)
Why I did it
This PR is to update minigraph.py to support both port alias and port name as input of AttachTo attribute of ACL table.
Before this change, only port alias is supported.

How I did it
Add a global variable to store port names
Search both port names and port alias wheh parsing the value of AttachTo.

How to verify it
Verified by a new unit test case test_minigraph_acl_attach_to_ports
Verified by copying the new minigraph.py to a testbed and run conflg load_minigraph.
2023-02-04 09:53:37 +08:00
Yaqiang Zhu
39c1f878b3 [dhcp-relay] Add support for dhcp_relay config cli (#13373)
Why I did it
Currently the config cli of dhcpv4 is may cause confusion and config of dhcpv6 is missing.

How I did it
Add dhcp_relay config cli and test cases.

config dhcp_relay ipv4 helper (add | del) <vlan_id> <helper_ip_list>
config dhcp_relay ipv6 destination (add | del) <vlan_id> <destination_ip_list>
Updated docs for it in sonic-utilities: https://github.com/sonic-net/sonic-utilities/pull/2598/files
How to verify it
Build docker-dhcp-relay.gz with and without INCLUDE_DHCP_RELAY, and check target/docker-dhcp-relay.gz.log
2023-02-04 09:53:30 +08:00
Ikki Zhu
62fb0726ee [Platform/Seastone]: fix syseeprom tlv read issue (#12200)
Why I did it
Fix Seastone syseeprom tlv header read incorrect issue

How I did it
Set mux idle_state

How to verify it
i2cdump -y -f 12 0x50 i
2023-02-04 04:32:29 +08:00
Liu Shilong
cd84a1f26e [ci] Disable Shallow fetch in pipeline build. (#12964) 2023-02-04 02:36:55 +08:00
Vadym Hlushko
3530fdbea1 [SFP] Change logging severity when failed to read EEPROM (#13011)
- Why I did it
In order to prevent the sonic-mgmt/tests/platform_tests/sfp/test_sfputil.py test failing on the log analyzer step.

The mentioned test is performing the sfputil reset EthernetX for every interface on the SONiC switch, this action will flap the SFP device status (INSTERTED -> REMOVED -> INSTERTED).

The SONiC XCVRD daemon will catch this SFP device status change (because it is monitoring the presence status of the cable).
To judge the cable presence status, currently, we are still leveraging to read the first bytes of the EEPROM, and the EEPROM could be not ready at some moment and the SONiC XCVRD daemon will print the error log to Syslog:

ERR pmon#xcvrd: Error! Unable to read data for 'xx' port, page 'xx' offset 128, rc = 1, err msg: Sending access register

- How I did it
Change logging severity from ERR to WARNING

- How to verify it
Run the sonic-mgmt/tests/platform_tests/sfp/test_sfputil.py

OR much faster way to run the next script on the switch:

#!/bin/bash

START=0
END=248

for (( intf=$START; intf<=$END; intf+=8))
do
    sfputil reset Ethernet"${intf}"
done

sfputil show presence
2023-02-04 02:36:51 +08:00
Junchao-Mellanox
cf6f31b215 [Mellanox] Remove TODO comments which are no longer needed (#13023)
- Why I did it
Remove TODO comments which are no longer needed

- How I did it
Remove TODO comments which are no longer needed

- How to verify it
Only comment change
2023-02-04 02:36:47 +08:00
Kebo Liu
9680479661 [Mellanox] change the implementation of is_host() to fix a stuck issue on simx platform (#13100)
- Why I did it
Following code to judge whether a process is running inside a docker could get stuck on the simx platform

subprocess.Popen(["docker", "--version"],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT,
                                universal_newlines=True)
When it gets stuck, the config-chassisdb service can not be successfully started, thus the system can not be booted up.

root@sonic:/# service config-chassisdb status
     config-chassisdb.service - Config chassis_db
     Loaded: loaded (/lib/systemd/system/config-chassisdb.service; enabled; vendor preset: enabled)
     Active: activating (start) since Thu 2022-12-15 09:23:02 UTC; 29min ago
   Main PID: 571 (config-chassisd)
      Tasks: 14 (limit: 9501)
     Memory: 132.4M
     CGroup: /system.slice/config-chassisdb.service
                        ├─571 /bin/bash /usr/bin/config-chassisdb
			├─575 /usr/bin/python3 /usr/local/bin/sonic-cfggen -H -v DEVICE_METADATA.localhost.platform
			├─602 /bin/sh -c sudo decode-syseeprom -m
			├─603 sudo decode-syseeprom -m
			├─607 /usr/bin/python3 /usr/local/bin/decode-syseeprom -m
			├─616 /bin/sh -c docker --version 2>/dev/null
			└─617 docker --version

- How I did it
Use an alternative way to implement this function and issue can be avoided:

docker_env_file = '/.dockerenv'
return os.path.exists(docker_env_file) is False

- How to verify it
run regression on real hardware and simx platform.
2023-02-04 02:36:43 +08:00
Yoush
d59b43566f [centec]: reference to v1.11.0-1 sai debian package for master (#13206) 2023-02-04 02:36:38 +08:00
Kebo Liu
ab54549d53 [Mellanox] Skip the leftover hardware reboot cause in case of last boot is warm/fast reboot (#13246)
- Why I did it
In case of warm/fast reboot, the hardware reboot cause will NOT be cleared because CPLD will not be touched in this flow. To not confuse the reboot cause determine logic, the leftover hardware reboot cause shall be skipped by the platform API, platform API will return the 'REBOOT_CAUSE_NON_HARDWARE' instead of the "hardware" reboot cause.

- How I did it
Check the proc cmdline to see whether the last reboot is a warm or fast reboot, if yes skip checking the leftover hardware reboot cause.

- How to verify it
a. Manual test:
    - Perform a power loss
    - Perform a warm/fast reboot
    - Check the reboot cause should be "warm-reboot" or "fast-reboot" instead of "power loss"
b. Run reboot cause related regression test.

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2023-01-31 18:34:36 +08:00
Junchao-Mellanox
e631f426f4
[infra] Support syslog rate limit configuration (#12490) (#13535)
Backport of https://github.com/sonic-net/sonic-buildimage/pull/12490 into 202211

- Why I did it
Support syslog rate limit configuration feature

- How I did it
Remove unused rsyslog.conf from containers
Modify docker startup script to generate rsyslog.conf from template files
Add metadata/init data for syslog rate limit configuration

- How to verify it
Manual test
New sonic-mgmt regression cases
2023-01-30 20:11:44 +02:00
xumia
e50123bc71 [FIPS] Upgrade Open-SymCrypt version to 0.6 (#13461)
Why I did it
[FIPS] Upgrade Open-SymCrypt version to 0.6

Improve the SymCrypt performance
Support to download the debug packages from storage account in version 0.6.
How I did it
Upgrade to symcrypt-openssl from version 0.4 to version 0.6

Changes in https://github.com/sonic-net/sonic-fips:
0c29b23 Upgrade the submodules: SymCrypt and SymCrypt-OpenSSL #40
80022f3 Fix the ARM64 build failure
2e76a3d Disable the unsupported tests

Other changes will be added as well:
55b8e0a Merge pull request #35 from xumia/change-license
120c1a7 Upgrade SymCrypt and SymCrypt-OpenSSL
2f9c084 Merge pull request #39 from liuh-80/dev/liuh/update-openssh-version
a3be6c5 Revert openssh version
e02fa1e Update fips version

How to verify it
2023-01-30 14:37:28 +08:00
Zain Budhwani
537ecc5fa7
Update gnmi submodule ptr (#13323) 2023-01-27 10:39:14 -08:00
mssonicbld
18c7a5e239
rsyslog to start after interfaces-config (#13503) (#13528) 2023-01-27 16:22:04 +08:00
Stepan Blyshchak
e33b92fcaf
[202211][swss.sh] optimize macsec feature state query (#12946) (#13509)
backport of #12946

- Why I did it
There's a slowdown in bootup related to the execution of a show command during startup of swss service. show is a pretty heavy command and takes long time to execute ~2 sec.

- How I did it
I replaced show with sonic-db-cli which takes a ms to run.

- How to verify it
Boot the switch and verify swss is active.

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
2023-01-25 20:49:47 +02:00
StormLiangMS
65e080c349
[submodule] Advance sonic-platform-common pointer (#13481)
d0e1ccf - [syseeprom] Remove the trailing space in the value of VENDOR_EXT field in the eepromTlvInfo decode (Add Ingrasys S9100 platform submodule #333) (8 minutes ago)
b662bf1 - add SOP ROC in bulk status (Add default dhcp_relay.yml file to OneImage build #341) (17 minutes ago)
cdc887c - Don't read AUX_MON_TYPE if memory model is flat ([kernel]: update linux kernel to support z9100 #339) (17 minutes ago)
2236776 - Fix TODO comment ([boardcom]: update saibcm to 2.1.3.1-3 #336) (18 minutes ago)
56397d2 - Removing null characters while decoding from syseeprom ([Makefile]: Automatically rebuild sonic-slave #338) (18 minutes ago)
4651bb0 - [Ci] Upgrade to bullseye and fix the branch reference issue ([platform]: add z9100 platform modules #331) (18 minutes ago)
caed733 - Add get_transceiver_status and get_transceiver_pm to API interface (configurations are re-generated across reboots #315) (19 minutes ago)
75d7664 - Use github code scanning instead of LGTM ([platform]: add port_config.ini for dell z9100 #328) (4 weeks ago)
94595a8 - Add warning/critical thresholds for PSU power (Combine alias_map.json with port_config.ini #304) (6 weeks ago)
2023-01-24 09:16:40 +02:00
Dror Prital
d12c3b79bc
[202211][Mellanox] Add ASIC simulation version tag to fw.mk (#13473)
Signed-off-by: dprital <drorp@nvidia.com>
2023-01-23 13:28:19 +02:00
mssonicbld
87ef9f3543
[ci/build]: Upgrade SONiC package versions (#13464) 2023-01-22 22:27:06 +08:00
mssonicbld
80cd7876e5
[ci/build]: Upgrade SONiC package versions (#13462) 2023-01-21 22:45:44 +08:00
mssonicbld
05fb3f628f
[Arista] add support for hardware sku Arista-7260CX3-D92C16 (#13438) (#13448) 2023-01-20 17:36:37 +08:00
mssonicbld
76cedec3a2
[ci/build]: Upgrade SONiC package versions (#13416) 2023-01-18 22:51:15 +08:00
xumia
47649f4ad1 [Bug] Fix SONiC installation failure caused by pip/pip3 not found (#13284)
The main issue is the pip/pip3 command cannot be found when the package is being installed by apt-get.
When using the dpkg install, the searching path is PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
When using the apt-get install, the searching path is PATH=/usr/sbin:/usr/bin:/sbin:/bin
But the pip/pip3 default path is at /usr/local/bin, so dpkg works, but apt-get not work.

How I did it
Export the path /usr/local/bin for pip/pip3.
Make the deb packages can be installed by apt-get.
2023-01-18 16:37:02 +08:00
Stephen Sun
76c74de53e
[202211][submodule] Advance sonic-host-services pointer (#13383)
4a2ef996 Avoid printing message in error level when DEVICE_METADATA|localhost updates (25)
6c131c42 Use github code scanning instead of LGTM(26)
c55f5d18 Use github code scanning instead of LGTM

Signed-off-by: Stephen Sun <stephens@nvidia.com>
2023-01-17 18:05:36 +02:00