Commit Graph

707 Commits

Author SHA1 Message Date
lixiaoyuner
fdc8ce12ce
[Build] Install k8s packages from sonic build storage to mitigate k8s source deprecation issue (#18280)
Why I did it
pkgs.k8s.io: Introducing Kubernetes Community-Owned Package Repositories | Kubernetes

For 1.22.2 k8s packages, source repo has been deprecated, going to store these packages in sonic build storage for installation to mitigate the issue. Will migrate to new repo when we are ready to upgrade k8s version.

Work item tracking
Microsoft ADO (number only): 27075924
How I did it
Store the 1.22.2 k8s package in sonic build storage and install the package there.

How to verify it
"apt list" to check if it's installed.
2024-03-07 13:46:31 +08:00
wumiao_nokia
0c44d3ddff
Make macsec container to build with bookworm (#18148)
Why I did it
We Nokia took the task to make macsec container to work with bookworm.

This PR requires another PR for sonic-wpa-supplicant(sonic-net/sonic-wpa-supplicant#80) to be in first. Otherwise sonic build will fail for bookworm wpasupplicant debian package.

How I did it
How to verify it
After build and boot up system with new image, macsec container should run with bookworm. Corresponding mgmt macsec suite will work here.

Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Tested with latest master of sonic-buildimage. Built vs image and loaded into vs testing environment. Code pass with macsec test suites.

Description for the changelog
Make macsec container to build with bookworm
2024-03-05 07:47:07 +08:00
Ze Gan
4e1c38a3fe
[sonic-dash-api]: Fix wrong path in sonic-dash-api.dep (#18206)
In some local buildings, an error /bin/bash: line 0: cd: src/sonic-dash-api/sonic-dash-api: No such file or directory will be raised due to the directory structure of sonic-dash-api has been changed.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2024-02-28 22:23:03 -08:00
lixiaoyuner
9fef78c4f0
Install and upgrade packages for k8s master image (#18159)
### Why I did it
- Currently inside k8s master image we are going to use AAD to do authentication related stuff with python language, we need to pre-install several azure key-vault related python packages.
- Need to upgrade cri-dockerd to 0.3.10 to support bookworm
- Need to change netcat package name to netcat-openbsd for bookworm
- Remove the unnecessary apt-get update
##### Work item tracking
- Microsoft ADO **(number only)**: 26435886

#### How I did it
- pip3 install azure-keyvault-secrets
- apt-get -y install netcat-openbsd
- upgrade the cri-dockerd version for bookworm
#### How to verify it
- pip3 list to check if azure-keyvault-secrets is installed inside image
- dpkg -l to check if netcat-openbsd is installed inside image
- systemctl status cri-dockerd.service to check if it's running well
2024-02-27 18:09:12 -08:00
rajib-dutta1
4753953ed0
Ipmitool bookworm: Fix and patch enterprise-numbers URL (#17878)
### Why I did it

ipmitool utility is used to access various HW sensors. Some platforms use "ipmitool raw " to read specific addresses. 

ipmitool_1.8.19-4_amd64.deb, that is part of bookworm has a defect. The package is missing file enterprise.txt that is expected by the "raw read" code path. 
It is so because the file the .deb tries to download at the build time does not have the necessary extension as it is available on remote server: https://www.iana.org/assignments/enterprise-numbers.txt

### How I did it

The defect had been fixed using coding changes in next unstable version of Linux. It is expected to be available in future stable version of the OS. Hence to keep the changes to minimal, the .dsc file is downloaded and only the Makefile is modified to download the correct file. To make is work as patch necessary changes are made.

#### How to verify it
Build log is attached and installation of the file is noted line #2274
When using vanilla bookworm on platforms like 5212 or 5224:
-------------------------------------------------------------------
root@sonic:~# ipmitool raw 0x04 0x2d 0x31
IANA PEN registry open failed: No such file or directory
00 c0 01 80

When fixed we should not see the above error:
--------------------------------------------------
root@sonic:/home/admin# ipmitool raw 0x04 0x2d 0x31
 00 c0 00 80

### Description for the changelog

This change is to address ipmitool raw read issue. This patch must be removed once it is available in next stable Linux release that contains the fix. 

1edb0e27e4
2024-02-26 17:49:06 -08:00
Mridul Bajpai
54c1a49634
Sensormond support (#16089)
Enable Sensormon daemon in PMON container.
Pls see HLD : sonic-net/SONiC#1394
2024-02-23 22:25:48 -08:00
Saikrishna Arcot
8506826348
Update the database, teamd, and radv containers to Bookworm (#18108)
* Update Redis DB start options for multi-asic and chassis cases

Starting with Redis 7.0 (specifically, redis/redis#9034), setting a
custom `--bind` address on the command line no longer disables protected
mode (which blocks connections from non-localhost IP addresses unless a
password is set). For multi-asic and chassis database DBs, we currently
specify a non-localhost IP address and do not specify any password,
which means this change would break things there.

To work around this, if we are specifying a non-localhost IP address on
the command line, then disable protected mode.

* Clean up debug pacakge list for docker-teamd

The debug pacakges for swss and libswsscommon are already installed by
docker-swss-layer-bookworm and docker-config-engine-bookworm, so they
don't need to be specified here again.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2024-02-21 13:22:07 -08:00
Saikrishna Arcot
34bdfc8b39
Add Bookworm swss-layer (#18062)
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2024-02-09 15:56:26 -08:00
Ze Gan
1c901b8f12
[docker-database]: Install sonic-dash-api CLI in database container (#17479)
Add sonic-dash-api CLI in database container for decoding the dash objects from protobuf to readable json.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2024-02-01 11:13:51 -08:00
Zain Budhwani
c8439cdd4b
Disable eventd and rsyslog plugin in slim images (#17905)
### Why I did it

Disable eventd at buildtime for slim images

##### Work item tracking
- Microsoft ADO **(number only)**:26386286

#### How I did it

Add flags for disabling eventd and only copy rsyslog conf files when eventd is included and not slim image

#### How to verify it

Manual testing
2024-01-30 22:14:23 -08:00
xumia
bb5a420de5
[Build] Fix krb5 package not found issue (#17926)
Why I did it
Fix the build issue caused by the wrong version specified.

See the build error logs:

Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
--2024-01-26 11:38:23--  https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
HTTP request sent, awaiting response... 404 The specified blob does not exist.
2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..

Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
make[1]: Leaving directory '/sonic/src/sonic-fips'
Work item tracking
Microsoft ADO (number only): 26577929
The package not installed but PR passed issue is traced in another issue #17927

How I did it
Add the libkrb5-dev and the depended packages to fix docker-sonic-vs build failure.
The package libzmq3-dev has dependency on the libkrb5-dev.
2024-01-30 21:44:32 +08:00
xumia
235cf3e661
[Security] Fix the krb5 vulnerability issue (#17914)
### Why I did it
Fix the krb5 vulnerable issue
CVE-2021-36222  allows remote attackers to cause a NULL pointer dereference and daemon crash
CVE-2021-37750  NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
DSA 5286-1  remote code execution

##### Work item tracking
- Microsoft ADO **(number only)**: 26577929

#### How I did it
Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.
2024-01-26 15:34:22 -08:00
Mai Bui
e8b1722005
[docker-nat] limit privileged flag for nat container (#17756)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect nat | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it nat bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-26 10:43:35 -08:00
Mai Bui
ff7c993060
[docker-p4rt limit privileged flag for p4rt container (#17796)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect p4rt | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it p4rt bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-23 11:02:54 -08:00
Yaqiang Zhu
2c08e90203
[dhcp_server] Update dhcp_server container to bookworm (#17647) 2024-01-23 08:33:00 -08:00
Mai Bui
3da08d340c
[docker-iccpd] limit privileged flag for iccpd container (#17835)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect iccpd | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it iccpd bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-19 10:49:44 -08:00
Saikrishna Arcot
3e3c7aa09d
Add Bookworm base and config-engine layers (#17742)
The layers compile for amd64; however, functionality has not been
tested.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2024-01-12 09:48:26 -08:00
Liu Shilong
2532661cd9
[ci] Enable sonic-restapi build in PR validation. (#17397)
Why I did it
Enable sonic-restapi build in two platform to avoid build break on restapi target.

Work item tracking
Microsoft ADO (number only): 26048426
How I did it
How to verify it
2023-12-15 16:25:26 +08:00
Ze Gan
7d4f348c09
[submodule]: Update submodule sonic-swss/sonic-dash-api/protobuf (#17413)
### Why I did it
1. Protobuf 3.21 has been released in the Debian bookworm
2. Update submodule sonic-swss and sonic-dash-api because they include related updates.

##### Work item tracking
- Microsoft ADO **(number only)**:

#### How I did it

1. In the protobuf.mk, If it isn't bullseye, ignore to compile the protobuf package
2. Move sonic-swss commits:
```
fd852084 (HEAD, origin/master, origin/HEAD) [dashrouteorch]: Rename dash route namespace (#2966)
```
3. Move sonic-dash-api and move build chain to its submodule
```
d4448c7 (HEAD, origin/master, origin/HEAD, master) [azp]: Add multi-platform artifacts (#11)
8a5e5cc [debian]: Add debian package (#10)
d96163a [misc]: Add dash utils and its tests (#9)
```

#### How to verify it
Check Azp
2023-12-05 17:51:14 -08:00
Yaqiang Zhu
22b18e562f
[dhcp_server] Set to build dhcp_server image in vs image (#17340)
Currently in this repo would not build dhcp_server container image by default, which would cause that building issue for dhcp_server introduced by other modules cannot be noticed in time.
This PR is to set build dhcp_server container in vs image.
2023-11-30 13:52:54 -08:00
Saikrishna Arcot
7c5f616469
Fix sonic-mgmt docker build due to Bookworm changes (#17309)
* Fix sonic-mgmt docker build due to Bookworm changes

Because of the Bookworm upgrade, when some build target is specified on
the command line, the build system will try to build everything for
buster and bullseye distros, even if it's not needed by the target.

As a workaround, call the underlying Makefile.work script with
`BLDENV=bullseye` to have it only build packages related to sonic-mgmt.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Mark docker-sonic-mgmt as a Bullseye container

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-28 16:41:13 -08:00
Yaqiang Zhu
59dddb14d4
[dhcp_server] Rename sonic_dhcp_server to sonic_dhcp_utilities (#17276)
Why I did it
sonic_dhcp_server.whl contains not only dhcp_server functionality but also part of dhcp_relay functionality, the existing naming is not appropriate.
2023-11-28 13:28:16 -08:00
Mai Bui
80615f45db
[docker-sonic-mgmt-framework] limit privileged flag for mgmt-framework container (#17217)
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag

How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
2023-11-28 15:35:22 +08:00
Yaqiang Zhu
69f949671c
[dhcp_server] Mark dhcp_server docker as Bullseyse docker (#17290)
How I did it
Mark dhcp_server docker as Bullseyse docker

How to verify it
Set INCLUDE_DHCP_SERVER to y and build image, build successfully
2023-11-27 21:47:59 -08:00
Yaqiang Zhu
da80593ecb
[dhcp_relay] Use dhcprelayd to manage critical processes (#17236)
Modify j2 template files in docker-dhcp-relay. Add dhcprelayd to group dhcp-relay instead of isc-dhcp-relay-VlanXXX, which would make dhcprelayd to become critical process.
In dhcprelayd, subscribe FEATURE table to check whether dhcp_server feature is enabled.
2.1 If dhcp_server feature is disabled, means we need original dhcp_relay functionality, dhcprelayd would do nothing. Because dhcrelay/dhcpmon configuration is generated in supervisord configuration, they will automatically run.
2.2 If dhcp_server feature is enabled, dhcprelayd will stop dhcpmon/dhcrelay processes started by supervisord and subscribe dhcp_server related tables in config_db to start dhcpmon/dhcrelay processes.
2.3 While dhcprelayd running, it will regularly check feature status (by default per 5s) and would encounter below 4 state change about dhcp_server feature:
A) disabled -> enabled
In this scenario, dhcprelayd will subscribe dhcp_server related tables and stop dhcpmon/dhcrelay processes started by supervisord and start new pair of dhcpmon/dhcrelay processes. After this, dhcpmon/dhcrelay processes are totally managed by dhcprelayd.
B) enabled -> enabled
In this scenaro, dhcprelayd will monitor db changes in dhcp_server related tables to determine whether to restart dhcpmon/dhrelay processes.
C) enabled -> disabled
In this scenario, dhcprelayd would unsubscribe dhcp_server related tables and kill dhcpmon/dhcrelay processes started by itself. And then dhcprelayd will start dhcpmon/dhcrelay processes via supervisorctl.
D) disabled -> disabled
dhcprelayd will check whether dhcrelay processes running status consistent with supervisord configuration file. If they are not consistent, dhcprelayd will kill itself, then dhcp_relay container will stop because dhcprelayd is critical process.
2023-11-27 09:30:01 -08:00
Konstantin Vasin
5f4132ad95 don't build debootstrap from source 2023-11-21 18:53:15 -08:00
Vivek
787dd7221d [Mellanox] Upgrade HW-MGMT to 7.0030.2008 and update platform-api (#17134)
Why I did it
Add platform support for Debian 12 (Bookworm) on Mellanox Platform

How I did it
Update hw-management to v7.0030.2008
Deprecate the sfp_count == module_count approach in favour of asic init completion
Ref: Mellanox/hw-mgmt@bf4f593
Add xxd package to base image which is required by hw-management scripts
Add the non-upstream flag into linux kernel cache options
Update the thermalctl logic based on new sysfs attributes
Fix the integrate-mlnx-hw-mgmt script to not populate the arm64 Kconfig
How to verify it
Build kernel and run platform tests

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>
Co-authored-by: Junchao-Mellanox <junchao@nvidia.com>
Co-authored-by: Junchao-Mellanox <57339448+Junchao-Mellanox@users.noreply.github.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
3d0a0da24f Upgrade lldpd to 1.0.16
This fixes lldpcli hitting some error related to being unable to get a
lock on /var/run/lldpd.socket. This version is the version in Debian
Bookworm, even though lldpd is in the lldp container, and that is on
Bullseye. This is because there is a change that went into 1.0.12 that
uses a separate lock file for the lldpd socket instead of locking the
socket file itself. This appears to cause problems in an unprivileged
docker container for unknown reasons (privileged docker container is
fine). Bullseye is on 1.0.11, which isn't new enough to have this
change.

I can't see any specific system capability that might address this.
Rather than debugging this further, just upgrade to the Bookworm
version.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Vivek
1fccc97ee7 [Nvidia] Fix mlnx-sai build failure (#14)
Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

[Nvidia] Enable iproute2 & fix mft build (#16)

* Enable iproute2 as the SDK is also built

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

* [Nvidia] Dont use mkbmdeb method of dkms to build the package

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

* Added linux image to the Depends section of mft

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

[Nvidia] [Bookworm] Separate KERNEL_MFT into a new target (#16782)

* [Nvidia] Seperate KERNEL_MFT into a new target because of kernel header dependency

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

* Update linux-kernel submodule

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

* Fix paralell build problem

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>

---------

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
8ec9672f45 Update sonic-host-services for changes in Python
This fixes 3 issues:
* Specify test dependencies under extra_requires
* Update the PAM configuration for Bookworm
* Break a cyclical dependency between sonic-host-services and
  sonic-buildimage by moving the contents of
  src/sonic-host-services-data into sonic-host-services submodule

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
675d83066d Update sonic-utilities for changes in Python
This fixes 4 issues:
* Update tabulate to 0.9.0 and deepdiff to 6.2.2
* Specify test dependencies under extra_requires
* Add check_output parameter to the setup function due to the patch
* Fix error about having a mutable default for field headers in
  dataclass

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
5e292f9e3d Upgrade initramfs-tools to 0.142
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
15e3f9cc80 Upgrade kdump-tools
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
3a23c8962d For libyang, don't add an ordering dependency on frr for Bookworm
This ordering dependency causes FRR to get built for Bookworm, which we
don't need currently. Skip this by having it apply only to Bookworm.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
e3ebe00051 Mark many (but not all) of the dockers as Bullseye dockers
This tells the build infra that they need to be built as part of
Bullseye and not Bookworm.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
eabcc5b720 Update openssh to 9.2p1-2+deb12u1 (the version in Debian Bookworm)
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Co-authored-by: Aravind Mani <aravind.m1@dell.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
0909c671c6 Update sonic-linux-kernel to use 6.1.38
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Saikrishna Arcot
3bf2c54768 Update slave.mk to assume a Bookworm base image
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-11-21 18:53:15 -08:00
Mai Bui
6ea03f9f78
[docker-restapi] limit privileged flag for restapi container (#17138)
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag

How to verify it
Run restapi sonic-mgmt tests on sn4600c
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
2023-11-21 14:50:31 +08:00
Mai Bui
682057945f
[docker-snmp] limit privileged flag for snmp container (#16971)
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag

How to verify it
Run snmp sonic-mgmt tests
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.

admin@vlab-01:~$ docker inspect snmp | grep Privi
            "Privileged": false,

admin@vlab-01:~$ docker exec -it snmp bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_se
2023-11-16 22:15:37 +08:00
Xichen96
e6c2e9ff94
add missing variable (#17162)
Without the INSTALL_PYTHON_WHEELS=SONIC_UTILITIES_PY3, slave container won't have needed sonic utilities related packages.
2023-11-15 10:20:39 -08:00
ganglv
c71fb3a30f
Share image for gnmi and telemetry (#16863)
Why I did it
Share docker image to support gnmi container and telemetry container

Work item tracking
Microsoft ADO 25423918:
How I did it
Create telemetry image from gnmi docker image.
Enable gnmi container and disable telemetry container by default.

How to verify it
Run end to end test.
2023-11-08 08:54:36 +08:00
Yaqiang Zhu
274d320443
[dhcp_server] Add dhcprelayd for dhcp_server feature (#16947)
Add support in dhcp_relay container for dhcp_server_ipv4 feature. HLD: sonic-net/SONiC#1282
2023-11-02 08:09:01 -07:00
Mai Bui
753fa0d26e
[docker-sflow] limit privileged flag for sflow container (#16973)
#### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Run sflow sonic-mgmt tests
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect sflow | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it sflow bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
```
2023-10-27 11:30:30 -07:00
Samuel Angebault
9d3d4a8a03
Add some config options to make gbsyncd optional (#16840)
Why I did it
In an effort to allow people to build a slim version of SONiC to fit on devices to small storage, there is a need to disable some unneeded features.
The docker-gbsyncd are only applicable to devices with external gearboxes and might not apply to devices that need a small image.
It is therefore desirable to have a knob to not include these gbsyncd containers.

Work item tracking
Microsoft ADO (number only):
How I did it
Add a new config INCLUDE_GBSYNCD which is enabled by default to retain the previous behavior.
Setting it to n will not include the platform/components/docker-gbsyncd-*.mk.

How to verify it
Set INCLUDE_GBSYNCD = n and witness that docker-gbsyncd images are not present in the final image.
2023-10-25 15:39:03 +08:00
Samuel Angebault
e4a497183a
Add build option to reduce final image size (#16729)
* Reduce SONiC image filesystem size

Add a build option to reduce the image size.
The image reduction process is affecting the builds in 2 ways:
 - change some packages that are installed in the rootfs
 - apply a rootfs reduction script

The script itself will perform a few steps:
 - remove file duplication by leveraging hardlinks
   - under /usr/share/sonic since the symlinks under the device folder are lost during the build.
   - under /var/lib/docker since the files there will only be mounted ro
 - remove some extra files (man, docs, licenses, ...)
 - some image specific space reduction (only for aboot images currently)

The script can later be improved but for now it's reducing the rootfs
size by ~30%.

* restore fully featured vim package
2023-10-24 10:01:58 +08:00
Liu Shilong
1eae34993e
[build] Add config to set pip http timeout (#16748)
Why I did it
Add config to set pip HTTP timeout value in building process for build to be more stable.
Default value is 60.

Work item tracking
Microsoft ADO (number only): 25190067
How I did it
Insert timeout options in all pip commands.
2023-10-23 18:05:22 +08:00
Yaqiang Zhu
73dd38a5ce
[dhcp_server] Add dhcpservd to dhcp_server container (#16560)
Why I did it
Part implementation of dhcp_server. HLD: sonic-net/SONiC#1282.
Add dhcpservd to dhcp_server container.

How I did it
Add installing required pkg (psutil) in Dockerfile.
Add copying required file to container in Dockerfile (kea-dhcp related and dhcpservd related)
Add critical_process and supervisor config.
Add support for generating kea config (only in dhcpservd.py) and updating lease table (in dhcpservd.py and lease_update.sh)

How to verify it
Build image with setting INCLUDE_DHCP_SERVER to y and enabled dhcp_server feature after installed image, container start as expected.
Enter container and found that all processes defined in supervisor configuration running as expected.
Kill processes defined in critical_processes, container exist.
2023-10-20 09:52:05 -07:00
Mai Bui
a850f8b2f5
Fix privileged and volumes for macsec container (#16894)
### Why I did it
Privileges and volumes were incorrectly set in macsec container. Privileged flag is set to false and volumes are not mounted properly.
 ```
admin@vlab-01:~$ docker inspect macsec0 | grep Privi
            "Privileged": false,
admin@vlab-01:~$ docker inspect macsec0 | grep -A 10 Binds
            "Binds": [
                "/var/run/redis0:/var/run/redis:rw",
                "/var/run/redis-chassis:/var/run/redis-chassis:ro",
                "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0/Nokia-IXR7250E-36x100G/0:/usr/share/sonic/hwsku:ro",
                "/var/run/redis0/:/var/run/redis0/:rw",
                "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0:/usr/share/sonic/platform:ro"
            ],
```
### How I did it

#### How to verify it
Make sure privileged settings remain unchanged and make sure volumes are properly mounted
```
admin@vlab-01:~$ docker inspect macsec | grep Privi
            "Privileged": false,
admin@vlab-01:~$ docker inspect macsec | grep -A 10 Binds
            "Binds": [
                "/etc/timezone:/etc/timezone:ro",
                "/var/run/redis:/var/run/redis:rw",
                "/var/run/redis-chassis:/var/run/redis-chassis:ro",
                "/etc/fips/fips_enable:/etc/fips/fips_enable:ro",
                "/usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro",
                "/etc/sonic:/etc/sonic:ro",
                "/host/warmboot:/var/warmboot",
                "/usr/share/sonic/device/x86_64-kvm_x86_64-r0/Force10-S6000/:/usr/share/sonic/hwsku:ro",
                "/usr/share/sonic/device/x86_64-kvm_x86_64-r0:/usr/share/sonic/platform:ro"
            ],
```
2023-10-19 11:17:05 -07:00
xumia
5f224327a9
[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts (#16902)
### Why I did it
[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts

Upgrade OpenSSL to 1.1.1n-0+deb11u5
Fix CVEs:
      CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
      CVE-2023-0465 (Invalid certificate policies in leaf certificates are
      CVE-2023-0466 (Certificate policy check not enabled).
      CVE-2022-4304 (Timing Oracle in RSA Decryption).
      CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).

Upgrade OpenSSH to 8.4p1-5+deb11u2
Fix CVEs:
    CVE-2023-38408 (Lacks SSH agent restriction)

##### Work item tracking
- Microsoft ADO **(number only)**: 25506776

#### How I did it
Upgrade the OpenSSL/OpenSSH package version and fix the UT failure.

#### How to verify it
Verified by UTs with and without FIPS enabled.
2023-10-18 15:52:26 -07:00