Commit Graph

6604 Commits

Author SHA1 Message Date
Alexander Allen
b4bc051267
Add logging for slave container builds (#10628)
#### Why I did it

No logs currently exist for sonic-save-X containers which makes it difficult to debug.

#### How I did it

Altered Makefile.work to create logs in the sonic-slave-X folder while still displaying the log to the screen to prevent interfering with any existing tooling. 

#### How to verify it

Do `make configure` and verify that logs show up in `sonic-slave-buster/` and `sonic-slave-bullseye/`

#### Description for the changelog
Add logging for slave container builds

#### A picture of a cute animal (not mandatory but encouraged)
TBD
2022-05-31 09:59:52 -07:00
Lukas Stockner
c9b27cde71
[swss] Clear VXLAN tunnel table from State DB on startup (#10822)
* When reloading config after crashes, VTEP interfaces are sometimes not created since the tunnel still exists in the STATE_DB.
* Adding VXLAN_TUNNEL_TABLE to the list of tables to be cleaned in swss.sh fixes the problem.
2022-05-31 08:54:31 -07:00
Yakiv Huryk
7306d68411
[build][asan] make dpkg cache asan-aware (#10750)
Currently, the build with ASAN_ENABLE=y reuses the packages built with
ASAN_ENABLE=n (and vice versa). To address this issue, ASAN_ENABLE is added to DEP_FLAGS for asan-enabled packages (docker-syncd-mlnx, syncd, docker-orchagent, swss).

- Why I did it
To make dpkg cache use/rebuild the packages for ASAN_ENABLE=y/n.

- How I did it
Added ASAN_ENABLE to the DEP_FLAGS for asan-enabled packages.

- How to verify it
Built with ASAN_ENABLE=y/n and checked the .flags .log files.

Signed-off-by: Yakiv Huryk <yhuryk@nvidia.com>
2022-05-31 11:15:44 +03:00
Yakiv Huryk
bd91b2eef3
[asan] add debug package for asan-enabled containers (#10953)
This is to improve the readability of ASAN reports. The debug package adds function names and source code references to the backtrace (currently, there are only binary addresses of functions)

Another way to address this issue is to build the image with "INSTALL_DEBUG_TOOLS=y". The downside of this approach is that the image size and compilation time are unnecessarily big. Also, the idea is to make the "ENABLE_ASAN" self-sufficient, which would not be the case for this approach.

- Why I did it
To improve the readability of asan logs.

- How I did it
Added SYNCD_DBG and SWSS_DBG to corresponding docker images for ASAN_ENABLE=y build

- How to verify it
Add artificial memory leak
Build with ASAN_ENABLE=y
Test the image and check the ASAN report

Signed-off-by: Yakiv Huryk <yhuryk@nvidia.com>
2022-05-31 09:24:18 +03:00
Eric Zhu
8c1ded61b0
[SONiC-CEL]: fix platform fancontrol testcase failure issue (#10934) 2022-05-31 10:54:55 +08:00
Samuel Angebault
912923f47b
[Arista] Update supervisor configurations (#10913)
* Removed unused default_config.json

* Remove asic.conf file from HW SKUs directories as they are not used by upstream code

* Enable dynamic PCI ID identification on Otterlake2

Co-authored-by: Maxime Lorrillere <mlorrillere@arista.com>
2022-05-30 13:34:55 -07:00
xumia
5072315c89
[Ci]: Fix the target directory not empty issue when publishing artifacts #10972
Why I did it
Fix the target directory not empty issue when publishing artifacts.
Some of the artifacts are published to $(Build.ArtifactStagingDirectory)/target/ before source code checked out.
2022-05-30 16:50:06 +08:00
Guohan Lu
73c5ac11ee
[CODEOWNERS]: update code owners for various repos (#10980)
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2022-05-30 01:25:51 -07:00
Shilong Liu
650b00e41e
[ci] Publish logs when building image job is canceled by timeout. (#10919) 2022-05-30 16:02:27 +08:00
Jing Zhang
b3e33d4f45
[sonic-linkmgrd][master] submodule updates (#10925)
[sonic-linkmgrd][master] submodule updates

d744bfb Longxiang Lyu Wed May 25 08:40:42 2022 +0800 Support switch between using wellknown mac or server mac addr (#73)
684e989 Jing Zhang Wed May 18 09:59:02 2022 -0700 Avoid switching active when LinkState == Down (#77)
e4aa4fd Longxiang Lyu Tue May 17 09:13:23 2022 +0800 [Makefile] Remove redundant optimization options (#75)
4ec7505 Jing Zhang Thu May 12 08:19:20 2022 -0700 [ci]: uplift diff coverage threshold to 80% (#71)

sign-off: Jing Zhang zhangjing@microsoft.com
2022-05-29 22:53:46 -07:00
xumia
b9ecaa3234
[Build]: Support to use the base image version when a package version not specified (#10971)
Why I did it
It is to fix issue: #10952
[Build]: Support to use the base image version when a package version not specified
2022-05-30 12:06:32 +08:00
Ying Xie
ed27eff71f
[swss] advance sonic-swss submodule head (#10959)
* 910bfd4 2022-05-28 | [ACL] Add default action_list for default ACL table type (#2298) (github/master) [bingwang-ms]
* 4d6fa42 2022-05-27 | [ci] Change artifact reference pipeline to common lib pipeline. (#2294) [Shilong Liu]
* 583236f 2022-05-26 | [P4Orch] Lazy UDF match creation to avoid failure during warm reboot (#2282) [Yilan Ji]
* d7b5ff7 2022-05-26 | [ci] Use correct branch when downloading artifact. (#2292) [Shilong Liu]
* 2f13244 2022-05-26 | [ci] Improve azp trigger settings to automaticlly support new release branch. (#2289) [Shilong Liu]

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2022-05-30 09:21:03 +08:00
davidpil2002
ab0930313b
[YANG] Add support for Password Hardening (#10322)
- Why I did it
Yang Model about password hardening feature, the sonic CLI of this feature was autogenerated from this Yang model

- How I did it
Create new Yang model in src/sonic-yang-models/yang-models/sonic-passwh.yang.

- How to verify it
There are unitests(yang test) in this P.R covering all the passwords policies with good and bad values cases.
Or is possible manually using the config/show password commands that were autogenerated from this Yang model. (this CLI code added in sonic-utilities)
2022-05-29 13:54:51 +03:00
Andriy Yurkiv
29043ff026
[MFT] Update MFT version to MFT 4.20.0-34 (#10933)
- Why I did it
Update MFT to newer version

- How I did it
Update MFT_VERSION in platform/mellanox/mft.mk

- How to verify it
Check version via dpkg -l | grep mft

Signed-off-by: Andriy Yurkiv <ayurkiv@nvidia.com>
2022-05-28 15:45:02 +03:00
bingwang-ms
b62526c46c
Define SYSTEM_DEFAULTS table to control tunnel_qos_remap (#10877)
* Define SYSTEM_DEFAULTS table to control tunnel_qos_remap

Signed-off-by: bingwang <wang.bing@microsoft.com>
2022-05-28 15:34:28 +08:00
Ze Gan
9bf84fcad5
[submodule]: Update submodule for sonic-wpa-supplicant (#10957)
1069d2dd4 [sonic_operators.cpp]: Fixbug wait with false positive to return success

Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-05-28 12:01:32 +08:00
Hasan Naqvi
1ac60d39f0
[frr]: fix official build break (#10947)
Official build fails complaining missing below targets:
2022-05-25T10:50:38.0560306Z tar: target/debs/buster/libyang2-cpp1_2.0.112-6_amd64.deb: Cannot stat: No such file or directory
2022-05-25T10:50:38.0571392Z tar: target/debs/buster/libyang2-cpp-dev_2.0.112-6_amd64.deb: Cannot stat: No such file or directory
2022-05-25T10:50:38.0588893Z tar: target/debs/buster/libyang2-cpp1-dbgsym_2.0.112-6_amd64.deb: Cannot stat: No such file or directory
2022-05-25T10:50:38.0590887Z tar: target/debs/buster/yang-tools_2.0.112-6_all.deb: Cannot stat: No such file or directory
2022-05-27 13:49:58 -07:00
Alexander Allen
71c868f56a
Upgrade libasan to version 6 in docker-syncd-mlnx to align with bullseye libasan (#10886) 2022-05-27 11:28:01 -07:00
Neetha John
1bce88ad29
[sonic-config-engine] Fix typo in hwsku name in sample graph (#10941)
Signed-off-by: Neetha John <nejo@microsoft.com>

Why I did it
There was a typo in hwsku specified as part of #10889

How I did it
Replaced with the correct hwsku

How to verify it
test_cfggen.py is passing
2022-05-27 09:46:23 -07:00
Sudharsan Dhamal Gopalarathnam
441cd1d283
[yang] add Sample configuration for ACL_TABLE_TYPE (#10937)
Signed-off-by: Sudharsan Dhamal Gopalarathnam <sudharsand@nvidia.com>
2022-05-27 09:45:29 -07:00
Hua Liu
054eb25c85
Update sonic-swss-common submodule (#10872)
Updating sonic-utilities sub module with the following commits

    84dbd93 Clear the fvs vector before popping the message out of notification
    a90b2b7 selectabletimer: add mutex to start() and stop()
    7ae22be Fix SIGTERM can't terminate PubSub::listen issue

#### Why I did it

    To fix hostcfgd can't terminate by sigint issue, need update sonic-swss-common submodule.  

#### How I did it

#### How to verify it

#### Which release branch to backport (provide reason below if selected)

#### Description for the changelog

    84dbd93 Clear the fvs vector before popping the message out of notification
    a90b2b7 selectabletimer: add mutex to start() and stop()
    7ae22be Fix SIGTERM can't terminate PubSub::listen issue

#### A picture of a cute animal (not mandatory but encouraged)
2022-05-27 08:58:40 +08:00
AmitKaushik7
e61bfd7bb4
Add crm sample data for snat/dnat/ipmc entries for Yang Model (#10865)
#### Why I did it
For yang model, sample_config_db.json file was missing Sample data for the features SNAT/DNAT/IPMC

#### How I did it
Added the SNAT,DNAT,IPMC(low Threshold/high threshold/threshold_type)entries in CRM table.

#### How to verify it
With sanity Build/test only.
2022-05-26 11:50:07 -07:00
Dror Prital
a5932e3264
[submodule] Advanced sonic-swss pointer (#10926)
[muxorch] Handling optional attributes in muxorch (#2288)
Update netlink messages handler (#2233)
Broadcast Unknown-multicast and Unknown-unicast Storm-control (#1306)
[vstest]: Increase PollingConfig default timeout (#2285)
[FDB] Fix fbdorch to properly handle syncd FDB FLUSH Notif (#2254)
[macsecorch]: Support for non-default sa per sc (#2250)
Migrating the NAT vs tests from Click to direct DB access (#2278)
[neighsync] Ignoring IPv4 link local addresses (#2260)
[IntfMgrd] Retry adding ipv6 prefix by setting disabled_ipv6 flag  (#2267)
Increase Redis Timeout value for Switch Create Opration for Packet (#2243)
Update fdborch.cpp (#2261)

Signed-off-by: dprital <drorp@nvidia.com>
2022-05-26 18:33:59 +03:00
Kebo Liu
c618a653a1
[yang] Support new interface types CR8/SR8/KR8/LR8 (#10826)
- Why I did it
With SAI V.1.10.2, new interface types CR8/SR8/KR8/LR8 have been introduced, we should also support them from the CLI configuration.

- How I did it
Add new enum for the new interface types

- How to verify it
Run the "config interface type" command to verify new interface types can be accepted and handled correctly.

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2022-05-26 18:16:23 +03:00
xumia
cc9a4beb0c
Touch the donwload files to change the modified time (#10929)
Why I did it
It is to improve the build performance, when building multiple targets.
The modified time of downloaded files should be not older than the file .platform.
If not, the file will be downloaded again, when building any dependent targets.

How I did it
When downloading the packages from web site, the modified time will be changed by the command "touch".
2022-05-26 21:55:13 +08:00
xumia
f0dfd398a6
Revert "Reduce image size for lazy installation packages (#10775)" (#10916)
This reverts commit 15cf9b0d70.
Why I did it
Revert the PR #10775, for it has impact on onie installation.
It is caused by the symbol links not supported in some of the onie unzip.
We will enable after fixing the issue, see #10914
2022-05-26 09:39:48 +08:00
Neetha John
b5e59a1355
[sonic-config-engine] Change hwsku for sample graph in unit tests (#10889)
#### Why I did it
To ensure that some internal testcases do not break due to external changes

#### How to verify it
Ran test_cfggen.py with the changes and it passed
2022-05-25 15:48:02 -07:00
Zain Budhwani
8315d11959
Add YANG model and unit tests for sonic-telemetry (#10840)
- Why I did it

YANG schema is missing for sonic-telemetry

- How I did it

Added YANG schema to sonic-yang-models and appropriate unit tests inside of test and test_config

- How to verify it

Build sonic-yang-models python wheels target and verify that unit tests are passing
2022-05-25 10:17:47 -07:00
Taylor Cai
11f0bffe13
[device/celestica]:Fix failed test case of Haliburton snmp (#10844) 2022-05-26 00:06:50 +08:00
abdosi
0285bfe42e
[chassis] Fix issues regarding database service failure handling and mid-plane connectivity for namespace. (#10500)
What/Why I did:

Issue1: By setting up of ipvlan interface in interface-config.sh we are not tolerant to failures. Reason being interface-config.service is one-shot and do not have restart capability. 

Scenario: For example if let's say database service goes in fail state  then interface-services also gets failed because of dependency check but later database service gets restart but interface service will remain in stuck state and the ipvlan interface nevers get created.

Solution: Moved all the logic in database service from interface-config service which looks more align logically also since the namespace is created here and all the network setting (sysctl) are happening here.With this if database starts we recreate the interface.

Issue 2: Use of IPVLAN vs MACVLAN

Currently we are using ipvlan mode.  However above failure scenario is not handle correctly by ipvlan mode. Once the ipvlan interface is created and ip address assign to it and if we restart interface-config or database (new PR) service Linux Kernel gives error "Error: Address already assigned to an ipvlan device."  based on this:https://github.com/torvalds/linux/blob/master/drivers/net/ipvlan/ipvlan_main.c#L978Reason being if we do not do cleanup of ip address assignment (need to be unique for IPVLAN)  it remains in Kernel Database and never goes to free pool even though namespace is deleted. 

Solution: Considering this hard dependency of unique ip macvlan mode is better for us and since everything is managed by Linux Kernel and no dependency for on user configured IP address.

Issue3: Namespace database Service do not check reachability to Supervisor Redis Chassis   Server.

Currently there is no explicit check as we never do Redis PING from namespace to Supervisor Redis Chassis  Server. With this check it's possible we will start database and all other docker even though there is no connectivity and will hit the error/failure late in cycle

Solution: Added explicit PING from namespace that will check this reachability.

Issue 4:flushdb give exception when trying to accces Chassis Server DB over Unix Sokcet.

Solution: Handle gracefully via try..except and log the message.
2022-05-24 16:54:12 -07:00
Hasan Naqvi
a477dbb175
Frr 8.2 upgrade (#10691)
Why I did it
Upgrade FRR to version 8.2.2. Build libyang2 required by FRR.

How I did it
Update FRR version and tag.

How to verify it
Following tests were performed on sonic-vs:

BGP docker status check
BGP configuration and session establishment
Route redistribution and ping
Issued show commands to check the bgp neighbor and routes
Checked app-db to ensure bgp routes are installed with correct interface and nexthop.
Create VRF and check FRR knows the VRF
Check VRF routes are installed in app-db with correct Vrf name and next-hop
Establish BGP Evpn session and check if Evpn routes (multicast, mac, prefix) are exchanged and installed correctly in app-db.
2022-05-24 14:47:09 -07:00
kellyyeh
2ead3aaefc
[dhcp6relay] Fix option parsing and add dhcpv6 client messages (#10819) 2022-05-24 14:37:16 -07:00
arlakshm
915f2834b0
[voq][chassis]fix recirc port admin status (#10769)
Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan arlakshm@microsoft.com

Why I did it
resolves #10761.
For VOQ chassis, the Recirc port, which was added for the Everflow, stays admin down after load minigraph.
This PR add the fix to make the recirc port as admin up

How I did it
The PR adds a change in minigraph.py,  if port has role as Rec make the the port as admin-status up.

How to verify it
UT

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
2022-05-24 14:36:09 -07:00
Ze Gan
a6b1b0a968
[submodule]: Update submodule for sonic-wpa-supplicant (#10904)
64caafe38 [driver_macsec_sonic]: Fixing missing zeros at the beginning of SCI (#52)

Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-05-25 05:25:57 +08:00
Ze Gan
0156c21eff
[macsec-cli]: Fixing to config MACsec on the port will clear port attributes in config db (#10903)
Why I did it
There is a bug that the Port attributes in CONFIG_DB will be cleared if using sudo config macsec port add Ethernet0 or sudo config macsec port del Ethernet0

How I did it
To fetch the port attributes before set/remove MACsec field in port table.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-05-24 18:42:54 +08:00
Longxiang Lyu
8f7ef1e593
[dualtor][minigraph.py] Add soc_ipv4 and cable_type to MUX_CABLE (#10776)
Why I did it
To further add cable_type and soc_ipv4 field to table MUX_CABLE, this PR tries to parse the minigraph like the following:
```
      <Device i:type="SmartCable">
        <ElementType>SmartCable</ElementType>
        <SubType>active-active</SubType>
        <Address xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>192.168.0.3/21</d5p1:IPPrefix>
        </Address>
        <AddressV6 xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>::/0</d5p1:IPPrefix>
        </AddressV6>
        <ManagementAddress xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>0.0.0.0/0</d5p1:IPPrefix>
        </ManagementAddress>
        <ManagementAddressV6 xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>::/0</d5p1:IPPrefix>
        </ManagementAddressV6>
        <SerialNumber i:nil="true" />
        <Hostname>svcstr-7050-acs-1-Servers0-SC</Hostname>
      </Device>
      <Device i:type="Server">
        <ElementType>Server</ElementType>
        <Address xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>192.168.0.2/21</d5p1:IPPrefix>
        </Address> 
        <AddressV6 xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>fc02:1000::2/64</d5p1:IPPrefix>
        </AddressV6>
        <ManagementAddress xmlns:d5p1="Microsoft.Search.Autopilot.NetMux">
          <d5p1:IPPrefix>0.0.0.0/0</d5p1:IPPrefix>
        </ManagementAddress>
        <Hostname>Servers0</Hostname>
      </Device>
```
Signed-off-by: Longxiang Lyu lolv@microsoft.com

How I did it
get_mux_cable_entries will try to get the mux cable device from the devices list and get the cable type and soc ip address from the device definition.

How to verify it
Pass the unit-test
2022-05-24 15:10:48 +08:00
Ze Gan
2faa69eed2
[Azp]: Ignore the result of t0-sonic pool (#10905)
Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-05-24 10:42:09 +08:00
jerseyang
c92bfe0728
Add belgite support (#9511)
Why I did it
add celestica belgite platform

How I did it
add belgite platform in celestica

Co-authored-by: nicwu-cel <nicwu@celestica.com>
Co-authored-by: anjian <anjian@celestica.com>
Co-authored-by: sandycelestica <sandyli@celestica.com>
2022-05-23 18:45:37 -07:00
Song Yuan
b23ad6748a
[Arista] Add QOS and buffer profiles for SKU Arista-7800R3-48CQM2-C48 (#10752)
* Add QOS and buffer profiles for Arista SKU.

* Add unit test for SKU Arista-7800R3-48CQM2-C48.
2022-05-23 13:50:04 -07:00
Samuel Angebault
70e2727b02
[Arista] Update platform submodules (#10800)
This update has following changes
Refactor pci topology logic for chassis (fixes some chassis commands and chassisd on linecard)
Introduce new cooling algorithm
Fix linecard poweroff logic when supervisor is going down
Fix linecard status led leading to system-health crashing
Misc fixes
2022-05-23 13:28:13 -07:00
Shilong Liu
b313563986
[ci] Add arm artifacts in common lib azure pipeline (#10817)
* [ci] Add arm artifacts in common lib azure pipeline
2022-05-23 17:52:56 +08:00
Maxime Lorrillere
392899682f
[Arista] Add support for Wolverine linecards (#8887)
Add support for WolverineQCpu, WolverineQCpuMs, WolverineQCpuBk, WolverineQCpuBkMs

Co-authored-by: Maxime Lorrillere <mlorrillere@arista.com>
2022-05-20 14:11:06 -07:00
Senthil Kumar Guruswamy
f37dd770cd
System Ready (#10479)
Why I did it
At present, there is no mechanism in an event driven model to know that the system is up with all the essential sonic services and also, all the docker apps are ready along with port ready status to start the network traffic. With the asynchronous architecture of SONiC, we will not be able to verify if the config has been applied all the way down to the HW. But we can get the closest up status of each app and arrive at the system readiness.

How I did it
A new python based system monitor tool is introduced under system-health framework to monitor all the essential system host services including docker wrapper services on an event based model and declare the system is ready. This framework gives provision for docker apps to notify its closest up status. CLIs are provided to fetch the current system status and also service running status and its app ready status along with failure reason if any.

How to verify it
"show system-health sysready-status" click CLI
Syslogs for system ready
2022-05-20 13:25:11 -07:00
xumia
f6927606b3
[Ci]: Fix to trigger the publish pipeline in failure build issue (#10847)
Why I did it
It is not necessary to trigger the publish pipeline when build is failed.

How I did it
Remove the condition in the azp task, change to use template condition.
2022-05-20 14:32:53 +08:00
abdosi
4fd629c021
Added Support for BGP allow list feature to have route-map action of setting tag (#10731)
What I did:
Added support to create route-map action set tag <user define value>
when the the allow prefix list matches. The tag can ben define by user in
constants.yml.

Why I did:
Since for Allow List feature we call from base route-map allow-list route-map having set tag option provides way for base route-map to do match tag and take any further action if needed. Adding tag provide metadata that can used by base route-map
2022-05-19 22:51:02 -07:00
Marty Y. Lok
937bf09c92
{nokia] Update Nokia IXR7250e supervisor card device data (#10595)
Signed-off-by: mlok <marty.lok@nokia.com>
2022-05-19 11:38:34 -07:00
vmittal-msft
f7882b3885
Fix for libsaithrift build for BRCM image (#10852)
Updated libsaibcm to fix libsaithrift compile issue on BRCM image
2022-05-19 11:15:34 -07:00
Ze Gan
b21cd70955
[Submodule]: update submodule for sonic-swss and sonic-wpa-supplicant (#10842)
Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-05-20 01:21:11 +08:00
Andriy Yurkiv
70d71f99f5
[Mellanox] Credo Y-cable | add more log info, checks, fix exception message (#10779)
- Why I did it
Script fails when there is an exception while reading

- How I did it
Add more logs and checks. Fix wrong variable naming and messages.

- How to verify it
Provoke exception while read_eeprom() and check that it is handled properly
2022-05-19 17:36:02 +03:00
Ze Gan
910e1c6eb4
[docker-macsec]: MACsec CLI Plugin (#9390)
#### Why I did it
To provide MACsec config and show CLI for manipulating MACsec

#### How I did it
Add `config macsec` and `show macsec`.

#### How to verify it

This PR includes unittest for MACsec CLI, check Azp status.
- Add MACsec profile
```
admin@sonic:~$ sudo config macsec profile add --help
Usage: config macsec profile add [OPTIONS] <profile_name>

  Add MACsec profile

Options:
  --priority <priority>           For Key server election. In 0-255 range with
                                  0 being the highest priority.  [default:
                                  255]
  --cipher_suite <cipher_suite>   The cipher suite for MACsec.  [default: GCM-
                                  AES-128]
  --primary_cak <primary_cak>     Primary Connectivity Association Key.
                                  [required]
  --primary_ckn <primary_cak>     Primary CAK Name.  [required]
  --policy <policy>               MACsec policy. INTEGRITY_ONLY: All traffic,
                                  except EAPOL, will be converted to MACsec
                                  packets without encryption.  SECURITY: All
                                  traffic, except EAPOL, will be encrypted by
                                  SecY.  [default: security]
  --enable_replay_protect / --disable_replay_protect
                                  Whether enable replay protect.  [default:
                                  False]
  --replay_window <enable_replay_protect>
                                  Replay window size that is the number of
                                  packets that could be out of order. This
                                  field works only if ENABLE_REPLAY_PROTECT is
                                  true.  [default: 0]
  --send_sci / --no_send_sci      Send SCI in SecTAG field of MACsec header.
                                  [default: True]
  --rekey_period <rekey_period>   The period of proactively refresh (Unit
                                  second).  [default: 0]
  -?, -h, --help                  Show this message and exit.
```
- Delete MACsec profile
```
admin@sonic:~$ sudo config macsec profile del --help
Usage: config macsec profile del [OPTIONS] <profile_name>

  Delete MACsec profile

Options:
  -?, -h, --help  Show this message and exit.
```
- Enable MACsec on the port
```
admin@sonic:~$ sudo config macsec port add --help
Usage: config macsec port add [OPTIONS] <port_name> <profile_name>

  Add MACsec port

Options:
  -?, -h, --help  Show this message and exit.
```
- Disable MACsec on the port
```
admin@sonic:~$ sudo config macsec port del --help
Usage: config macsec port del [OPTIONS] <port_name>

  Delete MACsec port

Options:
  -?, -h, --help  Show this message and exit.

```
Show MACsec
```
MACsec port(Ethernet0)
---------------------  -----------
cipher_suite           GCM-AES-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
replay_window          0
send_sci               true
---------------------  -----------
	MACsec Egress SC (5254008f4f1c0001)
	-----------  -
	encoding_an  2
	-----------  -
		MACsec Egress SA (1)
		-------------------------------------  ----------------------------------------------------------------
		auth_key                               849B69D363E2B0AA154BEBBD7C1D9487
		next_pn                                1
		sak                                    AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E
		salt                                   000000000000000000000000
		ssci                                   0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN         179
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
		SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  0
		SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
		-------------------------------------  ----------------------------------------------------------------
		MACsec Egress SA (2)
		-------------------------------------  ----------------------------------------------------------------
		auth_key                               5A8B8912139551D3678B43DD0F10FFA5
		next_pn                                1
		sak                                    7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6
		salt                                   000000000000000000000000
		ssci                                   0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN         87185
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
		SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  0
		SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
		-------------------------------------  ----------------------------------------------------------------
	MACsec Ingress SC (525400edac5b0001)
		MACsec Ingress SA (1)
		---------------------------------------  ----------------------------------------------------------------
		active                                   true
		auth_key                                 849B69D363E2B0AA154BEBBD7C1D9487
		lowest_acceptable_pn                     1
		sak                                      AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E
		salt                                     000000000000000000000000
		ssci                                     0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN           103
		SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
		SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
		SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
		SAI_MACSEC_SA_STAT_IN_PKTS_OK            0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
		---------------------------------------  ----------------------------------------------------------------
		MACsec Ingress SA (2)
		---------------------------------------  ----------------------------------------------------------------
		active                                   true
		auth_key                                 5A8B8912139551D3678B43DD0F10FFA5
		lowest_acceptable_pn                     1
		sak                                      7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6
		salt                                     000000000000000000000000
		ssci                                     0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN           91824
		SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
		SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
		SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
		SAI_MACSEC_SA_STAT_IN_PKTS_OK            0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
		---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet1)
---------------------  -----------
cipher_suite           GCM-AES-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
replay_window          0
send_sci               true
---------------------  -----------
	MACsec Egress SC (5254008f4f1c0001)
	-----------  -
	encoding_an  1
	-----------  -
		MACsec Egress SA (1)
		-------------------------------------  ----------------------------------------------------------------
		auth_key                               35FC8F2C81BCA28A95845A4D2A1EE6EF
		next_pn                                1
		sak                                    1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B
		salt                                   000000000000000000000000
		ssci                                   0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN         4809
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
		SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  0
		SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
		-------------------------------------  ----------------------------------------------------------------
	MACsec Ingress SC (525400edac5b0001)
		MACsec Ingress SA (1)
		---------------------------------------  ----------------------------------------------------------------
		active                                   true
		auth_key                                 35FC8F2C81BCA28A95845A4D2A1EE6EF
		lowest_acceptable_pn                     1
		sak                                      1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B
		salt                                     000000000000000000000000
		ssci                                     0
		SAI_MACSEC_SA_ATTR_CURRENT_XPN           5033
		SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
		SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
		SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
		SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
		SAI_MACSEC_SA_STAT_IN_PKTS_OK            0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
		SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
		SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      0
		SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
		---------------------------------------  ----------------------------------------------------------------
```
2022-05-19 21:59:37 +08:00