Commit Graph

8605 Commits

Author SHA1 Message Date
Mai Bui
e8b1722005
[docker-nat] limit privileged flag for nat container (#17756)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect nat | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it nat bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-26 10:43:35 -08:00
ganglv
c798ea8e08
Change tcp port range to support telemetry and gnmi (#17907)
* Reserve tcp port for telemetry and gnmi

* Use ip_local_port_range instead

* Fix sysctl config
2024-01-26 09:31:09 -08:00
mssonicbld
12f6d85352
[submodule] Update submodule sonic-swss-common to the latest HEAD automatically (#17910)
#### Why I did it
src/sonic-swss-common
```
* e4db436 - (HEAD -> master, origin/master, origin/HEAD) [schema] Add SAG table for static anycast gateway (#540) (8 hours ago) [Jimi Chen]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-26 16:33:31 +08:00
mssonicbld
4e6a128369
[submodule] Update submodule sonic-utilities to the latest HEAD automatically (#17911)
#### Why I did it
src/sonic-utilities
```
* b3d856bf - (HEAD -> master, origin/master, origin/HEAD) Add all SKUs to the generic config update list (#3131) (7 hours ago) [Stephen Sun]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-26 16:33:27 +08:00
Hua Liu
bdb24676eb
Change orchagent stuck message from ERR to WARNING (#17872)
Change orchagent stuck message from ERR to WARNING

#### Why I did it
During switch initialization, sometime Orchagent will busy for more than 40seconds and will trigger process stuck workdog error.
To improve this issue, change watchdog error message to warning message.

##### Work item tracking
- Microsoft ADO: 26517622

#### How I did it
Change orchagent stuck message from ERR to WARNING.

#### How to verify it
Pass all UT.

### Description for the changelog
Change orchagent stuck message from ERR to WARNING.
2024-01-26 00:01:50 -08:00
Hua Liu
d712861634
[TACACS] Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue. (#17749)
Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue.

#### Why I did it
When set TACACS to "tacacs+, local", user still can run a blocked command with local permission.

##### Work item tracking
- Microsoft ADO: 26399545

#### How I did it
Fix code to reject command when authorized failed from TACACS server side.

#### How to verify it
Pass all UT.

### Description for the changelog
Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue.
2024-01-26 00:00:00 -08:00
Zain Budhwani
b557488608
Remove echo log to /tmp/{$SERVICE}-debug.log in service_mgmt.sh (#17838)
### Why I did it

Unnecessary for logs to be written out to /tmp/${SERVICE}-debug.log as they are already being written to syslog. Therefore, removing writing to a new log in concern for memory space and not being able to startup some services in RO state.

##### Work item tracking
- Microsoft ADO **(number only)**:26458976

#### How I did it

Remove DEBUGLOG definition and line that echo's message to mentioned log file.

#### How to verify it

Manually verified, /tmp/${SERVICE}-debug.log files do not exist and log for service starting still appears in syslog
2024-01-25 17:14:21 -08:00
Liu Shilong
fb2c3cdf14
[ci] Use correct branch when downloading SONiC vs image in elastic test. (#17873)
Why I did it
Use dynamic variable for branch reference.

Work item tracking
Microsoft ADO (number only): 26563706
How I did it
How to verify it
2024-01-25 19:00:04 +08:00
mssonicbld
001668e34a
[submodule] Update submodule sonic-swss to the latest HEAD automatically (#17889)
#### Why I did it
src/sonic-swss
```
* 41330abf - (HEAD -> master, origin/master, origin/HEAD) [Build] Support to collect the test coverage in cobertura format (#3019) (33 hours ago) [xumia]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-25 16:34:58 +08:00
mssonicbld
1a838dda2f
[submodule] Update submodule sonic-gnmi to the latest HEAD automatically (#17896)
#### Why I did it
src/sonic-gnmi
```
* 2c862b8 - (HEAD -> master, origin/master, origin/HEAD) Merge pull request #184 from abdosi/master (9 hours ago) [Rita Hui]
* 1d7f24c - Fix (4 days ago) [Abhishek Dosi]
* eda628c - Fix (4 days ago) [Abhishek Dosi]
* e37da40 - Fix Compile Error (4 days ago) [Abhishek Dosi]
* 22d0d0f - Update db_client.go (5 days ago) [abdosi]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-25 16:34:54 +08:00
mssonicbld
1fb9732f41 [ci/build]: Upgrade SONiC package versions 2024-01-25 14:35:40 +08:00
Xichen96
caefe1d17b
[Dhcp_server] add config dhcp_server bind/unbind (#17811)
* add dhcp_server bind/unbind
2024-01-24 19:38:29 -08:00
abdosi
24f8f8b966
[chassis] update service_checker module to handle database-chassis service (#17836)
* Update service_checker.py

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2024-01-24 10:36:01 -08:00
Oleksandr Ivantsiv
c693e75f0f
[dns] Do not apply dynamic DNS configuration when MGMT interface has static IP address. (#17769)
### Why I did it
Fix the issue detected by[ TestStaticMgmtPortIP::test_dynamic_dns_not_working_when_static_ip_configured ](https://github.com/sonic-net/sonic-mgmt/blob/master/tests/dns/static_dns/test_static_dns.py#L105C9-L105C63) test.

### How I did it
Query MGMT interface configuration. Do not apply dynamic DNS configuration when MGMT interface has static IP address.

#### How to verify it
Run `tests/dns/static_dns/test_static_dns.py` sonic-mgmt tests.
2024-01-23 16:29:55 -08:00
Mai Bui
ff7c993060
[docker-p4rt limit privileged flag for p4rt container (#17796)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect p4rt | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it p4rt bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-23 11:02:54 -08:00
Liu Shilong
2d96186091
[ci] Update reproducible build pipeline, disable barefoot build. (#17857)
Fix reproducible build Upgrade version pipeline.

Remove barefoot build. Because it failed on sai package.
add marvell-arm64/pensando build.

Microsoft ADO (number only): 26515265
2024-01-23 09:01:14 -08:00
Yaqiang Zhu
2c08e90203
[dhcp_server] Update dhcp_server container to bookworm (#17647) 2024-01-23 08:33:00 -08:00
Hua Liu
b1750b7cee
Improve SSHD config to use more secure settings (#17798)
Improve SSHD config to use more secure settings

Why I did it
According to Sonic OS review result, SSHD config file /etc/ssh/sshd_config using insecure settings.

Work item tracking
Microsoft ADO: 15022083
How I did it
Change build_debian.sh script to set following settings to /etc/ssh/sshd_config:
ClientAliveInterval is set to 300
MaxAuthTries is set to default of 3
Banner set to /etc/issue

How to verify it
Pass all E2E test case.
2024-01-23 13:49:47 +08:00
Hua Liu
a2e57d849b
[TACACS] Ignore TACACS accounting trace log when debug disabled. (#16482)
Ignore TACACS accounting trace log when debug disabled.

#### Why I did it
TACACS accounting trace log is only for debug, improve code to not generate trace log when debug disabled.

##### Work item tracking
- Microsoft ADO: 25270078

#### How I did it
Ignore TACACS accounting trace log when debug disabled.

#### How to verify it
Pass all UT.
Manually verified the auditd-tacplus not generate trace log when debug disabled. 

### Description for the changelog
Ignore TACACS accounting trace log when debug disabled.
2024-01-22 20:13:48 -08:00
Yaqiang Zhu
27edaf7857
[dhcp_server] Remove dependency in port-name-alias-map.txt.j2 (#17858)
* [dhcp_server] Remove dependency in port-name-alias-map.txt.j2
2024-01-22 15:21:16 -08:00
Yaqiang Zhu
ec31420329
[dhcp_server] Fix parse_dpus error (#17870) 2024-01-22 15:20:20 -08:00
dbarashinvd
927dde73f1
fix low polarity wrong value for hw_reset deassert and seek(0) before reading sysfs upon poll event (#17627)
* fix hw_reset low polarity (reverse values)

* move seek to beginning of sysfs fd before reading to resolve power_good
sysfs returns empty upon plug out cable
2024-01-22 10:53:55 -08:00
Hua Liu
c274be2e59
Fix IPV6 forced-mgmt-route not work issue (#17299)
ix IPV6 forced-mgmt-route not work issue

Why I did it
IPV6 forced-mgmt-route not work

When add a IPV6 route, should use 'ip -6 rule add pref 32764 address' command, but currently in the template the '-6' parameter are missing, so the IPV6 route been add to IPV4 route table.

Also this PR depends on #17281 , which will fix the IPV6 'default' route table missing in IPV6 route lookup issue. 

Microsoft ADO (number only):24719238
2024-01-22 09:59:12 -08:00
Junchao-Mellanox
91d77fe7ae
Fix error log while creating PSU thermal object (#17789)
- Why I did it
If a PSU is not present, there could be error log while restarting psud or thermalctld:

Jan  8 17:15:52.689616 sonic ERR pmon#psud: Thermal sysfs /run/hw-management/thermal/psu2_temp1_max does not exist

Jan  8 17:15:57.747723 sonic ERR pmon#thermalctld: Thermal sysfs /run/hw-management/thermal/psu2_temp1 does not exist

- How I did it
if a PSU is not present, we should not check the PSU temperature sysfs.
2024-01-22 16:22:07 +02:00
mssonicbld
da0f4ace7a
[submodule] Update submodule sonic-swss-common to the latest HEAD automatically (#17864)
#### Why I did it
src/sonic-swss-common
```
* ad4d386 - (HEAD -> master, origin/master, origin/HEAD) Add support of 'with' statement to ConfigDBConnector (#838) (19 hours ago) [Hua Liu]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-20 16:32:41 +08:00
Nazarii Hnydyn
ac09abd72a
[sonic-cfggen]: Optimize template rendering and database access. (#17740)
#### Why I did it
* Improved switch init time

### How I did it
* Replaced: `sonic-cfggen` -> `sonic-db-cli`
* Aggregated template list for `sonic-cfggen`

#### How to verify it
1. Run `warm-reboot`
2024-01-19 21:52:30 -08:00
Saikrishna Arcot
96ae68fedf
Fix docker-base-bookworm build (#17795)
* Add missing pip.conf for docker-base-bookworm

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2024-01-19 17:25:31 -08:00
Mai Bui
3da08d340c
[docker-iccpd] limit privileged flag for iccpd container (#17835)
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag

#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect iccpd | grep Privi
            "Privileged": false,


admin@vlab-01:~$ docker exec -it iccpd bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
2024-01-19 10:49:44 -08:00
Zhijian Li
6a8aea8d50
[docker-sonic-mgmt] Upgrade scapy to 2.5.0 (#17738) 2024-01-19 09:11:52 -08:00
mssonicbld
fcceb3fceb
[submodule] Update submodule sonic-swss to the latest HEAD automatically (#17854)
#### Why I did it
src/sonic-swss
```
* 09ffb25d - (HEAD -> master, origin/master, origin/HEAD) [RouteOrch] Publish route state for route to Loopback interface (#3013) (58 minutes ago) [Stepan Blyshchak]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-19 18:35:57 +08:00
mssonicbld
fd08edf82f
[submodule] Update submodule sonic-dash-api to the latest HEAD automatically (#17847)
#### Why I did it
src/sonic-dash-api
```
* 8f481de - (HEAD -> master, origin/master, origin/HEAD) [misc]: Add utils CLI (#12) (24 hours ago) [Ze Gan]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-19 16:35:07 +08:00
mssonicbld
c014eec627
[submodule] Update submodule sonic-gnmi to the latest HEAD automatically (#17848)
#### Why I did it
src/sonic-gnmi
```
* 07a64ab - (HEAD -> master, origin/master, origin/HEAD) Azp: install sonic yangs during pipline build (8 hours ago) [Sachin Holla]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-19 16:35:03 +08:00
mssonicbld
4b57845f86
[submodule] Update submodule sonic-host-services to the latest HEAD automatically (#17850)
#### Why I did it
src/sonic-host-services
```
* 970e7b3 - (HEAD -> master, origin/master, origin/HEAD) Fix sonic host service (#101) (5 hours ago) [ganglv]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-19 16:34:59 +08:00
mssonicbld
9516c67be0
[submodule] Update submodule sonic-mgmt-framework to the latest HEAD automatically (#17852)
#### Why I did it
src/sonic-mgmt-framework
```
* 796eb59 - (HEAD -> master, origin/master, origin/HEAD) OpenAPI 3.0 upgrade, swagger tool chain update (8 hours ago) [Mohammed Faraaz]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-19 16:34:51 +08:00
Longxiang Lyu
9a9ab183c8
[dualtor] Disable zebra link-detect for vlan interfaces (#17784)
* [dualtor] Disable zebra link-detect for vlan interfaces

Signed-off-by: Longxiang Lyu <lolv@microsoft.com>
2024-01-18 08:36:06 -08:00
Nazarii Hnydyn
e173987a56
[swss/syncd]: Remove dependency on interfaces-config.service (#17739)
Signed-off-by: Nazarii Hnydyn <nazariig@nvidia.com>
Co-authored-by: Stepan Blyshchak <38952541+stepanblyschak@users.noreply.github.com>
2024-01-18 08:04:00 -08:00
mssonicbld
ed7a5d15d4
[submodule] Update submodule sonic-mgmt-common to the latest HEAD automatically (#17801)
#### Why I did it
src/sonic-mgmt-common
```
* 1e84a49 - (HEAD -> master, origin/master, origin/HEAD) Remove Duplicates in topsort results (25 hours ago) [Mohammed Faraaz]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-18 16:34:10 +08:00
mssonicbld
fc2c319c3d
[submodule] Update submodule linkmgrd to the latest HEAD automatically (#17820)
#### Why I did it
src/linkmgrd
```
* 74c33ea - (HEAD -> master, origin/master, origin/HEAD) [active-standby] Probe the link in suspend timeout (#235) (12 hours ago) [Longxiang Lyu]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-18 16:34:04 +08:00
mssonicbld
ee72c068b2
[submodule] Update submodule sonic-platform-common to the latest HEAD automatically (#17822)
#### Why I did it
src/sonic-platform-common
```
* 65e3cc3 - (HEAD -> master, origin/master, origin/HEAD) Fix memory map parsing issue (#427) (18 minutes ago) [Stephen Sun]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-18 16:33:56 +08:00
mssonicbld
080bbd5492
[submodule] Update submodule sonic-sairedis to the latest HEAD automatically (#17823)
#### Why I did it
src/sonic-sairedis
```
* b26ce7a - (HEAD -> master, origin/master, origin/HEAD) Skip FABRIC PORT Attributes from sairedis logging (#1339) (2 hours ago) [saksarav-nokia]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-18 16:33:52 +08:00
Oleksandr Ivantsiv
c94a233f67
[smartswitch] Align the smart switch config generator with the YANG model. (#17636)
- Why I did it
Align the smart switch config generator with the YANG model.

- How I did it
Change MID_PLANE_BRIDGE table field name in the generated config from address to ip_prefix.

- How to verify it
Run UT. The tests are aligned with the changes.

Signed-off-by: Oleksandr Ivantsiv <oivantsiv@nvidia.com>
2024-01-18 10:00:05 +02:00
mssonicbld
07a43b96b7
[submodule] Update submodule sonic-snmpagent to the latest HEAD automatically (#17824)
#### Why I did it
src/sonic-snmpagent
```
* 4a6de8b - (HEAD -> master, origin/master, origin/HEAD) Set the execute bit on sysDescr_pass.py (#306) (6 hours ago) [Andre Kostur]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-18 14:35:59 +08:00
Saikrishna Arcot
d9517c77f1
dhcrelay: Don't look up the ifindex for the fallback interface (#17797)
Currently, whenever isc-dhcp-relay forwards a packet upstream,
internally, it will try to send it on a "fallback" interface. My
understanding is that this isn't meant to be a real interface, but
instead is basically saying to use Linux's regular routing stack to
route the packet appropriately (rather than having isc-dhcp-relay
specify specifically which interface to use).

The problem is that on systems with a weak CPU, a large number of
interfaces, and many upstream servers specified, this can introduce a
noticeable delay in packets getting sent. The delay comes from trying to
get the ifindex of the fallback interface. In one test case, it got to
the point that only 2 packets could be processed per second. Because of
this, dhcrelay will easily get backlogged and likely get to a point
where packets get dropped in the kernel.

Fix this by adding a check saying if we're using the fallback interface,
then don't try to get the ifindex of this interface. We're never going
to have an interface named this in SONiC.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2024-01-18 10:50:22 +08:00
mssonicbld
774cd910a0
[submodule] Update submodule sonic-platform-daemons to the latest HEAD automatically (#17802)
#### Why I did it
src/sonic-platform-daemons
```
* d8977f3 - (HEAD -> master, origin/master, origin/HEAD) Unable to retrieve media settings with just Vendor name (#419) (8 hours ago) [mihirpat1]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-17 18:36:07 +08:00
mssonicbld
c8707dc78e
[submodule] Update submodule sonic-gnmi to the latest HEAD automatically (#17800)
#### Why I did it
src/sonic-gnmi
```
* c44d154 - (HEAD -> master, origin/master, origin/HEAD) Account for GLOBAL key in PFC_WD (#178) (6 hours ago) [Zain Budhwani]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-17 16:34:55 +08:00
mssonicbld
0fb13590c0
[submodule] Update submodule sonic-swss-common to the latest HEAD automatically (#17803)
#### Why I did it
src/sonic-swss-common
```
* 2711f6f - (HEAD -> master, origin/master, origin/HEAD) Use selectable event to terminate logger thread (#848) (15 hours ago) [Junchao-Mellanox]
```
#### How I did it
#### How to verify it
#### Description for the changelog
2024-01-17 16:34:49 +08:00
Xichen96
a100f15ba2
[dhcp_server] add config dhcp server range (#17741)
* add range related function and ut
2024-01-16 19:24:57 -08:00
Saikrishna Arcot
00fa56760f
Fix building the SONiC slave container for QEMU-based build (#17571)
Why I did it
The existing source of multiarch/debian-debootstrap doesn't appear to have Bookworm-based images available. Because of this, slave containers for cross-compilation of SONiC (with QEMU) cannot be built.

Work item tracking
Microsoft ADO (number only): 26214341
How I did it
Since those images don't do anything to the Debian container besides add QEMU to it (which we overwrite anyways with the latest version of QEMU available from multiarch/qemu-user-static, just take the platform-specific version of the official Debian image and add QEMU to it.

How to verify it
2024-01-17 10:27:06 +08:00
vdahiya12
9f18587234
[Arista] Update config.bcm of 7060_cx32s for handling 40g optics with unreliable los settings (#17768)
For 40G optics there is SAI handling of T0 facing ports to be set with SR4 type and unreliable los set for a fixed set of ports. For this property to be invoked the requirement is set
phy_unlos_msft=1 in config.bcm.
This change is to meet the requirement and once this property is set, the los/interface type settings is applied by SAI on the required ports.

Why I did it
For Arista-7060CX-32S-Q32 T1, 40G ports RX_ERR minimalization during connected device reboot
can be achieved by turning on Unreliable LOS and SR4 media_type for all ports which are connected to T0.

The property phy_unlos_msft=1 is to exclusively enable this property.

Microsoft ADO: 25941176

How I did it
Changes in SAI and turning on property

How to verify it
Ran the changes on a testbed and verified configurations are as intended.

with property

admin@sonic2:~$ bcmcmd "phy diag xe8 dsc config" | grep -C 2 "LOS"
Brdfe_on                    = 0
Media Type                  = 2
Unreliable LOS              = 1
Scrambling Disable          = 0
Lane Config from PCS        = 0

without property

admin@sonic:~$ bcmcmd "phy diag xe8 dsc config" | grep -C 2 "LOS"
Brdfe_on                    = 0
Media Type                  = 0
Unreliable LOS              = 0
Scrambling Disable          = 0
Lane Config from PCS        = 0

Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
2024-01-16 11:34:19 -08:00
Yaqiang Zhu
36e111af80
[dhcp_server] Add support for smart switch in dhcprelayd (#17779)
* [dhcp_server] Add support for smart switch in dhcprelayd
2024-01-16 09:52:50 -08:00