### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
### How I did it
Reduce linux capabilities in privileged flag
#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect nat | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker exec -it nat bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
#### Why I did it
src/sonic-swss-common
```
* e4db436 - (HEAD -> master, origin/master, origin/HEAD) [schema] Add SAG table for static anycast gateway (#540) (8 hours ago) [Jimi Chen]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-utilities
```
* b3d856bf - (HEAD -> master, origin/master, origin/HEAD) Add all SKUs to the generic config update list (#3131) (7 hours ago) [Stephen Sun]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Change orchagent stuck message from ERR to WARNING
#### Why I did it
During switch initialization, sometime Orchagent will busy for more than 40seconds and will trigger process stuck workdog error.
To improve this issue, change watchdog error message to warning message.
##### Work item tracking
- Microsoft ADO: 26517622
#### How I did it
Change orchagent stuck message from ERR to WARNING.
#### How to verify it
Pass all UT.
### Description for the changelog
Change orchagent stuck message from ERR to WARNING.
Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue.
#### Why I did it
When set TACACS to "tacacs+, local", user still can run a blocked command with local permission.
##### Work item tracking
- Microsoft ADO: 26399545
#### How I did it
Fix code to reject command when authorized failed from TACACS server side.
#### How to verify it
Pass all UT.
### Description for the changelog
Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue.
### Why I did it
Unnecessary for logs to be written out to /tmp/${SERVICE}-debug.log as they are already being written to syslog. Therefore, removing writing to a new log in concern for memory space and not being able to startup some services in RO state.
##### Work item tracking
- Microsoft ADO **(number only)**:26458976
#### How I did it
Remove DEBUGLOG definition and line that echo's message to mentioned log file.
#### How to verify it
Manually verified, /tmp/${SERVICE}-debug.log files do not exist and log for service starting still appears in syslog
#### Why I did it
src/sonic-swss
```
* 41330abf - (HEAD -> master, origin/master, origin/HEAD) [Build] Support to collect the test coverage in cobertura format (#3019) (33 hours ago) [xumia]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-gnmi
```
* 2c862b8 - (HEAD -> master, origin/master, origin/HEAD) Merge pull request #184 from abdosi/master (9 hours ago) [Rita Hui]
* 1d7f24c - Fix (4 days ago) [Abhishek Dosi]
* eda628c - Fix (4 days ago) [Abhishek Dosi]
* e37da40 - Fix Compile Error (4 days ago) [Abhishek Dosi]
* 22d0d0f - Update db_client.go (5 days ago) [abdosi]
```
#### How I did it
#### How to verify it
#### Description for the changelog
### Why I did it
Fix the issue detected by[ TestStaticMgmtPortIP::test_dynamic_dns_not_working_when_static_ip_configured ](https://github.com/sonic-net/sonic-mgmt/blob/master/tests/dns/static_dns/test_static_dns.py#L105C9-L105C63) test.
### How I did it
Query MGMT interface configuration. Do not apply dynamic DNS configuration when MGMT interface has static IP address.
#### How to verify it
Run `tests/dns/static_dns/test_static_dns.py` sonic-mgmt tests.
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag
#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect p4rt | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker exec -it p4rt bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
Fix reproducible build Upgrade version pipeline.
Remove barefoot build. Because it failed on sai package.
add marvell-arm64/pensando build.
Microsoft ADO (number only): 26515265
Improve SSHD config to use more secure settings
Why I did it
According to Sonic OS review result, SSHD config file /etc/ssh/sshd_config using insecure settings.
Work item tracking
Microsoft ADO: 15022083
How I did it
Change build_debian.sh script to set following settings to /etc/ssh/sshd_config:
ClientAliveInterval is set to 300
MaxAuthTries is set to default of 3
Banner set to /etc/issue
How to verify it
Pass all E2E test case.
Ignore TACACS accounting trace log when debug disabled.
#### Why I did it
TACACS accounting trace log is only for debug, improve code to not generate trace log when debug disabled.
##### Work item tracking
- Microsoft ADO: 25270078
#### How I did it
Ignore TACACS accounting trace log when debug disabled.
#### How to verify it
Pass all UT.
Manually verified the auditd-tacplus not generate trace log when debug disabled.
### Description for the changelog
Ignore TACACS accounting trace log when debug disabled.
* fix hw_reset low polarity (reverse values)
* move seek to beginning of sysfs fd before reading to resolve power_good
sysfs returns empty upon plug out cable
ix IPV6 forced-mgmt-route not work issue
Why I did it
IPV6 forced-mgmt-route not work
When add a IPV6 route, should use 'ip -6 rule add pref 32764 address' command, but currently in the template the '-6' parameter are missing, so the IPV6 route been add to IPV4 route table.
Also this PR depends on #17281 , which will fix the IPV6 'default' route table missing in IPV6 route lookup issue.
Microsoft ADO (number only):24719238
- Why I did it
If a PSU is not present, there could be error log while restarting psud or thermalctld:
Jan 8 17:15:52.689616 sonic ERR pmon#psud: Thermal sysfs /run/hw-management/thermal/psu2_temp1_max does not exist
Jan 8 17:15:57.747723 sonic ERR pmon#thermalctld: Thermal sysfs /run/hw-management/thermal/psu2_temp1 does not exist
- How I did it
if a PSU is not present, we should not check the PSU temperature sysfs.
#### Why I did it
src/sonic-swss-common
```
* ad4d386 - (HEAD -> master, origin/master, origin/HEAD) Add support of 'with' statement to ConfigDBConnector (#838) (19 hours ago) [Hua Liu]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
* Improved switch init time
### How I did it
* Replaced: `sonic-cfggen` -> `sonic-db-cli`
* Aggregated template list for `sonic-cfggen`
#### How to verify it
1. Run `warm-reboot`
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag
#### How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
```
admin@vlab-01:~$ docker inspect iccpd | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker exec -it iccpd bash
root@vlab-01:/# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
```
#### Why I did it
src/sonic-swss
```
* 09ffb25d - (HEAD -> master, origin/master, origin/HEAD) [RouteOrch] Publish route state for route to Loopback interface (#3013) (58 minutes ago) [Stepan Blyshchak]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-dash-api
```
* 8f481de - (HEAD -> master, origin/master, origin/HEAD) [misc]: Add utils CLI (#12) (24 hours ago) [Ze Gan]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-gnmi
```
* 07a64ab - (HEAD -> master, origin/master, origin/HEAD) Azp: install sonic yangs during pipline build (8 hours ago) [Sachin Holla]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-host-services
```
* 970e7b3 - (HEAD -> master, origin/master, origin/HEAD) Fix sonic host service (#101) (5 hours ago) [ganglv]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-mgmt-framework
```
* 796eb59 - (HEAD -> master, origin/master, origin/HEAD) OpenAPI 3.0 upgrade, swagger tool chain update (8 hours ago) [Mohammed Faraaz]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-mgmt-common
```
* 1e84a49 - (HEAD -> master, origin/master, origin/HEAD) Remove Duplicates in topsort results (25 hours ago) [Mohammed Faraaz]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/linkmgrd
```
* 74c33ea - (HEAD -> master, origin/master, origin/HEAD) [active-standby] Probe the link in suspend timeout (#235) (12 hours ago) [Longxiang Lyu]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-platform-common
```
* 65e3cc3 - (HEAD -> master, origin/master, origin/HEAD) Fix memory map parsing issue (#427) (18 minutes ago) [Stephen Sun]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-sairedis
```
* b26ce7a - (HEAD -> master, origin/master, origin/HEAD) Skip FABRIC PORT Attributes from sairedis logging (#1339) (2 hours ago) [saksarav-nokia]
```
#### How I did it
#### How to verify it
#### Description for the changelog
- Why I did it
Align the smart switch config generator with the YANG model.
- How I did it
Change MID_PLANE_BRIDGE table field name in the generated config from address to ip_prefix.
- How to verify it
Run UT. The tests are aligned with the changes.
Signed-off-by: Oleksandr Ivantsiv <oivantsiv@nvidia.com>
#### Why I did it
src/sonic-snmpagent
```
* 4a6de8b - (HEAD -> master, origin/master, origin/HEAD) Set the execute bit on sysDescr_pass.py (#306) (6 hours ago) [Andre Kostur]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Currently, whenever isc-dhcp-relay forwards a packet upstream,
internally, it will try to send it on a "fallback" interface. My
understanding is that this isn't meant to be a real interface, but
instead is basically saying to use Linux's regular routing stack to
route the packet appropriately (rather than having isc-dhcp-relay
specify specifically which interface to use).
The problem is that on systems with a weak CPU, a large number of
interfaces, and many upstream servers specified, this can introduce a
noticeable delay in packets getting sent. The delay comes from trying to
get the ifindex of the fallback interface. In one test case, it got to
the point that only 2 packets could be processed per second. Because of
this, dhcrelay will easily get backlogged and likely get to a point
where packets get dropped in the kernel.
Fix this by adding a check saying if we're using the fallback interface,
then don't try to get the ifindex of this interface. We're never going
to have an interface named this in SONiC.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
#### Why I did it
src/sonic-platform-daemons
```
* d8977f3 - (HEAD -> master, origin/master, origin/HEAD) Unable to retrieve media settings with just Vendor name (#419) (8 hours ago) [mihirpat1]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-gnmi
```
* c44d154 - (HEAD -> master, origin/master, origin/HEAD) Account for GLOBAL key in PFC_WD (#178) (6 hours ago) [Zain Budhwani]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-swss-common
```
* 2711f6f - (HEAD -> master, origin/master, origin/HEAD) Use selectable event to terminate logger thread (#848) (15 hours ago) [Junchao-Mellanox]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Why I did it
The existing source of multiarch/debian-debootstrap doesn't appear to have Bookworm-based images available. Because of this, slave containers for cross-compilation of SONiC (with QEMU) cannot be built.
Work item tracking
Microsoft ADO (number only): 26214341
How I did it
Since those images don't do anything to the Debian container besides add QEMU to it (which we overwrite anyways with the latest version of QEMU available from multiarch/qemu-user-static, just take the platform-specific version of the official Debian image and add QEMU to it.
How to verify it
For 40G optics there is SAI handling of T0 facing ports to be set with SR4 type and unreliable los set for a fixed set of ports. For this property to be invoked the requirement is set
phy_unlos_msft=1 in config.bcm.
This change is to meet the requirement and once this property is set, the los/interface type settings is applied by SAI on the required ports.
Why I did it
For Arista-7060CX-32S-Q32 T1, 40G ports RX_ERR minimalization during connected device reboot
can be achieved by turning on Unreliable LOS and SR4 media_type for all ports which are connected to T0.
The property phy_unlos_msft=1 is to exclusively enable this property.
Microsoft ADO: 25941176
How I did it
Changes in SAI and turning on property
How to verify it
Ran the changes on a testbed and verified configurations are as intended.
with property
admin@sonic2:~$ bcmcmd "phy diag xe8 dsc config" | grep -C 2 "LOS"
Brdfe_on = 0
Media Type = 2
Unreliable LOS = 1
Scrambling Disable = 0
Lane Config from PCS = 0
without property
admin@sonic:~$ bcmcmd "phy diag xe8 dsc config" | grep -C 2 "LOS"
Brdfe_on = 0
Media Type = 0
Unreliable LOS = 0
Scrambling Disable = 0
Lane Config from PCS = 0
Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>