Commit Graph

70 Commits

Author SHA1 Message Date
Serhey Popovych
8d88455509 [baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary

We display the contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while the
image can be built with USERNAME and/or PASSWORD given on the make(1)
command line. For example:

  $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin

Fix by displaying USERNAME and PASSWORD variables in build summary.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>

* [baseimage]: Improve default user account handling

There are a couple of issues with the current implementation of default
user account management in baseimage:

  1) It uses DES to encrypt account passwords. Furthermore, this
     effectively limits the password length to 8 symbols, even if more
     are provided with PASSWORD or DEFAULT_PASSWORD from rules/config.

  2) The salt value for the password is the same on all builds, even with
     different passwords, increasing the attack surface.

  3) During the build process, the password passed as a command line
     parameter, either as plain text (if given to make(1) as
     "make PASSWORD=...") or DES encrypted (if given to build_debian.sh),
     can be seen by non-build users via the /proc/<pid>/cmdline file,
     which has group and world readable permissions.

Both 1) and 2) come from:

  perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"

that by default uses DES if the salt does not have the format $<id>$<salt>$,
where <id> is the hashing function id. See crypt(3) for more details on
valid <id> values.

To address the issues above we propose the following changes:

  1) Do not create the password by hand (e.g. using the perl snippet
     above): leave this job to chpasswd(8), which is aware of the
     system-wide password hashing policy specified in /etc/login.defs
     with ENCRYPT_METHOD (by default it is SHA512 for Debian 8).

  2) Now chpasswd(8) will take care of a proper salt value.

  3) This has two steps:

    3.1) For compatibility reasons, accept USERNAME and PASSWORD as
         make(1) parameters, but warn the user that this is unsafe.

    3.2) Use the process environment to pass the USERNAME and PASSWORD
         variables from the Makefile to build_debian.sh as a more secure
         alternative to passing them via command line parameters:
         /proc/<pid>/environ is readable only by the user running the
         process or by privileged users like root.

Before change:
--------------

  hash1
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
                                      ^^^^^^^^
                                      8 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Note the hash (DES encrypted password)

  hash2
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
                                      ^^^^^^^^^^^^
                                      12 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Hash is the same as for "YourPaSs"

After change:
-------------

  hash1
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
           ^^^^^^^^
           Note salt here
  ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::

  hash2
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
           ^^^^^^^^
           Here salt completely different from case above
  plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::

Since the salt is different, the hashes for the same password are different too.

  hash1
  -----
  # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
                                             ^^^^^
                                             We want SHA512 hash
  $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
  yd2ELrIMJ.FQLNjgSD0nNha7/

  hash2
  -----
  # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
  $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
  kYDI8zwRumRwga/A29nHm4mZ1

Now, with the same "salt" and $<id>$, and the same 8-symbol prefix in the
password but different password lengths, we have different hashes.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 11:29:16 -07:00
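The three points of the commit above, reproduced against the system crypt(3) so they can be checked on a build host. This is an added example, not code from the commit or from the SONiC tree. It assumes a Linux host whose libcrypt (glibc/libxcrypt or musl) supports the $6$ SHA-512 method, and the USERNAME/PASSWORD names only mirror the commit's Makefile variables for illustration. The expected $6$salt$ values are the ones shown in the commit message itself.

```python
"""Added example: SHA-512 crypt hashing with a fresh salt, method detection,
and reading a build secret from the environment instead of argv.
Assumption: Linux with a libcrypt that implements crypt(3) $6$ (SHA-512)."""
import ctypes
import ctypes.util
import os
import secrets

try:
    import crypt as _crypt  # stdlib wrapper around crypt(3); removed in Python 3.13

    def libc_crypt(password, setting):
        out = _crypt.crypt(password, setting)
        if not out or out.startswith("*"):  # None (glibc) or "*0" (libxcrypt) means failure
            raise ValueError("crypt(3) rejected setting %r" % setting)
        return out
except ImportError:
    # Python 3.13+: call libcrypt directly via ctypes (assumption: Linux library names).
    def _load_crypt():
        for name in ("libcrypt.so.1", "libcrypt.so.2",
                     ctypes.util.find_library("crypt"), None):
            try:
                fn = ctypes.CDLL(name).crypt
            except (OSError, AttributeError, TypeError):
                continue
            fn.restype = ctypes.c_char_p
            fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
            return fn
        raise RuntimeError("no usable crypt(3) found")

    _crypt_fn = _load_crypt()

    def libc_crypt(password, setting):
        out = _crypt_fn(password.encode(), setting.encode())
        if out is None or out.startswith(b"*"):
            raise ValueError("crypt(3) rejected setting %r" % setting)
        return out.decode()

# Alphabet crypt(3) uses for salts and hash output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def new_salt(length=16):
    """Fresh random salt from the crypt alphabet, as chpasswd(8) does for SHA-512."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def hash_password(password, salt=None, method="6"):
    """Hash with an explicit $<id>$<salt>$ setting; "6" is SHA-512 (Debian login.defs default).
    Unlike the bare "salt" setting in the commit's perl one-liner this never falls back to DES."""
    return libc_crypt(password, "$%s$%s$" % (method, salt or new_salt()))


def hash_method(stored):
    """Scheme of a shadow hash: a traditional 13-character DES hash has no $<id>$ prefix."""
    return stored.split("$")[1] if stored.startswith("$") else "DES"


def verify_password(password, stored):
    """Re-run crypt(3) with the stored hash as the setting (it carries id, salt and rounds),
    then compare in constant time."""
    try:
        return secrets.compare_digest(libc_crypt(password, stored), stored)
    except ValueError:
        return False


def chpasswd_e_line(user, password):
    """Line for `chpasswd -e`: pre-hashed SHA-512 with a fresh salt, never DES."""
    return "%s:%s" % (user, hash_password(password))


def secret_from_environment(name, env=None):
    """Step 3.2 of the commit: take the secret from the environment, not argv.
    /proc/<pid>/cmdline is world-readable while /proc/<pid>/environ is mode 0400.
    The variable is removed so child processes do not inherit it."""
    env = os.environ if env is None else env
    value = env.pop(name, None)
    if value is None:
        raise KeyError("%s must be exported in the environment, not passed as an argument" % name)
    return value


if __name__ == "__main__":
    # Same password, two fresh salts: different hashes, both verify.
    h1, h2 = hash_password("YourPaSs"), hash_password("YourPaSs")
    print(h1, h2, h1 != h2 and verify_password("YourPaSs", h1))
    # The commit's DES truncation, only where this libcrypt still has DES enabled.
    try:
        print("DES truncates to 8 chars:",
              libc_crypt("YourPaSs", "salt") == libc_crypt("YourPaSsWoRd", "salt"))
    except ValueError:
        print("DES is disabled in this libcrypt")
    # Usage: USERNAME=admin PASSWORD='...' python3 this.py | chpasswd -e
    if "PASSWORD" in os.environ:
        print(chpasswd_e_line(os.environ.get("USERNAME", "admin"),
                              secret_from_environment("PASSWORD")))
```

With the fixed salt "salt" the functions reproduce the two $6$ hashes printed in the commit message, which is a quick way to confirm a host's libcrypt behaves the same as the Debian build host; with no salt argument every call produces a different hash for the same password, which is the property the commit restores.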
Joe LeVeque
e900369fa3
[slave.mk] Define SPACE variable differently such that the line doesn't end in whitespace (#1676) 2018-05-10 18:52:38 -07:00
Jipan Yang
f0690b246b [build]: Fix the problem of ENABLE_SYSTEM_TELEMETRY not taking effect in rules/config (#1615)
Signed-off-by: Jipan Yang <jipan.yang@alibaba-inc.com>
2018-04-18 00:31:12 -07:00
Jipan Yang
f74de8914b [telemetry]: SONiC system telemetry Support (#1526)
* SONiC system telemetry Support

Signed-off-by: Jipan Yang <jipan.yang@alibaba-inc.com>

* Update package name from telemetry to sonic-telemetry

Signed-off-by: Jipan Yang <jipan.yang@alibaba-inc.com>
2018-03-27 13:39:04 -07:00
sihuihan88
7639cc1b53 [pfcwd]: add flag to enable pfc wd on start (#1429) 2018-03-05 23:55:37 -08:00
Joe LeVeque
dc7abaf569 [slave.mk] Apply patches to dockers before building, if any exist (#1395) 2018-02-15 17:48:49 -08:00
byu343
ecf5c8d311 ssh and snmp allow list (#1363)
- Service ACL framework for Arista platforms
2018-02-08 17:43:52 -08:00
Marian Pritsak
43554c8b1a [slave.mk]: Clear deb_dist directory (#1344)
Python packages, having their version changed, will fail to build
because the deb_dist directory contains build directories for both the old
and new versions, and (for some unclear reason) the Debian utilities don't
know which one to choose.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2018-01-29 08:14:01 -08:00
Joe LeVeque
134707f822
Move platform-specific hardware plugin base packages to sonic-platform-common submodule (#1301) 2018-01-17 17:11:31 -08:00
pavel-shirshov
47aba6f76d
[libsaithrift-dev]: Enable building libsaithrift-dev and pythonthrift libraries (#1296)
* Fix build of libsaithrift for broadcom

* Restore libsaithrift-dev building

* Comment out libsaithrift library on cavium and marvell. Both of them have old SAI drivers

* Revert unintentional Accton changes

* Don't run the package checks when building sairedis package
2018-01-11 20:32:14 -08:00
lguohan
15d433d975
[build]: allow to use http(s) proxy in the build (#1265)
* allow to use http(s) proxy in the build

To enable this, use following command
http_proxy=[your_proxy] https_proxy=[your_proxy] make
2017-12-23 23:34:15 -08:00
kaiyu22
63de341dd6 [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC (#1245)
* Add switch ASIC vendor and platforms for Nephos

- What I did
Add switch ASIC vendor: Nephos
Add Nephos platforms: Ingrasys S9130-32X, Ingrasys S9230-64X

- How I did it
Add platform/nephos files
Add platform/nephos/sonic-platform-modules-ingrasys submodule
Add device/ingrasys/x86_64-ingrasys_s9130_32x-r0 files
Add device/ingrasys/x86_64-ingrasys_s9230_64x-r0 files
Add SONiC to support Nephos platform

- How to verify it
To build SONiC installer image and docker images, run the following commands:
make configure PLATFORM=nephos
make target/sonic-nephos.bin
Check that system and network features work as well

- Description for the changelog
Add switch ASIC vendor and platforms for Nephos

- A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Sam Yang <yang.kaiyu@gmail.com>

* Advance sonic-sairedis submodule to include #271 (Add Nephos ASIC)
2017-12-22 10:04:29 -08:00
Ying Xie
eadd74fb84
[build] allow user to override the default number of build jobs (#1255)
User could issue SONIC_BUILD_JOBS=<num> to set number of concurrent
build job(s) to run.

With this commit, the default setting is still left at 1.
2017-12-20 15:25:30 -08:00
Qi Luo
4b2225bca5 [docker-snmpd]: asyncsnmp depends on sonic-utilities so it is possible to import sonic_psu (#1212)
* asyncsnmp depends on sonic-utilities so it is possible to import sonic_psu

Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>

* Ignore sonic_utilities test during build
2017-12-07 13:08:23 -08:00
Liuqu
8383b1f256 [TACACS+]: Add support for TACACS+ Authentication (#1019)
* [TACACS+]: Add support for TACACS+ Authentication

* pam_tacplus - A TACACS+ protocol client library and PAM module that
  supports core TACACS+ functions for AAA.
* nss_tacplus - An NSS plugin for TACACS+ that extends the getpwnam
  function so that a TACACS+ authenticated user which is not found
  locally can log in successfully.

* Add make rules for pam_tacplus and install script
* Add a patch for pam_tacplus to disable pam-auth-update pam-tacplus
  by default
* Add a patch for pam_tacplus to include and build nss_tacplus

  Signed-off-by: chenchen.qcc@alibaba-inc.com

* [TACACS+]: Add nss-tacplus as a separate src repo

* Separate nss-tacplus from pam-tacplus, modify tacacs.mk and
  makefile, add a patch to adapt to the new user map profile.
* Use the latest stable version for pam-tacplus, add a dependent
  package in sonic-slave, add two patches to fix build errors.
* Add scripts to disable tacplus by default.
* Remove hostcfgd service file

  Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>

* [TACACS+]: Fix nss-tacplus filter some valid TACACS+ username

* The NAME_REGEX for the username check in the nss-tacplus plugin is
  the ANSI version "^[0-9a-zA-Z_-\ ]*$", but the regular expression
  in /etc/adduser.conf is not defined as the ANSI version. To avoid
  nss-tacplus filtering out some valid TACACS+ usernames, remove the
  username check.

  Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
2017-12-07 03:36:17 -08:00
lguohan
414e43bb74
[build]: start docker service if not already started (#1203)
docker start fails when docker service is already started
2017-12-01 19:24:55 -08:00
lguohan
f4e37a66f9 add INSTALLS, LAZY_INSTALLS, DEPENDS targets to image build (#1159)
1. _INSTALLS defines the packages to be installed in the image
at build time.
2. _LAZY_INSTALLS defines the packages to be installed in the image
at first run time.
3. _DEPENDS defines the packages that are build dependencies of
the image.
2017-11-16 12:27:03 -08:00
lguohan
a31c08047b [build]: add sonic-config-engine to sonic-utilities build dependency (#1075) 2017-10-25 05:06:30 -07:00
lguohan
f073d8c654 [virtualswitch]: build docker-sonic-vs docker based on SAI virtual switch (#1065) 2017-10-23 22:01:42 -07:00
Shuotian Cheng
27cac94da7 [Makefile]: Fix unmatched variable name ENABLE_SYNCD_RPC (#1032)
Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>
2017-10-11 17:46:26 -07:00
Joe LeVeque
8a305ce9c9 [sonic-utilities]: Build as Debian package once again (revert change to wheel) (#1018) 2017-10-06 12:46:47 -07:00
Joe LeVeque
1cd9818fe9 [build]: sonic-utilities package depends on swsssdk; build as wheel and add build dependency (#1011)
* [build]: sonic-utilities package now depends on swsssdk; add build dependency

* Now building sonic-utilities Python package in wheel format

* Update sonic-utilities submodule

* Change output wheel name to match proper format
2017-10-04 19:50:39 -07:00
Andriy Moroz
9b249ceb59 Add time stamp suffix to the dirty images version string (#958)
* Add timestamp suffix to the dirty images version string

This allows building different debug images without
having to update the BUILD_NUMBER variable before the build

* Changed timestamp format to YYYYMMDD.HHMMSS
2017-09-27 00:04:34 -07:00
ravijo2
458093fee5 Framework to plugin Organization specific scripts during ONIE Image build (#951)
* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* add getopt option to organization script
2017-09-19 16:23:31 -07:00
Samuel Angebault
bc73082922 [devices]: Add led plugin for Arista 7060CX-32S and 7260CX3-64 (#945)
* Bump sonic-platform-modules-arista submodule

* Allow image specific mount option for containers

* Add led plugin for DCS-7060CX-32S

* Add led plugin for DCS-7260CX3-64
2017-09-11 15:29:42 -07:00
Joe LeVeque
211689ad29 [slave.mk]: Apply series of patches to SONIC_PYTHON_STDEB_DEBS targets if they exist (#941) 2017-09-07 14:02:17 -07:00
Marian Pritsak
175b952508 [slave.mk]: Add list target (#856)
Add new target to list all available packages, files, docker images and
installers.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-07-30 01:34:27 +03:00
Oleksandr Ivantsiv
382d52843f [mellanox]: Move FW upgrade script to base image. (#849)
- Download files to target/files directory (instead of target/debs)
- Clean python-wheels log files
2017-07-28 10:57:51 -07:00
Marian Pritsak
7d95fd7e8c [rules/functions][slave.mk]: Refine build output (#838)
Print current build configuration before run
Update screen with currently running targets (only available if TERM is
available)
Change format of printed targets

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-07-25 09:49:39 +03:00
Marian Pritsak
cd601650bf [slave.mk]: Use host timestamp for online targets. (#826)
By default, wget tries to use timestamp received from the server. This
behavior messes up make dependencies which are also based on last
modification time. In order to avoid this, we use the current time as a
timestamp to keep dependencies in correct order.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-07-21 19:05:21 +03:00
lguohan
3fd2014e93 [sonic-mgmt]: move sonic-mgmt docker build into sonic-slave (#819)
need to install sonic-device-data into sonic-mgmt docker
2017-07-19 08:10:45 -07:00
Marian Pritsak
51cab5d4ed [config]: Add SONIC_CONFIG_MAKE_JOBS (#784)
* [config]: Add SONIC_CONFIG_MAKE_JOBS

This config option allows user to specify -j value that will be passed
to each package build.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-07-07 15:32:50 +03:00
Taoyu Li
5e6620e19e [bgp] Save bgp admin state (#690)
* [bgp] Save admin state and set default state to shutdown

* Set default behavior to no shutdown

* Add build option SHUTDOWN_BGP_ON_START

* Script change for default admin state to be on

* Address CR comments to bgp_neighbor script

* Fix script bug
2017-06-12 11:05:22 -07:00
Marian Pritsak
30db4ec191 [slave.mk]: Move initialization of ENABLE_SYNCD_RPC up (#680)
ENABLE_SYNCD_RPC should be initialized before all recipes are included
in order for them to be able to use this variable

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-06-08 18:24:28 -07:00
Marian Pritsak
520fff5b2d Add ENABLE_SYNCD_RPC option (#642)
Under rules/config now there's additional configuration option
ENABLE_SYNCD_RPC that allows building SONIC installer with
docker-syncd-*-rpc for evaluation purposes.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-05-30 16:17:03 -07:00
lguohan
ef980151ae [build]: support submodule patching for SONIC_DPKG_DEBS (#619) 2017-05-22 01:08:16 -07:00
Rodny Molina
d30fbf1d72 [build]: Adding support for Free-Range-Routing stack. (#510)
- Extending SONiC building infrastructure to provide users
  with greater flexibility, by allowing them to elect a
  routing-stack different than the default one (quagga). The desired
  routing-stack will be defined in rules/config file.

- As part of these changes I'm adding support for
  Free-Range-Routing (FRR) stack. Quagga will continue to be
  the default routing-stack.

Signed-off-by: Rodny Molina <rodny@linkedin.com>
2017-04-20 09:12:27 -07:00
lguohan
2e9b92e1c1 [build]: allow to customize USERNAME and PASSWORD in command line (#492)
* [build]: allow to customize USERNAME and PASSWORD in command line

* use default password and username if not specified in the command line
2017-04-12 11:23:48 -07:00
Marian Pritsak
6dbe979e5f [build]: Include SONiC version into installer. (#472)
* [build]: Include SONiC version into installer.

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* Append dirty if contains local changes

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* Update config

* Use correct name for kernel version field

* Update sysDescription.j2
2017-04-05 16:14:41 -07:00
Joe LeVeque
b7d2009b14 [base image]: Install SwSS SDK Python 2 package into base image (#461)
* [base image]: Install SwSS SDK Python packages (Python 2 & 3) into base image

* Fix typo in existing variable name

* Only install Python 2 version, as Python 3 is not installed in base image
2017-04-03 23:56:15 -07:00
Taoyu Li
fed908fc6b [config-engine] minigraph.py refactoring (#448)
* Refactor minigraph.py
See description in https://github.com/Azure/sonic-buildimage/pull/448 for detail
2017-03-30 15:25:31 -07:00
Taoyu Li
3643281594 [cfggen] Add tool to translate openconfig acl into sonic format (#388)
* Build sonic-config-engine as whl instead of deb package
* Add tool to translate openconfig acl into sonic format
2017-03-17 14:51:42 -07:00
lguohan
b165ab9e54 [build]: allow install same platform module deb on multiple platforms (#410) 2017-03-17 11:59:07 -07:00
Qi Luo
36e02f76ee Fix: support submodule patching if provided (#407) 2017-03-16 22:57:30 -07:00
Qi Luo
74b6c4074b Support submodule patching if provided (#403)
* Support submodule patching if provided
* Replace stg with quilt, working without git branch
2017-03-16 14:24:43 -07:00
Marian Pritsak
fcffbb3ce6 [slave.mk]: Add installer to clean targets. (#384)
Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-03-07 22:34:24 +02:00
Oleksandr Ivantsiv
e6c2380b6f Remove SKU from distclean target. 2017-03-02 14:08:25 +02:00
lguohan
0ed9b3ce28 [platform]: remove sku from build parameter (#350)
Different SKUs will be contained in a single SONiC image.
There is no longer any need to specify the SKU at build time.
2017-03-01 17:05:13 -08:00
Marian Pritsak
a8776033bf Merge swss and syncd into single service (#334)
Current implementation of swss and syncd causes a lot
of problems in terms of dependencies and synchronization.
Instead of handling them in separate services, we now
start and stop them both as a single entity.

Signed-off-by: marian-pritsak <marianp@mellanox.com>
2017-03-01 10:57:35 -08:00
lguohan
73fb59c52c [build]: allow single src file to build multiple independent debian p… (#349)
add_derived_package sets up a dependency between the main deb and the derived deb.
The derived deb depends on the main deb and needs the main deb to be installed.

add_extra_package does not set up a dependency between the main deb and the peer deb,
and does not require the main deb to be installed.

* rename add_peer_packages to add_extra_packages
2017-03-01 08:32:58 -08:00