Commit Graph

1164 Commits

Author SHA1 Message Date
mssonicbld
5f4b54a9cd
[ci/build]: Upgrade SONiC package versions (#15361) 2023-06-06 19:46:12 +08:00
mssonicbld
e4d8355976
[ci/build]: Upgrade SONiC package versions (#15329) 2023-06-04 18:12:12 +08:00
mssonicbld
4e9569ee3b
[ci/build]: Upgrade SONiC package versions (#15165) 2023-06-03 17:22:05 +08:00
mssonicbld
084564bdde
Fix for fast/cold-boot: call db_migrator only after old config is loaded (#14933) (#15317) 2023-06-03 09:16:42 +08:00
Anish Narsian
71ecd727ac [arp_update] Resolve neighbors from config_db (#15006)
* To resolve NEIGH table entries present in CONFIG_DB. Without this change arp/ndp entries which we wish to resolve, and configured via CONFIG_DB are not resolved.
2023-05-18 09:46:56 +08:00
Nazarii Hnydyn
ba54e1e1ae
Revert "[swss/syncd] remove dependency on interfaces-config.service (#13084) (#14341)" (#15094)
This reverts commit 499f57a7f7.
2023-05-17 15:59:55 +08:00
DavidZagury
4fd2a6297f
[Secure Boot] Add Secure Boot Support (#12692) (#14963)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly

Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
2023-05-15 10:13:26 +08:00
Ying Xie
f6216435c8
Revert "Clear DNS configuration received from DHCP during networking reconfiguration in Linux. (#13516)" (#14901)
This reverts commit 5ef488f808.
2023-05-01 16:49:08 -07:00
mssonicbld
776937c48f
[ci/build]: Upgrade SONiC package versions (#14894) 2023-04-30 18:37:57 +08:00
mssonicbld
4479245996
[ci/build]: Upgrade SONiC package versions (#14889) 2023-04-29 18:57:14 +08:00
mssonicbld
99d6003717
Changes to support TSA from supervisor (#14691) (#14878) 2023-04-28 21:11:55 +08:00
mssonicbld
5ac1051f8f
Temporary WA for the issue that asic_table.json can not be rendered (#13888) (#14857) 2023-04-27 02:57:10 +08:00
mssonicbld
e0ef5b9808
[write standby] force DB connections to use unix socket to connect (#14524) (#14773) 2023-04-24 01:49:42 +08:00
mssonicbld
f53c7b66cd
[Fast-boot] Clear teamd-timer when finalizing fast-reboot (#14583) (#14774) 2023-04-23 21:07:26 +08:00
mssonicbld
70cfef252f
Delay mux/sflow/snmp timer after interface-config service (#14506) (#14771) 2023-04-23 20:52:06 +08:00
mssonicbld
72776df8ba [ci/build]: Upgrade SONiC package versions 2023-04-23 20:46:40 +08:00
Stephen Sun
1d3fa0b03c Enhance the error message output mechanism (#14384)
#### Why I did it

Enhance the error message output mechanism during swss docker creating

#### How I did it

Capture the output to stderr of `sonic-cfggen` and output it using `echo` to make sure the error message will be logged in syslog.

#### How to verify it

Manually test
2023-04-23 18:32:40 +08:00
mssonicbld
e9daace147
[ci/build]: Upgrade SONiC package versions (#14800) 2023-04-22 18:35:55 +08:00
mssonicbld
8e1bbab07d
[image_config] add rasdaemon.timer (#14300) (#14762) 2023-04-22 00:18:05 +08:00
Hua Liu
bee30fdfb9 Improve sudo cat command for RO user. (#14428)
Improve sudo cat command for RO user.

#### Why I did it
RO user can use sudo command show none syslog files.

#### How I did it
Improve sudo cat command for RO user.

#### How to verify it
Pass all UT.
Manually check fixed code work correctly.

#### Description for the changelog
Improve sudo cat command for RO user.
2023-04-21 06:32:24 +08:00
mssonicbld
aea1980b14
[ci/build]: Upgrade SONiC package versions (#14720) 2023-04-19 19:30:56 +08:00
mssonicbld
cc22d69fd3
[ci/build]: Upgrade SONiC package versions (#14680) 2023-04-16 18:59:28 +08:00
mssonicbld
b4dafae65d
[ci/build]: Upgrade SONiC package versions (#14673) 2023-04-15 20:37:33 +08:00
xumia
5dbf512cda
Support to add SONiC OS Version in device info (#14601) (#14623)
Why I did it
Cherry-pick #14601, for code conflict.
Support to add SONiC OS Version in device info.
It will be used to display the version info in the SONiC command "show version". The version is used to do the FIPS certification. We do not do the FIPS certification on a specific release, but on the SONiC OS Version.

SONiC Software Version: SONiC.master-13812.218661-7d94c0c28
SONiC OS Version: 11
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
Work item tracking
Microsoft ADO (number only): 17894593
How I did it
How to verify it
2023-04-13 19:28:03 +08:00
mssonicbld
46af37f77d
[ci/build]: Upgrade SONiC package versions (#14629) 2023-04-12 19:19:12 +08:00
anamehra
e107549942 chassis-packet: resolve the missing static routes (#14593)
Why I did it
Fixes #14179
chassis-packet: missing arp entries for static routes causing high orchagent cpu usage

It is observed that some sonic-mgmt test case calls sonic-clear arp, which clears the static arp entries as well. Orchagent or arp_update process does not try to resolve the missing arp entries after clear.

How I did it
arp_update should resolve the missing arp/ndp static route
entries. Added code to check for missing entries and try ping if any
found to resolve it.

How to verify it
After boot or config reload, check ipv4 and ipv4 neigh entries to make sure all static route entries are present
manual validation:
Use sonic-clear arp and sonic-clear ndp to clear all neighbor entries
run arp_update
Check for neigh entries. All entries should be present.
Testing on T0 setup route/for test_static_route.py

The test set the STATIC_ROUTE entry in conifg db without ifname:
sonic-db-cli CONFIG_DB hmset 'STATIC_ROUTE|2.2.2.0/24' nexthop 192.168.0.18,192.168.0.25,192.168.0.23

"STATIC_ROUTE": {
    "2.2.2.0/24": {
        "nexthop": "192.168.0.18,192.168.0.25,192.168.0.23"
    }
},
Validate that the arp_update gets the proper ARP_UPDATE_VARDS using arp_update_vars.j2 template from config db and does not crash:

{ "switch_type": "", "interface": "", "pc_interface" : "PortChannel101 PortChannel102 PortChannel103 PortChannel104 ", "vlan_sub_interface": "", "vlan" : "Vlan1000", "static_route_nexthops": "192.168.0.18 192.168.0.25 192.168.0.23 ", "static_route_ifnames": "" }

validate route/test_static_route.py testcase pass.
2023-04-12 18:32:47 +08:00
mssonicbld
73766c2fa1
Finalize fast-reboot in warmboot finalizer (#14238) (#14608) 2023-04-11 22:54:56 +08:00
mssonicbld
4d0f1c1972
[ci/build]: Upgrade SONiC package versions (#14578) 2023-04-09 19:17:25 +08:00
mssonicbld
05a9ce9628
[ci/build]: Upgrade SONiC package versions (#14572) 2023-04-08 19:08:35 +08:00
mssonicbld
a3951c2041
Increase wait_for_tunnel() timeout to 90s (#14279) (#14563) 2023-04-07 16:02:01 +08:00
mssonicbld
483b9867e9
[ci/build]: Upgrade SONiC package versions (#14529) 2023-04-05 19:02:12 +08:00
mssonicbld
8863910bc8
[ci/build]: Upgrade SONiC package versions (#14492) 2023-04-02 19:28:22 +08:00
mssonicbld
f3b6860076
[ci/build]: Upgrade SONiC package versions (#14488) 2023-04-01 19:35:15 +08:00
mssonicbld
5b028dc60f
[ci/build]: Upgrade SONiC package versions (#14478) 2023-04-01 03:16:16 +08:00
mssonicbld
fe1e2b16f7
[ci/build]: Upgrade SONiC package versions (#14382) 2023-03-22 19:59:24 +08:00
xumia
0a7037641c
[Security] Fix some of vulnerability issue relative python packages (#14269) (#14352)
Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]

How I did it
How to verify it
2023-03-22 15:42:29 +08:00
Dev Ojha
24c53a5d34 [Buffer] Added cable length config to buffer config template for EdgeZoneAggregator (#14280)
Why I did it
SONiC currently does not identify 'EdgeZoneAggregator' neighbor. As a result, the buffer profile attached to those interfaces uses the default cable length which could cause ingress packet drops due to insufficient headroom. Hence, there is a need to update the buffer templates to identify such neighbors and assign the same cable length as used by the T1.

How I did it
Modified the buffer template to identify EdgeZoneAggregator as a neighbor device type and assign it the same cable length as a T1/leaf router.

How to verify it
Unit tests pass, and manually checked on a 7260 to see the changes take effect.

Signed-off-by: dojha <devojha@microsoft.com>
2023-03-20 22:36:33 +08:00
mssonicbld
499f57a7f7
[swss/syncd] remove dependency on interfaces-config.service (#13084) (#14341) 2023-03-19 22:32:37 +08:00
Neetha John
0aacc4531a [storage_backend] Add backend acl service (#14229)
Why I did it
This PR addresses the issue mentioned above by loading the acl config as a service on a storage backend device

How I did it
The new acl service is a oneshot service which will start after swss and does some retries to ensure that the SWITCH_CAPABILITY info is present before attempting to load the acl rules. The service is also bound to sonic targets which ensures that it gets restarted during minigraph reload and config reload

How to verify it
Build an image with the following changes and did the following tests

Verified that acl is loaded successfully on a storage backend device after a switch boot up
Verified that acl is loaded successfully on a storage backend ToR after minigraph load and config reload
Verified that acl is not loaded if the device is not a storage backend ToR or the device does not have a DATAACL table

Signed-off-by: Neetha John <nejo@microsoft.com>
2023-03-19 22:32:22 +08:00
mssonicbld
5c55eb8c40 [ci/build]: Upgrade SONiC package versions 2023-03-19 20:51:06 +08:00
mssonicbld
66447256a6
[ci/build]: Upgrade SONiC package versions (#14313) 2023-03-18 19:58:17 +08:00
mssonicbld
9eb5cb4104
[ci/build]: Upgrade SONiC package versions (#14301) 2023-03-18 05:28:33 +08:00
Andriy Yurkiv
c4e488c84f [Dual-ToR] add default value for ACL rule for mellanox platform (#13547)
- Why I did it
Need to add the possibility to choose between dropping packets (using ACL) on ingress or egress in Dual ToR scenario

- How I did it
Add new attribute "mux_tunnel_ingress_acl" to SYSTEM_DEFAULTS table

- How to verify it
check that new attribute exists in redis:
admin@sonic:~$ redis-cli -n 4
127.0.0.1:6379[4]> HGETALL SYSTEM_DEFAULTS|mux_tunnel_ingress_acl
1."state"
2."false"

Signed-off-by: Andriy Yurkiv <ayurkiv@nvidia.com>
2023-03-10 14:39:38 +08:00
Samuel Angebault
6173b4dbe5 [Arista] Disable SSD NCQ on Lodoga (#13964)
Why I did it
Fix similar issue seen on #13739 but only for DCS-7050CX3-32S

How I did it
Add a kernel parameter to tell libata to disable NCQ

How to verify it
The message ata2.00: FORCE: horkage modified (noncq) should appear on the dmesg.

Test results using: fio --direct=1 --rw=randrw --bs=64k --ioengine=libaio --iodepth=64 --runtime=120 --numjobs=4

with NCQ

   READ: bw=26.1MiB/s (27.4MB/s), 26.1MiB/s-26.1MiB/s (27.4MB/s-27.4MB/s), io=3136MiB (3288MB), run=120053-120053msec
  WRITE: bw=26.3MiB/s (27.6MB/s), 26.3MiB/s-26.3MiB/s (27.6MB/s-27.6MB/s), io=3161MiB (3315MB), run=120053-120053msec
without NCQ

   READ: bw=22.0MiB/s (23.1MB/s), 22.0MiB/s-22.0MiB/s (23.1MB/s-23.1MB/s), io=2647MiB (2775MB), run=120069-120069msec
  WRITE: bw=22.2MiB/s (23.3MB/s), 22.2MiB/s-22.2MiB/s (23.3MB/s-23.3MB/s), io=2665MiB (2795MB), run=120069-120069msec
2023-03-08 13:50:25 +08:00
Stepan Blyshchak
969166d769 [Mellanox] Place FW binaries under platform directory instead of squashfs (#13837)
Fixes #13568

Upgrade from old image always requires squashfs mount to get the next image FW binary. This can be avoided if we put FW binary under platform directory which is easily accessible after installation:

admin@r-spider-05:~$ ls /host/image-fw-new-loc.0-dirty-20230208.193534/platform/fw-SPC.mfa
/host/image-fw-new-loc.0-dirty-20230208.193534/platform/fw-SPC.mfa
admin@r-spider-05:~$ ls -al /tmp/image-fw-new-loc.0-dirty-20230208.193534-fs/etc/mlnx/fw-SPC.mfa
lrwxrwxrwx 1 root root 66 Feb  8 17:57 /tmp/image-fw-new-loc.0-dirty-20230208.193534-fs/etc/mlnx/fw-SPC.mfa -> /host/image-fw-new-loc.0-dirty-20230208.193534/platform/fw-SPC.mfa

- Why I did it
202211 and above uses different squashfs compression type that 201911 kernel can not handle. Therefore, we avoid mounting squashfs altogether with this change.

- How I did it
Place FW binary under /host/image-/platform/mlnx/, soft links in /etc/mlnx are created to avoid breaking existing scripts/automation.
/etc/mlnx/fw-SPCX.mfa is a soft link always pointing to the FW that should be used in current image
mlnx-fw-upgrade.sh is updated to prefer /host/image-/platform/mlnx location and fallback to /etc/mlnx in squashfs in case new location does not exist. This is necessary to do image downgrade.

- How to verify it
Upgrade from 201911 to master
master to 201911 downgrade
master -> master reboot
ONIE -> master boot (First FW burn)
Which release branch to backport (provide reason below if selected)
2023-03-08 13:50:18 +08:00
Sudharsan Dhamal Gopalarathnam
e1536c00a7 [netlink] Increse netlink buffer size from 3MB to 16MB (#13965)
#### Why I did it
Following the PR https://github.com/sonic-net/sonic-swss-common/pull/739 increasing netlink buffer size in linux kernel
As error is seen in fdbsyncd with netlink reports "out of memory on reading a netlink socket" It is seen when kernel is sending 10k remote mac to fdbsyncd.


#### How I did it
Increase the buffer size of the netlink buffer from 3MB to 16MB


#### How to verify it
Verified with 10k remote mac, and restarting the fdbsyncd process. So that kernel send the bridge fdb dump to the fdbsyncd.
Verified that the netlink buffer error is not reported in the sys log.
2023-03-08 06:35:20 +08:00
mssonicbld
523cd8dab5
[ci/build]: Upgrade SONiC package versions (#14077) 2023-03-04 20:49:07 +08:00
mssonicbld
f1f1af841f
[ci/build]: Upgrade SONiC package versions (#13994) 2023-02-26 19:41:42 +08:00
mssonicbld
f18f424d17
[ci/build]: Upgrade SONiC package versions (#13990) 2023-02-25 20:39:59 +08:00
mssonicbld
18bc044179
Remove support to Mellanox SPC4 ASIC (#13932) (#13957) 2023-02-23 22:22:35 +08:00