Commit Graph

2464 Commits

Author SHA1 Message Date
Joe LeVeque
3ee9c5d1e3 [caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412)
Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
2020-06-09 04:21:27 +00:00
Wirut Getbamrung
9f8d691d4e
[platform/cel]: Backport reboot cause API to 201811 branch (#4619)
Add reboot cause API to support process-reboot-cause.service
Implement chassis.get_reboot_cause platform API
2020-05-26 02:27:03 -07:00
Guohan Lu
236707ac64 [baseimage]: install same version for docker-ce and docker-ce-cli
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-05-20 01:08:44 +00:00
lguohan
8e014bb7e7 [baseimage]: pin down package version for azure-storage, watchdog and futures (#4575)
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-05-13 05:05:29 +00:00
Ying Xie
f52e59a032
[ntp] enable/disable NTP long jump according to reboot type (#4582)
- Enable NTP long jump after cold reboot.
- Disable NTP long jump after warrm/fast reboot.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-05-12 12:23:47 -07:00
Qi Luo
8d200300ca
[minigraph] Support FECDisabled in minigraph parser (#4556) (#4567)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2020-05-09 15:54:39 -07:00
Neetha John
3d41c271a4 [qos]: Alpha and ECN settings change for Th (#4564)
Dynamic threshold setting changed to 0 and WRED profile green min threshold set to 250000 for Tomahawk devices

Changed the dynamic threshold settings in pg_profile_lookup.ini
Added a macro for WRED profiles in qos.json.j2 for Tomahawk devices
Necessary changes made in qos.config.j2 to use the macro if present

Signed-off-by: Neetha John <nejo@microsoft.com>
2020-05-09 18:25:17 +00:00
Ying Xie
660b0be9c5
[201811][sairedis] advance sairedis submodule head (#4562)
Submodule src/sonic-sairedis 5065d7858..370e3c171:
  > [syncd] Use steady clock for TimerWatchdog (#613)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-05-09 09:04:16 -07:00
Joe LeVeque
ceb878414d [process-reboot-cause] If software reboot cause is unknown add note if first boot into new image (#4538) 2020-05-08 20:37:22 +00:00
Qi Luo
708d901209
[bgpcfgd]: ip_addr is not defined (#4560) 2020-05-08 12:19:48 -07:00
Guohan Lu
9966a0a341 [bgpcfgd]: fix missing reference
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-05-08 06:09:40 +00:00
Renuka Manavalan
de05770895
Extend debug image build ability to all platforms. (#3134) (#4524) 2020-05-04 09:48:40 -07:00
Ying Xie
e2ae4ff365
[201811][utilities] advance utilities submodule head (#4490)
Submodule src/sonic-utilities d7e8f84cf..8c21fc151:
  > [utility] Filter FDB entries (#890)
  > Fix the warm-reboot script to support FRR based warm-reboot (#842)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-04-28 17:27:52 -07:00
Tamer Ahmed
0540bc4728 [dhcpmon] Filter DHCP O/A Messages of Neighboring Vlans (#4469)
* [dhcpmon] Filter DHCP O/A Messages of Neighboring Vlans

This code fixes a bug where two or more vlans exist. Cross contamination
happens for DHCP packets Offer/Ack when received on shared northbound links.
The code filters out those packet based on dst IP equal Vlan loopback IP.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-04-28 21:06:11 +00:00
Nazarii Hnydyn
bea64ba231
[platform] Add SSD Health tools. (#4464) 2020-04-27 08:29:30 -07:00
Danny Allen
d2acc7f9b0
[syncd-rpc] Fix PTF dependency in syncd-rpc image (#4438)
Signed-off-by: Danny Allen <daall@microsoft.com>
2020-04-17 10:13:32 -07:00
Renuka Manavalan
ca55099864 Update dockers with platform & SONiC version as part of name/tag. (#4337)
* Include platform info in name.
Get SONiC Version as parameter and use
Make additional tag as optional.
Avoid repetitions by using function.

* Per review comments, make SONIC_VERSION optional and added some comments.

* 1) Added additional params are optional
2) Handle DOCKER_IMAGE_TAG only if given
3) Use BUILD_NUMBER only if SONIC_VERSION not given
4) Tag with SONIC_VERSION if given.

Current behavior is not changed, unless SONIC_VERSION is given.

* Update per review comments
1) Added new args with options
2) Handle PORT possible being empty
3) Exhibit new behavior only if both version & platform are given.

* Drop redundant quotes
2020-04-15 17:19:56 +00:00
Stepan Blyshchak
fd2ca95f06
[mlnx] add option to build sdk from sources (#4378)
Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
2020-04-13 08:29:54 -07:00
Nazarii Hnydyn
096a0e1e18
[mellanox]: Add SSD FW update tool (#4352)
* [mellanox]: Add SSD FW update tool.

Signed-off-by: Nazarii Hnydyn <nazariig@mellanox.com>

* [mellanox]: Update SSD tool.

Signed-off-by: Nazarii Hnydyn <nazariig@mellanox.com>
2020-04-13 18:12:16 +03:00
Renuka Manavalan
bf83b03b47 Pass image_type to build_debian.sh, so it can do any required customizations. (#4401) 2020-04-08 22:09:06 +00:00
Stepan Blyshchak
46e5753656
[mellanox] update SDK to 4.3.1646 (#4381)
* fixes an issue when /host/warmboot/issu_bank.txt is empty/corrupted
switch is not able to over come this and enters continuos reload/reboot
failure.

Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
2020-04-07 15:01:46 +03:00
Arun Saravanan Balachandran
b16807003a
DellEMC: S6100 CPLD upgrade (#4299)
* DellEMC: S6100 CPLD upgrade

* DellEMC: S6100 CPLD upgrade - Retry on failure
2020-04-06 14:53:53 -07:00
Ying Xie
37684bb692
[201811][utilities] advance submodule heads (#4368)
Submodule src/sonic-utilities f431510ae..d7e8f84cf:
Fix issue of fields overwritten before display (#863)

Signed-off-by: Guohan Lu <lguohan@gmail.com>
Co-authored-by: Guohan Lu <lguohan@gmail.com>
2020-04-04 22:18:51 -07:00
SuvarnaMeenakshi
fba321ae6c [ntp]: Add "tinker panic 0" in ntp.conf to avoid ntpd from panic (#4263)
- What I did
Add configuration to avoid ntpd from panic and exit if the drift between new time and current system time is large.

- How I did it
Added "tinker panic 0" in ntp.conf file.

- How to verify it
[this assumes that there is a valid NTP server IP in config_db/ntp.conf]

Change the current system time to a bad time with a large drift from time in ntp server; drift should be greater than 1000s.
Reboot the device.
Before the fix:
3. upon reboot, ntp-config service comes up fine, ntp service goes to active(exited) state without any error message. This is because the offset between new time (from ntp server) and the current system time is very large, ntpd goes to panic mode and exits. The system continues to show the bad time.

After the fix:
3. Upon reboot, ntp-config comes up fine, ntp services comes up from and stays in active (running) state. The system clock gets synced with the ntp server time.
2020-04-03 19:42:17 +00:00
Joe LeVeque
28512122bc [minigraph.py] Add support for 'OutAcl' keyword and attaching ACLs to VLAN interfaces (#4229)
- Support parsing egress ACLs from minigraph file specified by the "OutAcl" element
- Support attaching ACLs to VLAN interfaces
2020-04-03 19:42:17 +00:00
Stepan Blyshchak
4bb2190ba6
[mellanox] update CPLD archive (#4349)
New CPLD includes support for watchdog type 3 with maximum timeout 65536 sec.

Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
2020-04-03 03:47:40 -07:00
Joe LeVeque
cbf7c7d80d [rsyslog] Suppress duplicate messages from base image and all Docker containers (#2497) 2020-04-02 21:42:01 +00:00
Stepan Blyshchak
a4dd0aa09f
[mellanox] add hardware watchdog script (#4274)
admin@sonic:~$ sudo hw-management-wd.sh
Usage: hw-management-wd.sh start [timeout] | stop | tleft | check_reset | help
start - start watchdog
        timeout is optional. Default value will be used in case if it's omitted
        timeout provided in seconds
stop - stop watchdog
tleft - check watchdog timeout left
check_reset - check if previous reset was caused by watchdog
        Prints only in case of watchdog reset
help -this help

Signed-off-by: Stepan Blyschak <stepanb@mellanox.com>
2020-03-31 20:34:55 -07:00
Volodymyr Samotiy
c8d8f1c6f0
[Mellanox]: Update FW to 13.2000.1658 version (#4343)
This new FW version includes the following fixes:

SFP thermal shutdown issue

Signed-off-by: Volodymyr Samotiy <volodymyrs@mellanox.com>
2020-03-31 20:33:25 -07:00
Wenda Ni
96675bc476 Add new hwsku Arista-7050QX32S-Q32 (#3091)
Signed-off-by: Wenda Ni <wenni@microsoft.com>
2020-03-22 22:42:48 +00:00
Ying Xie
d567dbd6fe
[201811][utilities] advance utilities submodule head (#4290)
Submodule src/sonic-utilities e9747899a..f431510ae:
  > [201811][intfutil] set speed to 0 when interface speed is not available (#840)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-03-19 18:42:48 -07:00
Sujin Kang
d8c39c3a2f
[201811][fancontrol] Restart process upon unexpected exit (#4161)
* Add restart configuration of fancontrol for pmon.

* Clean up the default value setting for exitcodes

* Remove the default setting of stopwaitsecs
2020-03-19 17:23:30 -07:00
yozhao101
1cc6141a93 [Monit] Delay start of monitoring for 5 minutes (#4281) 2020-03-19 22:49:04 +00:00
Ying Xie
63028222a0 [NTP] Revert change in PR 2598 (#4265)
We believe that the supervisord issue in face of clock rolling backwards
has been addressed. Therefore reverting change 2598 to allow ntp sync
to right clock at the start up time.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-03-19 16:08:20 +00:00
pavel-shirshov
a881a23908
[bgpcfgd]: Generate set src configuration dynamically (#4273)
* [bgpcfgd]: Generate set src configuration dynamically

Sometimes zebra starts faster then swss configures Loopback0
In this case "set src" inside of the route map will not be
inserted to the configuration because zebra doesn't see Loopback
ips in the list of available ip addresses.

I've added extra logic to push the "set src" configuration only
when Loopback has been configured by swss.
2020-03-18 08:48:03 -07:00
Samuel Angebault
6c48a3f113
[arista] Update drivers submodule (#4272)
- Add mac address check for management port
- Fix sfputil reset logic
2020-03-17 21:14:48 -07:00
Qi Luo
ae8f55be74
Revert "[snmp] Configure snmp docker hostname from config DB (#2773)" (#4242)
This reverts commit f2e60f8c91.
2020-03-10 08:00:15 -07:00
Qi Luo
05b4ae2031
Update submodule for sonic-snmpagent (#4241)
* Parse quagga output without knowledge about hostname, so robust against hostname changes or mismatch
2020-03-10 08:00:03 -07:00
zhenggen-xu
19c1ad36a5
[201811] [interfaces-config.sh] Flush the loopback interface addresses (#4234)
* [interfaces-config.sh] Flush the loopback interface before configure it

Without this, you may end up with more and more ip addresses
on loopback interface after you change the loopback ip and do config reload

Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
2020-03-09 16:14:59 -07:00
pavel-shirshov
b3ce209b7f
[quagga]: Increase netlink receive buffer for zebra (#4228)
Increased netlink socket receive buffer size for zebra. Otherwise we receive following messages sometimes:
zebra[60]: netlink-listen recvmsg overrun: No buffer space available
2020-03-06 11:14:25 -08:00
noaOrMlnx
aa73dbd6e6 [Mellanox] Update MFT version to 4.13.5 (#4199) 2020-03-02 18:01:35 +00:00
Joe LeVeque
7a095dc103 [sonic-cfggen] Load JSON files before minigraph file (#4202)
If sonic-cfggen is passed the -m argument (to load the minigraph file) along with one or more -j <json_file> arguments, load the JSON files before loading the minigraph file.

This ensures that the init_cfg.json file is loaded before the minigraph, therefore the minigraph can override any default configuration options specified in init_cfg.json. Currently, the behavior is reversed.

Note: This is not an issue if loading loading multiple JSON files, because sonic-cfggen loads them in the left-to-right order they were specified on the command line, therefore providing flexibility for loading JSON files in a specific order. As long as init_cfg.json is specified before config_db.json, the values specified in config_db.json will take precedence.
2020-03-02 16:24:38 +00:00
Vitaliy Senchyshyn
f2e60f8c91 [snmp] Configure snmp docker hostname from config DB (#2773)
* [snmp] Configure snmp docker hostname from config DB
* Fixed reviewer comments
2020-03-02 16:16:18 +00:00
pavel-shirshov
560aceba27
[libteam]: Disregard current state when considering port enablement (#4210) 2020-02-29 04:38:32 -08:00
Ying Xie
a570d7ebe5
[201811][sairedis] advance sairedis submodule head (#4198)
Submodule src/sonic-sairedis aa092506f..c61d15947:
  > [201811][SAI] move SAI sub module head to v1.4.3 (#567)
  > [201811][sai] advance SAI submodule (#566)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-02-28 18:24:40 -08:00
Nazarii Hnydyn
8f37ead4e4
[image]: Add SSD maintenance utility - hdparm. (#4178)
Signed-off-by: Nazarii Hnydyn <nazariig@mellanox.com>
2020-02-26 11:33:49 +02:00
Ying Xie
b6121b02e7
[201811][utilities] advance utilities submodule head (#4194)
Submodule src/sonic-utilities 49ab6b1f8..e9747899a:
  > [reboot] make sure the reboot happens even if platform reboot failed (#819)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-02-25 08:54:34 -08:00
Prince Sunny
2c6b0d0412 [orchagent] Use mac address from config_db instead of from eth0 (#4166)
* Use mac address from config_db instead of eth0
2020-02-25 16:39:53 +00:00
Prince Sunny
320dcf2008 Sleep done before mismatch handler (#4165)
* Sleep done before mismatch handler
2020-02-25 16:39:33 +00:00
byu343
50db98e2b3 [arista]: Fix convertfs condition for booting from EOS (#4139)
Fix the issue of incorrectly skipping the convertfs hook when fast-reboot from EOS, by adding an extra kernel cmdline param "prev_os" to differentiate fast-reboot from EOS and from SONiC.

This is because we still do disk conversion for fast reboot from eos to sonic, like format the disk.
2020-02-25 16:38:56 +00:00