sonic-buildimage

Author	SHA1	Message	Date
Saikrishna Arcot	01af4e405c	Mark many (but not all) of the dockers as Bullseye dockers This tells the build infra that they need to be built as part of Bullseye and not Bookworm. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>	2023-11-03 13:50:59 -07:00
Mai Bui	a850f8b2f5	Fix privileged and volumes for macsec container (#16894 ) ### Why I did it Privileges and volumes were incorrectly set in macsec container. Privileged flag is set to false and volumes are not mounted properly. ``` admin@vlab-01:~$ docker inspect macsec0 \| grep Privi "Privileged": false, admin@vlab-01:~$ docker inspect macsec0 \| grep -A 10 Binds "Binds": [ "/var/run/redis0:/var/run/redis:rw", "/var/run/redis-chassis:/var/run/redis-chassis:ro", "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0/Nokia-IXR7250E-36x100G/0:/usr/share/sonic/hwsku:ro", "/var/run/redis0/:/var/run/redis0/:rw", "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0:/usr/share/sonic/platform:ro" ], ``` ### How I did it #### How to verify it Make sure privileged settings remain unchanged and make sure volumes are properly mounted ``` admin@vlab-01:~$ docker inspect macsec \| grep Privi "Privileged": false, admin@vlab-01:~$ docker inspect macsec \| grep -A 10 Binds "Binds": [ "/etc/timezone:/etc/timezone:ro", "/var/run/redis:/var/run/redis:rw", "/var/run/redis-chassis:/var/run/redis-chassis:ro", "/etc/fips/fips_enable:/etc/fips/fips_enable:ro", "/usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro", "/etc/sonic:/etc/sonic:ro", "/host/warmboot:/var/warmboot", "/usr/share/sonic/device/x86_64-kvm_x86_64-r0/Force10-S6000/:/usr/share/sonic/hwsku:ro", "/usr/share/sonic/device/x86_64-kvm_x86_64-r0:/usr/share/sonic/platform:ro" ], ```	2023-10-19 11:17:05 -07:00
nmoray	f978b2bb53	Timezone sync issue between the host and containers (#14000 ) #### Why I did it To fix the timezone sync issue between the containers and the host. If a certain timezone has been configured on the host (SONIC) then the expectation is to reflect the same across all the containers. This will fix [Issue:13046](https://github.com/sonic-net/sonic-buildimage/issues/13046). For instance, a PST timezone has been set on the host and if the user checks the link flap logs (inside the FRR), it shows the UTC timestamp. Ideally, it should be PST.	2023-06-25 16:36:09 -07:00
Ze Gan	016f671857	[docker-macsec]: Add dependencies of MACsec (#11770 ) Why I did it If the SWSS services was restarted, the MACsec service should also be restarted. Otherwise the data in wpa_supplicant and orchagent will not be consistent. How I did it Add dependency in docker-macsec.mk. How to verify it Manually check by 'sudo service swss restart'. The MACsec container should be started after swss, the syslog will look like Sep 8 14:36:29.562953 sonic INFO swss.sh[9661]: Starting existing swss container with HWSKU Force10-S6000 Sep 8 14:36:30.024399 sonic DEBUG container: container_start: BEGIN ... Sep 8 14:36:33.391706 sonic INFO systemd[1]: Starting macsec container... Sep 8 14:36:33.392925 sonic INFO systemd[1]: Starting Management Framework container... Signed-off-by: Ze Gan <ganze718@gmail.com>	2022-09-08 23:45:06 +08:00
Ze Gan	5efd6f9748	[macsec]: Add MACsec clear CLI support (#11731 ) Why I did it To support clear MACsec counters by sonic-clear macsec How I did it Add macsec sub-command in sonic-clear to cache the current macsec stats, and in the show macsec command to check the cache and return the diff with cache file. How to verify it admin@vlab-02:~$ show macsec Ethernet0 MACsec port(Ethernet0) --------------------- ----------- cipher_suite GCM-AES-128 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (52540067daa70001) ----------- - encoding_an 0 ----------- - MACsec Egress SA (0) ------------------------------------- -------------------------------- auth_key 9DDD4C69220A1FA9B6763F229B75CB6F next_pn 1 sak BA86574D054FCF48B9CD7CF54F21304A salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 52 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- -------------------------------- MACsec Ingress SC (525400d4fd3f0001) MACsec Ingress SA (0) --------------------------------------- -------------------------------- active true auth_key 9DDD4C69220A1FA9B6763F229B75CB6F lowest_acceptable_pn 1 sak BA86574D054FCF48B9CD7CF54F21304A salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 56 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- -------------------------------- admin@vlab-02:~$ sonic-clear macsec Clear MACsec counters admin@vlab-02:~$ show macsec Ethernet0 MACsec port(Ethernet0) --------------------- ----------- cipher_suite GCM-AES-128 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (52540067daa70001) ----------- - encoding_an 0 ----------- - MACsec Egress SA (0) ------------------------------------- -------------------------------- auth_key 9DDD4C69220A1FA9B6763F229B75CB6F next_pn 1 sak BA86574D054FCF48B9CD7CF54F21304A salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 52 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- -------------------------------- MACsec Ingress SC (525400d4fd3f0001) MACsec Ingress SA (0) --------------------------------------- -------------------------------- active true auth_key 9DDD4C69220A1FA9B6763F229B75CB6F lowest_acceptable_pn 1 sak BA86574D054FCF48B9CD7CF54F21304A salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 0 <---this counters was cleared. SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- -------------------------------- Signed-off-by: Ze Gan <ganze718@gmail.com> Co-authored-by: Judy Joseph <jujoseph@microsoft.com>	2022-09-07 08:16:23 +08:00
Ze Gan	910e1c6eb4	[docker-macsec]: MACsec CLI Plugin (#9390 ) #### Why I did it To provide MACsec config and show CLI for manipulating MACsec #### How I did it Add `config macsec` and `show macsec`. #### How to verify it This PR includes unittest for MACsec CLI, check Azp status. - Add MACsec profile ``` admin@sonic:~$ sudo config macsec profile add --help Usage: config macsec profile add [OPTIONS] <profile_name> Add MACsec profile Options: --priority <priority> For Key server election. In 0-255 range with 0 being the highest priority. [default: 255] --cipher_suite <cipher_suite> The cipher suite for MACsec. [default: GCM- AES-128] --primary_cak <primary_cak> Primary Connectivity Association Key. [required] --primary_ckn <primary_cak> Primary CAK Name. [required] --policy <policy> MACsec policy. INTEGRITY_ONLY: All traffic, except EAPOL, will be converted to MACsec packets without encryption. SECURITY: All traffic, except EAPOL, will be encrypted by SecY. [default: security] --enable_replay_protect / --disable_replay_protect Whether enable replay protect. [default: False] --replay_window <enable_replay_protect> Replay window size that is the number of packets that could be out of order. This field works only if ENABLE_REPLAY_PROTECT is true. [default: 0] --send_sci / --no_send_sci Send SCI in SecTAG field of MACsec header. [default: True] --rekey_period <rekey_period> The period of proactively refresh (Unit second). [default: 0] -?, -h, --help Show this message and exit. ``` - Delete MACsec profile ``` admin@sonic:~$ sudo config macsec profile del --help Usage: config macsec profile del [OPTIONS] <profile_name> Delete MACsec profile Options: -?, -h, --help Show this message and exit. ``` - Enable MACsec on the port ``` admin@sonic:~$ sudo config macsec port add --help Usage: config macsec port add [OPTIONS] <port_name> <profile_name> Add MACsec port Options: -?, -h, --help Show this message and exit. ``` - Disable MACsec on the port ``` admin@sonic:~$ sudo config macsec port del --help Usage: config macsec port del [OPTIONS] <port_name> Delete MACsec port Options: -?, -h, --help Show this message and exit. ``` Show MACsec ``` MACsec port(Ethernet0) --------------------- ----------- cipher_suite GCM-AES-256 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (5254008f4f1c0001) ----------- - encoding_an 2 ----------- - MACsec Egress SA (1) ------------------------------------- ---------------------------------------------------------------- auth_key 849B69D363E2B0AA154BEBBD7C1D9487 next_pn 1 sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 179 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Egress SA (2) ------------------------------------- ---------------------------------------------------------------- auth_key 5A8B8912139551D3678B43DD0F10FFA5 next_pn 1 sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6 salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 87185 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Ingress SC (525400edac5b0001) MACsec Ingress SA (1) --------------------------------------- ---------------------------------------------------------------- active true auth_key 849B69D363E2B0AA154BEBBD7C1D9487 lowest_acceptable_pn 1 sak AE8C9BB36EA44B60375E84BC8E778596289E79240FDFA6D7BA33D3518E705A5E salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 103 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- MACsec Ingress SA (2) --------------------------------------- ---------------------------------------------------------------- active true auth_key 5A8B8912139551D3678B43DD0F10FFA5 lowest_acceptable_pn 1 sak 7F2651140F12C434F782EF9AD7791EE2CFE2BF315A568A48785E35FC803C9DB6 salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 91824 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- MACsec port(Ethernet1) --------------------- ----------- cipher_suite GCM-AES-256 enable true enable_encrypt true enable_protect true enable_replay_protect false replay_window 0 send_sci true --------------------- ----------- MACsec Egress SC (5254008f4f1c0001) ----------- - encoding_an 1 ----------- - MACsec Egress SA (1) ------------------------------------- ---------------------------------------------------------------- auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF next_pn 1 sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 4809 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED 0 ------------------------------------- ---------------------------------------------------------------- MACsec Ingress SC (525400edac5b0001) MACsec Ingress SA (1) --------------------------------------- ---------------------------------------------------------------- active true auth_key 35FC8F2C81BCA28A95845A4D2A1EE6EF lowest_acceptable_pn 1 sak 1EC8572B75A840BA6B3833DC550C620D2C65BBDDAD372D27A1DFEB0CD786671B salt 000000000000000000000000 ssci 0 SAI_MACSEC_SA_ATTR_CURRENT_XPN 5033 SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED 0 SAI_MACSEC_SA_STAT_IN_PKTS_INVALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_LATE 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA 0 SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID 0 SAI_MACSEC_SA_STAT_IN_PKTS_OK 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED 0 SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA 0 SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED 0 SAI_MACSEC_SA_STAT_OCTETS_PROTECTED 0 --------------------------------------- ---------------------------------------------------------------- ```	2022-05-19 21:59:37 +08:00
Ze Gan	926e698f0a	[docker-macsec]: Fix the missing dependency of macsecmgrd in swss (#10618 ) Why I did it Missing the dependency of macsecmgrd in swss so that the MACsec feature cannot be enabled. How I did it Add SWSS dependency in docker-macsec.mk How to verify it Check the Azp of sonic-mgmt	2022-04-21 09:00:53 +08:00
Ze Gan	87036c34ec	[macsec]: Upgrade docker-macsec to bullseye (#10574 ) Following the patch from : https://packages.debian.org/bullseye/wpasupplicant, to upgrade sonic-wpa-supplicant for supporting bullseye and upgrade docker-macsec.mk as a bullseye component.	2022-04-17 20:32:51 +08:00
Saikrishna Arcot	bd479cad29	Create a docker-swss-layer that holds the swss package. This is to save about 50MB of disk space, since 6 containers individually install this package. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>	2022-01-06 09:26:55 -08:00
Saikrishna Arcot	6105684b9e	Add infra to support building Bullseye base image with Buster containers All docker containers will be built as Buster containers, from a Buster slave. The base image and remaining packages that are installed onto the host system will be built for Bullseye, from a Bullseye slave. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>	2021-11-10 15:27:22 -08:00
Stepan Blyshchak	cd2c86eab6	[dockers] label SONiC Docker with manifest (#5939 ) Signed-off-by: Stepan Blyschak stepanb@nvidia.com This PR is part of SONiC Application Extension Depends on #5938 - Why I did it To provide an infrastructure change in order to support SONiC Application Extension feature. - How I did it Label every installable SONiC Docker with a minimal required manifest and auto-generate packages.json file based on installed SONiC images. - How to verify it Build an image, execute the following command: admin@sonic:~$ docker inspect docker-snmp:1.0.0 \| jq '.[0].Config.Labels["com.azure.sonic.manifest"]' -r \| jq Cat /var/lib/sonic-package-manager/packages.json file to verify all dockers are listed there.	2021-04-26 13:51:50 -07:00
Ze Gan	4068944202	[MACsec]: Set MACsec feature to be auto-start (#6678 ) 1. Add supervisord as the entrypoint of docker-macsec 2. Add wpa_supplicant conf into docker-macsec 3. Set the macsecmgrd as the critical_process 4. Configure supervisor to monitor macsecmgrd 5. Set macsec in the features list 6. Add config variable `INCLUDE_MACSEC` 7. Add macsec.service - How to verify it Change the `/etc/sonic/config_db.json` as follow ``` { "PORT": { "Ethernet0": { ... "macsec": "test" } } ... "MACSEC_PROFILE": { "test": { "priority": 64, "cipher_suite": "GCM-AES-128", "primary_cak": "0123456789ABCDEF0123456789ABCDEF", "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435", "policy": "security" } } } ``` To execute `sudo config reload -y`, We should find the following new items were inserted in app_db of redis ``` 127.0.0.1:6379> keys MAC 1) "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 2) "MACSEC_PORT_TABLE:Ethernet0" 127.0.0.1:6379> hgetall "MACSEC_EGRESS_SC_TABLE:Ethernet0:72152375678227538" 1) "ssci" 2) "" 3) "encoding_an" 4) "0" 127.0.0.1:6379> hgetall "MACSEC_PORT_TABLE:Ethernet0" 1) "enable" 2) "false" 3) "cipher_suite" 4) "GCM-AES-128" 5) "enable_protect" 6) "true" 7) "enable_encrypt" 8) "true" 9) "enable_replay_protect" 10) "false" 11) "replay_window" 12) "0" ``` Signed-off-by: Ze Gan <ganze718@gmail.com>	2021-02-23 13:22:45 -08:00
Ze Gan	c22575218a	[docker-macsec]: MACsec container and wpa_supplicant component (#5700 ) The HLD about MACsec feature is at : https://github.com/Azure/SONiC/blob/master/doc/macsec/MACsec_hld.md - How to verify it This PR doesn't set MACsec container automatically start, You should manually start the container by docker run docker-macsec wpa_supplicant binary can be found at MACsec container. This PR depends on the PR, WPA_SUPPLICANT, and The MACsec container will be set as automatically start by later PR. Signed-off-by: zegan <zegan@microsoft.com>	2021-01-10 10:39:59 -08:00

13 Commits