### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag
* [buffers] Add create_only_config_db_buffers.json for MLNX devices (not MSFT SKU), inject it at the start of the swss docker
Signed-off-by: vadymhlushko-mlnx <vadymh@nvidia.com>
* [buffers] Align the sonic-device_metadata.yang
Signed-off-by: vadymhlushko-mlnx <vadymh@nvidia.com>
---------
Signed-off-by: vadymhlushko-mlnx <vadymh@nvidia.com>
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag
#### How to verify it
Run radv sonic-mgmt tests
### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag
#### How to verify it
Run eventd sonic-mgmt tests
### Why I did it
When FRR is built with Cache enabled, the build failed with the following error logs
```
[2023-09-20T15:17:00.273Z] fatal: Unable to hash src/sonic-frr/frr/tests/topotests/grpc_basic/lib
[2023-09-20T15:17:00.273Z] fatal: Unable to hash src/sonic-frr/frr/tests/topotests/ospfapi/lib
[2023-09-20T15:17:00.273Z] make: *** [Makefile.cache:528: target/debs/bullseye/frr_8.5.1-sonic-0_amd64.deb.smdep] Error 123
[2023-09-20T15:17:00.273Z] make: *** Waiting for unfinished jobs....
```
#### How I did it
Currently symlinks are excluded in hardcoded fashion. With FRR upgrades new symlinks might get introduced. To overcome it modified the way in which symlinks are excluded by finding symlinks using find command
#### How to verify it
Build FRR with cache enabled
Why I did it
fixes#15949
Problem 1: Setting ONIE_IMAGE_PART_SIZE using env variable or using "make ONIE_IMAGE_PART_SIZE=65536 USERNAME=test PASSWORD=test all" did not work.
Problem 2: The platform specific file for example "device/x86_64-8201_32fh_o-r0/installer.conf" cannot override it by setting value of ONIE_IMAGE_PART_SIZE in the file. change 2 adds support to do that.
How I did it
Change 1: when ONIE_IMAGE_PART_SIZE, the files Makefile.work and slave.mk should pass that setting along all the way to build_image.sh. Please see commit 1.
Change 2: In installer/install.sh, save the value set during build time string replace into a value and then let this value be overridden later when installer.conf get read which is platform specific. If platform does not override it, the original value will continue to work. Please see commit 2.
How to verify it
1: The below command works now
make ONIE_IMAGE_PART_SIZE=65536 USERNAME=test PASSWORD=test all"
The image properly was installed using ONIE and the partition size reflects what was passed in the above build command.
If the above value is not set, the default from "onie-image.conf" takes effect and still works.
2: Set ONIE_IMAGE_PART_SIZE in platform specific file like below example
--------------Diff----
device/x86_64-8201_32fh_o-r0/installer.conf
@@ -1 +1,2 @@
ONIE_PLATFORM_EXTRA_CMDLINE_LINUX=" intel_iommu=off"
+ONIE_IMAGE_PART_SIZE=128000
and built the image using "make USERNAME=test PASSWORD=test all" and verified that the final installation properly partitioned the disk to the requested value from installer.conf file.
Created patches to address two CVEs from FRR CVE-2023-41358 and CVE-2023-38802.
Patch FRR commit CVE fixed
0024-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch FRRouting/frr@f291f1e CVE-2023-41358
0025-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch FRRouting/frr@8a4a88c CVE-2023-38802
previously, get_num_asics() returns the maximum number of asics. however, the asic_count
should be actual number of asics populated which can be get from get_asic_presence_list().
ADO: 25158825
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
#### Why I did it
src/sonic-linux-kernel
```
* ecba611 - (HEAD -> master, origin/master, origin/HEAD) arm64: Enable CONFIG_KEXEC_FILE (#333) (6 hours ago) [pavannaregundi]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Why I did it
Fix: #16699
Fast reboot is failing from old OS versions (eg., 201911 image) to latest (eg., master branch) after PR #15685
The system wide flag for FAST_REBOOT is still required when the base OS version does not support the new fast-reboot reconciliation logic (no db dump)
Remove 15s unconditional sleep.
Instead check every second that /proc is not mounted.
Go to the next step if /proc is not mounted anymore or after 15s.
Why I did it
Now build will fail on:
fatal: Unable to hash src/sonic-frr/frr/tests/topotests/grpc_basic/lib
fatal: Unable to hash src/sonic-frr/frr/tests/topotests/ospfapi/lib
make: *** [Makefile.cache:528: target/debs/buster/frr_8.5.1-sonic-0_amd64.deb.smdep] Error 123
make: *** Waiting for unfinished jobs....
Root cause is that these files are symbol links.
git hash-object can't hash symbol links.
Work item tracking
Microsoft ADO (number only): 25271730
How I did it
These two files are symbol links.
When calculate sha value, skip these two files.
#### Why I did it
src/sonic-gnmi
```
* cbb7631 - (HEAD -> master, origin/master, origin/HEAD) Debug grpc to fetch subscribe preferences of a path (#130) (6 hours ago) [Sachin Holla]
* 099ff7c - Remove command to install libhiredis deb file (#151) (9 hours ago) [Saikrishna Arcot]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
Fix issue #16533 , telemetry service exit in master and 202305 branches due to no telemetry configs in redis DB.
#### How I did it
Enable default config if no TELEMETRY configs from redis DB.
#### How to verify it
After the fix, telemetry service would work with the following two scenarios:
1. With TELEMETRY config in redis DB, load service configs from DB.
2. No TELEMETRY config in redis DB, use default service configs.
#### Why I did it
src/sonic-mgmt-common
```
* 42ca0a6 - (HEAD -> master, origin/master, origin/HEAD) DB Access Layer Merges: GetTablePattern ... (#103) (10 hours ago) [a-barboza]
```
#### How I did it
#### How to verify it
#### Description for the changelog
#### Why I did it
src/sonic-swss
```
* 45547e66 - (HEAD -> master, origin/master, origin/HEAD) [Buffer Orch] Retry one more time when it fails to set buffer profiles' attributes to SAI (#2890) (11 hours ago) [Stephen Sun]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Why I did it
When SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT changed, almost all dockers need to be built again.
But currently it will be loaded by cache.
Work item tracking
Microsoft ADO (number only): 25123348
How I did it
Add $(DOCKER)_FILES into dependencies.
#### Why I did it
src/sonic-swss-common
```
* b0f148e - (HEAD -> master, origin/master, origin/HEAD) [chassis][voq] Add fabric monitoring tables definitions. (#808) (10 hours ago) [jfeng-arista]
```
#### How I did it
#### How to verify it
#### Description for the changelog
### Why I did it
##### Work item tracking
- Microsoft ADO **(number only)**:24851367
#### How I did it
Read subscription message when capture service starts, before reading cached events.
#### How to verify it
UT/Manual testing
### Why I did it
### How I did it
Fix regex such that dhcp bind failure event is detected as well as process name since dhcp relay processes that need to be detected are dhcprelay6 and dhcrelay.
#### How to verify it
Manual testing and nightly test event
Microsoft ADO (25266920)
sonic-mgmt xoff test was failing for [100g,120km]. Needed to update total headroom pool size when 100G line card is used as T2 uplink.
This size was calculated assuming 100g is used for downlink so cable length was 2km whereas it can also be used for uplink (cable length - 120km). so we need to do calculation based on 120km not 2km. Although it will be some wastage for 2km scenario but it should cover both cases.
What I did:
Enable Sending BGP Community over internal neighbors over iBGP Session
Microsoft ADO: 25268695
Why I did:
Without this change BGP community send by e-BGP Peers are not carry-forward to other e-BGP peers.
str2-xxxx-lc1-2# show bgp ipv6 20c0:a801::/64
BGP routing table entry for 20c0:a801::/64, version 52141
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65500
2603:10e2:400::6 from 2603:10e2:400::6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
Last update: Tue Sep 26 16:08:26 2023
str2-xxxx-lc1-2# show ip bgp 192.168.35.128/25
BGP routing table entry for 192.168.35.128/25, version 52688
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65502
3.3.3.6 from 3.3.3.6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
Last update: Tue Sep 26 15:45:51 2023
After the change
str2-xxxx-lc2-2(config)# router bgp 65100
str2-xxxx-lc2-2(config-router)# address-family ipv4
str2-xxxx-lc2-2(config-router-af)# neighbor INTERNAL_PEER_V4 send-community
str2-xxxx-lc2-2(config-router-af)# exit
str2-xxxx-lc2-2(config-router)# address-family ipv6
str2-xxxx-lc2-2(config-router-af)# neighbor INTERNAL_PEER_V6 send-community
str2-xxxx-lc1-2# show bgp ipv6 20c0:a801::/64
BGP routing table entry for 20c0:a801::/64, version 52400
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65500
2603:10e2:400::6 from 2603:10e2:400::6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
**Community: 1111:1111**
Last update: Tue Sep 26 16:10:19 2023
str2-xxxx-lc1-2# show ip bgp 192.168.35.128/25
BGP routing table entry for 192.168.35.128/25, version 52947
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65502
3.3.3.6 from 3.3.3.6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
**Community: 1111:1111**
Last update: Tue Sep 26 16:10:09 2023
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
#### Why I did it
src/sonic-sairedis
```
* c22b76b - (HEAD -> master, origin/master, origin/HEAD) [VOQ][saidump] Enhance saidump with new option -r to parser the JSON file and displays/format the right output (#1288) (17 hours ago) [JunhongMao]
* 31bd92a - Add log for git revision (#1293) (4 days ago) [Kamil Cudnik]
* edf6597 - [submodule] Update SAI submodule to v1.13 (#1292) (6 days ago) [Kamil Cudnik]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Why I did it
Add info syslog for cpu_wdt.service when trigger watchdog arm action.
How I did it
Add info syslog for cpu_wdt.service when trigger watchdog arm action.
#### Why I did it
src/sonic-platform-common
```
* c63abc0 - (HEAD -> master, origin/master, origin/HEAD) [Credo][Ycable] Remove the thread locker protection from the thread-safe APIs (#388) (21 hours ago) [Xinyu Lin]
```
#### How I did it
#### How to verify it
#### Description for the changelog
This fixesNokia-ION/ndk#22
Note that this PR must be coupled with NDK version >= 22.9.13
Why I did it
To provide proper support for CMIS compliant transceiver module CDB operations (including FW related operations).
How I did it
Enhanced the transport subsystem so as to provide for up to 2k bytes of data to be passed to/from modules (as contrasted with the prior max of 128 bytes).
How to verify it
Ensure that new FW (firmware) can be programmed to CMIS compliant module(s) using the 'sfputil firmware ...' commands.
Why I did it
We install many deb packages when building sonic slave images.
To guarantee that the filesystem data is always consistent and safe,
dpkg performs fsync(2)s on its database and files unpacked from packages.
We don't need to use fsync for sonic slave images.
So we can reduce build time using eatmydata.
How I did it
Install deb package eatmydata in sonic-slave-buster and sonic-slave-bullseye docker images.
Pass apt-get install, apt install, apt-get upgrade, and dpkg -i with arguments directly to eatmydata.
How to verify it
Compare the build time of sonic-slave images with and without eatmydata.
For some NVME SSD I improved it by 30-40%.
You get no performance boost if your fs is mounted with options like nobarrier.
vlan import for yang currently doesn't work, so was removed from the original PR: #14521
Adds comments to remember to add later
Signed-off-by: Nikola Dancejic <ndancejic@microsoft.com>
Add two new hwskus for different port speed layouts
Arista-7060DX5-32-25Gx96-100Gx8-200Gx8
Arista-7060DX5-32-200Gx50-100Gx14
Disable bfd on all hwskus for x86_64-arista_7060dx5_32 as its dependencies have not been ready, which will result in a runtime error if not disabled.
#### Why I did it
src/sonic-host-services
```
* 3022c1b - (HEAD -> master, origin/master, origin/HEAD) Updated the iptable rule to use parent/base name of midplane interface of chassis. (#75) (6 hours ago) [abdosi]
```
#### How I did it
#### How to verify it
#### Description for the changelog
The Makefile for src/sonic-eventd had no clean target, which means build artifacts may incorrectly get reused across builds, when they need to get rebuilt for whatever reason (build environment changed, libraries changed, etc.).
Microsoft ADO (number only): 25135443
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
To include files in path platform/broadcom/sonic-platform-modules-dell/s6100/bin during build in Dell S6100 platform deb package.
How I did it
During Dell S6100 platform deb package build, copy the files to the install location.
How to verify it
- Copy the required files to platform/broadcom/sonic-platform-modules-dell/s6100/bin.
- Build the SONiC image and install in a Dell S6100 device.
- The files will be available in /usr/share/sonic/device/x86_64-dell_s6100_c2538-r0/bin/.
Fix debian files for libnl3 to enable a parallel build.
How to verify it
SONIC_CONFIG_MAKE_JOBS=20
now:
make target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb-clean
make target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb
grep Elapsed target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb.log
Elapsed time: 0h 1m 51s
fixed version:
make target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb-clean
make target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb
grep Elapsed target/debs/bullseye/libnl-3-200_3.5.0-1_amd64.deb.log
Elapsed time: 0h 0m 22s
SONiC CLI command was broken.
admin@sonic:~$ show platform psustatus
PSU Model Serial HW Rev Voltage (V) Current (A) Power (W) Status LED
----- --------------- ------------------ -------- ------------- ------------- ----------- -------- -----
PSU 1 PFE600-12-054NA 420000956420600006 206 N/A N/A 82.00 OK green
PSU 2 PFE600-12-054NA 420000956420600248 206 N/A N/A 60.00 NOT OK green
Management port currently broken for Edgecore AS4630-54PE platform due to NIC hardware numbering.
Created new PR with typo from Edgecore in original PR fixed. Here is a link to the old PR that has broken logic:
#9560
