Commit Graph

292 Commits

Author SHA1 Message Date
abdosi
cfa8fbbf1a
[baseimage]: Updates for Ebtables and support for multi-asic (#6542)
Following changes were done for ebtables:

- Support for Multi-asic platforms. Ebtable filters are installed in namespace for multi-asic and not host. On Single asic installed on  host.

- For Multi-asic platforms we don't want to install on host otherwise Namespace-to-Namespace communication does not happens since ARP Request are not forwarded.

- Updated to use text file to restore ebtables rules then the binary format. Rules are restore as part of Database docker init instead of rc.local

- Removed the ebtable service files for buster as not needed as filters are restored/installed as part of database docker init.
   All the binaries are pre-installed with ebtables* binary are same as ebatbles-legacy-* 

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 08:36:10 -08:00
Joe LeVeque
e52581e919
[PDDF] Build and install Python 3 package (#6286)
- Make PDDF code compliant with both Python 2 and Python 3
- Align code with PEP8 standards using autopep8
- Build and install both Python 2 and Python 3 PDDF packages
2021-01-07 10:03:29 -08:00
xumia
36fbc01a59
Fix the hostimage version path permission issue (#6337) 2021-01-03 17:32:20 +08:00
Danny Allen
a64994ec29
[sysctl] Increase hung_task_timeout_secs to 300 (#6312)
Depending on the performance characteristics of a given hardware platform, it's possible to exceed the default 120 second kernel timeout during I/O intensive operations like image installation. This can cause a kernel panic like so:

kernel:[ 852.441781] Kernel panic - not syncing: hung_task: blocked tasks

If this happens during image installation, it's possible for the install to become corrupted and leave the device in an unreachable state that requires a power cycle to resolve. This risk increases as image size continues to increase. So, we need to increase the timeout so that we don't encounter kernel panics on devices with lower disk throughput.

Signed-off-by: Danny Allen <daall@microsoft.com>
2020-12-30 05:00:16 -08:00
Joe LeVeque
62662acbd5
No longer install some unnecessary Python 2 packages in host (#6301)
- No longer install Python 2 packages in host:
    - libpython2.7-dev
    - docker
    - ipaddress
    - netifaces
    - azure-storage
    - watchdog
    - futures

- Install Python 3 versions of the following packages in host:
    - docker
    - azure-storage
    - watchdog
    - redis
    - swsssdk (install unconditionally)
2020-12-29 13:02:11 -08:00
Sabareesh-Kumar-Anandan
9aae9c9e47
[arm][build_debian] Clean up qemu-arm-static bin after collecting post-versions info (#6289)
- Why I did it
scripts/collect_host_image_version_files.sh fails with below error:

scripts/collect_host_image_version_files.sh target ./fsroot
/usr/sbin/chroot: failed to run command 'post_run_buildinfo': No such file or directory
/bin/cp: cannot stat './fsroot/usr/local/share/buildinfo/post-versions': No such file or directory

- How I did it
Issues is because qemu-arm-static is removed before this step. So, I moved the cleanup step to the end.

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
2020-12-24 10:45:19 -08:00
xumia
0a36de3a89
Recover "Support SONiC Reproduceable Build-debian/pip/web packages (#6255)
* Revert "Revert "Support SONiC Reproduceable Build-debian/pip/web packages (#5718)""

This reverts commit 17497a65e3.

* Revert "Revert "Remove unnecessary sudo authority in build Makefile (#6237)""

This reverts commit 163b7111b5.
2020-12-21 15:31:10 +08:00
Guohan Lu
17497a65e3 Revert "Support SONiC Reproduceable Build-debian/pip/web packages (#5718)"
This reverts commit 55a707586b.
2020-12-18 23:37:27 -08:00
arheneus@marvell.com
e88c7d11ca
[ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040)
Certain platform specific packages sonic-platform-xyz, installs files onto rootfs, which would be placed on read-write mount path on /host/image-name/rw/...
when ntpd starts it tries to do read access on /usr/bin /usr/sbin/ /usr/local/bin , which inturn links further to the read-write mount path also.
Where ntpd would get below Apparmor Warning message

LOG:-
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add rw/.. mount path similar to root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-12-18 04:57:35 -08:00
xumia
55a707586b
Support SONiC Reproduceable Build-debian/pip/web packages (#5718)
* Support SONiC reproduceable build for deb/py2/py3/web

* Remove j2 files

* Fix bug

* Fix some issues

1. Change some code format issues
2. Fix curl calling wget command, pip2 calling pip3 issue
3. Fix wget/curl downloading multiple urls issue

* Fix some code format issue

* Fix bug

* Fix bug

* Fix command path hard code in build info scripts issue

* Add debian package sonic-build-tools

* Fix auto debian package removed issue

* Change build debian package name, and change the folder

* Collect the pre-versions and post-versions

* Change to use debian:buster

* Remove apt-mark and improve code

* Remove set_build_hooks

* Change docker trusted gpg files

* Fix docker build COPY directory name issue

* Move the trusted gpg files into the sonic-build-hooks package
2020-12-17 13:06:53 +08:00
Joe LeVeque
c829e6914a
Install 'wheel' package in host OS; upgrade pip and setuptools (#6187)
Install the 'wheel' package in host OS (along with python3 and python3-distutils which are also needed for building some Python packages) to eliminate error messages like the following:

```
  Running setup.py bdist_wheel for watchdog: started
  Running setup.py bdist_wheel for watchdog: finished with status 'error'
  Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-Qd3K08/watchdog/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/pip-wheel-0AHpMe --python-tag cp27:
  usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
     or: -c --help [cmd1 cmd2 ...]
     or: -c --help-commands
     or: -c cmd --help
  
  error: invalid command 'bdist_wheel'
  
  ----------------------------------------
  Failed building wheel for watchdog

```

These error messages appear to have no impact on the image build, because the Python package seems to still get installed successfully afterward, just the building of a wheel package fails. Therefore, this is more of a cosmetic fix than an actual bug.

This is an addendum to https://github.com/Azure/sonic-buildimage/pull/6182.

Also upgrade pip and install more recent version of setuptools package via PyPI.
2020-12-16 16:38:15 -08:00
shlomibitton
a6aaffd2ad
[kdump] Add more kernel panic conditions for vmcore dump (#6095)
Create new file to "sysctl.d" with desired panic conditions.
It will trigger a vmcore dump using kdump-tools on these situations.

Signed-off-by: Shlomi Bitton <shlomibi@nvidia.com>
2020-12-15 08:54:13 -08:00
Qi Luo
25826626aa
[baseimage]: No need to apt-mark manual
It makes no difference during build.
2020-12-12 11:24:51 -08:00
Qi Luo
b0fdeff173
[baseimage]: No need to mark packages as auto since all debootstrap installed (#6159)
Originally this line is used to mark all previously installed packages (deboostrap installed) as auto, so later if no other packages depend on anyone of them, it will be auto removed. Seems we gained little from this line, so let's remove it.
2020-12-10 01:05:21 -08:00
lguohan
4812953468
[ntp]: build ntp with various fixes (#6037)
- NTP Bug 1970 (UNLINK_EXPR_SLIST empty list) Fix
- ENOBUFS log message level set to WARN
- Fix audit message seen on console apparmor
- add force-confold option when install ntp

Signed-off-by: Guohan Lu <lguohan@gmail.com>
Co-authored-by: Prabhu Sreenivasan <prabhu.sreenivasan@broadcom>
2020-12-02 15:02:50 -08:00
fk410167
a3dd3f55f9
Platform Driver Developement Framework (PDDF) (#4756)
This change introduces PDDF which is described here: https://github.com/Azure/SONiC/pull/536

Most of the platform bring up effort goes in developing the platform device drivers, SONiC platform APIs and validating them. Typically each platform vendor writes their own drivers and platform APIs which is very tailor made to that platform. This involves writing code, building, installing it on the target platform devices and testing. Many of the details of the platform are hard coded into these drivers, from the HW spec. They go through this cycle repetitively till everything works fine, and is validated before upstreaming the code.
PDDF aims to make this platform driver and platform APIs development process much simpler by providing a data driven development framework. This is enabled by:

JSON descriptor files for platform data
Generic data-driven drivers for various devices
Generic SONiC platform APIs
Vendor specific extensions for customisation and extensibility

Signed-off-by: Fuzail Khan <fuzail.khan@broadcom.com>
2020-11-12 10:22:38 -08:00
Sabareesh-Kumar-Anandan
6c362a08e7
[armhf][redis] compilation fixes for armhf arch (#5901)
1. Update SSL ca certificates for secure download [arm specific]
2. Using redis-tools from blob sonic-storage for docker-base-stretch

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
2020-11-11 18:19:48 -08:00
Joe LeVeque
13ff7b38d5
[docker-wait-any] Convert to Python 3, install dependency in host OS (#5784)
- Convert docker-wait-any script to Python 3
- Install Python 3 Docker Engine API in host OS
2020-11-05 11:23:00 -08:00
Joe LeVeque
d3262d10f7
[generate_asic_config_checksum.py] Convert to Python 3 (#5783)
- Convert script to Python 3
    - Need to open file in binary mode before hashing due to new string data type in Python 3 being unicode by default. This should probably have been done regardless.
- Reorganize imports alphabetically
- When running the script, don't explicitly call `python`. Instead let the program loader use the interpreter specified in the shebang (which is now `python3`).
2020-11-04 15:06:44 -08:00
Joe LeVeque
bef76b102b
[Host OS][docker-vs] No longer install 'wheel' package explicitly (#5641)
It should no longer be necessary to explicitly install the 'wheel' package, as SONiC packages built as wheels should specify 'wheel' as a dependency in their setup.py files. Therefore, pip[3] should check for the presence of 'wheel' and install it if it isn't present before attempting to call 'setup.py bdist_wheel' to install the package.
2020-10-16 15:51:59 -07:00
Joe LeVeque
3987cbd80a
[sonic-utilities] Build and install as a Python wheel package (#5409)
We are moving toward building all Python packages for SONiC as wheel packages rather than Debian packages. This will also allow us to more easily transition to Python 3.

Python files are now packaged in "sonic-utilities" Pyhton wheel. Data files are now packaged in "sonic-utilities-data" Debian package.

**- How I did it**
- Build and install sonic-utilities as a Python package
- Remove explicit installation of wheel dependencies, as these will now get installed implicitly by pip when installing sonic-utilities as a wheel
- Build and install new sonic-utilities-data package to install data files required by sonic-utilities applications
- Update all references to sonic-utilities scripts/entrypoints to either reference the new /usr/local/bin/ location or remove absolute path entirely where applicable

Submodule updates:

* src/sonic-utilities aa27dd9...2244d7b (5):
  > Support building sonic-utilities as a Python wheel package instead of a Debian package (#1122)
  > [consutil] Display remote device name in show command (#1120)
  > [vrf] fix check state_db error when vrf moving (#1119)
  > [consutil] Fix issue where the ConfigDBConnector's reference is missing (#1117)
  > Update to make config load/reload backward compatible. (#1115)

* src/sonic-ztp dd025bc...911d622 (1):
  > Update paths to reflect new sonic-utilities install location, /usr/local/bin/ (#19)
2020-09-20 20:16:42 -07:00
Tamer Ahmed
2de3afaf35
[swss] Enhance ARP Update to Call Sonic Cfggen Once (#5398)
This PR limited the number of calls to sonic-cfggen to one call
per iteration instead of current 3 calls per iteration.

The PR also installs jq on host for future scripts if needed.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-09-18 18:44:23 -07:00
Stepan Blyshchak
6de9390bb0
[build] Add a parameter to specify sonic version during build (#5278)
Introduced a new build parameter 'SONIC_IMAGE_VERSION' that allows build
system users to build SONiC image with a specific version string. If
'SONIC_IMAGE_VERSION' was not passed by the user, SONIC_IMAGE_VERSION will be
set to the output of functions.sh:sonic_get_version function.

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
2020-09-16 10:47:26 -07:00
arheneus@marvell.com
f136fd0623
[ebtbles] Replace binary config file to text config file for ebtables (#5252)
Issue: Binary ebtables config file is CPU arch dependent
Fix: Load the text config during firsttime boot and
     Generate the binary persistent atomic file

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-09-03 17:27:07 -07:00
Renuka Manavalan
47a925cac6
Pass additional parameter "%P" - pid of the process in the initial namespace, which is host. (#5301)
This would enable the coredump_compress script to retrieve additional info regarding the crashing process.
2020-09-03 13:09:57 -07:00
Tamer Ahmed
fdb9d028e9
[redis] Add redis Group And Grant Read/Write Access to Members (#5289)
sonic-cfggen is now using Unix Domain Socket for Redis DB. The socket
is created using root account. Subsequently, services that are started
as admin fails to start. This PR creates redis group and add admin
user to redis group. It also grants read/write access on redis.sock
for redis group members.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-09-02 23:40:22 -07:00
taochengyi
08f3b9720b
[centec]: Add centec arm64 architecture support for E530 (#4641)
summary of E530 platfrom:
 - CPU: CTC5236, arm64
 - LAN switch chip set: CENTEC CTC7132 (TsingMa). TsingMa is a purpose built device to address the challenge in the recent network evolution such as Cloud computing. CTC7132 provides 440Gbps I/O bandwidth and 400Gcore bandwidth, the CTC7132 family combines a feature-rich switch core and an embedded ARM A53 CPU Core running at 800MHz/1.2GHz. CTC7132 supports a variety of port configurations, such as QSGMII and USXGMII-M, providing full-rate port capability from 100M to 100G.
- device E530-48T4X: 48 * 10/100/1000 Base-T Ports, 4 * 10GE SFP+ Ports.
- device E530-24X2C: 24 * 10 GE SFP+ Ports, 2 * 100GE QSFP28 Ports.

add new files in three directories:
device/centec/arm64-centec_e530_24x2c-r0
device/centec/arm64-centec_e530_48t4x_p-r0
platform/centec-arm64

Co-authored-by: taocy <taocy2@centecnetworks.com>
Co-authored-by: Gu Xianghong <gxh2001757@163.com>
Co-authored-by: shil <shil@centecnetworks.com>
2020-08-06 03:16:11 -07:00
lguohan
082c26a27d
[build]: combine feature and container feature table (#5081)
1. remove container feature table
2. do not generate feature entry if the feature is not included
   in the image
3. rename ENABLE_* to INCLUDE_* for better clarity
4. rename feature status to feature state
5. [submodule]: update sonic-utilities

* 9700e45 2020-08-03 | [show/config]: combine feature and container feature cli (#1015) (HEAD, origin/master, origin/HEAD) [lguohan]
* c9d3550 2020-08-03 | [tests]: fix drops_group_test failure on second run (#1023) [lguohan]
* dfaae69 2020-08-03 | [lldpshow]: Fix input device is not a TTY error (#1016) [Arun Saravanan Balachandran]
* 216688e 2020-08-02 | [tests]: rename sonic-utilitie-tests to tests (#1022) [lguohan]

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-08-05 13:23:12 -07:00
Joe LeVeque
c0d1616f89
Introduce sonic-py-common package (#5003)
Consolidate common SONiC Python-language functionality into one shared package (sonic-py-common) and eliminate duplicate code.

The package currently includes three modules:

- daemon_base
- device_info
- logger
2020-07-26 23:15:41 -07:00
isabelmsft
55d3ecd267
Update Kubernetes and kubernetes-cni versions (#5024)
This PR updates kubernetes version to 1.18.6 and kubernetes-cni version to 0.8.6

signed-off by: Isabel Li isabel.li@microsoft.com

Why I did it
Previous kubernetes-cni version (0.7.5) introduced Kubernetes Man In The Middle Vulnerability. “A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.”

How I did it
Defined kubernetes-cni version to be 0.8.6 and updated kubernetes version to be 1.18.6

How to verify it
Check versions by running dpkg -l | grep kube
2020-07-24 10:14:24 -07:00
lguohan
1dcf8ec04f [kernel]: upgrade linux kernel to 4.9.118 (#4897)
upgrade kernel to latest maintenance version 4.9.118

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-07-12 18:08:51 +00:00
abdosi
fc6bcff52b [sonic-buildimage] Changes to make network specific sysctl common for both host and docker namespace (#4838)
* [sonic-buildimage] Changes to make network specific sysctl
common for both host and docker namespace (in multi-npu).

This change is triggered with issue found in multi-npu platforms
where in docker namespace
net.ipv6.conf.all.forwarding was 0 (should be 1) because of
which RS/RA message were triggered and link-local router were learnt.

Beside this there were some other sysctl.net.ipv6* params whose value
in docker namespace is not same as host namespace.

So to make we are always in sync in host and docker namespace
created common file that list all sysctl.net.* params and used
both by host and docker namespace. Any change will get applied
to both namespace.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address Review Comments and made sure to invoke augtool
only one and do string concatenation of all set commands

* Address Review Comments.
2020-07-12 18:08:51 +00:00
Samuel Angebault
67987e9c0e
[secureboot] Add secureboot support for Arista devices (#4741)
* Add secureboot support in boot0
* Initramfs changes for secureboot on Aboot devices
* Do not compress squashfs and gz in fs.zip
It doesn't make much sense to do so since these files are already
compressed.
Also not compressing the squashfs has the advantage of making it
mountable via a loop device.
* Add loopoffset parameter to initramfs-tools
2020-06-22 09:30:31 -07:00
Olivier Singla
68576bc2f9
[kerne]: kernel update from 4.19.0-6 to 4.19.0-6-2 (#4711) 2020-06-21 06:41:23 -07:00
abdosi
88c5d2233b
kubeadm package apt-get install has unmet dependency error (#4804)
to other packages so intsalling them explicitly.
2020-06-18 23:16:00 -07:00
taocy
3be2fc56ba Versions before 18.09 do not install docker-ce-cli 2020-05-25 13:15:19 +00:00
Olivier Singla
799f22d4c7
[baseimage]: Run fsck filesystem check support prior mounting filesystem (#4431)
* Run fsck filesystem check support prior mounting filesystem

If the filesystem become non clean ("dirty"), SONiC does not run fsck to
repair and mark it as clean again.

This patch adds the functionality to run fsck on each boot, prior to the
filesystem being mounted. This allows the filesystem to be repaired if
needed.

Note that if the filesystem is maked as clean, fsck does nothing and simply
return so this is perfectly fine to call fsck every time prior to mount the
filesystem.

How to verify this patch (using bash):

Using an image without this patch:

Make the filesystem "dirty" (not clean)
[we are making the assumption that filesystem is stored in /dev/sda3 - Please adjust depending of the platform]
[do this only on a test platform!]

dd if=/dev/sda3 of=superblock bs=1 count=2048
printf "$(printf '\\x%02X' 2)" | dd of="superblock" bs=1 seek=1082 count=1 conv=notrunc &> /dev/null
dd of=/dev/sda3 if=superblock bs=1 count=2048

Verify that filesystem is not clean
tune2fs -l /dev/sda3 | grep "Filesystem state:"

reboot and verify that the filesystem is still not clean
Redo the same test with an image with this patch, and verify that at next reboot the filesystem is repaired and becomes clean.

fsck log is stored on syslog, using the string FSCK as markup.
2020-04-30 00:33:20 -07:00
Guohan Lu
ec85c2e159 [rsyslog]: setup correct argument for rsyslog.service
in buster, by default, rsyslog service does not create pidfile which
breaks monit configuration

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-04-17 04:51:51 +00:00
bsun-sudo
012c832ce5 [ntp] add ntp support in buster with mgmt vrf (#55)
- create a file in files/image_config/ntp/ntp-systemd-wrapper to add mgmt vrf related start cmd for ntp service. So that the default /usr/lib/ntp/ntp-systemd-wrapper can be overriden during build time.

- modify build_debian.sh to cp files/image_config/ntp/ntp-systemd-wrapper to /usr/lib/ntp/ntp-systemd-wrapper during build time.

Co-authored-by: Bing Sun <Bing_Sun@dell.com>
2020-04-17 04:51:51 +00:00
Stephen Sun
452fc3d99c [baseimage]: Install haveged to accelerates crng init
The initialization of /dev/random (crng init) is responsible for
random number generation. On some devices, crng took very long to
finish.
2020-04-17 04:51:51 +00:00
Guohan Lu
124ce22b8c [initramfs]: porting loopback file system support patch to v0.133
explicitly install dependency linux-base

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-04-17 04:51:51 +00:00
Guohan Lu
e479a56db3 [baseimage]: setup ebtables.service in buster image
ebtables is not enabled by default in buster

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-04-17 04:51:51 +00:00
Guohan Lu
fb12b0a621 [baseimage]: various fixes due to buster changes
do mount/umount in the chroot environment
install cron explicitly
install rasdaemon as a replacement for mcelog
switch python package docker-py to docker
2020-04-17 04:51:51 +00:00
Guohan Lu
67cc385e36 [baseimage]: remove ixgbe.ko as 4.19 has new ixgbe driver
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-04-17 04:51:51 +00:00
Guohan Lu
01cb7934b0 [build]: add buster docker as the last step of the build proces
- build SONIC_STRETCH_DOCKERS in sonic-slave-stretch docker
- build image related module in sonic-slave-buster docker.
  This includes all kernels modules and some packages

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-04-16 10:26:18 +00:00
Renuka Manavalan
f128153706
[baseimage]: Install Kubernetes packages if enabled in image (#4374)
* Install kubernetes worker node packages, if enabled.

* Minor updates

* Added some comments

* Updates per review comments.
Built a private image to test to work fine.

* Remove the removed file.

* Update per comments
Make a fix, as kubeadm no demands a higher version of kubelet & kubectl.
As kubeadm auto install kubectl & kubelet, removing explicit install is an easier/robust fix.

* Changes per review comments.

* Updates per comments.
1) Dropped helper & pod scripts
2) Made install verbose

* Drop creation of pods subdir, as this PR does not use them.

* From comments to 'n' per review comments.

* 1) kubeadm.conf is created as part of kubeadm package install. Hence dropped explicit copy.
2020-04-13 08:41:18 -07:00
Praveen Chaudhary
f2ffd39587
[build_debian.sh]: install python{3,}-pip on sonic base image. (#4380)
Signed-off-by: Praveen Chaudhary pchaudhary@linkedin.com
2020-04-07 20:57:54 -07:00
Ying Xie
4d0b1bb4f3
[NTP] Revert change in PR 2598 (#4265)
We believe that the supervisord issue in face of clock rolling backwards
has been addressed. Therefore reverting change 2598 to allow ntp sync
to right clock at the start up time.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-03-19 08:50:26 -07:00
Nazarii Hnydyn
7912b1da11
[image]: Add SSD maintenance utility - hdparm. (#4177)
Signed-off-by: Nazarii Hnydyn <nazariig@mellanox.com>
2020-02-26 11:27:52 -08:00
Olivier Singla
6a0dcb1b16
[kernel]: security kernel update to 4.9.189 (#3913)
This patch upgrade the kernel from version
4.9.0-9-2 (4.9.168-1+deb9u3) to 4.9.0-11-2 (4.9.189-3+deb9u2)

Co-authored-by: rajendra-dendukuri <47423477+rajendra-dendukuri@users.noreply.github.com>
2020-02-12 17:41:58 -08:00
Prince Sunny
211cff55cd
[kernel]: Increasing gc threshold values for kernel neighbors (#4100)
Increase gc threashold values as below:

Previous:

net.ipv6.neigh.default.gc_thresh1=128
net.ipv6.neigh.default.gc_thresh2=512
net.ipv6.neigh.default.gc_thresh3=1024
net.ipv4.neigh.default.gc_thresh1=128
net.ipv4.neigh.default.gc_thresh2=512
net.ipv4.neigh.default.gc_thresh3=1024

New

net.ipv6.neigh.default.gc_thresh1=1024
net.ipv6.neigh.default.gc_thresh2=2048
net.ipv6.neigh.default.gc_thresh3=4096
net.ipv4.neigh.default.gc_thresh1=1024
net.ipv4.neigh.default.gc_thresh2=2048
net.ipv4.neigh.default.gc_thresh3=4096
2020-02-04 01:03:16 -08:00
Kiran Kumar Kella
97165a0d69
Changes in sonic-buildimage to support the NAT feature (#3494)
* Changes in sonic-buildimage for the NAT feature
- Docker for NAT
- installing the required tools iptables and conntrack for nat

Signed-off-by: kiran.kella@broadcom.com

* Add redis-tools dependencies in the docker nat compilation

* Addressed review comments

* add natsyncd to warm-boot finalizer list

* addressed review comments

* using swsscommon.DBConnector instead of swsssdk.SonicV2Connector

* Enable NAT application in docker-sonic-vs
2020-01-29 17:40:43 -08:00
arheneus@marvell.com
fd6df31b5b [Platform] ARM64 support for Marvell ARM platform (#4043)
[Makefile] Fix for multi docker issue on 19 version above

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-01-23 16:50:17 -08:00
arheneus@marvell.com
6bd17d4780 [initramfs] Updated required tools for initramfs (#3734)
* [initramfs] Updated reuired tools for initramfs

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [initramfs] Updated required tools for initramfs

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [Platform] [Marvell] Platform specific debian package for et6448m device

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* Removed auto-generated files

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [initramfs] Added mtd and uboot firmware tools package required for arm arch
Its been enabled to all arch including amd64

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [initramfs] Added mtd and uboot firmware tools package required for arm arch
Its been enabled to all arch including amd64

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [initramfs] Marvell arm modules update and platform config update

Signed-off-by: Antony Rheneus <arheneus@marvell.com>

* [iniramfs] add initramfs uboot-utils hook script only for ARM

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-01-15 08:25:01 -08:00
Kalimuthu-Velappan
6dcc08e36c [psud]: Fix for psud crash because of database connection reset (#3647)
When database service is down, psud daemon throws an error because of DB connection reset, this because pmon service has no dependency with database service.

To resolve this issue, added database service dependency to the pmon service.

Also, increased the net.core.somaxconn value to 512 to solve the connection failure on the scaled setup.
2020-01-10 13:26:04 -08:00
lguohan
476be913c1
[docker-base-stretch]: Do not check expire for stretch-backports repo (#3958)
* [docker-base-stretch]: Do not check expire for stretch-backports repo

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-12-31 16:30:10 -08:00
Joe LeVeque
24a0c46464
[monit] Build from source and patch to use MemAvailable value if available on system (#3875) 2019-12-30 18:25:57 -08:00
rajendra-dendukuri
fec80293dd ZTP infrastructure changes to support DHCP discovery provisioning data (#3298)
* ZTP infrastructure changes to support DHCP discovery provisioning data

- Dynamically generate DHCP client configuration based on current ZTP state
- Added support to request and process hostname when using DHCPv6
- Do not process graphservice url dhcp option if ZTP is enabled, ZTP service
will process it
- Generate /e/n/i file with all active interfaces seeking address assignment
via DHCP. Only interfaces that are created in Linux will be added to /e/n/i.
Also DHCP is started only on linked up in-band interfaces.

Signed-off-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com>
2019-12-10 08:16:56 -08:00
Olivier Singla
c70d8bca9f [baseimage]: kdump support (#3722)
* In the event of a kernel crash, we need to gather as much information
as possible to understand and identify the root cause of the crash.
Currently, the kernel does not provide much information, which make
kernel crash investigation difficult and time consuming.

Fortunately, there is a way in the kernel to provide more information
in the case of a kernel crash. kdump is a feature of the Linux kernel
that creates crash dumps in the event of a kernel crash. This PR
will add kermel kdump support.

An extension to the CLI utilities config and show is provided to
configure and manage kdump:
 - enable / disable kdump functionality
 - configure kdump (how many kernel crash logs can be saved, memory
   allocated for capture kernel)
 - view kernel crash logs
2019-11-08 23:08:42 -08:00
Ying Xie
9fb1860425
[file permission] explicitly set file permission on passwd, group, shadow (#3652)
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-10-22 19:02:08 -07:00
arheneus@marvell.com
2694e66074 [build]: build ARM kernel support from sonic-linux-kernel (#3556)
* Makefile: ARM kernel support from sonic-linux-kernel
        * Fix for multiarch  build docker spawn
Platform: Install the DTB deb for the platform

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-10-10 15:11:26 -07:00
Qi Luo
1b5c65fcf1 [build]: Update comments on build_debian.sh (#3533) 2019-10-09 17:38:53 -07:00
Harish Venkatraman
31d1a76197 [baseimage]: Management vrf ntp support (#3204)
This commit adds NTP support for management VRF using L3mdev. Config vrf add
mgmt will enable management VRF, enslave the eth0 device to the master device
mgmt, stop ntp service in default, restart interfaces-configs and restart ntp
service in mgmt-vrf context. Requirement and design are covered in mgmt vrf
design document.

Signed-off-by: Harish Venkatraman <harish_venkatraman@dell.com>
2019-09-16 10:21:06 -07:00
Danny Allen
97c675c6d5 [cron.d] Add cron job to periodically clean-up core files (#3449)
* [cron.d] Create cron job to periodically clean-up core files
* Create script to scan /var/core and clean-up older core files
* Create cron job to run clean-up script

Signed-off-by: Danny Allen <daall@microsoft.com>

* Update interval for running cron job

* Respond to feedback

* Change syslog id
2019-09-13 10:50:31 -07:00
lguohan
95a72b4e39
[baseimage]: fix monit configuration (#3448)
- monit config broke by one monit upgrade
- abandon sed approach since it is suspestible to monit config changes
- use unixsocket instead of httpd due to a bug in 5.20.0
2019-09-12 22:48:40 -07:00
Danny Allen
cfcf30570b
[build_debian] Include checksum of ASIC config files in SONiC filesystem (#3384)
[build_debian] Generate checksum of ASIC config files

* Adds script to generate checksums for ASIC config files
* Adds step to build_debian that copies ASIC config checksum into SONiC filesystem

Signed-off-by: Danny Allen daall@microsoft.com
2019-09-05 19:41:35 -07:00
arheneus@marvell.com
7bf8fbe601 [build_debian] docker version update for ARM arch (#3353)
Docker version above 18 has inconsistent behaviour with qemu.
Hence using the same version 18 used in sonic-slave

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-08-28 18:38:21 -07:00
Renuka Manavalan
14458b79ba
Create the src archive in target/ when INSTALL_DEBUG_TOOLS=y (#3323)
* Create the src archive in target/ when INSTALL_DEBUG_TOOLS=y

* Dropped -v (verbose flag) from tar command
2019-08-28 09:29:48 -07:00
lguohan
b2db3971cf
[baseimage]: install ndisc6 package (#3344)
ndisc6 gathers a few diagnostic tools for IPv6 networks including:

 - ndisc6, which performs ICMPv6 Neighbor Discovery in userland,
 - rdisc6, which performs ICMPv6 Router Discovery in userland,
 - rltraceroute6, a UDP/ICMP IPv6 implementation of traceroute,
 - tcptraceroute6, a TCP/IPv6-based traceroute implementation,
 - tcpspray6, a TCP/IP Discard/Echo bandwidth meter,
 - addrinfo, easy script interface for hostname and address resolution,
 - dnssort, DNS sorting script.

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-08-15 00:32:58 -07:00
Tony Titus
91510a7742 [innovium]: Initial commit (#3243)
[build] Add ipmitool
[dockers] Add innovium platform in orchagent + ipmitool in snmp
[platform/innovium] Add innovium platform
[device/celestica] Add x86_64-cel_midstone-r0 device for innovium
[device/delta] Add x86_64-delta_et-c032if-r0 device for innovium
[sonic-slave-stretch] Add texi2html

Signed-off-by: Tony Titus ttitus@innovium.com
2019-08-14 10:40:55 -07:00
arheneus@marvell.com
8de26b7bb9 [Makefile/slave docker] ARM arch doesn't support few packages (#3273)
* [Makefile/slave docker] ARM arch doesn't support few packages
  iproute2 is missing for ARM sonic-slave docker

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-08-06 21:33:14 -07:00
arheneus@marvell.com
50fe458592 [build]: SONiC buildimage ARM arch support (#2980)
ARM Architecture support in SONIC

make configure platform=[ASIC_VENDOR_ARCH] PLATFORM_ARCH=[ARM_ARCH]
SONIC_ARCH: default amd64
armhf - arm32bit
arm64 - arm64bit

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-07-25 22:06:41 -07:00
Harish Venkatraman
3e69427ac0 [baseimage] management VRF support via l3mdev (#2585)
This commit adds support for New feature management VRF using L3mdev.  Added
commands to enable/disable management VRF. Config vrf add mgmt will enable
management VRF, enslave the eth0 device to the master device mgmt and restart
interfaces-configs in mgmt-vrf context.

management interface (eth0) can be configured using config interface eth0 ip
add command and removed using config interface eth0 ip remove command.

Requirement and design are covered in mgmt vrf design document.  Currently show
command displays linux command output; will update show command display in next
PR after concluding what would be the output for the show commands. Added
metric for default routes in dhcp and static, any changes for metric will be
addressed subsequently after discussing.

Signed-off-by: Harish Venkatraman <harish_venkatraman@dell.com>
2019-07-24 16:18:40 -07:00
Neetha John
f64e79172c [docker-engine]: Update docker engine to 18.09.8 (#3211)
Signed-off-by: Neetha John <nejo@microsoft.com>
2019-07-24 09:44:14 -07:00
rajendra-dendukuri
40c8bc14cd [baseimage]: Upgrade ifupdown2 to version 1.2.8 (#3180)
* Upgrade ifupdown2 to version 1.2.8

Required by ZTP to support ZTP over IPv6 transport

Signed-off-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com>
2019-07-19 23:09:14 -07:00
Joe LeVeque
fa8b22ad93 [baseimage]: Install mcelog package to host OS; log machine check exceptions (MCE) to syslog (#3158)
* Install mcelog package to host OS; log machine check exceptions (MCE) to syslog
2019-07-17 09:43:05 -07:00
Qi Luo
6a99dd81be [baseimage]: Remove old ping permission fix because of aufs->overlay filesystem (#3154)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2019-07-13 12:38:10 -07:00
Joe LeVeque
8329ce1d63 [sshd] Close all SSH connetions after 15 minutes of inactivity (#3031)
- What I did

Configure sshd to close all SSH connetions after 15 minutes of inactivity.

- How I did it

Set ClientAliveInterval to 900 (900 seconds = 15 minutes) and ClientAliveCountMax to 0
in /etc/ssh/sshd_config using augtool in build_debian.sh. In the process, I refactored the existing augtool command for sshd_config so as to add comments and empty lines to file for readability.

- How to verify it

Log into device via management port. Wait 15 minutes without sending a keystroke -- you should be automatically logged out.
2019-07-07 00:41:14 -07:00
Renuka Manavalan
76bf5a0bc4 [build]: Added debug symbols to many debug dockers. (#3098)
* Added debug symbols to many debug dockers.

* For debug images *only*:
1) Archive source files into debug image
2) Archived source is copied into /src
3) Created an empty dir /debug
4) Mount both /src as ro & /debug as rw into every docker
5) Login banner will give some details on /src & /debug
6) Devs can copy core file into /debug and view it from inside a container.
7) Dev may create all gdb logs and other data directly into /debug.

* Dropped redundant REDIS_TOOLS per review comments.

* Added debug symbols to frr package and hence FRR based BGP docker.

* 1) Moved dbg_files.sh to scripts/
2) Src directories to archive are now collected from individual Makefiles.
3) Added few more debug symbols
4) Added few more debug dockers.

Here after no more changes except per review comments.

To debug:
Install required version of debug image in Switch or VM.
Copy core file into /debug of host
Get into Docker
gdb /usr/bin/<daemon> -c /debug/<your core file>
set directory /src/... <-- inside gdb to get the source

For non-in-depth debugging:

Download corresponding debug Docker image (docker-...-dbg.gz) to your VM
Load the image
Run image with entrypoint as 'bash' with dir containing core mapped in.
Run gdb on the core.
2019-07-03 22:13:55 -07:00
Joe LeVeque
f14354f003
[monit] Restart rsyslog service if rsyslogd consumes > 800 MB memory (#3117) 2019-07-03 18:21:05 -07:00
Qi Luo
e7b1988638
[submodule] update sonic-linux-kernel (#2985)
* [submodule] update sonic-linux-kernel
* update linux kernel version
* Fix many version strings
* update mellanox components (built with new kernel)
* [mlnx] add make files for SDK WJH libs
* Update arista driver submodule (#8)
Make the debian packaging point to a newer kernel version.
2019-06-18 10:00:16 -07:00
SuvarnaMeenakshi
0f665bdd06 [baseimage] kernel oom-killer to panic when the system is truly out of memory (#2988)
- What I did
Currently when the system is under memory pressure, the OOM killer kicks in and kills a rogue process. Killing a rogue process can cause the device to be un-healthy leading to blackholing of the traffic.

To avoid this, configure the OOM to do a kernel panic which will cause the device to reboot and come back up healthy.

- How I did it
Added the sysctl variable panic_on_oom and set the value to 2.
Setting it to 2 will ensure OOM killer to always do a kernel panic.
2019-06-11 16:19:49 -07:00
lguohan
30b37ec6fb
[build]: make sonic-slave-stretch as the default build docker (#2921)
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-05-27 15:50:51 -07:00
Qi Luo
62ef8593e7 [monit] Set memory usage alert at 50% (#2939)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2019-05-24 02:38:41 -07:00
Ying Xie
9efcf1759a
[ebtables] install ebtables in base image and install filter rules (#2805)
- Add ebtables package, and install some filter rules:
  1. ebtables -A FORWARD -d BGA -j DROP
  2. ebtables -A FORWARD -p ARP -j DROP

Basically, we let the ARP packets in the VLAN being forwarded by the ASIC,
kernel gets a copy of these ARP packets and the forwarding from Kenerl gets
dropped. So there is always only one copy of ARP/response in the VLAN.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-05-09 09:44:41 -07:00
paavaanan
e7485fdcef [baseimage]: Flashrom utitily support for BIOS upgrade (#2867) 2019-05-09 00:09:01 -07:00
paavaanan
b56124bf48 removing dhcp- turn- off option from initrd (#2555)
* removing dhcp changes from initrd

* removing mgmt-intf-dhcp file
2019-04-02 15:48:04 -07:00
Qi Luo
145c1348b3
[docker] Update docker package version for CVE-2019-5736 fix (#2663) 2019-03-18 18:50:05 -07:00
yurypm
d632569a6a Add initramfs hook for Arista devices (#2595)
We are going to use initramfs hook for firmware upgrades
To install Arista hook:
- create folder /mnt/flash/<image dir>/platform/hooks/boot1/ from Aboot or
  /host/<image dir>/platform/hooks/boot1/ from Sonic
- add executable script to created folder
2019-02-27 10:28:04 -08:00
Ying Xie
97f5e05b70
[ntp] disable ntp time jump (#2589)
- removing -g to disable jump when time difference is greater than 1000s
- add -x to disable initial jump
2019-02-20 08:04:12 -08:00
Ramesh Santhanakrishnan
734dcb2185 [build]: apply proxy setting to curl. (#2544) 2019-02-08 22:01:29 -08:00
Mykola F
460281d663 [baseimage] install dmidecode (#2540)
Signed-off-by: Mykola Faryma <mykolaf@mellanox.com>
2019-02-08 11:52:12 -08:00
lguohan
f20665008c
[build]: put stretch debian packages under target/debs/stretch/ (#2519)
* [build]: put stretch debian packages under target/debs/stretch/

* in stretch build phase, all debian packages built in that stage are placed under target/debs/stretch directory.
* for python-based debian packages, since they are really the same for jessie and stretch, they are placed under target/python-debs directory.

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-02-04 22:06:37 -08:00
Prince Sunny
5fe13ad93b
Disable IPv6 ra for eth0 interface (#2493)
* Disable IPv6 ra for eth0 interface
2019-01-29 09:03:23 -08:00
lguohan
36a9678d3e
[baseimage]: install cgroup-tools and set udp_l3mdev_accept=1 (#2485)
cgroup-tools is required to bind a process to l3mdev master

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-01-25 11:47:09 -08:00
lguohan
4ccd35bc25
[kernel]: update sonic kernel to 4.9.0-8-2 (#2468)
* [kernel]: update sonic kernel to 4.9.0-8-2

* 3b2114d 2019-01-20 | [sonic-linux-kernel] add udp_l3mdev_accept kernel upstream patch (#70) (HEAD, azure/master) [Harish Venkatraman]
* 37734aa 2019-01-10 | L3mdev cgroup (#73) [lguohan]
* d631eeb 2018-12-15 | yet another uart race condition fix (#75) [lguohan]

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* Update Mellanox SDK

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* Update arista platform driver to match 4.9.0-8-2 kernel

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-01-25 00:46:09 -08:00
Samuel Angebault
bfe46e0f1d [docker-engine] fix systemd shutdown hang (#2451)
When rebooting without the platform_reboot plugin, systemd takes a few
minutes to properly shutdown. It's blocking on some docker cleanup
operation.

As described by https://github.com/docker/for-linux/issues/421 there
is a race between docker.service and containerd.service.
docker needs containerd to properly stop the containers.
2019-01-16 01:54:14 -08:00
Nikos
e55a7d7db7 [baseimage]: Initial changes for dhcp to support eth0 in a mgmt vrf (#2348)
* Initial changes to support eth0 in a mgmt vrf
2019-01-15 18:15:56 -08:00
lguohan
b57a376622
[docker-engine]: upgrade docker engine to 18.09 (#2417)
* [docker-engine]: upgrade docker engine to 18.09
2019-01-04 20:47:43 -08:00
Nikos
1eecdb31bf [baseimage]: Install netifaces package in sonic-slave docker and sonic image (#1353) 2018-12-15 11:52:36 -08:00
zhenggen-xu
f093ef2a9f [security kernel] Upgrade kernel from 4.9.110-3+deb9u2 to 4.9.110-3+deb9u6 (#2367)
* [security kernel] Upgrade kernel from 4.9.110-3+deb9u2 to 4.9.110-3+deb9u6
short version: 4.9.0-7 to 4.9.0-8

See changelogs for security fixes:
https://tracker.debian.org/media/packages/l/linux/changelog-4.9.110-3deb9u6

Signed-off-by: Zhenggen Xu <zxu@linkedin.com>

* Update sonic-linux-kernel submodule after it was merged

Signed-off-by: Zhenggen Xu <zxu@linkedin.com>
2018-12-11 04:17:17 -08:00
lguohan
64a2b1ce99
[vs]: build sonic vs kvm image (#2269)
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-11-20 22:32:40 -08:00
Joe LeVeque
1e1add90f9
Remove Arista-specific service ACL solution; All platforms now use caclmgrd (#2202) 2018-10-29 10:25:18 -07:00
ironjosh
2d43385927 [baseimage] set default locale en_US.UTF-8 (#1988)
* [baseimage] set default locale en_US.UTF-8

Signed-off-by: chenhu <chenhu@didichuxing.com>

* [baseimage]set default locale to en_US.UTF-8, clean all other unused

* [baseimage] update-locale after locale-gen

* correct update-locale command line

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-09-11 03:15:19 -07:00
Shuotian Cheng
f85a75c811
[debian]: Enable keep_addr_on_down to keep IPv6 addresses (#1992)
Starting from kernel 4.6, this new attribute keep_addr_on_down
is introduced (https://kernelnewbies.org/Linux_4.6).

If set, static global addresses with no expiration time are not
flushed.

Ref:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1705ec197e705b79ea40fe7a2cc5acfa1d3bfac

Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>
2018-08-28 14:40:01 -07:00
Joe LeVeque
98082d56a0 [baseimage]: Download picocom version 3.1-2 from stretch-backports; No longer build from source (#1946) 2018-08-17 17:38:20 -07:00
lguohan
c059d9982a
[baseimage]: install picocom 3.1 in base image (#1943)
* [baseimage]: install picocom 3.1 in base image

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* add picocom to stretch build

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* fix slave.mk bug

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-17 09:06:05 -07:00
lguohan
38f3eba695
[kernel]: upgrade kernel to 4.9.0-7 (4.9.110-3+deb9u1) (#1922)
* [kernel]: upgrade kernel to 4.9.0-7 (4.9.110-3+deb9u1)

Signed-off-by: Guohan Lu <gulv@microsoft.com>

* [mellanox]: Update SDK pointer for 4.9.0-7 kernel (#44)

Signed-off-by: Volodymyr Samotiy <volodymyrs@mellanox.com>

* Update arista drivers for 4.9.0-7 linux kernel (#43)
2018-08-16 08:56:56 -07:00
cawand
9f545456c9 Added picocom and pexpect to base image, for use in consutil (#1935)
Signed-off-by: Cayla Wanderman-Milne <t-cawand@microsoft.com>
2018-08-15 21:41:12 -07:00
Qi Luo
40bb27ca1c Simplify script to install docker (#1925)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2018-08-13 18:30:00 -07:00
lguohan
647af39ff0
[build]: create empty /var/lib/docker if needed (#1920)
stretch docker-engine in base image is not started by default
in the build process. Need to create empty /var/lib/docker

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-12 22:23:43 -07:00
zhenggen-xu
d761630f73 Fix potential blackholing/looping traffic when link-local was used and refresh ipv6 neighbor to avoid CPU hit (#1904)
* Fix potential blackholing/looping traffic and refresh ipv6 neighbor to avoid CPU hit

In case ipv6 global addresses were configured on L3 interfaces and used for peering,
and routing protocol was using link-local addresses on the same interfaces as prefered nexthops,
the link-local addresses could be aged out after a while due to no activities towards the link-local
addresses themselves. And when we receive new routes with the link-local nexthops, SONiC won't insert
them to the HW, and thus cause looping or blackholing traffic.

Global ipv6 addresses on L3 interfaces between switches are refreshed by BGP keeplive and other messages.

On server facing side, traffic may hit fowarding plane only, and no refresh for the ipv6 neighbor entries regularly.
This could age-out the linux kernel ipv6 neighbor entries, and HW neighbor table entries could be removed,
and thus traffic going to those neighbors would hit CPU, and cause traffic drop and temperary CPU high load.

Also, if link-local addresses were not learned, we may not get them at all later.

It is intended to fix all above issues.

Changes:
Add ndisc6 package in swss docker and use it for ipv6 ndp ping to update the neighbors' state on Vlan interfaces
Change the default ipv6 neighbor reachable timer to 30mins
Add periodical ipv6 multicast ping to ff02::11 to get/refresh link-local neighbor info.

* Fix review comments:
Add PORTCHANNEL_INTERFACE interface for ipv6 multicast ping
format issue

* Combine regular L3 interface and portchannel interface for looping

* Add ndisc6 package to vs docker
2018-08-12 03:14:55 -07:00
Guohan Lu
002bff4e45 [baseimage]: use rsyslog in baseimage from stretch repo
Signed-off-by: Guohan Lu <gulv@microsoft.com>
2018-08-11 18:00:10 +00:00
Guohan Lu
0d2ffd885f [baseimage]: move update initramfs to later stage
some platform drivers install blacklist.conf in /etc/modprobe.d.
Those configuration should be proprogated into initramfs to avoid
loading those blacklisted driver.
2018-08-11 09:09:03 +00:00
Guohan Lu
5ae64e7f2d [ixgbe]: compile and install ixgbe to 4.9.0-5 kernel 2018-08-11 09:09:03 +00:00
lguohan
35ab7a6e09 [kernel]: upgrade linux kernel to 4.9.0-5 (4.9.65-3+deb9u2) (#8) 2018-08-11 09:09:03 +00:00
Guohan Lu
0e141a54e9 [baseimage]: install acl package 2018-08-11 09:07:59 +00:00
Guohan Lu
2449fafae0 [kernel]: update kernel submodule and remove standalone igb driver 2018-08-11 09:07:59 +00:00
Guohan Lu
f64ffe8571 [baseimage]: build root filesystem via overlay fs instead of aufs 2018-08-11 09:07:59 +00:00
Guohan Lu
72d70e98be [baseimage]: install systemd-sysv in the base image 2018-08-11 09:07:59 +00:00
Guohan Lu
b6af83ccf8 [baseimage]: upgrade initramfs to 0.130 2018-08-11 09:07:59 +00:00
Guohan Lu
ff1f508f33 [baseimage]: use debian 4.9.0-3 kernel 2018-08-11 09:07:59 +00:00
Guohan Lu
4d701ad037 [baseimage]: update base image from jessie to stretch 2018-08-11 09:07:59 +00:00
Joe LeVeque
7aefa185d4 Download newer version (8.23.0-2) of rsyslog from jessie-backports in hopes of eliminating memory leaks (#1912) 2018-08-09 23:56:41 -07:00
Qi Luo
162e9b6f56 Add monit for /var/log disk usage (#1836)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2018-07-03 17:00:31 -07:00
lguohan
0e5c5f2601
[baseimage]: add commonly used network tools (#1832)
* [baseimage]: add commonly used network tools
2018-07-01 09:46:25 -07:00
Serhey Popovych
8d88455509 [baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary

We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while
image can be build with USERNAME and/or PASSWORD given on make(1)
command line. For example:

  $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin

Fix by displaying USERNAME and PASSWORD variables in build summary.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>

* [baseimage]: Improve default user account handling

There are couple of issues with current implementation of default
user account management in baseimage:

  1) It uses DES to encrypt accounts password. Furthermore this
     effectively limits password length to 8 symbols, even if more
     provided with PASSWORD or DEFAULT_PASSWORD from rules/config.

  2) Salt value for password is same on all builds even with different
     password increasing attack surface.

  3) During the build process password passed as command line parameter
     either as plain text (if given to make(1) as "make PASSWORD=...")
     or DES encrypted (if given to build_debian.sh) can be seen by
     non-build users using /proc/<pid>/cmdline file that has group and
     world readable permissions.

Both 1) and 2) come from:

  perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"

that by defalt uses DES if salt does not have format $<id>$<salt>$,
where <id> is hashing function id. See crypt(3) for more details on
valid <id> values.

To address issues above we propose following changes:

  1) Do not create password by hands (e.g. using perl snippet above):
     put this job to chpasswd(8) which is aware about system wide
     password hashing policy specified in /etc/login.defs with
     ENCRYPT_METHOD (by default it is SHA512 for Debian 8).

  2) Now chpasswd(8) will take care about proper salt value.

  3) This has two steps:

    3.1) For compatibility reasons accept USERNAME and PASSWORD as
         make(1) parameters, but warn user that this is unsafe.

    3.2) Use process environment to pass USERNAME and PASSWORD variables
         from Makefile to build_debian.sh as more secure alternative to
         passing via command line parameters: /proc/<pid>/environ
         readable only by user running process or privileged users like
         root.

Before change:
--------------

  hash1
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
                                      ^^^^^^^^
                                      8 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Note the hash (DES encrypted password)

  hash2
  -----
  # u='admin'
  # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
                                      ^^^^^^^^^^^^
                                      12 symbols
  # echo "$u:$p" | chpasswd -e

  # getent shadow admin
  admin:sazQDkwgZPfSk:17680:0:99999:7:::
        ^^^^^^^^^^^^^
        Hash is the same as for "YourPaSs"

After change:
-------------

  hash1
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
           ^^^^^^^^
           Note salt here
  ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::

  hash2
  -----
  # echo "admin:YourPaSs" | chpasswd
  # getent shadow admin
  admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
           ^^^^^^^^
           Here salt completely different from case above
  plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::

Since salt is different hashes for same password different too.

  hash1
  -----
  # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
                                             ^^^^^
                                             We want SHA512 hash
  $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
  yd2ELrIMJ.FQLNjgSD0nNha7/

  hash2
  -----
  # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
  $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
  kYDI8zwRumRwga/A29nHm4mZ1

Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but
different password length we have different hashes.

Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
2018-06-09 11:29:16 -07:00
Qi Luo
d54a7ae566
[baseimage] Adding setuid permissions to ping binaries, so sudo is no longer needed (#1765) 2018-06-04 21:01:53 -07:00
Prince Sunny
5e64310a56 [baseimage]: Disable DAD for eth0 explicitly (#1701) 2018-05-12 01:31:17 -07:00
lguohan
d269263938
[baseimage]: add screen package (#1644) 2018-04-26 13:53:54 -07:00
padmanarayana
dda00292f3 Sonic fstrim (#1520)
* Update Dell submodule for fstrim support

* Revert PR 1500 since fstrim files are now part of submodule
2018-03-21 13:15:05 -07:00
Shuotian Cheng
871161e868
[build_debian]: Add quote to specify values as string (#1503) 2018-03-16 01:09:33 -07:00
padmanarayana
3bb24a975d [debian]: Add fstrim service files to systemd (#1500) 2018-03-15 13:16:00 -07:00
AndriiS
9065e09bee [baseimage] Added net.core.wmem_max value required by Copp test (#1489) 2018-03-14 09:20:47 -07:00
padmanarayana
02b62ac9bb [fast-reboot]: Support OS9 -> SONiC fast-reboot migration (#1414)
* Support OS9 -> SONiC fast-reboot migration

* Address review comments. Update NOS mac in EEPROM and net.rules for eth0

* Address review comments. Update sonic-platform-modules-dell to fac81d...

* Fix script for POSIX compliance
2018-03-08 16:42:41 -08:00
byu343
ecf5c8d311 ssh and snmp allow list (#1363)
- Service ACL framework for Arista platforms
2018-02-08 17:43:52 -08:00
padmanarayana
0d0752e099 Reduce SONiC migration partition from 8G to 1G. (#1343)
* Reduce SONiC migration partition from 8G to 1G.

* Changes to create 1G partition with ability to resize post migration.

* Remove redundant changes in varlog

* Use findfs to interpret root. Move resize in case cmdline params are reordered
2018-02-07 22:07:01 +08:00
Qi Luo
358949b4e5
Upgrade linux-image version (#1294)
* Upgrade linux-image version
* Add missing dependency of igb
* Fix mft build rule
* Add missing dependency of ixgbe
* [Broadcom]: Update OpenNSL modules to be compatible with kernel 3.16.0-5 (#3)
* [Nephos] Update SDK version to support new kernel module 3.16.0-5 (#4)
* [mellanox]: Update URL for SDK (#5)
2018-01-31 11:39:48 -08:00
pavel-shirshov
9e2facbdc9 [baseimage]: Install sysfsutils package into SONiC host system (#1290) 2018-01-10 03:04:32 -08:00
Joe LeVeque
0fffa6c63b
Add caclmgrd and related files to translate and install control plane ACL rules (#1240) 2018-01-09 17:55:10 -08:00
Qi Luo
f077f41ce9
Let debootstrap uses the same sources link as apt (#1279) 2018-01-03 22:22:58 -08:00
Taoyu Li
39a99e1a07 [image]: Explicitly specify kernel_version as string (#1280) 2018-01-03 21:43:06 -08:00
lguohan
15d433d975
[build]: allow to use http(s) proxy in the build (#1265)
* allow to use http(s) proxy in the build

To enable this, use following command
http_proxy=[your_proxy] https_proxy=[your_proxy] make
2017-12-23 23:34:15 -08:00
kaiyu22
63de341dd6 [Platform] Add Ingrasys S9130-32X and S9230-64X with Nephos Switch ASIC (#1245)
* Add switch ASIC vendor and platforms for Nephos

- What I did
Add switch ASIC vendor: Nephos
Add Nephos platforms: Ingrasys S9130-32X, Ingrasys S9230-64X

- How I did it
Add platform/nephos files
Add platform/nephos/sonic-platform-modules-ingrasys submodule
Add device/ingrasys/x86_64-ingrasys_s9130_32x-r0 files
Add device/ingrasys/x86_64-ingrasys_s9230_64x-r0 files
Add SONiC to support Nephos platform

- How to verify it
To build SONiC installer image and docker images, run the following commands:
make configure PLATFORM=nephos
make target/sonic-nephos.bin
Check system and network feature is worked as well

- Description for the changelog
Add switch ASIC vendor and platforms for Nephos

- A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Sam Yang <yang.kaiyu@gmail.com>

* Advance sonic-sairedis submodule to include #271 (Add Nephos ASIC)
2017-12-22 10:04:29 -08:00
Samuel Angebault
7f25b94378 [aboot]: Add setfacl in the initramfs (#1185)
Arista platforms need the filesystem ACLs to be removed on boot to
prevent invalid permission to be set for new files.
2017-11-24 17:30:11 -08:00
Shuotian Cheng
b07886ec3c [build_debian]: Install grub-common in the base image (#1014) 2017-10-05 21:43:25 -07:00
ravijo2
458093fee5 Framework to plugin Organization specific scripts during ONIE Image build (#951)
* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* Framework to plugin Organization specific scripts

* add getopt option to organization script
2017-09-19 16:23:31 -07:00
padmanarayana
6935e00909 [build/onie installer] Install grub for SONiC post migration from another NOS (#949)
* Install grub for SONiC post migration from another NOS

* Install grub from bundled debian package instead of using ONIE's. Address review comments
2017-09-17 11:41:29 -07:00
lguohan
116ba4b180 [baseimage]: allocate varlog disk in the initramfs stage (#936)
moving to initramfs unifies disk allocate on different platforms.
use fallocate instead of dd to speed up the disk allocation.

By default, mkfs.ext4 has -E discard option which discards the blocks
at the mkfs time, also speed up the initialization time.
2017-09-06 20:07:32 -07:00
Ying Xie
1a4f039f55 [quagga] enable core dump for bgpd and zebra (#927)
* [core dump] pass unix time to coredump-compress script

Currently we only have program name (e.g. bgpd) and PID in the core file
name. PID could collide especially after docker restart or recreate.

Passing the unix time to coredump-compress so it could also add time to
the core file name.

* [utilities] include the change to coredump_compress script

* [quagga] enable core dump for bgpd and zebra

bgpd and zebra downgrade their privilege shortly after started. For that
sysctrl kernel.suid_dumpable needs to be set to 2, so that they can dump
core.

Note that fs.suid_dumpable SHOULD NOT be set to 1. Which will bypass all
system security.
2017-08-30 09:41:47 -07:00