Commit Graph

7288 Commits

Author SHA1 Message Date
DavidZagury
4fd2a6297f
[Secure Boot] Add Secure Boot Support (#12692) (#14963)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly

Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
2023-05-15 10:13:26 +08:00
Akhilesh Samineni
e6fa396aaa
SONiC Yang model support for IPv6 link local (#15021)
This is backport of #14757

SONiC Yang model support for IPv6 link local

What I did
Created SONiC Yang model for IPv6 link local

How I did it
Defined Yang models for IPv6 link local based on https://github.com/sonic-net/SONiC/blob/master/doc/ipv6/ipv6_link_local.md

How to verify it
Added enable test case.

Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com
2023-05-12 13:54:19 +08:00
mssonicbld
d426984336
[build] update isc-dhcp to 4.4.1-2.3+deb11u2 to fix build failure (#15002) (#15022) 2023-05-12 01:58:38 +08:00
Zain Budhwani
adc57a8881
[202211] Update 202211 sonic-gnmi head (#15005)
Work item tracking
Microsoft ADO (number only):13468195
2023-05-10 22:02:13 -07:00
Samuel Angebault
59c7d39ef5
[202211][Arista] Update platform library submodules (#14828)
Fix watchdog reboot cause for wolverine linecard
Fix PSU fan speed of 0% by adding max RPM to most psu descriptions
Add product DCS-7060DX5-64
Add product DCS-7060DX5-32
2023-05-08 14:09:37 +08:00
Vivek
f49ae28948 [Mellanox] Fix the hw-mgmt intg tool case sensitivity for KConfig (#14709)
Fix the script to consider case sensitivity while writing the kconfig

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-05-06 12:32:19 +08:00
mssonicbld
10e635be93
[Mellanox] Facilitate automatic integration of new hw-mgmt (#14594) (#14966) 2023-05-06 09:08:54 +08:00
Gokulnath-Raja
eb99648a4e
[sflow] Exception handling for if_nametoindex (#11437) (#14457)
catch system error and log as warning level instead of
     error level in case interface was already deleted

Signed-off-by: Gokulnath-Raja <Gokulnath_R@dell.com>
2023-05-05 16:11:12 -07:00
mssonicbld
a29d982aa5 [submodule] Update submodule sonic-host-services to the latest HEAD automatically 2023-05-05 16:32:24 +08:00
Saikrishna Arcot
e87621cdab [build]: Disable stretch slave container (#12868)
The only platforms that currently need the stretch slave container are
innovium and nephos, and both are not building with the current code due
to other issues. All other platforms only need buster and bullseye slave
containers.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-05-05 14:33:45 +08:00
mssonicbld
679f036d8e [submodule] Update submodule sonic-swss to the latest HEAD automatically 2023-05-02 16:32:24 +08:00
Lior Avramov
d7d8d7754d
[Mellanox] [202211] Replace iproute2 supplied by SDK to iproute2 downloaded from Debian repository (#14726) (#14724)
- Why I did it
Mellanox syncd container will be based on Debian iproute2 plus patches instead of Nvidia internal version of iproute2

- How I did it
Download iproute2 from Debian repository, apply patches and compile to create a new target.
The target is then deployed in syncd container of Mellanox switches only.
The new target is called IPROUTE2_MLNX.

- How to verify it
Compile and load on switch, verify interfaces network devices created successfully.
Verify LLDP shows connections to neighbors.
Verify ping between 2 hosts over 2 router ports is successful.
2023-05-02 10:29:02 +03:00
Dror Prital
70082d8362
[202211][submodule] Advance sonic-sairedis pointer (#14905)
Update sonic-sairedis submodule pointer to include the following:
* 61cf1ce Revert Ignore removing switch for mellanox platform due to known limitation (1216) ([#1232](https://github.com/sonic-net/sonic-sairedis/pull/1232))

Signed-off-by: dprital <drorp@nvidia.com>
2023-05-02 08:09:28 +03:00
Ying Xie
f6216435c8
Revert "Clear DNS configuration received from DHCP during networking reconfiguration in Linux. (#13516)" (#14901)
This reverts commit 5ef488f808.
2023-05-01 16:49:08 -07:00
mssonicbld
6ba666e0ec
[sonic-host-services] start host service on mgmt-framework/telemetry (#14517) (#14856) 2023-05-01 21:06:26 +08:00
mssonicbld
776937c48f
[ci/build]: Upgrade SONiC package versions (#14894) 2023-04-30 18:37:57 +08:00
mssonicbld
4479245996
[ci/build]: Upgrade SONiC package versions (#14889) 2023-04-29 18:57:14 +08:00
mssonicbld
99d6003717
Changes to support TSA from supervisor (#14691) (#14878) 2023-04-28 21:11:55 +08:00
mssonicbld
98cc292390 [submodule] Update submodule sonic-swss-common to the latest HEAD automatically 2023-04-27 16:33:16 +08:00
mssonicbld
5ac1051f8f
Temporary WA for the issue that asic_table.json can not be rendered (#13888) (#14857) 2023-04-27 02:57:10 +08:00
mssonicbld
e0ef5b9808
[write standby] force DB connections to use unix socket to connect (#14524) (#14773) 2023-04-24 01:49:42 +08:00
mssonicbld
727afb593d
[yang]: Modify yang model to handle subport in PORT table (#14519) (#14772) 2023-04-23 21:10:06 +08:00
mssonicbld
f53c7b66cd
[Fast-boot] Clear teamd-timer when finalizing fast-reboot (#14583) (#14774) 2023-04-23 21:07:26 +08:00
mssonicbld
e786108bbd
[Build] Fix the installation candidate not found issue when building docker-sonic-vs (#14439) (#14769) 2023-04-23 21:05:59 +08:00
mssonicbld
e462cb1b07
Add monit_snmp file to monitor memory usage (#14464) (#14770) 2023-04-23 21:00:20 +08:00
mssonicbld
70cfef252f
Delay mux/sflow/snmp timer after interface-config service (#14506) (#14771) 2023-04-23 20:52:06 +08:00
mssonicbld
72776df8ba [ci/build]: Upgrade SONiC package versions 2023-04-23 20:46:40 +08:00
Stephen Sun
1d3fa0b03c Enhance the error message output mechanism (#14384)
#### Why I did it

Enhance the error message output mechanism during swss docker creating

#### How I did it

Capture the output to stderr of `sonic-cfggen` and output it using `echo` to make sure the error message will be logged in syslog.

#### How to verify it

Manually test
2023-04-23 18:32:40 +08:00
Hua Liu
d859a4ed5b Install python-redis package to docker containers (#14632)
Install python-redis package to docker containers

#### Why I did it
This this bug: https://github.com/sonic-net/sonic-buildimage/issues/14531
The 'flush_unused_database' is part of docker-database, and docker-database does not install python-redis package by itself. it's using redis installed by sonic-py-swsssdk.
So after remove sonic-py-swsssdk from container, this script break.

To this this bug and avoid similer bug happen again, install python-redis to docker containers which removed sonic-py-swsssdk .

#### How I did it
Install python-redis to containers.

#### How to verify it
Pass all UT.
Create new UT to cover this scenario: https://github.com/sonic-net/sonic-mgmt/pull/8032

#### Description for the changelog
Improve sudo cat command for RO user.
2023-04-23 14:33:22 +08:00
mssonicbld
be75dd9958
Update check of IP_TYPE from ACL Yang model (#13810) (#14759) 2023-04-22 20:45:11 +08:00
mssonicbld
73e0cb63bc
Fix telemetry.sh passing in null as log level value (#14303) (#14763) 2023-04-22 20:42:14 +08:00
mssonicbld
b2976a97dc
Refactor the logic of tagging kube container as local latest (#14367) (#14764) 2023-04-22 20:41:38 +08:00
mssonicbld
e9daace147
[ci/build]: Upgrade SONiC package versions (#14800) 2023-04-22 18:35:55 +08:00
mssonicbld
8e1bbab07d
[image_config] add rasdaemon.timer (#14300) (#14762) 2023-04-22 00:18:05 +08:00
mssonicbld
abc45d2f3d [submodule] Update submodule sonic-host-services to the latest HEAD automatically 2023-04-21 18:32:56 +08:00
mssonicbld
ce778cb741 [submodule] Update submodule sonic-swss to the latest HEAD automatically 2023-04-21 18:32:48 +08:00
mssonicbld
e60182f73c
[submodule] Update submodule sonic-utilities to the latest HEAD automatically (#14785) 2023-04-21 17:07:25 +08:00
Hua Liu
bee30fdfb9 Improve sudo cat command for RO user. (#14428)
Improve sudo cat command for RO user.

#### Why I did it
RO user can use sudo command show none syslog files.

#### How I did it
Improve sudo cat command for RO user.

#### How to verify it
Pass all UT.
Manually check fixed code work correctly.

#### Description for the changelog
Improve sudo cat command for RO user.
2023-04-21 06:32:24 +08:00
mssonicbld
565e24b708
Update golang version for telemetry build in sonic-slave-buster to fix (#14636) (#14776) 2023-04-21 04:35:49 +08:00
mssonicbld
89f019435f
Update golang version for telemetry build in sonic-slave-buster to fix CVE-2021-33195 (#14637) (#14777) 2023-04-21 04:34:59 +08:00
xumia
61fe9b924f [Ci] Fix the wrong SONIC_BUILD_JOBS build variable used issue in Azp (#14071)
Why I did it
[Ci] Fix the no parallel jobs in some of the platforms issue
We observed some of the pipelines running more time than expected. The issue is the SONIC_BUILD_JOBS using the wrong value 1. It is caused by the runtime variable issue, there is additional single quota mark character added in the make command line.

make 'SONIC_BUILD_JOBS=$(nproc)' targe/xxxx
Need to change to

make SONIC_BUILD_JOBS=$(nproc) targe/xxxx
It is to improve the build performance for some of the platforms using the variable SONIC_BUILD_JOBS=1.
Good one vs: https://dev.azure.com/mssonic/build/_build/results?buildId=227986&view=logs&j=cef3d8a9-152e-5193-620b-567dc18af272&t=cf595088-5c84-5cf1-9d7e-03331f31d795

"SONIC_BUILD_JOBS"                : "8"
Bad one barefoot: https://dev.azure.com/mssonic/build/_build/results?buildId=227379&view=logs&j=993d6e22-aeec-5c03-fa19-35ecba587dd9&t=7be0d2ec-661f-5569-462c-2d9b7ca4ca5d

"SONIC_BUILD_JOBS"                : "1"
How I did it
Expand the BUILD_OPTIONS variable for all platforms.
2023-04-21 04:32:47 +08:00
Marty Y. Lok
1ce2b50143 [marvell-armhf][uboot-setting] Fix the print menu for marvell-armhf print menu on Nokia-7215 (#13933)
Why I did it
After sonic-install install a new image, print_menu is set echo without any data. No image info between Hit any key to stop autoboot:  0 and  Start USB

Board configuration detected:
Net:   
|  port  | Interface | PHY address  |
|--------|-----------|--------------|
No ethernet found.
Hit any key to stop autoboot:  0 

(Re)start USB...
USB0:   Port (usbActive) : 0    Interface (usbType = 2) : USB EHCI 1.00
scanning bus 0 for devices... 3 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
How I did it
The fw_setenv print_menu is missing the double quotes. That causes the value is truncated. Using double quotes to in the environment setting.

How to verify it
Install new image with this fix. And reboot the system. The following section should be shown:

Signed-off-by: mlok <marty.lok@nokia.com>
2023-04-21 02:33:03 +08:00
Hua Liu
51b60613f7 [S6100] Improve S6100 serial-getty monitor, wait and re-check when getty not running to avoid false alert. (#14402)
[S6100] Improve S6100 serial-getty monitor, wait and re-check when getty not running to avoid false alert. 

#### Why I did it
On S6100, the serial-getty service some time can't auto-restart by systemd. So there is a monit unit to check serial-getty service status and restart it.

However, this monit will report false alert, because in most case when serial-getty not running, systemd can restart it successfully.

To avoid the false alert, improve the monitor to wait and re-check.

Steps to reproduce this issue:
1. User login to device via console, and keep the connection.
2. User login to device via SSH, check the serial-getty@ttyS1.service service, it's running.
3. Run 'monit reload' from SSH connection.
4. Check syslog 1 minutes later, there will be false alert: ' 'serial-getty' process is not running'

#### How I did it
Add check-getty.sh script to recheck again later when getty service not running.
And update monit unit to check serial-getty service status with this script to avoid false alert.

#### How to verify it
Pass all UT.
Manually check fixed code work correctly:


```
admin@***:~$ sudo systemctl stop  serial-getty@ttyS1.service
admin@***:~$ sudo /usr/local/bin/check-getty.sh 
admin@***:~$ echo $?
1
admin@***:~$ sudo systemctl status serial-getty@ttyS1.serviceserial-getty@ttyS1.service - Serial Getty on ttyS1
     Loaded: loaded (/lib/systemd/system/serial-getty@.service; enabled-runtime; vendor preset: enabled)
     Active: inactive (dead) since Tue 2023-03-28 07:15:21 UTC; 1min 13s ago

admin@***:~$ sudo /usr/local/bin/check-getty.sh 
admin@***:~$ echo $?
0
admin@***:~$ sudo systemctl status serial-getty@ttyS1.serviceserial-getty@ttyS1.service - Serial Getty on ttyS1
     Loaded: loaded (/lib/systemd/system/serial-getty@.service; enabled-runtime; vendor preset: enabled)
```

syslog:
```
Mar 28 07:10:37.597458 *** INFO systemd[1]: serial-getty@ttyS1.service: Succeeded.
Mar 28 07:12:43.010550 *** ERR monit[593]: 'serial-getty' status failed (1) -- no output
Mar 28 07:12:43.010744 *** INFO monit[593]: 'serial-getty' trying to restart
Mar 28 07:12:43.010846 *** INFO monit[593]: 'serial-getty' stop: '/bin/systemctl stop serial-getty@ttyS1.service'
Mar 28 07:12:43.132172 *** INFO monit[593]: 'serial-getty' start: '/bin/systemctl start serial-getty@ttyS1.service'
Mar 28 07:13:43.286276 *** INFO monit[593]: 'serial-getty' status succeeded (0) -- no output
```

#### Description for the changelog
[S6100] Improve S6100 serial-getty monitor.

#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
2023-04-21 02:32:56 +08:00
mssonicbld
aea1980b14
[ci/build]: Upgrade SONiC package versions (#14720) 2023-04-19 19:30:56 +08:00
mssonicbld
cdd346782e
Add teamd patches to solve traffic loss issue when removing port from LAG (#14002) (#14684) 2023-04-17 02:18:42 +08:00
mssonicbld
cc22d69fd3
[ci/build]: Upgrade SONiC package versions (#14680) 2023-04-16 18:59:28 +08:00
mssonicbld
b4dafae65d
[ci/build]: Upgrade SONiC package versions (#14673) 2023-04-15 20:37:33 +08:00
mssonicbld
3f80038813
[submodule] Update submodule sonic-host-services to the latest HEAD automatically (#14669) 2023-04-15 15:48:53 +08:00
mssonicbld
d7cd1bfd73 [submodule] Update submodule sonic-linux-kernel to the latest HEAD automatically 2023-04-14 18:32:23 +08:00
mssonicbld
4193c88d36 [submodule] Update submodule sonic-swss to the latest HEAD automatically 2023-04-14 18:32:18 +08:00