* Revert "[202205] [Mellanox] Fix issue: user must set admin down before toggling LPM (#14370)"
This reverts commit f74c69e876.
* update copyright header
Signed-off-by: Kebo Liu <kebol@nvidia.com>
Why I did it
Today at most 128 LAGs are supported. This is not sufficient if there are many LAGs with just few ports.
How I did it
Increase LAG Ids to 1024 for DNX device.
Co-authored-by: Song Yuan <64041228+ysmanman@users.noreply.github.com>
What I did:
Revert the GTSM feature for VOQ iBGP session done as part of #16777.
Why I did:
On VOQ chassis BGP packets go over Recycle Port and then for Ingress Pipeline Routing making ttl as 254 and failing single hop check.
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
Co-authored-by: abdosi <58047199+abdosi@users.noreply.github.com>
#### Why I did it
src/sonic-swss
```
* fbab6b75 - (HEAD -> 202205, origin/202205) [Chassis][202205][orchagent] : Support WRED profiles on system ports (#2945) (9 hours ago) [vmittal-msft]
```
#### How I did it
#### How to verify it
#### Description for the changelog
Why I did it
The current DEVICE_NEIGHBOR_METADATA yang model has two issues that would block GCU operation when it checks if the current config aligns with the YANG model:
Missing cluster field in YANG
Incomplete set of device type. The device type in YANG model doesn't include all the device type.
Work item tracking
Microsoft ADO (number only): 25577813
How I did it
Add cluster field in DEVICE_NEIGHBOR_METADATA YANG model.
Change device type to string.
Fix the UT test accordingly.
How to verify it
Build the image and verify the unit tests passed.
Signed-off-by: zitingguo-ms <zitingguo@microsoft.com>
Fix#13561
The existing saidump use https://github.com/sonic-net/sonic-swss-common/blob/master/common/table_dump.lua script which loops the ASIC_DB more than 5 seconds and blocks other processes access.
This solution uses the Redis SAVE command to save the snapshot of DB each time and recover later, instead of looping through each entry in the table.
Related PRs:
sonic-net/sonic-utilities#2972sonic-net/sonic-sairedis#1288sonic-net/sonic-sairedis#1298
How did I do it?
To use the Redis-db SAVE option to save the snapshot of DB each time and recover later, instead of looping through each entry in the table and saving it.
1. Updated dockers/docker-base-bullseye/Dockerfile.j2, install Python library rdbtools into the all the docker-base-bullseye containers.
2. Updated sonic-buildimage/src/sonic-sairedis/saidump/saidump.cpp, add a new option -r, which updates the rdbtools's output-JSON files' format.
3. To add a new script file: syncd/scripts/saidump.sh into the sairedis repo. This shell script does the following steps:
For each ASIC, such as ASIC0,
3.1. Config Redis consistency directory.
redis-cli -h $hostname -p $port CONFIG SET dir $redis_dir > /dev/null
3.2. Save the Redis data.
redis-cli -h $hostname -p $port SAVE > /dev/null
3.3. Run rdb command to convert the dump files into JSON files
rdb --command json $redis_dir/dump.rdb | tee $redis_dir/dump.json > /dev/null
3.4. Run saidump -r to update the JSON files' format as same as the saidump before.
Then we can get the saidump's result in standard output."
saidump -r $redis_dir/dump.json -m 100
3.5. Clear the temporary files.
rm -f $redis_dir/dump.rdb
rm -f $redis_dir/dump.json
4. Update sonic-buildimage/src/sonic-utilities/scripts/generate_dump. To check the asic db size and if it is larger than ROUTE_TAB_LIMIT_DIRECT_ITERATION (with default value 24000) entries, then do with REDIS SAVE, otherwise, to do with old method: looping through each entry of Redis DB.
How to verify it
On T2 setup with more than 96K routes, execute CLI command -- generate_dump
No error should be shown
Download the generate_dump result and verify the saidump file after unpacking it.
Currently hostcfgd script overrides the systemd service files of the features depending upon auto_restart enable/disable.
I am skipping dependent features(syncd, gbsyncd for now) to have "RESTART=Always"
for them to not start immediately, and instead get started by SWSS through swss.sh script.
The issue of syncd double stop is also applicable to pizza box platforms, however no traffic impact is seen there, whereas on VOQ chassis, we do see traffic impact due to early start of syncd service.
Update the Brcm SAI 7.0 with following fixes
Offical Brcm SDK fix for memory leak
(CS00012315073 [7.0][J2C+] : PFCWD counter polling causing continuous mem leak on production device)
Official Brcm fix for CPU high
(CS00012317195 High CPU due to SDK calling soc_dnxc_port_resource_get for few stats counters even with bcmCNTR thread)
Offical Brcm SAI fix for getting voq counters working.
CSP CS00012319503: DNX SAI 7.1.60.4 has broken Voq counters support
How to verify it
Validated by running the nightly pipeline on a chassis platform.
Validated that the voq counters, by sensind traffic from T1 VM --> T3 VM
Port Voq Counter/pkts Counter/bytes Drop/pkts Drop/bytes
---------------------------------- ----- -------------- --------------- ----------- ------------
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ0 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ1 27 1968 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ2 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ3 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ4 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ5 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ6 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet48 VOQ7 0 0 0 0
Port Voq Counter/pkts Counter/bytes Drop/pkts Drop/bytes
---------------------------------- ----- -------------- --------------- ----------- ------------
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ0 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ1 7099 625680 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ2 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ3 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ4 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ5 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ6 0 0 0 0
svcstr-xxxx-lc1-1|asic0|Ethernet56 VOQ7 0 0 0 0
---------------
The CPU usage has come down in SUP
System 'xxxx-sup-1'
status Running
monitoring status Monitored
monitoring mode active
on reboot start
load average [7.94] [8.70] [7.54]
cpu 2.6%us 45.0%sy 0.0%wa <<<<-- it is 45%
memory usage 8.9 GB [28.6%]
swap usage 0 B [0.0%]
uptime 21m
boot time Fri, 17 Nov 2023 21:55:55
data collected Fri, 17 Nov 2023 22:16:59
-------------
syncd memory usage no increasing.
Why I did it
A race condition exists while the TPH is processing a netlink message - if a second netlink message arrives during processing it will be missed since TPH is not listening for other messages.
Another bug was found where TPH was unnecessarily restarting since it was checking admin status instead of operational status of portchannels.
How I did it
Subscribe to APPL_DB for updates on LAG operational state
Track currently sniffed interfaces
How to verify it
Send tunnel packets with destination IP of an unresolved neighbor, verify that ping commands are run
Shut down a portchannel interface, verify that sniffer does not restart
Send tunnel packets, verify ping commands are still run
Bring up portchannel interface, verify that sniffer restarts
Signed-off-by: Lawrence Lee <lawlee@microsoft.com>
Why I did it
When using sonic-slave-buster to convert sonic-vs.img.gz to vhdx, it also needs reproducible options.
Otherwise it will rebuild sonic-slave-buster because tag different.
Work item tracking
Microsoft ADO (number only): 25615544
How I did it
Add build options to use same sonic-slave docker when generating vhdx image.
How to verify it
Why I did it
To avoid orchagent crash issue like sonic-net/sonic-swss#2935, disable unsupported counters on SONiC management devices.
Work item tracking
Microsoft ADO (number only): 25437720
How I did it
Update the minigraph parser to disable unsupported counters on management devices.
How to verify it
Verified by unittest.
Manually apply patch to DUT and do config load_minigraph
Co-authored-by: Zhijian Li <zhijianli@microsoft.com>
* [baseimage]: Update openssh to 1:8.4p1-5+deb11u2 (#16826)
Openssh in Debian Bullseye has been updated to 1:8.4p1-5+deb11u2 to fix CVE-2023-38408.
Since we're building openssh with some patches, we need to update our version as well.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Remove main deb installation for derived deb build (#16859)
* Don't install dependencies of derived debs
When "building" a derived deb package, don't install the dependencies of
the package into the container. It's not needed at this stage.
* Re-add openssh-client and openssh-sftp-server as derived debs
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---------
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Re-add missing dependency for derived debs. (#16896)
* Re-add missing dependency for derived debs.
My previous changed removed the whole dependency on the main deb
existing, not just the installation of the main deb. Fix this by
readding a dependency on the main deb being built/pulled from cache.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
* Add the kernel and initramfs as dependencies for RFS build
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---------
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---------
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
What I did:
Make Sure for internal iBGP we are one-hop away (directly connected) by using Generic TTL security mechanism.
Why I did:
Without this change it's possible on packet chassis i-BGP can be established even if there no direct connection. Below is the example
- Let's say we have 3 LC's LC1/LC2/LC3 each having i-BGP session session with each other over Loopback4096
- Each LC's have static route towards other LC's Loopback4096 to establish i-BGP session
- LC1 learn default route 0.0.0.0/0 from it's e-BGP peers and send it over to LC2 and LC3 over i-BGP
- Now for some reason on LC2 static route towards LC3 is removed/not-present/some-issue we expect i-BGP session should go down between LC2 and LC3
- However i-BGP between LC2 and LC3 does not go down because of feature ip nht-resolve-via-default where LC2 will use default route to reach Loopback4096 of LC3. As it's using default route BGP packets from LC2 towards LC3 will first route to LC1 and then go to LC3 from there.
Above scenario can result in packet mis-forwarding on data plane
How I fixed it:-
To make sure BGP packets between i-BGP peers are not going with extra routing hop enable using GTSM feature
neighbor PEER ttl-security hops NUMBER
This command enforces Generalized TTL Security Mechanism (GTSM), as specified in RFC 5082. With this command, only neighbors that are the specified number of hops away will be allowed to become neighbors. This command is mutually exclusive with ebgp-multihop.
We set hop count as 1 which makes FRR to reject BGP connection if we receive BGP packets if it's TTL < 255. Also setting this attribute make sure i-BGP frames are originated with IP TTL of 255.
How I verify:
Manual Verification of above scenario. See blow BGP packets receive with IP TTL 254 (additional routing hop) we are seeing FIN TCP flags as BGP is rejecting the connection
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
Release Notes for Cisco 8102-32FH-O:
Fixed platform_test failures in test_component.py
IOFPGA_SJTAG label under ‘fwutil show status’ changed to IOFPGA’
Validated auto FPD upgrade