Commit Graph

8031 Commits

Author SHA1 Message Date
jcaiMR
253ff6685d
advance dhcprelay to 67a3bdf (#14455)
Why I did it
advnace dhcprelay to latest version

67a3bdf12e7d24260bf114c46da033e2be5f57cd show counters wrong cli output fixed [vivekrnv]
2023-03-29 08:13:29 -07:00
mssonicbld
6e11833a6c
[ci/build]: Upgrade SONiC package versions (#14430) 2023-03-29 18:39:10 +08:00
Ye Jianquan
7509eb3bcd
Refine testbedv2 pr template (#14371)
Description for the changelog
Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
2023-03-29 18:35:08 +08:00
Konstantin Vasin
80d30daf88
[Build] don't install rsync if vcache is disabled #14407
Why I did it
We don't need to install rsync in every docker container if vcache is disabled.

How I did it
Install rsync in pre_run_buildinfo script only if vcache is enabled.

How to verify it
2023-03-29 07:10:29 +08:00
xumia
320366ab60
[Build] Fix the installation candidate not found issue when building docker-sonic-vs (#14439)
Why I did it
Fix the installation candidate not found issue when building docker-sonic-vs

How I did it
Need to run the command "apt-get update" to update the mirror indexes before installing the package gnupg

How to verify it
2023-03-28 14:04:33 +08:00
Saikrishna Arcot
9726ec8420
Always use the openssl backend of curl (#14351)
Why I did it
This should make sure that the openssl backend of curl is used, instead of the gnutls or nss backend, for consistency reasons.
2023-03-28 13:44:49 +08:00
Hua Liu
4c059d8eb5
Improve sudo cat command for RO user. (#14428)
Improve sudo cat command for RO user.

#### Why I did it
RO user can use sudo command show none syslog files.

#### How I did it
Improve sudo cat command for RO user.

#### How to verify it
Pass all UT.
Manually check fixed code work correctly.

#### Description for the changelog
Improve sudo cat command for RO user.
2023-03-27 17:08:14 -07:00
Konstantin Vasin
7230b59559
[Build] fix sonic-slave empty build log (#14408)
New docker versions use stderr instead of stdout to print info when build image.
As a resullt we got empty log files.

the fix is to redirect stderr to stdout when build sonic-slave images.
2023-03-27 14:58:44 -07:00
Isabella J de Leon
74695747ab
[Build] Fix marvell-arm64 build redis_dump_load-1.1-py2-none-any.whl fail (#14375)
#### Why I did it
Fixes #9216
#### How I did it
Add support for python2 redis to the sonic-slave-stretch and sonic-slave-buster Dockerfiles
#### How to verify it
Run build steps documented in Issue #9216
2023-03-27 14:40:30 -07:00
oleksandrx-kolomeiets
4da51b07ad
Set owner after restoring counters folder during warmboot (#13507)
Why I did it
After warm reboot, show environment prints the following error:
failed to import plugin show.plugins.macsec: [Errno 13] Permission denied: '/tmp/cache/macsec'

How I did it
Set owner back to admin after restoring counters folder.

How to verify it
sudo warm-reboot, then ensure show environement does not print errors.

Signed-off-by: Oleksandr Kolomeiets <oleksandrx.kolomeiets@intel.com>
2023-03-27 10:32:07 -07:00
Keshav Gupta
d630b2f91c
[Innovium] Innovium build changes for master branch (#13512)
To Fix innovium build issue

Signed-off-by: Keshav Gupta <keshavg@marvell.com>
2023-03-27 10:29:31 -07:00
Gokulnath-Raja
cedc4d914f
[sflow] Exception handling for if_nametoindex (#11437) (#13567)
catch system error and log as warning level instead of
error level in case interface was already deleted.

Why I did it
sflow process exited when failed to convert the interface index from interface name

How I did it
Added exception handling code and logged when OSError exception.

How to verify it
Recreated the bug scenario #11437 and ensured that sflow process not exited.

Description for the changelog
catch system error and log as warning level instead of
error level in case interface was already deleted.

Logs
steps :

root@sonic:~# sudo config vlan member del 4094 PortChannel0001
root@sonic:~# sudo config vlan member del 4094 Ethernet2
root@sonic:~# sudo config vlan del 4094
root@sonic:~#

"WARNING sflow#port_index_mapper: no interface with this name" is  seen but no crash is reported
syslogs :


Jan 23 09:17:24.420448 sonic NOTICE swss#orchagent: :- removeVlanMember: Remove member Ethernet2 from VLAN Vlan4094 lid:ffe vmid:27000000000a53
Jan 23 09:17:24.420710 sonic NOTICE swss#orchagent: :- flushFdbEntries: flush key: SAI_OBJECT_TYPE_FDB_FLUSH:oid:0x21000000000000, fields: 3
Jan 23 09:17:24.420847 sonic NOTICE swss#orchagent: :- recordFlushFdbEntries: flush key: SAI_OBJECT_TYPE_FDB_FLUSH:oid:0x21000000000000, fields: 3
Jan 23 09:17:24.426082 sonic NOTICE syncd#syncd: :- processFdbFlush: fdb flush succeeded, updating redis database
Jan 23 09:17:24.426242 sonic NOTICE syncd#syncd: :- processFlushEvent: received a flush port fdb event, portVid = oid:0x3a000000000a52, bvId = oid:0x26000000000a51
Jan 23 09:17:24.426374 sonic NOTICE syncd#syncd: :- processFlushEvent: pattern ASIC_STATE:SAI_OBJECT_TYPE_FDB_ENTRY:*oid:0x26000000000a51*, portStr oid:0x3a000000000a52
Jan 23 09:17:24.427104 sonic NOTICE bgp#fpmsyncd: :- onRouteMsg: RouteTable del msg for route with only one nh on eth0/docker0: fe80::/64 :: eth0
Jan 23 09:17:24.427182 sonic NOTICE bgp#fpmsyncd: :- onRouteMsg: RouteTable del msg for route with only one nh on eth0/docker0: fd00::/80 :: docker0
Jan 23 09:17:24.428502 sonic NOTICE swss#orchagent: :- meta_sai_on_fdb_flush_event_consolidated: processing consolidated fdb flush event of type: SAI_FDB_ENTRY_TYPE_DYNAMIC
Jan 23 09:17:24.429058 sonic NOTICE swss#orchagent: :- meta_sai_on_fdb_flush_event_consolidated: fdb flush took 0.000606 sec
Jan 23 09:17:24.431496 sonic NOTICE swss#orchagent: :- setHostIntfsStripTag: Set SAI_HOSTIF_VLAN_TAG_STRIP to host interface: Ethernet2
Jan 23 09:17:24.431675 sonic NOTICE swss#orchagent: :- flushFdbEntries: flush key: SAI_OBJECT_TYPE_FDB_FLUSH:oid:0x21000000000000, fields: 2
Jan 23 09:17:24.431797 sonic NOTICE swss#orchagent: :- recordFlushFdbEntries: flush key: SAI_OBJECT_TYPE_FDB_FLUSH:oid:0x21000000000000, fields: 2
Jan 23 09:17:24.437009 sonic NOTICE swss#orchagent: :- meta_sai_on_fdb_flush_event_consolidated: processing consolidated fdb flush event of type: SAI_FDB_ENTRY_TYPE_DYNAMIC
Jan 23 09:17:24.437532 sonic NOTICE swss#orchagent: :- meta_sai_on_fdb_flush_event_consolidated: fdb flush took 0.000514 sec
Jan 23 09:17:24.437942 sonic NOTICE syncd#syncd: :- processFdbFlush: fdb flush succeeded, updating redis database
Jan 23 09:17:24.438065 sonic NOTICE syncd#syncd: :- processFlushEvent: received a flush port fdb event, portVid = oid:0x3a000000000a52, bvId = oid:0x0
Jan 23 09:17:24.438173 sonic NOTICE syncd#syncd: :- processFlushEvent: pattern ASIC_STATE:SAI_OBJECT_TYPE_FDB_ENTRY:*, portStr oid:0x3a000000000a52
Jan 23 09:17:24.440348 sonic NOTICE swss#orchagent: :- removeBridgePort: Remove bridge port Ethernet2 from default 1Q bridgeJan 23 09:17:29.782554 sonic NOTICE swss#orchagent: :- removeVlan: VLAN Vlan4094 still has 1 FDB entries
Jan 23 09:17:29.791373 sonic WARNING sflow#port_index_mapper: no interface with this name

Signed-off-by: Gokulnath-Raja <Gokulnath_R@dell.com>
2023-03-27 10:19:05 -07:00
Ikki Zhu
f550c86bd7
[Seastone] DX010 platform switch to sfp-refactor based sfp impl (#13972)
Why I did it
sonic-sfp based sfp impl would be deprecated in future, change to sfp-refactor based implementation.

How I did it
Use the new sfp-refactor based sfp implementation for seastone.

How to verify it
Manual test sfp platform api or run sfp platform test cases.
2023-03-27 10:17:21 -07:00
Ikki Zhu
105decc4d1
[celestica/e1031]: enable emc2305 fan controller timeout feature (#14401)
Why I did it
There is rare condition, emc2305 hold SMBus and cause SMBus completion wait timed out.

How I did it
Enable EMC2305 SMBus timeout feature, 30ms period of inactivity will reset the interface.

How to verify it
Use 'i2cget -y -f 23 0x4d 0x20 b' to read EMC2305 configuration register and check DIS_TO bit not set.

Signed-off-by: Eric Zhu <erzhu@celestica.com>
2023-03-27 10:14:37 -07:00
Liu Shilong
f19c8a7be5
[ci] Fix build issue for vs vhdx image. #14427
Why I did it
sonic-slave-stretch build failed for mmh3 version update to 3.10 on Mar 24.

How I did it
Enable reproducible build for vhdx image.

How to verify it
2023-03-27 16:58:37 +00:00
jcaiMR
b3c73f84ff
change static rt expiry timer max value (#14397)
Why I did it
Change static route expiry timer max timeout value from 1800 to 172800.
To keep same value range as defined in sonic-restapi/sonic_api.yaml

How I did it
How to verify it
apply change to bgpcfd, restart bgp container see if the value take action.
2023-03-26 20:21:37 +08:00
Konstantin Vasin
6ef32d1fdf
use sources.list to calc sonic-slave-user tag (#14409)
Why I did it
This is a fix for c63e9fe
SLAVE_TAG should include all dependencies used for SLAVE_BASE_TAG

How I did it
Take sources.list.* into account when calculate SLAVE_TAG

How to verify it
2023-03-25 22:28:24 +08:00
mssonicbld
fb6e37819b
[ci/build]: Upgrade SONiC package versions (#14414) 2023-03-25 19:21:56 +08:00
Hua Liu
fb695fed6c
Update sonic-py-common, add missing dependency to redis-dump-load (#14347)
Update sonic-py-common, add missing dependency to redis-dump-load.

#### Why I did it
The script sonic_db_dump_load.py in sonic-py-common is depends on redis-dump-load, however the dependency is missing.

#### How I did it
Add redis-dump-load dependency.

#### How to verify it
Pass all E2E test case.

#### Description for the changelog
Update sonic-py-common, add missing dependency to redis-dump-load.
2023-03-23 09:57:23 -07:00
Neetha John
ab097788d5
[qos] Update RDMA-CENTRIC lossy profile to use static threshold for Th devices (#14372)
Why I did it
For better accounting purposes, updating the ingress lossy traffic profile to use static threshold. This change is only intended for Th devices using RDMA-CENTRIC profiles

How I did it
Update the buffer templates for Th devices in RDMA-CENTRIC folder to use the correct threshold

How to verify it
Verified the changes manually on a Th device.
Existing unit tests render Th template from the RDMA-CENTRIC folder. Updated the expected output to use the correct threshold
2023-03-23 09:31:06 -07:00
xumia
67a57ccda7
Fix the demo_part_size not initialized issue when creating partition (#14296)
Why I did it
The demo_part_size should be initialized before creating partition.

How I did it
Move the initializing setting to the line before using it.

How to verify it
2023-03-23 21:51:47 +08:00
mssonicbld
20f1ab8203
[ci/build]: Upgrade SONiC package versions (#14383) 2023-03-22 19:34:21 +08:00
mssonicbld
393dc18bdb [submodule] Update submodule to the latest HEAD automatically 2023-03-21 20:46:10 +08:00
Vivek
ac4fb0a5ca
[submodule] Advance sonic-linux-kernel pointer (#14305)
Update sonic-linux-kernel submodule pointer to include the following:
* 6847319 Read ID register for optoe1 to find pageable bit in optoe driver  ([#308](https://github.com/sonic-net/sonic-linux-kernel/pull/308))
* 42ad073 Add markers to faciliate easy parsing of kconfig-inclusion and series ([#309](https://github.com/sonic-net/sonic-linux-kernel/pull/309))

Signed-off-by: Vivek Reddy <vkarri@nvidia.com>
2023-03-21 13:36:31 +02:00
Sudharsan Dhamal Gopalarathnam
8bd65a3847
[yang]Updating vxlan yang model to include IPv6 source in VxLAN tunnel (#14363)
- Why I did it
Update VxLAN yang model to include IPv6 source in VxLAN tunnel. The src_ip field can include both ipv4 as well as ipv6 address

- How I did it
Updated yang model.

- How to verify it
Added UT to verify
2023-03-21 13:35:45 +02:00
ShiyanWangMS
06795931b7
Add AZP agent necessary packages to sonic-mgmt-docker (#14291)
Why I did it
Add AZP agent necessary packages to sonic-mgmt-docker
Remove Python 201811 venv
Update some packages in order to meet internal security requirements

How I did it
Update sonic-mgmt-docker file

How to verify it
sonic-mgmt-docker can run: bash, apt update, apt install and ping.
start.sh is under /azp with exec permission.
env-201811 venv is removed.
jinja2 is upgrade to 2.10.1
2023-03-21 08:09:44 +08:00
Zain Budhwani
881b925d19
Fix telemetry.sh passing in null as log level value (#14303)
#### Why I did it

Bug in script that was passing in null as log level value if missing from config_db

#### How I did it

Added more robust conditional statement

#### How to verify it

1) Remove log_level from config db
2) config reload -y
3) telemetry should not crash
2023-03-20 16:22:11 -07:00
mssonicbld
4429bdd091
[ci/build]: Upgrade SONiC package versions (#14354) 2023-03-21 01:10:17 +08:00
xumia
7209666374
[Security] Fix some of vulnerability issue relative python packages (#14269)
Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]

How I did it
2023-03-20 14:15:45 +08:00
Saikrishna Arcot
3bbfaa1ee8
Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye (#13294)
* Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* iproute2: Force a new version and timestamp to be used for the package

There is an issue with Docker's overlay2 storage driver when not using
native diffs (and thus falling back to naive diff mode), which is the
case in the CI builds. The way the naive diff mode detects changes is by
comparing the file size and comparing the timestamps (specifically, I
believe it's the modification timestamp), and if there's a change there,
then it's considered a change that needs to be recorded as part of that
layer.

The problem is that with the code being added in the patch, the file
size remains the same, and the timestamp of binary files appear to be
the same timestamp as the changelog entry (likely for reproducible build
purposes). The file size remains the same likely due to extra padding
within the file introduced by relro. Because of this, Docker doesn't
detect this file has changed, and doesn't save the new file as part of
this layer.

To work around this, create a new changelog entry (with a new version as
well) with a new timestamp. This will result in the binary files having
a different timestamp, and thus will get saved by Docker as part of that
layer.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-03-19 21:14:27 -07:00
mssonicbld
1e8e993a94 [ci/build]: Upgrade SONiC package versions 2023-03-20 09:00:28 +08:00
mssonicbld
89ebd43c81
[ci/build]: Upgrade SONiC package versions (#14311)
Upgrade SONiC Versions
2023-03-19 10:16:41 +08:00
jcaiMR
c0a02b1f82
advance dhcprelay to 1d221b0 (#14068) 2023-03-17 15:54:53 -07:00
Dev Ojha
de17f72d9a
[Buffer] Added cable length config to buffer config template for EdgeZoneAggregator (#14280)
Why I did it
SONiC currently does not identify 'EdgeZoneAggregator' neighbor. As a result, the buffer profile attached to those interfaces uses the default cable length which could cause ingress packet drops due to insufficient headroom. Hence, there is a need to update the buffer templates to identify such neighbors and assign the same cable length as used by the T1.

How I did it
Modified the buffer template to identify EdgeZoneAggregator as a neighbor device type and assign it the same cable length as a T1/leaf router.

How to verify it
Unit tests pass, and manually checked on a 7260 to see the changes take effect.

Signed-off-by: dojha <devojha@microsoft.com>
2023-03-17 11:01:17 -07:00
mssonicbld
96817c4357
[ci/build]: Upgrade SONiC package versions (#14102)
Upgrade SONiC Versions
2023-03-17 10:12:30 +08:00
lixiaoyuner
935f5dc5f0
Install kubernetes-cni for kubelet (#14163)
Why I did it
Find a new bug on kubelet side. The kubernetes-cni plug-in was removed in #12997, the reason is that the plug-in will be auto installed when install kubeadm, and will report error if we don't remove the install code. But after removal, the version auto installed is different from what we installed before. This will affect the kubelet action in some scenarios we don't find before. Need to install it by another way.

How I did it
Install kubernetes-cni==0.8.7-00 before install kubeadm

How to verify it
Flannel binary will be installed under /opt/cni/bin/ folder
2023-03-16 17:21:37 -07:00
Neetha John
f30fb6ec58
[storage_backend] Add backend acl service (#14229)
Why I did it
This PR addresses the issue mentioned above by loading the acl config as a service on a storage backend device

How I did it
The new acl service is a oneshot service which will start after swss and does some retries to ensure that the SWITCH_CAPABILITY info is present before attempting to load the acl rules. The service is also bound to sonic targets which ensures that it gets restarted during minigraph reload and config reload

How to verify it
Build an image with the following changes and did the following tests

Verified that acl is loaded successfully on a storage backend device after a switch boot up
Verified that acl is loaded successfully on a storage backend ToR after minigraph load and config reload
Verified that acl is not loaded if the device is not a storage backend ToR or the device does not have a DATAACL table

Signed-off-by: Neetha John <nejo@microsoft.com>
2023-03-16 14:18:28 -07:00
Neetha John
8e4ce44e5c
Update dynamic threshold for TD2 (#14224)
Why I did it
Update dynamic threshold to -1 to get optimal performance for RDMA traffic

How I did it
Modified pg_profile_lookup.ini to reflect the correct value

Signed-off-by: Neetha John <nejo@microsoft.com>
2023-03-16 10:06:46 -07:00
Vivek
f19c414176
[lldpmgrd] Don't log error message for outdated event (#14178)
- Why I did it
Fixes #14236

When a redis event quickly gets outdated during port breakout, error logs like this are seen

Mar  8 01:43:26.011724 r-leopard-56 INFO ConfigMgmt: Write in DB: {'PORT': {'Ethernet64': {'admin_status': 'down'}, 'Ethernet68': {'admin_status': 'down'}}}
Mar  8 01:43:26.012565 r-leopard-56 INFO ConfigMgmt: Writing in Config DB
Mar  8 01:43:26.013468 r-leopard-56 INFO ConfigMgmt: Write in DB: {'PORT': {'Ethernet64': None, 'Ethernet68': None}, 'INTERFACE': None}
Mar  8 01:43:26.018095 r-leopard-56 NOTICE swss#portmgrd: :- doTask: Configure Ethernet64 admin status to down
Mar  8 01:43:26.018309 r-leopard-56 NOTICE swss#portmgrd: :- doTask: Delete Port: Ethernet64
Mar  8 01:43:26.018641 r-leopard-56 NOTICE lldp#lldpmgrd[32]: :- pops: Miss table key PORT_TABLE:Ethernet64, possibly outdated
Mar  8 01:43:26.018654 r-leopard-56 ERR lldp#lldpmgrd[32]: unknown operation ''

- How I did it
Only log the error when the op is not empty and not one of ("SET" & "DEL" )

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-03-16 18:15:50 +02:00
Vivek
4856c2f22d
[submodule] Advance sonic-dbsyncd pointer
fa8b709 Handled the error case of negative age (#57)
990f5b0 Use github code scanning instead of LGTM (#55)
a7992c5 Install libyang for swss-common. (#50)
244fa86 Update README.md

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-03-16 10:04:23 +02:00
dbarashinvd
06d6dafcf3
[Mellanox] fix for watchdog device not found, adding dependency on hw-management (#14182)
- Why I did it
Sometimes Nvidia watchdog device isn't ready when watchdog-control service is up after first installation from ONIE
need to delay watchdog control service to go up after hw-mgmt which gets devices up and ready

- How I did it
Delay Nvidia watchdog-control service before hw-mgmt has started on Mellanox platform in order to avoid missing or not ready watchdog device.

- How to verify it
verification test of ONIE installation of image in a loop
making sure watchdog service is always up (not failed) after first installation from ONIE
2023-03-15 18:36:20 +02:00
Junchao-Mellanox
03cab99a7a
[system-health] Make check interval more accurate (#14085)
- Why I did it

Healthd check system status every 60 seconds. However, running checker may take several seconds. Say checker takes X seconds, healthd takes (60 + X) seconds to finish one iteration. This implementation makes sonic-mgmt test case not so stable because the value X is hard to predict and different among different platforms. This PR introduces an interval
compensation mechanism to healthd main loop.

- How I did it

Introduces an interval compensation mechanism to healthd main loop: healthd should wait (60 - X) seconds for next iteration

- How to verify it

Manual test
Unit test
2023-03-15 07:21:00 +02:00
kellyyeh
7d585dc48d
Update dhcpv6-relay yang model (#14144)
Why I did it
Add interface-id in dhcpv6-relay yang model

How I did it
Add interface-id option and corresponding UT. Updated configuration.md

How to verify it
kellyyeh@kellyyeh:~/sonic-buildimage/src/sonic-yang-models$ pyang -Vf tree -p /usr/local/share/yang/modules/ietf ./yang-models/sonic-dhcpv6-relay.yang
2023-03-14 22:01:55 -07:00
FuzailBrcm
d3e3565a6c
Fix issue: enhancing PDDF common eeprom APIs to use caching (#13835) (#13848)
Why I did it
To enhance pddf_eeprom.py to use caching and fix #13835

How I did it
Utilising the in-built caching mechanism in the base class eeprom_base.py.
Adding a cache file to store the eeprom data.

How to verify it
By running 'decode-syseeprom' or 'show platform syseeprom' commands.
2023-03-14 17:54:58 -07:00
FuzailBrcm
f822373e53
Enabling FPGA device support in PDDF (#13477)
Why I did it
To enable FPGA support in PDDF.

How I did it
Added FPGAI2C and FPGAPCI in the build path for the PDDF debian package
Added the support for FPGA access APIs in the drivers of fan, xcvr, led etc.
Added the FPGA device creation support in PDDF utils and parsers

How to verify it
These changes can be verified on some platform using such FPGAs. For testing purpose, we took Dell S5232f platform and brought it up using PDDF. In doing so, FPGA devices are created using PDDF and optics eeproms were accessed using common FPGA drivers. Below are some of the logs.
2023-03-14 17:53:35 -07:00
Samuel Angebault
8bd6a8891c
[Arista] Update platform library submodules (#14037)
- Add chassis platform API reboot
- Add fwutil hooks for firmware updates
- Fix PikeZ i2c bus identification issue
- Fix testing issue
2023-03-14 09:36:25 -07:00
Prince George
1cbfc9ceb8
[yang]: Add Yang model support for adding Channel to PORT table (#14228)
Why I did it
Add 'channel' to the CONFIG_DB PORT table. This will be needed to support PORT breakout to multiple channel ports so that Xcvrd can understand which datapath or channel to initialize on the CMIS compliant optics

How I did it
Add 'channel' to the CONFIG_DB PORT table.

How to verify it
Added unit test for valid and invalid channel number
Channel 0 -> No breakout
Channel 1 to 8 -> Breakout channel 1,2, ..8

Signed-off-by: Prince George <prgeor@microsoft.com>
2023-03-14 09:34:16 -07:00
Sudharsan Dhamal Gopalarathnam
43af6b925c
[submodule] Update sonic-swss submodule (#14177)
Update sonic-swss submodule pointer to include the following:
* 98a16cf [ACL] Write ACL table/rule creation status into STATE_DB ([#2662](https://github.com/Azure/sonic-swss/pull/2662))
* a2c9a61 [EVPN]Handling error scenarios during route programming and IMR add ([#2670](https://github.com/Azure/sonic-swss/pull/2670))
* 115efe8 [bfdorch] add default TOS value for BFD session ([#2689](https://github.com/Azure/sonic-swss/pull/2689))
* a198289 [orchagent, SRv6]: create seglist support to set sid list type ([#2406](https://github.com/Azure/sonic-swss/pull/2406))
2023-03-14 08:50:20 -07:00
Dror Prital
35f8101b50
Update SDK/FW to version 4.5.4206/4.5.4204 (#14164)
- Why I did it
To include latest fixes:

Fix traffic loss on all routed traffic when moving from 4.4.3372/XX_2008_3388 to 4.5.4118-012/XX_2010_4120-010. Issue occurred after ISSU process in Spectrum 1 only, When upgrading from older version to a new one. Neighbor entries are overwritten.
Fix When using mirror session policer on SPC2/3, the actual CIR was 1.28 times more than the configured CIR value.
Fix Creation of router interface of type bridge may occasionally fail if create is performed immediately after delete.
Fix False errors during SDK deinitialization may be seen in the syslog

- How I did it
Updated SDK submodule and relevant makefiles with the required versions.

- How to verify it
Build an image and run tests from "sonic-mgmt".
2023-03-14 16:27:38 +02:00
davidpil2002
8098bc4bf5
Add Secure Boot Support (#12692)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly
2023-03-14 14:55:22 +02:00