Commit Graph

638 Commits

Author SHA1 Message Date
Sudharsan Dhamal Gopalarathnam
238a50ff13
[P4RT]Disabling p4rt by default to overcome build issues (#16343)
To fix #16015

P4RT is causing instability in build due to regular failures. Disabling P4RT by default
2023-09-01 11:07:50 -07:00
Ye Jianquan
5204bfb5e5
Revert "Remove privileged flag for database and snmp docker (#13783)" (#16210)
This reverts commit cf72683f12.
2023-08-19 21:03:42 +03:00
Mai Bui
6c96b29484
[docker-teamd] limit privileged flag for teamd container (#15829)
Signed-off-by: Mai Bui <maibui@microsoft.com>
2023-08-17 09:48:57 -07:00
Mai Bui
030c57200d
[docker-lldp] limit privileged flag for lldp container (#15830)
#### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420

#### How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN capability
2023-08-15 11:27:12 -07:00
Andriy Dobush
cf72683f12
Remove privileged flag for database and snmp docker (#13783)
#### Why I did it
Reduce docker privilege 
This is part of HLD https://github.com/sonic-net/SONiC/pull/1364

#### How I did it
Remove flag --privileged
#### How to verify it
docker exec -it database bash
root@0048b82b460b:/# ip link add dummy0 type dummy
RTNETLINK answers: Operation not permitted
2023-08-15 11:18:50 -07:00
Ze Gan
055fe90d3f
[build]: Remove uselses proto package (#16093)
Why I did it
The protoc-dev isn't used by SONiC, but it was added to the derived package.

Work item tracking
Microsoft ADO (number only): 17417902

How I did it
Remove protoc-dev from protobuf.mk

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-08-11 11:52:24 -07:00
Saikrishna Arcot
519a1e4a91
Update sairedis submodule (#16072)
* Update sairedis submodule

This submodule update needs to be manually done due to build changes
done in the sairedis submodule. Specifically, Debian build profiles are
now being used instead of dpkg build targets, and dbgsym packages are
being used instead of dbg packages. Because of this, there needs to be
changes on the sonic-buildimage side for this.

This is a reland of #15720, which was reverted in #15995 due to the RPC
package build failing. That failure has since been fixed, and the
PR pipeline has been updated to build the RPC package so that this is
checked at the PR stage.

This submodule update brings in the following changes:

```
4dbdb21 Fix RPC package build failure due to shell syntax issue (#1268)
588d596 Make sure new binaries replace existing binaries in docker-sonic-vs (#1269)
ce8f642 [vs] Use boost join to concatenate switch types in config (#1266)
d6055a2 [vslib]: Temporaily map DPU switch type to NVDA_MBF2H536C (#1259)
e1cdb4d [CodeQL]: Use dependencies with relevant versions in azp template. (#1262)
c08f9a2 [CI]: Fix collect log error in azp template. (#1260)
eed856c [CodeQL]: Fix syncd compilation in azp template. (#1261)
a3f1f1a Reland 'Make changes to building and packaging sairedis (#1116)' (#1194)
```

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Update sairedis submodule with the fix for the RPC package build

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-08-11 09:00:46 -07:00
Sachin Holla
04ffd67fda
Ensure sonic yangs wheel is built before sonic-mgmt-common (#15226)
* Enhanced slave.mk to accept python wheels as dependency for a deb
  target. Dependent wheel names should be specified through the new
  {deb_name}_WHEEL_DEPENDS variable in the deb's make rules. The wheel
  will be built and installed in the slave docker before starting the
  deb build.

* Added sonic_yang_models-1.0-py3-none-any.whl as dependency for
  sonic-mgmt-common.deb. This is required for using the sonic yangs in
  UMF

Signed-off-by: Sachin Holla <sachin.holla@broadcom.com>
2023-08-09 11:40:00 -07:00
Sudharsan Dhamal Gopalarathnam
7bdd0d8011
[frr]: FRR 8.5.1 integration changes (#15965)
Why I did it
Upgrading FRR 8.5.1 to include latest fixes.

New patches that were added:

Patch	FRR Pull request	Issue fixed
0012-zebra-Rename-vrf_lookup_by_tableid-to-zebra_vrf_look.patch	FRRouting/frr#13396	#14866
0013-zebra-Move-protodown_r_bit-to-a-better-spot.patch	FRRouting/frr#13396	#14866
0014-zebra-Remove-unused-dplane_intf_delete.patch	FRRouting/frr#13396	#14866
0015-zebra-Remove-unused-add-variable.patch	FRRouting/frr#13396	#14866
0016-zebra-Remove-duplicate-function-for-netlink-interfac.patch	FRRouting/frr#13396	#14866
0017-zebra-Add-code-to-get-set-interface-to-pass-up-from-.patch	FRRouting/frr#13396	#14866
0018-zebra-Use-zebra-dplane-for-RTM-link-and-addr.patch	FRRouting/frr#13396	#14866
0019-zebra-Abstract-dplane_ctx_route_init-to-init-route-w.patch	FRRouting/frr#13757	FRRouting/frr#13754
00020-zebra-Fix-crash-when-dplane_fpm_nl-fails-to-process-.patch	FRRouting/frr#13757	FRRouting/frr#13754

Removed patches:

Patch	Upstream FRR commit that is present in 8.5.1
0001-Add-support-of-bgp-tcp-DSCP-value.patch	FRRouting/frr@425bd64
0010-zebra-Note-when-the-netlink-DUMP-command-is-interrup.patch	FRRouting/frr@2f71996
0011-bgpd-enhanced-capability-is-always-turned-on-for-int.patch	FRRouting/frr@8e89adc
0012-Ensure-ospf_apiclient_lsa_originate-cannot-accidently-write-into-stack.patch	FRRouting/frr@d2aeac3 , FRRouting/frr@49efc80, FRRouting/frr@ff6db10
0013-zebra-fix-dplane-fpm-nl-to-allow-for-fast-configuration.patch	FRRouting/frr@551fa8c
0014-bgpd-Allow-network-XXX-to-work-with-bgp-suppress-fib.patch	FRRouting/frr@4801fc4
0015-zebra-Return-statements-do-not-use-paranthesis.patch	FRRouting/frr@871a16c
0016-zebra-Add-zrouter.asic_notification_nexthop_control.patch	FRRouting/frr@06525c4
0017-zebra-Re-arrange-fpm_read-to-reduce-code-duplication.patch	FRRouting/frr@7d83e13
0018-zebra-Add-dplane_ctx_get-set_flags.patch	FRRouting/frr@10388e9
0019-zebra-Rearrange-dplane_ctx_route_init.patch	FRRouting/frr@f935122
0020-zebra-Add-ctx-to-netlink-message-parsing.patch	FRRouting/frr@45f0a10
0021-zebra-Read-from-the-dplane_fpm_nl-a-route-update.patch	FRRouting/frr@a0e1173
0022-zebra-Fix-code-because-missing-backport.patch	FRRouting/frr@07fd1f7
0024-zebra-continue-fpm-read-when-we-decide-a-netlink-message-is-not-needed.patch	FRRouting/frr@c0275ab
0025-zebra-Send-nht-resolved-entry-up-to-concerned-protoc.patch	FRRouting/frr@8ce0e51
0027-bgpd-Ensure-FRR-has-enough-data-to-read-in-peek_for_as4_capability-and-bgp_open_option_parse.patch	FRRouting/frr@3e46b43
0028-bgpd-Ensure-that-bgp-open-message-stream-has-enough-data-to-read.patch	FRRouting/frr@766eec1

Realigned patches:

Old Patch	New patch
0002-Reduce-severity-of-Vty-connected-from-message.patch	0001-Reduce-severity-of-Vty-connected-from-message.patch
0004-Allow-BGP-attr-NEXT_HOP-to-be-0.0.0.0-due-to-allevia.patch	0002-Allow-BGP-attr-NEXT_HOP-to-be-0.0.0.0-due-to-allevia.patch
0005-nexthops-compare-vrf-only-if-ip-type.patch	0003-nexthops-compare-vrf-only-if-ip-type.patch
0006-frr-remove-frr-log-outchannel-to-var-log-frr.log.patch	0004-frr-remove-frr-log-outchannel-to-var-log-frr.log.patch
0007-Add-support-of-bgp-l3vni-evpn.patch	0005-Add-support-of-bgp-l3vni-evpn.patch
0008-Link-local-scope-was-not-set-while-binding-socket-for-bgp-ipv6-link-local-neighbors.patch	0006-Link-local-scope-was-not-set-while-binding-socket-for-bgp-ipv6-link-local-neighbors.patch
0009-ignore-route-from-default-table.patch	0007-ignore-route-from-default-table.patch
0009-ignore-route-from-default-table.patch	0007-ignore-route-from-default-table.patch
0023-Use-vrf_id-for-vrf-not-tabled_id.patch	0008-Use-vrf_id-for-vrf-not-tabled_id.patch
0026-bgpd-Ensure-suppress-fib-pending-works-with-network-.patch	0009-bgpd-Ensure-suppress-fib-pending-works-with-network-.patch
0029-bgpd-Change-log-level-for-graceful-restart-events.patch	0010-bgpd-Change-log-level-for-graceful-restart-events.patch
0030-zebra-Static-routes-async-notification-do-not-need-t.patch	0011-zebra-Static-routes-async-notification-do-not-need-t.patch

How I did it
Upgrade FRR submodule. Align the patches. Integrate new patches to fix issues.

How to verify it
Run sonic-mgmt regression to verify
2023-08-07 09:45:13 -07:00
Ze Gan
5d91bd14cd
Fix protoc-dev cache error (#15998)
Why I did it
The protoc-dev library with the wrong declaration.

Work item tracking
Microsoft ADO (number only): 24707066
How I did it
Revise the wrong declaration from:
PROTOC = libprotoc_$(PROTOBUF_VERSION_FULL)_$(CONFIGURED_ARCH).deb to PROTOC_DEV = libprotoc-dev$(PROTOBUF_VERSION_FULL)_$(CONFIGURED_ARCH).deb

How to verify it
Check Azp log error.
2023-08-01 15:41:20 +08:00
Liu Shilong
04a6031b2d
Revert "Update sairedis submodule (#15720)" (#15995)
This reverts commit e0927e28af.


Why I did it
Reverts #15720

It breaks build for target/debs/bullseye/syncd_1.0.0_amd64.deb

make[2]: Entering directory '/sonic/src/sonic-sairedis'
dh_install
# Note: escape with an extra symbol
if [ -f debian/syncd-rpc/usr/bin/syncd_init_common.sh ] ; then
/bin/sh: 1: Syntax error: end of file unexpected (expecting "fi")
make[2]: *** [debian/rules:65: override_dh_install] Error 2
make[2]: Leaving directory '/sonic/src/sonic-sairedis'
make[1]: *** [debian/rules:51: binary] Error 2
make[1]: Leaving directory '/sonic/src/sonic-sairedis'
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2
Work item tracking
Microsoft ADO (number only): 24691535
How I did it
How to verify it
2023-07-31 16:09:35 +08:00
Yevhen Fastiuk
4c6be287a8
Add cache for AUDISP TACPLUS (#13033)
#### Why I did it
Tacplus package has missed cache configuration

#### How I did it
Defined cache configuration for tacplus package

#### How to verify it
Build image with cache enabled and make sure you don't see any warnings related to tacplus
2023-07-28 16:24:10 -07:00
Liu Shilong
671346cb83
[build] Add sonic-utilities to sonic-host-services dependencies list. (#15987)
Why I did it
sonic-host-services depends on sonic-utilities because of FIPS feature.
Add dependency to unblock submodule sonic-host-services HEAD pointer update.

Work item tracking
Microsoft ADO (number only): 24671218
How I did it
2023-07-28 18:19:57 +08:00
Saikrishna Arcot
e0927e28af
Update sairedis submodule (#15720)
This submodule update needs to be manually done due to build changes
done in the sairedis submodule. Specifically, Debian build profiles are
now being used instead of dpkg build targets, and dbgsym packages are
being used instead of dbg packages. Because of this, there needs to be
changes on the sonic-buildimage side for this.

This submodule update brings in the following changes:

ce8f642 [vs] Use boost join to concatenate switch types in config (#1266)
d6055a2 [vslib]: Temporaily map DPU switch type to NVDA_MBF2H536C (#1259)
e1cdb4d [CodeQL]: Use dependencies with relevant versions in azp template. (#1262)
c08f9a2 [CI]: Fix collect log error in azp template. (#1260)
eed856c [CodeQL]: Fix syncd compilation in azp template. (#1261)
a3f1f1a Reland 'Make changes to building and packaging sairedis (#1116)' (#1194)

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-07-24 17:05:03 -07:00
lixiaoyuner
10b65d9826
Add k8s master code new (#15716)
Why I did it
Currently, k8s master image is generated from a separate branch which we created by ourselves, not release ones. We need to commit these k8s master related code to master branch for a better way to do k8s master image build out.

Work item tracking
Microsoft ADO (number only):
19998138
How I did it
Install k8s dashboard docker images
Install geneva mds and mdsd and fluentd docker images and tag them as latest, tagging latest will help create container always with the latest version
Install azure-storage-blob and azure-identity, this will help do etcd backup and restore.
Install kubernetes python client packages, this will help read worker and container state, we can send these metric to Geneva.
Remove mdm debian package, will replace it with the mdm docker image
Add k8s master entrance script, this script will be called by rc-local service when system startup. we have some master systemd services in compute-move repo, when VMM service create master VM, VMM will copy all master service files inside VM, the entrance script will setup all services according to the service files.
When the entrance script content changed, the PR build will set include_kubernetes_master=y to help do validation for k8s master related code change. The default value of include_kubernetes_master should be always n for public master branch. We will generate master image from internal master branch
How to verify it
Build with INCLUDE_KUBERNETES_MASTER = y
2023-07-25 07:44:59 +08:00
Saikrishna Arcot
371c3a0be5
Add support for deb build profiles env variable (#15858)
Add support for a separate DEB_BUILD_PROFILES environment variable, to
be able to set build profiles. This may be used to specify whether
python 2 bindings/libraries should be built, or what configuration
options should be specified for a package.

This also makes it easier to append/remove build profiles from our rules
files, which will be needed for the sairedis build.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-07-20 09:14:23 -07:00
xumia
e73f1110ad
[Build] Fix the dash cache dependency issue (#15851)
#### Why I did it
[Build] Fix the dash cache dependency issue
```
12:47:34  [ finished ] [ target/files/bullseye/ctrmgrd.service ]
12:47:36  fatal: Unable to hash src/sonic-dash-api/sonic-dash-api
12:47:36  make: *** [Makefile.cache:528: target/debs/bullseye/libdashapi_1.0.0_amd64.deb.smdep] Error 123
12:47:36  make: *** Waiting for unfinished jobs....
```

##### Work item tracking
- Microsoft ADO **(number only)**: 24547630
2023-07-19 15:56:24 -07:00
Ze Gan
a24845997d
Add protobuf and dashapi to sonic-mgmt (#15743)
#### Why I did it
The testcases in sonic-mgmt need the packages of protobuf and dashapi

##### Work item tracking
- Microsoft ADO **(number only)**:

#### How I did it
Because the docker of sonic-mgmt is based on ubuntu20.04, it cannot directly install the packages compiled by slave due to dependency issues. Download related packaged directly from Azp.

#### How to verify it
Check azp stats.
2023-07-14 11:23:25 -07:00
Mai Bui
d549787408
limit privileged flag for bgp container (#14932)
Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN and SYS_ADMIN capabilities

How to verify it
Install new image to DUT, verify bgp container is up
Run bgp sonic-mgmt kvmtest
2023-07-14 09:08:43 +08:00
xumia
30959ec901
[Build] Change the build option from ENABLE_FIPS_FEATURE to INCLUDE_FIPS (#15758)
Why I did it
[Build] Change the build option from ENABLE_FIPS_FEATURE to INCLUDE_FIPS

Work item tracking
Microsoft ADO (number only): 24485797
How I did it
2023-07-13 23:00:38 +08:00
Masaru OKI
51b50087fa
Pick dependency files in submodules. (#15142)
#### Why I did it

Failed to build sonic-dhcp6relay_1.0.0-0_amd64.deb

#### How I did it

src/dhcprelay has git submodule.
Dependency files by "git ls-files" are not picked files in submodules.
Add --recurse-submodules, work again.

#### How to verify it

make all
2023-07-11 14:32:08 -07:00
lixiaoyuner
c470b7dfd1
Add health check probe for k8s upgrade containers. (#15223)
#### Why I did it
After k8s upgrade a container, k8s can only know the container is running, don't know the service's status inside container. So we need a probe inside container, k8s will call the probe to check whether the container is really ready.
##### Work item tracking
- Microsoft ADO **(number only)**: 22453004
#### How I did it
Add a health check probe inside config engine container, the probe will check whether the start service exit normally or not if the start service exists and call the python script to do container self-related specific checks if the script is there. The python script should be implemented by feature owner if it's needed.

more details: [design doc](https://github.com/sonic-net/SONiC/blob/master/doc/kubernetes/health-check.md)
#### How to verify it
Check path /usr/bin/readiness_probe.sh inside container.

#### Which release branch to backport (provide reason below if selected)

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [x] 202205
- [x] 202211

#### Tested branch (Please provide the tested image version)
- [x] 20220531.28
2023-07-10 22:16:29 -07:00
lixiaoyuner
ca29197184
Move k8s script to docker-config-engine (#14788)
Why I did it
To reduce the container's dependency from host system

Work item tracking
Microsoft ADO (number only):
17713469
How I did it
Move the k8s container startup script to config engine container, other than mount it from host.

How to verify it
Check file path(/usr/share/sonic/scripts/container_startup.py) inside config engine container.

Signed-off-by: Yun Li <yunli1@microsoft.com>
Co-authored-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2023-07-05 14:44:48 -07:00
Ze Gan
2f8994999b
[dash-api]: Add dash-api and related protobuf library (#14515)
Why I did it
For the DASH scenario, the APP_DB will be optimized by protobuf message for less memory consumption.

How I did it
Download the Debian package of protobuf 3.21.12 and create a corresponding rule for building it.
Add a submodule of sonic-dash-api and generated its Debian package which includes C++ library and Python library

How to verify it
Check artifacts of Azp that the protobuf-related and dash-api deb packages should be generated.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-07-05 09:59:35 -07:00
nmoray
f978b2bb53
Timezone sync issue between the host and containers (#14000)
#### Why I did it
To fix the timezone sync issue between the containers and the host. If a certain timezone has been configured on the host (SONIC) then the expectation is to reflect the same across all the containers.

This will fix [Issue:13046](https://github.com/sonic-net/sonic-buildimage/issues/13046).

For instance, a PST timezone has been set on the host and if the user checks the link flap logs (inside the FRR), it shows the UTC timestamp. Ideally, it should be PST.
2023-06-25 16:36:09 -07:00
Nazarii Hnydyn
d9dfb36920
[buildsystem] Fix hiredis package version: 0.14.1-1 (#15461)
- Why I did it
To fix hiredis compilation

- How I did it
Changed package version: 0.14.0-3~bpo9+1 -> 0.14.1-1

- How to verify it
make configure PLATFORM=mellanox
make target/sonic-mellanox.bin

Signed-off-by: Nazarii Hnydyn <nazariig@nvidia.com>
2023-06-20 15:33:00 +03:00
xumia
cd99deec9b
Upgrade sonic-fips packages (#15400)
Why I did it
Downgrade the symcrypt version, use the SymCrypt version v103.0.1 for certification.

Work item tracking
Microsoft ADO (number only): 24222567
How I did it
How to verify it
2023-06-19 13:07:17 +08:00
Rajkumar-Marvell
94790bef04
[sflow] Add egress sflow support. (#14630)
* [sflow] Add egress sflow support.
- Updated sonic-yang-model
- change hsflowd version to 2.0.45
2023-06-06 11:23:39 -07:00
DavidZagury
5acec530bb
Add SECURE_UPGRADE_PROD_TOOL_ARGS flag to make it possible for vendors to pass their own arguments on the prod signing script (#14581)
- Why I did it
Since the prod signing tool is vendor specific, and each vendor may have different arguments they would like to use in the script, we would need a way to inject those arguments to the script.

- How I did it
Add a compilation flag SECURE_UPGRADE_PROD_TOOL_ARGS which vendors can use to inject any flag they would want to the prod signing script.

- How to verify it
Build SONiC using your own prod script
2023-05-16 08:36:13 +03:00
Konstantin Vasin
ee1ab4448f
[build] update isc-dhcp to 4.4.1-2.3+deb11u2 to fix build failure (#15002)
Why I did it
Fix #15000
isc-dhcp 4.4.1-2.3+deb11u1 is no longer available in debian repository

How I did it
update isc-dhcp to new version 4.4.1-2.3+deb11u2
2023-05-11 22:14:20 +08:00
Dror Prital
7dcd55ca18
Support pulling sonic-slave-docker image from path at REGISTRY_SERVER (#14907)
- Why I did it
In order to reduce sonic build time, there is an option to acquire sonic slave docker(s) from artifact server (reduce sonic make configure time).
Current implementation supports only convention of:

<REGISTRY_SERVER>:<REGISTRY_PORT>/<SLAVE_BASE_IMAGE>:<SLAVE_BASE_TAG>

In case the SLAVE_BASE_IMAGE appear in internal path inside the server, the convention should be like that:

<REGISTRY_SERVER>:<REGISTRY_PORT><REGISTRY_SERVER_PATH>/<SLAVE_BASE_IMAGE>:<SLAVE_BASE_TAG>

When REGISTRY_SERVER_PATH (that is set on rules/config) will have to start with "/".

If REGISTRY_SERVER_PATH will not be set, the behavior will remain the same it works today.

- How I did it
Add ability to set REGISTRY_SERVER_PATH and update the code for docker image tag and docker image pull accordingly

- How to verify it
Use sonic slave docker image from artifact server in which the image is kept in internal folder and make sure it consume it.
2023-05-04 11:41:10 +03:00
Yevhen Fastiuk
46615f5563
[Profiler] Add ability to print elapsed build time for target packages (#14778)
- Why I did it
To be able to see how much time was consumed to build a specific target.
A newly added code does those things:

1. Print build start time for target
2. Print build end time for target
3. Print elapsed time for target

- How I did it
Add a macro to record the time
Add macros to print end time and elapsed time

- How to verify it
Just build an image and check any *.log file

Signed-off-by: Yevhen Fastiuk <yfastiuk@nvidia.com>
2023-05-03 13:26:22 +03:00
ganglv
010dc39579
If gnmi is included, remove dbus from telemetry (#14853)
#### Why I did it
Remove dbus when telemetry does not use it.

##### Work item tracking
- Microsoft ADO **(number only)**: 17852550

#### How I did it
Use INCLUDE_SYSTEM_GNMI to determine if telemetry needs dbus.

#### How to verify it
Build image and check telemetry container.
2023-04-26 22:18:54 -07:00
ganglv
41a1c13c03
Enable GNMI native write by default (#14845)
#### Why I did it
SONiC master image needs GNMI native write.

#### How I did it
Update rules/config to enable.

#### How to verify it
Run end2end test.
2023-04-26 22:08:07 -07:00
DavidZagury
90f45d9774
Change SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT (#14591)
Depends on https://github.com/sonic-net/sonic-linux-kernel/pull/315

#### Why I did it
The name SECURE_UPGRADE_DEV_SIGNING_CERT is misleading, this flag is relevant to both to dev and prod signing.

#### How I did it
Rename all mentions of name SECURE_UPGRADE_DEV_SIGNING_CERT to SECURE_UPGRADE_SIGNING_CERT - this is also done with PR in sonic-linux-kernel repository

#### How to verify it
Build SONiC using your own prod script
2023-04-24 11:17:51 -07:00
DavidZagury
03bf4ff549
Remove default value from SECURE_UPGRADE_DEV_SIGNING_KEY (#14582)
This is done because when there is a default value, we mount to this path, and this creates this folder on the host.

#### Why I did it
Fix issue that running without overwriting SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT dummy folders are being created on the host.

#### How I did it
Removed the default assignment to SECURE_UPGRADE_DEV_SIGNING_KEY and SECURE_UPGRADE_DEV_SIGNING_CERT

#### How to verify it
Build SONiC using your own prod script
2023-04-18 15:48:47 -07:00
xumia
f1fd42558a
Support to add SONiC OS Version in device info (#14601)
Why I did it
Support to add SONiC OS Version in device info.
It will be used to display the version info in the SONiC command "show version". The version is used to do the FIPS certification. We do not do the FIPS certification on a specific release, but on the SONiC OS Version.

SONiC Software Version: SONiC.master-13812.218661-7d94c0c28
SONiC OS Version: 11
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
How I did it
2023-04-12 09:20:08 +08:00
Vivek
0df155b014
Made non-upstream patch design order aware (#14434)
- Why I did it

Currently, non upstream patches are applied only after upstream patches.

Depends on sonic-net/sonic-linux-kernel#313. Can be merged in any order, preferably together

- What I did it

Non upstream Patches that reside in the sonic repo will not be saved in a tar file bur rather in a folder pointed out by EXTERNAL_KERNEL_PATCH_LOC. This is to make changes to the non upstream patches easily traceable.
The build variable name is also updated to INCLUDE_EXTERNAL_PATCHES
Files/folders expected under EXTERNAL_KERNEL_PATCH_LOC
EXTERNAL_KERNEL_PATCH_LOC/
       ├──── patches/
             ├── 0001-xxxxx.patch
             ├── 0001-yyyyyyyy.patch
             ├── .............
       ├──── series.patch
series.patch should contain a diff that is applied on the sonic-linux-kernel/patch/series file. The diff should include all the non-upstream patches.
How to verify it

Build the Kernel and verified if all the patches are applied properly

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
2023-04-10 19:48:27 +03:00
Kuanyu Chen
cffd87a627
Add monit_snmp file to monitor memory usage (#14464)
#### Why I did it

When CPU is busy, the sonic_ax_impl may not have sufficient speed to handle the notification message sent from REDIS.
Thus, the message will keep stacking in the memory space of sonic_ax_impl.

If the condition continues, the memory usage will keep increasing.

#### How I did it

Add a monit file to check if the SNMP container where sonic_ax_impl resides in use more than 4GB memory.
If yes, restart the sonic_ax_impl process.

#### How to verify it

Run a lot of this command: `while true; do ret=$(redis-cli -n 0 set LLDP_ENTRY_TABLE:test1 test1); sleep 0.1; done;`
And check the memory used by sonic_ax_impl keeps increasing.

After a period, make sure the sonic_ax_impl is restarted when the memory usage reaches the 4GB threshold.
And verify the memory usage of sonic_ax_impl drops down from 4GB.
2023-04-06 12:19:11 -07:00
Christian Svensson
bce824723c
[sflow] Switch to bullseye (#14494)
Change references to use bullseye instead of buster

Why I did it
Almost all daemons in 202211 and master uses bullseye, and sflow was easy to migrate.

How I did it
Replaced the references, built and tested in 202211.
How to verify it

Build with the changes, enable sflow:
admin@sonic:~$ sudo config sflow collector add test 1.2.3.4
admin@sonic:~$ sudo config sflow collector enable
tcpdump on 1.2.3.4 and see that UDP sFlow are being sent.

Signed-off-by: Christian Svensson <blue@cmd.nu>
2023-04-03 09:49:35 -07:00
Christian Svensson
67abcff944
[nat] Switch to bullseye (#14495)
Change references to use bullseye instead of buster

Why I did it
Almost all daemons in 202211 and master uses bullseye, and NAT seems easy to migrate.

How I did it
Replaced the references, built with 202211 branch.

How to verify it
Not sure, it builds and tests pass as far as I can tell but I don't use the feature myself.

Signed-off-by: Christian Svensson <blue@cmd.nu>
2023-04-02 14:02:33 -07:00
kellyyeh
2843923549
Add sonic-dhcpmon as a submodule (#14285)
Why I did it
Add sonic-dhcpmon as a submodule

How to verify it
Tested dhcpmon on dualtor and single tor
2023-03-30 08:32:56 -07:00
Saikrishna Arcot
3bbfaa1ee8
Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye (#13294)
* Upgrade docker-sonic-vs and docker-syncd-vs to Bullseye

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* iproute2: Force a new version and timestamp to be used for the package

There is an issue with Docker's overlay2 storage driver when not using
native diffs (and thus falling back to naive diff mode), which is the
case in the CI builds. The way the naive diff mode detects changes is by
comparing the file size and comparing the timestamps (specifically, I
believe it's the modification timestamp), and if there's a change there,
then it's considered a change that needs to be recorded as part of that
layer.

The problem is that with the code being added in the patch, the file
size remains the same, and the timestamp of binary files appear to be
the same timestamp as the changelog entry (likely for reproducible build
purposes). The file size remains the same likely due to extra padding
within the file introduced by relro. Because of this, Docker doesn't
detect this file has changed, and doesn't save the new file as part of
this layer.

To work around this, create a new changelog entry (with a new version as
well) with a new timestamp. This will result in the binary files having
a different timestamp, and thus will get saved by Docker as part of that
layer.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

---------

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2023-03-19 21:14:27 -07:00
lixiaoyuner
935f5dc5f0
Install kubernetes-cni for kubelet (#14163)
Why I did it
Find a new bug on kubelet side. The kubernetes-cni plug-in was removed in #12997, the reason is that the plug-in will be auto installed when install kubeadm, and will report error if we don't remove the install code. But after removal, the version auto installed is different from what we installed before. This will affect the kubelet action in some scenarios we don't find before. Need to install it by another way.

How I did it
Install kubernetes-cni==0.8.7-00 before install kubeadm

How to verify it
Flannel binary will be installed under /opt/cni/bin/ folder
2023-03-16 17:21:37 -07:00
davidpil2002
8098bc4bf5
Add Secure Boot Support (#12692)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly
2023-03-14 14:55:22 +02:00
Saikrishna Arcot
3556e6c2eb
[submodule] Advance sonic-swss-common pointer (#14142)
Update sonic-swss-common submodule pointer to include the following:

565ad4b Fix common path issue (#751)
3352881 Prevent sonic-db-cli generate core dump (#749)
43cadec Add ProfileProvider class to support read profile config from PROFILE_DB. (#683)
8b09f90 Update path to sairedis tests (#747)
85f3776 Non recursive automake and Debian packaging changes (#700)
This is a reland of #13950, with the debug image build fix.
2023-03-12 14:12:02 +02:00
Andriy Dobush
c1dd94f368
Add California-SB237 feature. Requires to change default user password (#12678)
#### Why I did it
Add support of California-SB237 conformance.
https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237

#### How I did it
Expire user passwords during build

#### How to verify it
Enable build flag and check if default user is prompted for a new password
2023-02-23 15:36:37 -08:00
ganglv
23dbdf525b
Enable host services #13800
Why I did it
Need to enable host service to suport GNMI native write

How I did it
Update rules/config

How to verify it
Run GNMI end2end test
2023-02-15 14:40:09 +08:00
xumia
71f778f62a
[Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips (#13737)
Why I did it
[Security] Upgrade the openssl version to 1.1.1n-0+deb11u4+fips

f6df7303d8 Update expired certs.
84540b59c1 CVE-2022-2068
f763d8a93e Prepare 1.1.1n-0+deb11u2
576562cebe CVE-2022-1292
How I did it
Upgrade the OpenSSL version
2023-02-09 13:57:50 -08:00
xumia
77745f55cc
[FIPS] Upgrade Open-SymCrypt version to 0.6 (#13461)
Why I did it
[FIPS] Upgrade Open-SymCrypt version to 0.6

Improve the SymCrypt performance
Support to download the debug packages from storage account in version 0.6.
How I did it
Upgrade to symcrypt-openssl from version 0.4 to version 0.6

Changes in https://github.com/sonic-net/sonic-fips:
0c29b23 Upgrade the submodules: SymCrypt and SymCrypt-OpenSSL #40
80022f3 Fix the ARM64 build failure
2e76a3d Disable the unsupported tests

Other changes will be added as well:
55b8e0a Merge pull request #35 from xumia/change-license
120c1a7 Upgrade SymCrypt and SymCrypt-OpenSSL
2f9c084 Merge pull request #39 from liuh-80/dev/liuh/update-openssh-version
a3be6c5 Revert openssh version
e02fa1e Update fips version

How to verify it
2023-01-27 11:54:44 +08:00