Commit Graph

25 Commits

Author SHA1 Message Date
xumia
8ec8900d31
Support SONiC OpenSSL FIPS 140-3 based on SymCrypt engine (#9573)
Why I did it
Support OpenSSL FIPS 140-3, see design doc: https://github.com/Azure/SONiC/blob/master/doc/fips/SONiC-OpenSSL-FIPS-140-3.md.

How I did it
Install the fips packages.
To build the fips packages, see https://github.com/Azure/sonic-fips
Azure pipelines: https://dev.azure.com/mssonic/build/_build?definitionId=412

How to verify it
Validate the SymCrypt engine:

admin@sonic:~$ dpkg-query -W | grep openssl
openssl 1.1.1k-1+deb11u1+fips
symcrypt-openssl        0.1

admin@sonic:~$ openssl engine -v | grep -i symcrypt
(symcrypt) SCOSSL (SymCrypt engine for OpenSSL)
admin@sonic:~$
2022-05-06 07:21:30 +08:00
Saikrishna Arcot
313cced32b
Update Docker to 20.10.14 (#10677)
* Upgrade docker version from 20.10.7 to 20.10.14, and pin containerd.io

Update the Docker engine version from 20.10.7 to 20.10.14. This brings
in some CVE and bug fixes.

Additionally, pin the version of containerd.io to a specific version,
mainly for consistency/reproducibility.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Remove the containerd ordering change to docker.service

This appears to be already present in the current docker.service.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Remove use of apt-key

apt-key is considered deprecated, and the current practice is to just
add the key into /etc/apt/trusted.gpg.d/.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Upgrade docker container in Bullseye slave to 20.10.14

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-04-27 10:20:42 -07:00
Sachin Naik
598ab99469
secureboot: Enable signing SONiC kernel (#10557)
Why I did it
To sign SONiC kernel image and allow secure boot based system to verify SONiC image before loading into the system.

How I did it
Pass following parameter to rules/config.user
Ex:
SONIC_ENABLE_SECUREBOOT_SIGNATURE := y
SIGNING_KEY := /path/to/key/private.key
SIGNING_CERT := /path/to/public/public.cert

How to verify it
Secure boot enabled system enrolled with right public key of the, image in the platform UEFI database will able to verify image before load.

Alternatively one can verify with offline sbsign tool as below.

export SBSIGN_KEY=/abc/bcd/xyz/
sbverify --cert $SBSIGN_KEY/public_cert.cert fsroot-platform-XYZ/boot/vmlinuz-5.10.0-8-2-amd64 mage

O/P:
Signature verification OK
2022-04-19 13:23:15 +08:00
Longxiang Lyu
812f17d6f1
Add libgmock package for linkmgrd (#10294)
Why I did it
Add libgmock-dev to the package list required by linkmgrd unittests.
Required by PR: Azure/sonic-linkmgrd#45

How I did it
Add the package to the package list.

How to verify it
Build docker-mux with KEEP_SLAVE_ON=yes and verify libgmock-dev is present.

Signed-off-by: Longxiang Lyu <lolv@microsoft.com>
2022-04-14 08:59:54 +08:00
xumia
ce26c04a09
[Build]: fix debian package not found issue (#10447)
Why I did it
[Build]: fix debian package not found issue
2022-04-06 13:51:41 +08:00
Shilong Liu
3fa627f290
Add a config variable to override default container registry instead of dockerhub. (#10166)
* Add variable to reset default docker registry
* fix bug in docker version control
2022-03-14 18:09:20 +08:00
Kebo Liu
fe0a7693f4
[smartmontools] Install smartmontools with apt-get and upgrade it to 7.2-1 (#10087)
Why I did it
Smartmontools 6.6 has an issue with reading SMART info of nvme SSD
Smartmontools can be installed with apt-get, no need to build and install

How I did it
Use apt-get to install smartmontools 7.2-1
Remove previous make files for smartmontools 6.6

How to verify it
verify with "smartctl" can read out correct SMART info on NVME ssd.
verify "show platform ssdhealth" can still work

Signed-off-by: Kebo Liu <kebol@nvidia.com>
2022-03-07 09:39:33 -08:00
Saikrishna Arcot
bb3362760d
[docker-dhcprelay]: Update to Bullseye (#9736)
As part of this, update the isc-dhcp package to match the Bullseye
version (this fixes some compile errors related to BIND), clean up some
of the build dependencies and runtime dependencies for debian packaging,
and use the default Boost version to compile against instead of
explicitly saying using 1.74.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-01-18 15:11:36 -08:00
Saikrishna Arcot
fee2441717
Create docker-base-bullseye and docker-config-engine-bullseye (#9666)
* [slave-bullseye]: Remove Python 2

It shouldn't be needed anymore.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* [dockers]: Add docker-base-bullseye and docker-config-engine-bullseye

Also upgrade socat from 1.7.3.1 to 1.7.4.1

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-01-11 09:23:42 -08:00
Qi Luo
5f524e2ec6
Revert "[sonic-slave]: Fix redis version during pip3 install (#9317)" (#9704)
Reverts Azure/sonic-buildimage#9317
Since upstream fixed the issue https://github.com/redis/redis-py/pull/1726
We can continue use latest version on master branch.

Fixes https://github.com/Azure/sonic-buildimage/issues/9318
2022-01-09 18:24:07 -08:00
Saikrishna Arcot
4acdc2a81e
Arm64 fixes and optimizations (#9274)
* [arm64]: Fix registration of the qemu interpreters

The current code doesn't properly run the container that registers the
qemu interpreters. It checks to see if the container is "known" by
Docker, but that doesn't indicate whether it's been run or not.
Therefore, just always register the qemu interpreters in the kernel, to
make sure the binary that's in the slave images that we build is used.

* [build]: Reduce the number of python calls

Modify the BLDENV and PROJECT_ROOT variables in slave.mk to be
immediate execution instead of lazy execution. Neither of these
variables should be changing for the duration of the build in each slave
container, so just run it once instead of every time they're referenced.

When running `make configure` for broadcom arm64 (where all of the slave
images are already built) on an amd64 host, this reduces the time spent
in each slave container from 4.5-5 minutes to 2 minutes.

* [sonic-slave]: Upgrade the qemu used for Bullseye arm64 to 6.1.0

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2021-12-13 18:20:39 -08:00
Brian O'Connor
46bcda359c
[PINS] Build P4RT container for PINS (#9083)
- Add INCLUDE_PINS to config to enable/disable container
- Add Docker files and supporting resources
- Add sonic-pins submodule and associated make files

Submission containing materials of a third party:
    Copyright Google LLC; Licensed under Apache 2.0

#### Why I did it

Adds P4RT container to SONiC for PINS

The P4RT app is covered by this HLD:
https://github.com/pins/SONiC/blob/master/doc/pins/p4rt_app_hld.md

#### How I did it

Followed the pattern and templates used for other SONiC applications

#### How to verify it

Build SONiC with INCLUDE_P4RT set to "y".
Verify that the resulting build has a container called "p4rt" running.
You can verify that the service is up by running the following command on the SONiC switch:
```bash
sudo netstat -lpnt | grep p4rt
```
You should see the service listening on TCP port 9559.

#### Which release branch to backport (provide reason below if selected)

None

#### Description for the changelog

Build P4RT container for PINS
2021-12-07 11:11:25 -08:00
liuh-80
739c45645c
[TACACS+] Add audisp-tacplus for per-command accounting. (#8750)
This pull request integrate audisp-tacplus to SONiC for per-command accounting.

#### Why I did it
To support TACACS per-command accounting, we integrate audisp-tacplus project to sonic.

#### How I did it
1. Add auditd service to SONiC
2. Port and patch audisp-tacplus to SONiC

#### How to verify it
UT with CUnit to cover all new code in usersecret-filter.c
Also pass all current UT.

#### Which release branch to backport (provide reason below if selected)
N/A

#### Description for the changelog
Add audisp-tacplus for per-command accounting.

#### A picture of a cute animal (not mandatory but encouraged)
2021-12-01 11:50:09 +08:00
LuiSzee
14fb629ab6
[arm64][qemu] upgrade qemu to 6.1.0-8 for fix systemd-sonic-generator compile error (#9320)
for compile error when build systemd-sonic-generator_1.0.0_arm64.deb on qemu arm64 bullseye.
```
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/single_inst.service", "tests/ssg-test/systemd/single_inst.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_b.service", "tests/ssg-test/systemd/multi_inst_b.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_a.service", "tests/ssg-test/systemd/multi_inst_a.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_b@.service", "tests/ssg-test/systemd/multi_inst_b@.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/multi_inst_a@.service", "tests/ssg-test/systemd/multi_inst_a@.service"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/test.timer", "tests/ssg-test/systemd/test.timer"
boost::filesystem::copy_file: Function not implemented: "tests/testfiles/test.service", "tests/ssg-test/systemd/test.service"
ssg-test.cc:244: Failure
Expected equality of these values:
  fs::exists(path)
    Which is: false
  expected_result
    Which is: true
Failed validation: "tests/ssg-test/generator/multi-user.target.wants/multi_inst_b.service"
```

Co-authored-by: shil <shil@centecnetworks.com>
2021-11-20 08:46:56 -08:00
Qi Luo
da1503d7be
[sonic-slave]: Fix redis version during pip3 install (#9317)
The recent release of redis 4.0.0 or newer (for python3) breaks sonic-config-engine unit test. Fix to last known good version.
ref: https://pypi.org/project/redis/#history
2021-11-18 17:07:58 -08:00
dflynn-Nokia
df12ac5abd
[build]: marvell-armhf bullseye fixes (#9243)
This commit fixes/avoids the following errors encountered during the
marvell-armhf build for bullseye

- Fix Marvell prestera DMA driver build failure due to kallsyms_lookup_name()
  no longer being exported by the updated bullseye kernel. This is a temporary
  fix that will be replaced by a future version of the DMA driver.

- Update qemu-user-static version to align with the new glibc version included
  in bullseye

- Skip systemd-sonic-generator unit tests to avoid test failures. Root cause is
  still TBD

#### Why I did it
Fix the following build errors observed when building marvell-armhf for bullseye
1. Marvell Prestera DMA driver uses kernel API no longer exported
ERROR: modpost: "kallsyms_lookup_name" [/sonic/platform/marvell-armhf/prestera/mrvl-prestera/cpssEnabler/linuxNoKernelModule/drivers//mvDmaDrv.ko] undefined!

2. Old qemu-user-static version does not support semop() leading to following build failure
semop(1): encountered an error: Function not implemented

3. systemd-sonic-generator unit test failure
ssg-test.cc:217: Failure
Expected equality of these values:
  find_string_in_file(str_t, target, num_asics)
    Which is: false
  expected_result
    Which is: true
Error validating Before=single_inst.service in test.service
[  FAILED  ] SsgMainTest.ssg_main_40_npu (20 ms)
[----------] 4 tests from SsgMainTest (36 ms total)

[----------] Global test environment tear-down
[==========] 10 tests from 3 test suites ran. (54 ms total)
[  PASSED  ] 7 tests.
[  FAILED  ] 3 tests, listed below:
[  FAILED  ] SsgMainTest.ssg_main_single_npu
[  FAILED  ] SsgMainTest.ssg_main_10_npu
[  FAILED  ] SsgMainTest.ssg_main_40_npu

 3 FAILED TESTS
2021-11-13 10:48:58 -08:00
KostiantynYarovyiBf
9894116205 Update Barefoot platform module for Bullseye and 5.10 kernel (#8)
Update Barefoot platform support for Bullseye and 5.10 kernel, and add
python3-venv.
2021-11-10 15:27:22 -08:00
LuiSzee
5b284767f6 Update Centec platform support for Bullseye and 5.10 kernel (#7)
1. Fix build for armhf and arm64
2. upgrade centec tsingma bsp support to 5.10 kernel
3. modify centec platform driver for linux 5.10

Co-authored-by: Shi Lei <shil@centecnetworks.com>
2021-11-10 15:27:22 -08:00
Saikrishna Arcot
97d70e3e8b Update repos for Bullseye slave container
Update the repos for amd64, and add support for at least arm64.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2021-11-06 11:31:42 -07:00
donNewtonAlpha
51c9c98648
[sonic-slave]: Add gmock for sonic-swss-common tests (#8950)
Sonic-swss-common requires gmock for staged unit tests

Signed-off-by: Don Newton <don@opennetworking.org>
2021-10-28 12:14:21 -07:00
Guohan Lu
e6733e96fe [build]: update sonic-slave-bullseye for armhf and arm64
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-10-19 12:18:16 +00:00
liuh-80
7d40384c58
[TACACS+] Add plugin support to bash. (#8660)
This pull request add plugin support library to bash.
    And we will create a TACACS+ plugin for bash in an other PR, which will bring per command authorization feature to bash.

Why I did it
    To support TACACS per command authorization, we check user command before execute it.

How I did it
    Add plugin support to bash.

How to verify it
    UT with CUnit under bash project cover all new code in plugin.c.
    Also pass all current UT.

Which release branch to backport (provide reason below if selected)
    N/A

Description for the changelog
    Add plugin support to bash.
2021-10-11 15:20:51 +08:00
Saikrishna Arcot
91f9b6f4e4 Add cron and the python 3 mock packages to the Bullseye slave image
When using dpkg with the --root flag to install a deb package in a
chroot, dpkg checks to see if the users and groups specified in the
/var/lib/dpkg/statoverride file are valid. The problem is, it checks
against the host system's /etc/passwd and /etc/group files, instead of
/etc/passwd and /etc/group inside the chroot.

In the slave image for Buster, cron appears to have been automatically
installed, and so the crontab group existed. This doesn't appear to be
true for Bullseye, so explicitly install it. This makes sure that the
crontab group exists on the slave image itself.

Also install the mock python 3 package, this is needed by some test.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2021-08-12 23:18:01 -07:00
Guohan Lu
fff17563b7 [openssh]: add build dep installation to sonic-slave-bullseye
This is the continuation of PR 8381 and is needed for debian 11 build.

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2021-08-10 01:39:26 -07:00
Saikrishna Arcot
d4261a693b Define the Bullseye-based slave container
This will be used to build our image as well as tools that need to go
into this image.

Notable changes from Buster:
* Python 2/pip2 module installations have been removed, since nothing
besides the main Python 2 binary (and virtualenv support) is now
available through Bullseye.
* In the cases where both the main library package and the development
package are being installed, now, only the dev package is specified. The
main library is typically marked as a dependency of the dev package.
This reduces the number of changes we have to make as SONAMEs change.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2021-07-15 00:02:18 -07:00