* [slave.mk]: Fix displaying username and password in build summary
We display the contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while the
image can be built with USERNAME and/or PASSWORD given on the make(1)
command line. For example:
$ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin
Fix by displaying the USERNAME and PASSWORD variables in the build summary.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
* [baseimage]: Improve default user account handling
There are a couple of issues with the current implementation of default
user account management in baseimage:
1) It uses DES to encrypt account passwords. Furthermore, this
effectively limits password length to 8 symbols, even if more are
provided with PASSWORD or DEFAULT_PASSWORD from rules/config.
2) The salt value for the password is the same on all builds, even with different
passwords, increasing the attack surface.
3) During the build process the password passed as a command line parameter,
either as plain text (if given to make(1) as "make PASSWORD=...")
or DES encrypted (if given to build_debian.sh), can be seen by
non-build users using the /proc/<pid>/cmdline file, which has group and
world readable permissions.
Both 1) and 2) come from:
perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')"
that by default uses DES if the salt does not have the format $<id>$<salt>$,
where <id> is the hashing function id. See crypt(3) for more details on
valid <id> values.
To address the issues above we propose the following changes:
1) Do not create the password by hand (e.g. using the perl snippet above):
leave this job to chpasswd(8), which is aware of the system wide
password hashing policy specified in /etc/login.defs with
ENCRYPT_METHOD (by default it is SHA512 for Debian 8).
2) Now chpasswd(8) will take care of the proper salt value.
3) This has two steps:
3.1) For compatibility reasons accept USERNAME and PASSWORD as
make(1) parameters, but warn the user that this is unsafe.
3.2) Use the process environment to pass the USERNAME and PASSWORD variables
from the Makefile to build_debian.sh as a more secure alternative to
passing them via command line parameters: /proc/<pid>/environ is
readable only by the user running the process or privileged users like
root.
Before change:
--------------
hash1
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')"
^^^^^^^^
8 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Note the hash (DES encrypted password)
hash2
-----
# u='admin'
# p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')"
^^^^^^^^^^^^
12 symbols
# echo "$u:$p" | chpasswd -e
# getent shadow admin
admin:sazQDkwgZPfSk:17680:0:99999:7:::
^^^^^^^^^^^^^
Hash is the same as for "YourPaSs"
After change:
-------------
hash1
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\
^^^^^^^^
Note the salt here
ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7:::
hash2
-----
# echo "admin:YourPaSs" | chpasswd
# getent shadow admin
admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\
^^^^^^^^
Here the salt is completely different from the case above
plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7:::
Since the salt is different, the hashes for the same password are different too.
hash1
-----
# LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"'
^^^^^
We want SHA512 hash
$6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\
yd2ELrIMJ.FQLNjgSD0nNha7/
hash2
-----
# LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"'
$6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\
kYDI8zwRumRwga/A29nHm4mZ1
Now with the same "salt" and $<id>$, and the same 8 symbol prefix in the password, but
different password lengths, we have different hashes.
Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
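As an added example (not code from this commit or from the SONiC build scripts), the following audit helper classifies the hash field of shadow(5) lines the way the commit message distinguishes them: legacy 13-character DES output versus $<id>$<salt>$ hashes such as the $6$ SHA-512 form, and it flags DES entries and any salt shared between accounts, the two weaknesses described above. The sample lines are constructed; the DES hash is the one quoted in the commit message (DES keeps only the first two characters of the salt string, which is why that hash starts with "sa"), and the $6$ hash bodies are placeholders.

```python
import re

# $<id>$ prefixes documented in crypt(3); legacy DES output has no prefix.
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}
MODULAR = re.compile(r"^\$([^$]+)\$([^$]*)\$(.+)$")
DES = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed shadow(5) lines: the DES hash is the one quoted in the commit
# message above; the $6$ hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = """\
admin:sazQDkwgZPfSk:17680:0:99999:7:::
ops:sazQDkwgZPfSk:17680:0:99999:7:::
root:$6$1Nho1jHC$constructedHashBodyNotARealDigest:17681:0:99999:7:::
svc:$6$yKU5g7BO$anotherConstructedHashBody:17681:0:99999:7:::
daemon:*:17680:0:99999:7:::
"""

def classify_hash(field):
    """Return (algorithm, salt) for a shadow hash field, (None, None) if unknown."""
    m = MODULAR.match(field)
    if m:
        return CRYPT_IDS.get(m.group(1), "unknown $%s$" % m.group(1)), m.group(2)
    if DES.match(field):
        # Traditional DES crypt: 2-character (12-bit) salt, and only the first
        # 8 password characters are used; anything longer is silently dropped.
        return "DES", field[:2]
    return None, None

def audit_shadow(lines):
    """Return (user, finding) tuples for weak hashes and reused salts."""
    findings, seen = [], []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[1] in ("", "*") or parts[1].startswith("!"):
            continue  # empty or locked password field: nothing to audit
        user = parts[0]
        alg, salt = classify_hash(parts[1])
        if alg is None:
            findings.append((user, "unrecognised hash format"))
            continue
        if alg == "DES":
            findings.append((user, "DES crypt: password truncated to 8 chars, 12-bit salt"))
        for other, other_salt in seen:
            if other_salt == salt:  # same salt => identical passwords give identical hashes
                findings.append((user, "salt %r reused with account %r" % (salt, other)))
        seen.append((user, salt))
    return findings
```

Run audit_shadow over the real /etc/shadow of a built image (as root) to confirm that no account still carries a DES hash after the chpasswd change.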
* [caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly
* Check all rules in table until we find one with a SRC_IP
* Revert "[serial watchdog] remove serial watchdog service dependency to rc.local (#1752)"
* Revert "[service] introducing serial port watchdog service (#1743)"
https://github.com/Azure/azure-kusto-python
azure-kusto-data Package provides the capability to query Kusto clusters with Python.
azure-kusto-ingest Package allows sending data to Kusto service - i.e. ingest data.
The removed package adal is a dependent of the Azure Kusto Library.
The removed azure-storage is deprecated and being replaced with new packages that are
also the dependents of the Azure Kusto Library. (https://github.com/Azure/azure-storage-python)
Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>
* [serial watchdog] remove serial watchdog service dependency to rc.local
When restarting this service in rc.local, the dependency causes an error
in syslog. Removing the dependency to mute the error log entry.
* remove lines with empty inputs
* Fix minigraph parser issue when handling LAG related ACL table configuration
* rephrase the warning message.
* pick up swss change in https://github.com/Azure/sonic-swss/pull/494
* [rc.local] refactor platform identification code to separate function
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
* [rc.local] infrastructure to take action according to installer.conf
* [serial port watchdog] add service to watch serial port processes
Monitor serial port processes. Kill ones stuck for too long.
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
* [rc.local] start watchdog on serial port specified by installer.conf
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
* Add noise config for PortChannel & EthernetInterface in simple-sample-graph.xml
* Add noise config for PORTCHANNEL_INTERFACE in simple-sample-graph.xml
Signed-off-by: Wenda <wenni@microsoft.com>
* Add noise config for DEVICE_NEIGHBOR in t0-sample-graph.xml
Add unit test against introducing ports not existing in port_config.ini
into DEVICE_NEIGHBOR
Signed-off-by: Wenda <wenni@microsoft.com>
* DeviceInterfaceLink in minigraph.xml can contain a port not existing in
port_config.ini but containing a non-zero Bandwidth attribute
Add noise config in simple-sample-graph.xml to capture the case that
such a port is leaked into config_db.json
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect PORTCHANNEL from ports not existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect PORTCHANNEL_INTERFACE from portchannels containing ports not
existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect DEVICE_NEIGHBOR from ports not existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Add noise config Ethernet1 in DeviceInterfaceLinks in simple-sample-graph.xml as it is in PortChannel1001
Signed-off-by: Wenda <wenni@microsoft.com>
* Add noise config Ethernet1 in DeviceInterfaceLinks in simple-sample-graph.xml as it is in PortChannel1001
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect PORTCHANNEL from ports not existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect PORTCHANNEL_INTERFACE from portchannels containing ports not
existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Protect DEVICE_NEIGHBOR from ports not existing in port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Correct space in minigraph.py
Signed-off-by: Wenda <wenni@microsoft.com>
* Does not allow non-port_config.ini port to get into the port list
Signed-off-by: Wenda <wenni@microsoft.com>
* Check PORTCHANNEL against PORT list only if port_config_file exists
Signed-off-by: Wenda <wenni@microsoft.com>
* Correct format
Signed-off-by: Wenda <wenni@microsoft.com>
* print warning when a port coming from DeviceInterfaceLink is not in
port_config.ini
Signed-off-by: Wenda <wenni@microsoft.com>
* Change Ethernet1 and 2 to fortyGigE0/1 and 2, respectively
Signed-off-by: Wenda <wenni@microsoft.com>
* Change Ethernet1 and 2 to fortyGigE0/1 and 2, respectively
Signed-off-by: Wenda <wenni@microsoft.com>
* print warning when ignoring ports, portchannels, portchannel interfaces, and
device neighbors
Update t0-sample-graph.xml with interface name 'fortyGigE0/2' and the
ACL_TABLE output
Signed-off-by: Wenda <wenni@microsoft.com>
This commit adds new code to support z9100 PFC T1 support with
broadcom recommended MMU settings for PFC feature.
Unit tested the setting by loading sonic-broadcom.bin and checking
the hardware for the values from the JSON file. Added the config.bcm
file th-z9100-32x100G.config.bcm to this folder and updated the
sai.profile file to point to hwsku directory. sai.profile now
points to /usr/share/sonic/hwsku/th-z9100-32x100G.config.bcm
Signed-off-by: Harish Venkatraman <Harish_Venkatraman@dell.com>
This commit adds new code to support z9100 PFC T0 support with
broadcom recommended MMU settings for PFC feature.
Unit tested the setting by loading sonic-broadcom.bin and checking
the hardware for the values from the JSON file. The T0 config supports
fan-out of 100G ports on Z9100. Added new config.bcm for fanout of 100G
ports and tested the fanout by sending traffic using bcmcmd; the new config.bcm
file will be copied to /usr/share/sonic/hwsku/th-z9100-8x100-48x50G.config.bcm.
The sai.profile file is updated to point to hwsku directory.
Signed-off-by: Harish Venkatraman <Harish_Venkatraman@dell.com>
* [fast-reboot]: support encoded & gzipped minigraph in fast reboot
Signed-off-by: Guohan Lu <gulv@microsoft.com>
* add acl.json and snmp.yml into fast-reboot
Signed-off-by: Guohan Lu <gulv@microsoft.com>
* Fix minigraph parser issue when handling LAG related ACL table configuration
Changes to be committed:
modified: src/sonic-config-engine/minigraph.py
modified: src/sonic-config-engine/tests/test_cfggen.py
signed-off-by kebol@mellanox.com
[acl-loader]: Change the header from Rule ID to Table (#250)
[acl-loader]: Add --table_name option to update full operation (#249)
[generate_dump]: fix a saidump file copy bug (#248)
Signed-off-by: Shu0T1an ChenG <shuche@microsoft.com>