Commit Graph

165 Commits

Author SHA1 Message Date
arheneus@marvell.com
fc1295bdcc [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040)
Certain platform-specific packages (sonic-platform-xyz) install files onto rootfs, which are placed on the read-write mount path /host/image-name/rw/...
When ntpd starts it tries to read /usr/bin, /usr/sbin and /usr/local/bin, which in turn link further to the read-write mount path as well.
ntpd then gets the AppArmor warning message below:

LOG:-
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add the rw/.. mount path, similar to the root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2022-10-16 05:42:35 +00:00
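The three DENIED records quoted above are what has to be read by hand to work out which file rule the profile is missing. As an added example (not code from the SONiC repository or from this commit), here is a small Python parser for AppArmor audit records that extracts the paths one profile was denied on and drafts the matching file rules. Globbing the image directory as /image-*/rw/ and the plain '<path> <perms>,' rule syntax are this example's assumptions; the commit's actual edit to /etc/apparmor.d/usr.sbin.ntpd is not shown on the page. The sample log is constructed from the lines in the commit message plus one non-DENIED record.

```python
import re

# Constructed sample input: the three DENIED records quoted in the commit message, plus one
# non-DENIED record (complain-mode ALLOWED) added here so the filter has something to skip.
SAMPLE_LOG = """\
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:24): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# One key=value field: either key="quoted value" or key=bare_token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None for any other line."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def denied_paths(log_text, profile):
    """Map each path the given profile was denied on to the set of denied permission masks."""
    denied = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED' or rec.get('profile') != profile:
            continue
        if 'name' not in rec or 'denied_mask' not in rec:
            continue  # e.g. a capability or signal denial, which carries no file path
        denied.setdefault(rec['name'], set()).add(rec['denied_mask'])
    return denied

# Assumption of this example: the image's read-write overlay lives under /<image-name>/rw/,
# so the first path component is globbed to keep the rule valid across image upgrades.
IMAGE_DIR_RE = re.compile(r'^/image-[^/]+/rw/')

def suggest_rules(denied):
    """Draft AppArmor file rules ('<path> <perms>,') for the denied paths, one per path."""
    rules = set()
    for path, masks in denied.items():
        generic = IMAGE_DIR_RE.sub('/image-*/rw/', path)
        perms = ''.join(sorted(set(''.join(masks))))
        rules.add('%s %s,' % (generic, perms))
    return sorted(rules)

if __name__ == '__main__':
    denied = denied_paths(SAMPLE_LOG, '/usr/sbin/ntpd')
    for path in sorted(denied):
        print('denied:', path, ''.join(sorted(denied[path])))
    print('suggested rules for /etc/apparmor.d/usr.sbin.ntpd:')
    for rule in suggest_rules(denied):
        print('  ' + rule)
```

Feed it `journalctl -k` or /var/log/syslog output instead of SAMPLE_LOG to get the same report for a live box; the generated rules are a starting point to review, not something to append to the profile unread, since a broad glob also widens what ntpd may read.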
zzhiyuan
45a8208501
Add panic_on_unrecovered_nmi to kernel settings (#7837)
Watchdog does not trigger a kernel panic on Arista 7170 platform because this parameter is missing on 201911 but not on master.
2021-06-14 13:52:51 -07:00
Stephen Sun
9a163fe87b
Install haveged package on 201911/stretch to accelerate the entropy collect process (#7308)
Recently we found that on some of our testbeds the entropy collection process finishes more than 60 seconds after the system has started.
This results in swss sporadically being unable to start.
Installing haveged accelerates the entropy collection process.

Signed-off-by: Stephen Sun <stephens@nvidia.com>
2021-05-02 08:16:24 -07:00
abdosi
feb7121d9e
[201911] Fix easy_install error when installing pip (#7272)
See the error below:

+ sudo https_proxy= LANG=C chroot ./fsroot easy_install pip==20.3.3
Searching for pip==20.3.3
Reading https://pypi.python.org/simple/pip/
Couldn't find index page for 'pip' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
No local packages or working download links found for pip==20.3.3
error: Could not find suitable distribution for Requirement.parse('pip==20.3.3')

How I fixed it:

Install python-pip via apt-get
Pin the version to 20.3.3
Master has the same changes.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-04-08 18:02:31 -07:00
Renuka Manavalan
2276e2de25 [baseimage]: specify gid for redis group. (#7249)
Problem:
Default groupadd for redis takes 1000 by default. This forces the subsequently created admin group to get 1001.
As all TACACS users are created with 1000 as their gid, they end up in the redis group.

Fix:
Create redis group *after* admin group is created
Add a check that admin group id is 1000
2021-04-08 09:42:29 -07:00
Joe LeVeque
b2b6b75d2a [201911] Install Python 3 scapy version 2.4.4 in host OS 2021-02-27 20:07:19 +00:00
lguohan
fcf93dda12
[sonic-linux-kernel]: kernel security update to 4.9.246 (#6545)
* [sonic-linux-kernel]: kernel security update to 4.9.246
* [Arista] Update driver submodule (#60)
     Update kernel dependency to 4.9.0-14-2

Signed-off-by: Guohan Lu <lguohan@gmail.com>
Co-authored-by: Samuel Angebault <angebault.samuel@gmail.com>
2021-01-28 08:46:07 -08:00
abdosi
9779560b63 [baseimage]: Updates for Ebtables and support for multi-asic (#6542)
The following changes were made for ebtables:

- Support for multi-ASIC platforms. Ebtables filters are installed in the namespaces for multi-ASIC and not on the host. On single-ASIC they are installed on the host.

- For multi-ASIC platforms we don't want to install on the host, otherwise namespace-to-namespace communication does not happen since ARP requests are not forwarded.

- Updated to use a text file to restore ebtables rules rather than the binary format. Rules are restored as part of database docker init instead of rc.local.

- Removed the ebtables service files for buster as they are not needed, since filters are restored/installed as part of database docker init.
  All the binaries are pre-installed; the ebtables* binaries are the same as ebtables-legacy-*.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-27 16:59:10 -08:00
arheneus@marvell.com
e9d3d96c69 [ebtables] Replace binary config file with text config file for ebtables (#5252)
Issue: Binary ebtables config file is CPU arch dependent
Fix: Load the text config during first-time boot and
     generate the binary persistent atomic file

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2021-01-27 16:57:41 -08:00
abdosi
01871c46dc
[baseimage]: pin down pip to 20.3.3 (#6539)
With the release of pip 21.0 (https://pypi.org/project/pip/#history), the 201911 stretch build is failing with the error logs below:
As per https://pypi.org/project/pip/, pip 21.0 does not support Python 2 from January 2021. To fix this, tag pip to version 20.3.3, which was being used last and is working fine.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2021-01-23 16:34:39 -08:00
Tamer Ahmed
fae4c4bfcc [swss] Enhance ARP Update to Call Sonic Cfggen Once (#5398)
This PR limited the number of calls to sonic-cfggen to one call
per iteration instead of the current 3 calls per iteration.

The PR also installs jq on host for future scripts if needed.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-12-22 09:51:54 -08:00
Renuka Manavalan
cc135807d9 Pass additional parameter "%P" - pid of the process in the initial namespace, which is host. (#5301)
This would enable the coredump_compress script to retrieve additional info regarding the crashing process.
2020-10-06 13:17:21 -07:00
Abhishek Dosi
80a2a83b12 Revert "Pass additional parameter "%P" - pid of the process in the initial namespace, which is host. (#5301)"
This reverts commit 96956a60a8.
2020-09-08 15:36:12 +00:00
Tamer Ahmed
7bf0537c9e [redis] Add redis Group And Grant Read/Write Access to Members (#5289)
sonic-cfggen is now using a Unix domain socket for the Redis DB. The socket
is created using the root account. Subsequently, services that are started
as admin fail to start. This PR creates a redis group and adds the admin
user to the redis group. It also grants read/write access on redis.sock
to redis group members.

signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
2020-09-04 21:16:16 +00:00
Renuka Manavalan
96956a60a8 Pass additional parameter "%P" - pid of the process in the initial namespace, which is host. (#5301)
This would enable the coredump_compress script to retrieve additional info regarding the crashing process.
2020-09-04 21:14:56 +00:00
lguohan
78c803851c [build]: combine feature and container feature table (#5081)
1. remove container feature table
2. do not generate feature entry if the feature is not included
   in the image
3. rename ENABLE_* to INCLUDE_* for better clarity
4. rename feature status to feature state
5. [submodule]: update sonic-utilities

* 9700e45 2020-08-03 | [show/config]: combine feature and container feature cli (#1015) (HEAD, origin/master, origin/HEAD) [lguohan]
* c9d3550 2020-08-03 | [tests]: fix drops_group_test failure on second run (#1023) [lguohan]
* dfaae69 2020-08-03 | [lldpshow]: Fix input device is not a TTY error (#1016) [Arun Saravanan Balachandran]
* 216688e 2020-08-02 | [tests]: rename sonic-utilitie-tests to tests (#1022) [lguohan]

Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-08-09 11:55:40 -07:00
isabelmsft
ca844ec6b3 Update Kubernetes and kubernetes-cni versions (#5024)
This PR updates kubernetes version to 1.18.6 and kubernetes-cni version to 0.8.6

Signed-off-by: Isabel Li <isabel.li@microsoft.com>

Why I did it
The previous kubernetes-cni version (0.7.5) introduced a Kubernetes man-in-the-middle vulnerability. “A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.”

How I did it
Defined kubernetes-cni version to be 0.8.6 and updated kubernetes version to be 1.18.6

How to verify it
Check versions by running dpkg -l | grep kube
2020-07-26 11:08:21 -07:00
abdosi
4869fa7173 [sonic-buildimage] Changes to make network specific sysctl common for both host and docker namespace (#4838)
* [sonic-buildimage] Changes to make network specific sysctl
common for both host and docker namespace (in multi-npu).

This change was triggered by an issue found on multi-NPU platforms
where in the docker namespace
net.ipv6.conf.all.forwarding was 0 (should be 1), because of
which RS/RA messages were triggered and link-local routers were learnt.

Besides this there were some other sysctl net.ipv6.* params whose value
in the docker namespace was not the same as in the host namespace.

So, to make sure we are always in sync in the host and docker namespaces,
created a common file that lists all sysctl net.* params and is used
by both the host and the docker namespace. Any change will get applied
to both namespaces.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address review comments and made sure to invoke augtool
only once and do string concatenation of all set commands

* Address Review Comments.
2020-07-05 15:32:30 -07:00
abdosi
173168ca86 kubeadm package apt-get install has unmet dependency error (#4804)
to other packages so installing them explicitly.
2020-06-18 23:16:30 -07:00
Olivier Singla
18bbbb3c02 [baseimage]: Run fsck filesystem check support prior mounting filesystem (#4431)
* Run fsck filesystem check support prior mounting filesystem

If the filesystem becomes not clean ("dirty"), SONiC does not run fsck to
repair it and mark it as clean again.

This patch adds the functionality to run fsck on each boot, prior to the
filesystem being mounted. This allows the filesystem to be repaired if
needed.

Note that if the filesystem is marked as clean, fsck does nothing and simply
returns, so it is perfectly fine to call fsck every time prior to mounting the
filesystem.

How to verify this patch (using bash):

Using an image without this patch:

Make the filesystem "dirty" (not clean)
[we are making the assumption that the filesystem is stored in /dev/sda3 - please adjust depending on the platform]
[do this only on a test platform!]

# dump the first 2048 bytes of the device; the primary ext superblock starts at byte 1024
dd if=/dev/sda3 of=superblock bs=1 count=2048
# set the low byte of s_state (superblock offset 58, i.e. byte 1082 of the device) to 2 = EXT2_ERROR_FS
printf "$(printf '\\x%02X' 2)" | dd of="superblock" bs=1 seek=1082 count=1 conv=notrunc &> /dev/null
# write the patched bytes back to the device
dd of=/dev/sda3 if=superblock bs=1 count=2048

Verify that filesystem is not clean
tune2fs -l /dev/sda3 | grep "Filesystem state:"

reboot and verify that the filesystem is still not clean
Redo the same test with an image with this patch, and verify that at next reboot the filesystem is repaired and becomes clean.

The fsck log is stored in syslog, using the string FSCK as the marker.
2020-06-16 08:12:11 -07:00
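The printf | dd step in the verification recipe flips one byte at device offset 1082 and tune2fs -l is then used to confirm the state. As an added example (not part of this commit or of the SONiC tree), the Python below performs the same check directly on the 2048-byte dump that the first dd command produces: it validates the ext magic, decodes s_state, renders it the way tune2fs prints the "Filesystem state:" field, and reports whether a mount-time fsck would have work to do. The offsets are those of the on-disk ext2/3/4 superblock layout; the sample buffer is constructed in the code with only the magic and state fields populated.

```python
import struct
import sys

# On-disk ext2/3/4 superblock layout; the primary copy lives 1024 bytes into the device.
SB_OFFSET = 1024
MAGIC_OFF = 56      # s_magic, little-endian u16
STATE_OFF = 58      # s_state, little-endian u16 (1024 + 58 = 1082, the seek= in the dd step)
EXT_MAGIC = 0xEF53
VALID_FS = 0x0001   # cleanly unmounted
ERROR_FS = 0x0002   # errors detected

def fs_state(buf):
    """Decode s_state from a buffer that starts at device offset 0, e.g. the 2048-byte dd dump."""
    if len(buf) < SB_OFFSET + STATE_OFF + 2:
        raise ValueError('buffer too short to contain the primary superblock')
    magic, state = struct.unpack_from('<HH', buf, SB_OFFSET + MAGIC_OFF)
    if magic != EXT_MAGIC:
        raise ValueError('not an ext2/3/4 superblock (magic 0x%04x)' % magic)
    return state

def describe_state(state):
    """Render s_state the way 'tune2fs -l' prints the 'Filesystem state:' field."""
    text = 'clean' if state & VALID_FS else 'not clean'
    if state & ERROR_FS:
        text += ' with errors'
    return text

def needs_fsck(buf):
    """True when a boot-time fsck would actually do work: not cleanly unmounted, or errors flagged."""
    state = fs_state(buf)
    return not (state & VALID_FS) or bool(state & ERROR_FS)

def mark_dirty(buf):
    """Return a copy with s_state set to ERROR_FS.

    The printf | dd step in the recipe writes only the low byte at 1082; on a clean
    filesystem (s_state == 1) that yields the same value 2 as this function.
    """
    out = bytearray(buf)
    struct.pack_into('<H', out, SB_OFFSET + STATE_OFF, ERROR_FS)
    return bytes(out)

def make_sample_dump(state=VALID_FS):
    """Constructed 2048-byte dump with only the fields this example reads populated."""
    buf = bytearray(2048)
    struct.pack_into('<H', buf, SB_OFFSET + MAGIC_OFF, EXT_MAGIC)
    struct.pack_into('<H', buf, SB_OFFSET + STATE_OFF, state)
    return bytes(buf)

if __name__ == '__main__':
    # With a device argument (opened read-only, e.g. /dev/sda3) inspect the real superblock;
    # otherwise walk the constructed sample from clean to dirty.
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as dev:
            dump = dev.read(2048)
        print('Filesystem state:', describe_state(fs_state(dump)), '| needs fsck:', needs_fsck(dump))
    else:
        dump = make_sample_dump()
        print('before:', describe_state(fs_state(dump)), '| needs fsck:', needs_fsck(dump))
        dump = mark_dirty(dump)
        print('after: ', describe_state(fs_state(dump)), '| needs fsck:', needs_fsck(dump))
```

Reading a mounted root device is safe here because the script only reads; it never writes back, which is the part of the recipe the commit message restricts to a test platform.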
Guohan Lu
16ad356f3a [baseimage]: install same version for docker-ce and docker-ce-cli
Signed-off-by: Guohan Lu <lguohan@gmail.com>
2020-05-20 00:45:37 +00:00
Renuka Manavalan
9b017a83b5
[baseimage]: Install Kubernetes packages if enabled in image (#4374) (#4432)
Install kubeadm, which transparently installs kubelet & kubectl,
as well as downloading the Kubernetes images required to run as a Kubernetes node.
The kubelet service is intentionally kept in the disabled state, as it would otherwise
continuously restart, wasting resources, until joined to a master.
2020-04-16 21:54:45 -07:00
Ying Xie
384055a314 [NTP] Revert change in PR 2598 (#4265)
We believe that the supervisord issue in face of clock rolling backwards
has been addressed. Therefore reverting change 2598 to allow ntp sync
to right clock at the start up time.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2020-03-22 22:59:39 -07:00
Olivier Singla
a8baca0d6e [kernel]: security kernel update to 4.9.189 (#3913)
This patch upgrades the kernel from version
4.9.0-9-2 (4.9.168-1+deb9u3) to 4.9.0-11-2 (4.9.189-3+deb9u2)

Co-authored-by: rajendra-dendukuri <47423477+rajendra-dendukuri@users.noreply.github.com>
2020-03-15 08:52:29 -07:00
rajendra-dendukuri
8581a52571 ZTP infrastructure changes to support DHCP discovery provisioning data (#3298)
* ZTP infrastructure changes to support DHCP discovery provisioning data

- Dynamically generate DHCP client configuration based on current ZTP state
- Added support to request and process hostname when using DHCPv6
- Do not process graphservice url dhcp option if ZTP is enabled, ZTP service
will process it
- Generate /e/n/i file with all active interfaces seeking address assignment
via DHCP. Only interfaces that are created in Linux will be added to /e/n/i.
Also DHCP is started only on linked up in-band interfaces.

Signed-off-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com>
2020-03-03 22:23:59 -08:00
Nazarii Hnydyn
11503c76e7 [image]: Add SSD maintenance utility - hdparm. (#4177)
Signed-off-by: Nazarii Hnydyn <nazariig@mellanox.com>
2020-03-03 22:12:49 -08:00
Prince Sunny
48ca0a1a47 [kernel]: Increasing gc threshold values for kernel neighbors (#4100)
Increase gc threshold values as below:

Previous:

net.ipv6.neigh.default.gc_thresh1=128
net.ipv6.neigh.default.gc_thresh2=512
net.ipv6.neigh.default.gc_thresh3=1024
net.ipv4.neigh.default.gc_thresh1=128
net.ipv4.neigh.default.gc_thresh2=512
net.ipv4.neigh.default.gc_thresh3=1024

New

net.ipv6.neigh.default.gc_thresh1=1024
net.ipv6.neigh.default.gc_thresh2=2048
net.ipv6.neigh.default.gc_thresh3=4096
net.ipv4.neigh.default.gc_thresh1=1024
net.ipv4.neigh.default.gc_thresh2=2048
net.ipv4.neigh.default.gc_thresh3=4096
2020-02-04 11:00:44 -08:00
Kiran Kumar Kella
a943e6ce45 Changes in sonic-buildimage to support the NAT feature (#3494)
* Changes in sonic-buildimage for the NAT feature
- Docker for NAT
- installing the required tools iptables and conntrack for nat

Signed-off-by: kiran.kella@broadcom.com

* Add redis-tools dependencies in the docker nat compilation

* Addressed review comments

* add natsyncd to warm-boot finalizer list

* addressed review comments

* using swsscommon.DBConnector instead of swsssdk.SonicV2Connector

* Enable NAT application in docker-sonic-vs
2020-02-03 15:30:39 -08:00
Abhishek
6045e34650 Merge branch 'abdosi/master_201911_label_to_201911' into 201911.
Cherry pick changes from master into 201911
2020-01-06 17:30:03 -08:00
Joe LeVeque
5e07b252ff [monit] Build from source and patch to use MemAvailable value if available on system (#3875) 2020-01-06 11:41:20 -08:00
lguohan
b2234a682d [docker-base-stretch]: Do not check expire for stretch-backports repo (#3958)
* [docker-base-stretch]: Do not check expire for stretch-backports repo

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2020-01-03 10:44:26 -08:00
Olivier Singla
c70d8bca9f [baseimage]: kdump support (#3722)
* In the event of a kernel crash, we need to gather as much information
as possible to understand and identify the root cause of the crash.
Currently, the kernel does not provide much information, which makes
kernel crash investigation difficult and time consuming.

Fortunately, there is a way in the kernel to provide more information
in the case of a kernel crash. kdump is a feature of the Linux kernel
that creates crash dumps in the event of a kernel crash. This PR
will add kernel kdump support.

An extension to the CLI utilities config and show is provided to
configure and manage kdump:
 - enable / disable kdump functionality
 - configure kdump (how many kernel crash logs can be saved, memory
   allocated for capture kernel)
 - view kernel crash logs
2019-11-08 23:08:42 -08:00
Ying Xie
9fb1860425
[file permission] explicitly set file permission on passwd, group, shadow (#3652)
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-10-22 19:02:08 -07:00
arheneus@marvell.com
2694e66074 [build]: build ARM kernel support from sonic-linux-kernel (#3556)
* Makefile: ARM kernel support from sonic-linux-kernel
        * Fix for multiarch  build docker spawn
Platform: Install the DTB deb for the platform

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-10-10 15:11:26 -07:00
Qi Luo
1b5c65fcf1 [build]: Update comments on build_debian.sh (#3533) 2019-10-09 17:38:53 -07:00
Harish Venkatraman
31d1a76197 [baseimage]: Management vrf ntp support (#3204)
This commit adds NTP support for management VRF using L3mdev. Config vrf add
mgmt will enable management VRF, enslave the eth0 device to the master device
mgmt, stop ntp service in default, restart interfaces-configs and restart ntp
service in mgmt-vrf context. Requirement and design are covered in mgmt vrf
design document.

Signed-off-by: Harish Venkatraman <harish_venkatraman@dell.com>
2019-09-16 10:21:06 -07:00
Danny Allen
97c675c6d5 [cron.d] Add cron job to periodically clean-up core files (#3449)
* [cron.d] Create cron job to periodically clean-up core files
* Create script to scan /var/core and clean-up older core files
* Create cron job to run clean-up script

Signed-off-by: Danny Allen <daall@microsoft.com>

* Update interval for running cron job

* Respond to feedback

* Change syslog id
2019-09-13 10:50:31 -07:00
lguohan
95a72b4e39
[baseimage]: fix monit configuration (#3448)
- monit config broken by a monit upgrade
- abandon the sed approach since it is susceptible to monit config changes
- use unixsocket instead of httpd due to a bug in 5.20.0
2019-09-12 22:48:40 -07:00
Danny Allen
cfcf30570b
[build_debian] Include checksum of ASIC config files in SONiC filesystem (#3384)
[build_debian] Generate checksum of ASIC config files

* Adds script to generate checksums for ASIC config files
* Adds step to build_debian that copies ASIC config checksum into SONiC filesystem

Signed-off-by: Danny Allen <daall@microsoft.com>
2019-09-05 19:41:35 -07:00
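The commit describes a script that checksums the ASIC config files and a build step that copies the result into the SONiC filesystem, but the page does not show the verify side. As an added example, not code from sonic-buildimage, the Python below generates a sha256sum-style manifest for a directory tree and verifies a tree against it, reporting modified, missing and unexpected files. SHA-256 and the two-space "<digest>  <relative path>" layout are this example's assumptions; the sample config tree in demo() is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Assumptions of this example: SHA-256 and a sha256sum-style "<digest>  <relative path>"
# manifest; the commit does not say which digest or layout the real script uses.
SEP = '  '

def file_digest(path, chunk=65536):
    """SHA-256 of one file, streamed so large config blobs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()

def walk_files(root):
    """Return paths of regular files under root, relative to root, sorted."""
    rels = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rels.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(rels)

def generate_manifest(root):
    """Return manifest text covering every file under root."""
    return ''.join('%s%s%s\n' % (file_digest(os.path.join(root, rel)), SEP, rel)
                   for rel in walk_files(root))

def parse_manifest(text):
    """Return {relative path: digest} from manifest text, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(SEP, 1)
            entries[rel] = digest
    return entries

def verify_manifest(root, manifest_text):
    """Compare the tree under root with the manifest.

    Returns {relative path: 'modified' | 'missing' | 'unexpected'}; empty means intact.
    """
    expected = parse_manifest(manifest_text)
    problems = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = 'missing'
        elif file_digest(full) != digest:
            problems[rel] = 'modified'
    for rel in walk_files(root):
        if rel not in expected:
            problems[rel] = 'unexpected'
    return problems

def demo():
    """Checksum a constructed config tree, tamper with it, and return (before, after) reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'hwsku'))
        with open(os.path.join(root, 'hwsku', 'config.bcm'), 'w') as f:
            f.write('# constructed sample content\nparity_enable=1\n')
        with open(os.path.join(root, 'sai.profile'), 'w') as f:
            f.write('# constructed sample content\n')
        manifest = generate_manifest(root)
        before = verify_manifest(root, manifest)
        with open(os.path.join(root, 'hwsku', 'config.bcm'), 'a') as f:
            f.write('l3_alpm_enable=2\n')                      # tamper: append a line
        os.remove(os.path.join(root, 'sai.profile'))            # tamper: delete a file
        with open(os.path.join(root, 'extra.bcm'), 'w') as f:   # tamper: add a file
            f.write('x\n')
        after = verify_manifest(root, manifest)
        return before, after

if __name__ == '__main__':
    before, after = demo()
    print('intact tree:  ', before)
    print('tampered tree:', after)
```

A manifest stored next to the files it covers only detects accidental drift; to catch deliberate tampering the manifest itself has to be kept somewhere the attacker cannot rewrite, or be signed, which this example does not do.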
arheneus@marvell.com
7bf8fbe601 [build_debian] docker version update for ARM arch (#3353)
Docker version above 18 has inconsistent behaviour with qemu.
Hence using the same version 18 used in sonic-slave

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-08-28 18:38:21 -07:00
Renuka Manavalan
14458b79ba
Create the src archive in target/ when INSTALL_DEBUG_TOOLS=y (#3323)
* Create the src archive in target/ when INSTALL_DEBUG_TOOLS=y

* Dropped -v (verbose flag) from tar command
2019-08-28 09:29:48 -07:00
lguohan
b2db3971cf
[baseimage]: install ndisc6 package (#3344)
ndisc6 gathers a few diagnostic tools for IPv6 networks including:

 - ndisc6, which performs ICMPv6 Neighbor Discovery in userland,
 - rdisc6, which performs ICMPv6 Router Discovery in userland,
 - rltraceroute6, a UDP/ICMP IPv6 implementation of traceroute,
 - tcptraceroute6, a TCP/IPv6-based traceroute implementation,
 - tcpspray6, a TCP/IP Discard/Echo bandwidth meter,
 - addrinfo, easy script interface for hostname and address resolution,
 - dnssort, DNS sorting script.

Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-08-15 00:32:58 -07:00
Tony Titus
91510a7742 [innovium]: Initial commit (#3243)
[build] Add ipmitool
[dockers] Add innovium platform in orchagent + ipmitool in snmp
[platform/innovium] Add innovium platform
[device/celestica] Add x86_64-cel_midstone-r0 device for innovium
[device/delta] Add x86_64-delta_et-c032if-r0 device for innovium
[sonic-slave-stretch] Add texi2html

Signed-off-by: Tony Titus <ttitus@innovium.com>
2019-08-14 10:40:55 -07:00
arheneus@marvell.com
8de26b7bb9 [Makefile/slave docker] ARM arch doesn't support few packages (#3273)
* [Makefile/slave docker] ARM arch doesn't support few packages
  iproute2 is missing for ARM sonic-slave docker

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-08-06 21:33:14 -07:00
arheneus@marvell.com
50fe458592 [build]: SONiC buildimage ARM arch support (#2980)
ARM Architecture support in SONIC

make configure platform=[ASIC_VENDOR_ARCH] PLATFORM_ARCH=[ARM_ARCH]
SONIC_ARCH: default amd64
armhf - arm32bit
arm64 - arm64bit

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2019-07-25 22:06:41 -07:00
Harish Venkatraman
3e69427ac0 [baseimage] management VRF support via l3mdev (#2585)
This commit adds support for the new feature management VRF using L3mdev. Added
commands to enable/disable management VRF. Config vrf add mgmt will enable
management VRF, enslave the eth0 device to the master device mgmt and restart
interfaces-configs in mgmt-vrf context.

management interface (eth0) can be configured using config interface eth0 ip
add command and removed using config interface eth0 ip remove command.

Requirement and design are covered in mgmt vrf design document.  Currently show
command displays linux command output; will update show command display in next
PR after concluding what would be the output for the show commands. Added
metric for default routes in dhcp and static, any changes for metric will be
addressed subsequently after discussing.

Signed-off-by: Harish Venkatraman <harish_venkatraman@dell.com>
2019-07-24 16:18:40 -07:00
Neetha John
f64e79172c [docker-engine]: Update docker engine to 18.09.8 (#3211)
Signed-off-by: Neetha John <nejo@microsoft.com>
2019-07-24 09:44:14 -07:00
rajendra-dendukuri
40c8bc14cd [baseimage]: Upgrade ifupdown2 to version 1.2.8 (#3180)
* Upgrade ifupdown2 to version 1.2.8

Required by ZTP to support ZTP over IPv6 transport

Signed-off-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com>
2019-07-19 23:09:14 -07:00
Joe LeVeque
fa8b22ad93 [baseimage]: Install mcelog package to host OS; log machine check exceptions (MCE) to syslog (#3158)
* Install mcelog package to host OS; log machine check exceptions (MCE) to syslog
2019-07-17 09:43:05 -07:00
Qi Luo
6a99dd81be [baseimage]: Remove old ping permission fix because of aufs->overlay filesystem (#3154)
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
2019-07-13 12:38:10 -07:00