a6437d8ab6
* [Security] Fix the krb5 vulnerability issue (#17914)

  ### Why I did it
  Fix the krb5 vulnerability issue:
  - CVE-2021-36222 allows remote attackers to cause a NULL pointer dereference and daemon crash
  - CVE-2021-37750 NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field
  - DSA 5286-1 remote code execution

  ##### Work item tracking
  - Microsoft ADO **(number only)**: 26577929

  #### How I did it
  Upgrade the krb5 version to 1.18.3-6+deb11u14+fips.

* [Build] Fix krb5 package not found issue (#17926)

  Why I did it
  Fix the build issue caused by the wrong version specified. See the build error logs:

  ```
  Try 4: /usr/bin/wget --retry-connrefused failed to get: -O
  --2024-01-26 11:38:23-- https://sonicstorage.blob.core.windows.net/public/fips/bullseye/0.10/amd64/libk5crypto3_1.18.3-6+deb11u14+fips_amd64.deb
  Resolving sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)... 20.60.59.131
  Connecting to sonicstorage.blob.core.windows.net (sonicstorage.blob.core.windows.net)|20.60.59.131|:443... connected.
  HTTP request sent, awaiting response... 404 The specified blob does not exist.
  2024-01-26 11:38:23 ERROR 404: The specified blob does not exist..
  Try 5: /usr/bin/wget --retry-connrefused failed to get: -O
  make[1]: *** [Makefile:12: /sonic/target/debs/bullseye/symcrypt-openssl_0.10_amd64.deb] Error 8
  make[1]: Leaving directory '/sonic/src/sonic-fips'
  ```

  Work item tracking
  Microsoft ADO (number only): 26577929

  The package not installed but PR passed issue is traced in another issue #17927

  How I did it
  Add the libkrb5-dev and the dependent packages to fix the docker-sonic-vs build failure. The package libzmq3-dev has a dependency on libkrb5-dev.

* [202305] Support FIPS for armhf
* Remove unused mirror
* Fix fips options issue
| Name |
|---|
| .. |
| docker-gbsyncd-vs |
| docker-sonic-vs |
| docker-syncd-vs |
| sonic-version |
| tests |
| create_vnet.sh |
| docker-gbsyncd-vs.dep |
| docker-gbsyncd-vs.mk |
| docker-ptf-sai.dep |
| docker-ptf-sai.mk |
| docker-ptf.dep |
| docker-ptf.mk |
| docker-sonic-vs.dep |
| docker-sonic-vs.mk |
| docker-syncd-vs.dep |
| docker-syncd-vs.mk |
| gbsyncd-vs.mk |
| kvm-image.dep |
| kvm-image.mk |
| libsaithrift-dev.dep |
| libsaithrift-dev.mk |
| one-image.dep |
| one-image.mk |
| onie.dep |
| onie.mk |
| platform.conf |
| raw-image.dep |
| raw-image.mk |
| README.gns3.md |
| README.vsdocker.md |
| README.vsvm.md |
| rules.dep |
| rules.mk |
| sonic_multiasic.xml |
| sonic-gns3a.sh |
| sonic-version.dep |
| sonic-version.mk |
| sonic.xml |
| syncd-vs.dep |
| syncd-vs.mk |
# HOWTO Use Virtual Switch (VM)

- Install libvirt, kvm, qemu

  ```
  sudo apt-get install libvirt-clients qemu-kvm libvirt-bin
  ```

- Create SONiC VM for single-ASIC HWSKU

  ```
  $ sudo virsh
  Welcome to virsh, the virtualization interactive terminal.

  Type:  'help' for help with commands
         'quit' to quit

  virsh #
  virsh # create sonic.xml
  Domain sonic created from sonic.xml

  virsh #
  ```

- Create SONiC VM for multi-ASIC HWSKU
  - Based on the number of ASICs of the HWSKU, update device/x86_64-kvm_x86_64-r0/asic.conf:

    ```
    NUM_ASIC=<n>
    DEV_ID_ASIC_0=0
    DEV_ID_ASIC_1=1
    DEV_ID_ASIC_2=2
    DEV_ID_ASIC_3=3
    ..
    DEV_ID_ASIC_<n-1>=<n-1>
    ```

    For example, a four-ASIC VS asic.conf will be:

    ```
    NUM_ASIC=4
    DEV_ID_ASIC_0=0
    DEV_ID_ASIC_1=1
    DEV_ID_ASIC_2=2
    DEV_ID_ASIC_3=3
    ```

  - Create a topology.sh script which will create the internal ASIC topology for the specific HWSKU. For example, for msft_multi_asic_vs: https://github.com/Azure/sonic-buildimage/blob/master/device/virtual/x86_64-kvm_x86_64-r0/msft_multi_asic_vs/topology.sh
  - With the updated asic.conf and topology.sh, build sonic-vs.img, which can be used to bring up the multi-ASIC virtual switch.
  - Update platform/vs/sonic_multiasic.xml with higher memory and vCPU count as required:
    - For the 4-ASIC VS platform msft_four_asic_vs HWSKU, 8GB memory and 10 vCPUs.
    - For the 7-ASIC VS platform msft_multi_asic_vs HWSKU, 8GB and 16 vCPUs.
  - Update the number of front-panel interfaces in sonic_multiasic.xml:
    - For the 4-ASIC VS platform, 8 front-panel interfaces.
    - For the 6-ASIC VS platform, 64 front-panel interfaces.
  - With the multi-ASIC sonic-vs.img and sonic_multiasic.xml file, bring up the multi-ASIC VS as:

    ```
    $ sudo virsh
    Welcome to virsh, the virtualization interactive terminal.

    Type:  'help' for help with commands
           'quit' to quit

    virsh #
    virsh # create sonic_multiasic.xml
    Domain sonic created from sonic.xml

    virsh #
    ```

  - Steps to convert a prebuilt single-ASIC sonic-vs.img:
    - Use the updated sonic_multiasic.xml file and bring up the virtual switch.
    - Update /usr/share/sonic/device/x86_64-kvm_x86_64-r0/asic.conf as above.
    - Add topology.sh in /usr/share/sonic/device/x86_64-kvm_x86_64-r0/
    - Stop the database service and remove the database docker, so that when the VS is rebooted, database_global.json is created with the right namespaces:

      ```
      systemctl stop database
      docker rm database
      sudo reboot
      ```

    - Once rebooted, the VS should be a multi-ASIC VS.
  - Start the topology service:

    ```
    sudo systemctl start topology
    ```

  - Load configuration using minigraph or config_dbs.

- Access virtual switch:
  - Connect to the SONiC VM via console

    ```
    $ telnet 127.0.0.1 7000
    ```

    OR

  - Connect to the SONiC VM via SSH
    - Connect via console (see the console step above)
    - Request a new DHCP address

      ```
      sudo dhclient -v
      ```

    - Connect via SSH

      ```
      $ ssh -p 3040 admin@127.0.0.1
      ```
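The asic.conf layout used in the multi-ASIC steps above is easy to get subtly wrong by hand (a missing index, a NUM_ASIC that does not match the DEV_ID lines), and a mismatch only shows up after the reboot that regenerates database_global.json. The script below is an added example, not part of sonic-buildimage: it generates an asic.conf for N ASICs in the documented format and checks an existing file for internal consistency. The function names and the scratch path /tmp/asic.conf are assumptions.

```shell
#!/bin/sh
# Added example, not part of sonic-buildimage: generate an asic.conf in the
# layout shown above and check an existing one for internal consistency.
# Function names and the scratch path used below are assumptions.

# gen_asic_conf N: print an asic.conf for N ASICs (NUM_ASIC plus DEV_ID_ASIC_i=i).
gen_asic_conf() {
    n="$1"
    echo "NUM_ASIC=$n"
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "DEV_ID_ASIC_$i=$i"
        i=$((i + 1))
    done
}

# check_asic_conf FILE: return 0 when NUM_ASIC is a number, every index
# 0..NUM_ASIC-1 has exactly one DEV_ID_ASIC_<i>=<i> line, and no extra
# DEV_ID_ASIC_ lines exist; otherwise report the first problem and return 1.
check_asic_conf() {
    f="$1"
    n=$(sed -n 's/^NUM_ASIC=\([0-9][0-9]*\)$/\1/p' "$f" | head -n 1)
    [ -n "$n" ] || { echo "$f: missing or malformed NUM_ASIC" >&2; return 1; }
    i=0
    while [ "$i" -lt "$n" ]; do
        # grep -c prints 0 and exits 1 on no match; '|| true' keeps the count usable
        c=$(grep -c "^DEV_ID_ASIC_$i=$i\$" "$f" || true)
        [ "$c" -eq 1 ] || { echo "$f: DEV_ID_ASIC_$i=$i missing or duplicated" >&2; return 1; }
        i=$((i + 1))
    done
    total=$(grep -c '^DEV_ID_ASIC_' "$f" || true)
    [ "$total" -eq "$n" ] || { echo "$f: $total DEV_ID_ASIC_ lines, expected $n" >&2; return 1; }
    return 0
}

# Constructed usage: write the 4-ASIC asic.conf from the example above to an
# assumed scratch path and check it. On a real VS image the file lives at
# /usr/share/sonic/device/x86_64-kvm_x86_64-r0/asic.conf.
gen_asic_conf 4 > /tmp/asic.conf && check_asic_conf /tmp/asic.conf && echo "asic.conf OK"
```

Run check_asic_conf against the image's asic.conf before the reboot step so a bad file is caught while the VM is still in a known state.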