a850f8b2f5
### Why I did it

Privileges and volumes were incorrectly set in macsec container. Privileged flag is set to false and volumes are not mounted properly.

```
admin@vlab-01:~$ docker inspect macsec0 | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker inspect macsec0 | grep -A 10 Binds
"Binds": [
    "/var/run/redis0:/var/run/redis:rw",
    "/var/run/redis-chassis:/var/run/redis-chassis:ro",
    "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0/Nokia-IXR7250E-36x100G/0:/usr/share/sonic/hwsku:ro",
    "/var/run/redis0/:/var/run/redis0/:rw",
    "/usr/share/sonic/device/x86_64-nokia_ixr7250e_36x400g-r0:/usr/share/sonic/platform:ro"
],
```

### How I did it

#### How to verify it

Make sure privileged settings remain unchanged and make sure volumes are properly mounted.

```
admin@vlab-01:~$ docker inspect macsec | grep Privi
"Privileged": false,
admin@vlab-01:~$ docker inspect macsec | grep -A 10 Binds
"Binds": [
    "/etc/timezone:/etc/timezone:ro",
    "/var/run/redis:/var/run/redis:rw",
    "/var/run/redis-chassis:/var/run/redis-chassis:ro",
    "/etc/fips/fips_enable:/etc/fips/fips_enable:ro",
    "/usr/share/sonic/templates/rsyslog-container.conf.j2:/usr/share/sonic/templates/rsyslog-container.conf.j2:ro",
    "/etc/sonic:/etc/sonic:ro",
    "/host/warmboot:/var/warmboot",
    "/usr/share/sonic/device/x86_64-kvm_x86_64-r0/Force10-S6000/:/usr/share/sonic/hwsku:ro",
    "/usr/share/sonic/device/x86_64-kvm_x86_64-r0:/usr/share/sonic/platform:ro"
],
```
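# docker image for macsec agent
#
# This fragment only assigns variables; it defines no rules or recipes.
# Every macro it reads (DOCKERS_PATH, DBG_IMAGE_MARK, SWSS, ...) is defined
# outside this file. Assignments stay recursive (`=` / `+=`) so that macros
# defined later by other fragments still resolve at use time.

# Image stem, and the names of the regular and debug images derived from it.
DOCKER_MACSEC_STEM = docker-macsec
DOCKER_MACSEC = $(DOCKER_MACSEC_STEM).gz
DOCKER_MACSEC_DBG = $(DOCKER_MACSEC_STEM)-$(DBG_IMAGE_MARK).gz

# Per-image settings live in variables whose names begin with the expanded
# value of $(DOCKER_MACSEC), e.g. docker-macsec.gz_PATH.
$(DOCKER_MACSEC)_PATH = $(DOCKERS_PATH)/$(DOCKER_MACSEC_STEM)

# Dependencies of the image. The debug list starts from the debug
# dependencies of the config-engine (bullseye) image and adds the debug
# variants of swss, wpa_supplicant and libswsscommon.
$(DOCKER_MACSEC)_DEPENDS += $(SWSS) $(WPASUPPLICANT) $(LIBSWSSCOMMON) $(LIBNL3) $(LIBNL_GENL3) $(LIBNL_ROUTE3)
$(DOCKER_MACSEC)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_DEPENDS)
$(DOCKER_MACSEC)_DBG_DEPENDS += $(SWSS_DBG) $(WPASUPPLICANT_DBG) $(LIBSWSSCOMMON_DBG)

# Debug image packages are taken unchanged from the config-engine image.
$(DOCKER_MACSEC)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BULLSEYE)_DBG_IMAGE_PACKAGES)

# The config-engine (bullseye) image is listed as a docker to load for this
# image (presumably its base layer; the consumer is outside this file).
$(DOCKER_MACSEC)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BULLSEYE)

# Python wheels and Debian packages installed into the image.
$(DOCKER_MACSEC)_INSTALL_PYTHON_WHEELS = $(SONIC_UTILITIES_PY3)
$(DOCKER_MACSEC)_INSTALL_DEBS = $(PYTHON3_SWSSCOMMON) $(LIBYANG_PY3)

# Register both image variants with the global image lists.
SONIC_DOCKER_IMAGES += $(DOCKER_MACSEC)
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_MACSEC_DBG)

# With Kubernetes support included, the feature's default owner is kube.
ifeq ($(INCLUDE_KUBERNETES),y)
$(DOCKER_MACSEC)_DEFAULT_FEATURE_OWNER = kube
endif

# The macsec feature is enabled by default.
$(DOCKER_MACSEC)_DEFAULT_FEATURE_STATE_ENABLED = y


# Add the image to the local package list only when INCLUDE_MACSEC is y;
# INSTALL_DEBUG_TOOLS selects the debug variant instead of the regular one.
ifeq ($(INCLUDE_MACSEC),y)
ifeq ($(INSTALL_DEBUG_TOOLS),y)
SONIC_PACKAGES_LOCAL += $(DOCKER_MACSEC_DBG)
else
SONIC_PACKAGES_LOCAL += $(DOCKER_MACSEC)
endif
endif

# Container identity and runtime security settings.
$(DOCKER_MACSEC)_CONTAINER_NAME = macsec
$(DOCKER_MACSEC)_VERSION = 1.0.0
$(DOCKER_MACSEC)_PACKAGE_NAME = macsec
# Least privilege: the container is declared non-privileged. This file grants
# no extra capabilities or devices either.
# NOTE(review): confirm the agent has the access it needs without privileged
# mode rather than switching this to true.
$(DOCKER_MACSEC)_CONTAINER_PRIVILEGED = false
# Host paths bound into the container. /etc/sonic and /etc/timezone are
# read-only (`:ro`). /host/warmboot carries no mode suffix, so Docker mounts
# it read-write; keep it as the only writable host path declared here.
# NOTE(review): declaring these values does not prove that a running
# container picked them up. After deployment, check "Privileged" and "Binds"
# in `docker inspect macsec`.
$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /etc/sonic:/etc/sonic:ro
$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /etc/timezone:/etc/timezone:ro
$(DOCKER_MACSEC)_CONTAINER_VOLUMES += /host/warmboot:/var/warmboot

# Service ordering: requires updategraph, ordered after swss and syncd.
$(DOCKER_MACSEC)_SERVICE_REQUIRES = updategraph
$(DOCKER_MACSEC)_SERVICE_AFTER = swss syncd

# CLI plugin scripts for the config, show and clear commands
# (presumably paths inside the image; the consumer is outside this file).
$(DOCKER_MACSEC)_CLI_CONFIG_PLUGIN = /cli/config/plugins/macsec.py
$(DOCKER_MACSEC)_CLI_SHOW_PLUGIN = /cli/show/plugins/show_macsec.py
$(DOCKER_MACSEC)_CLI_CLEAR_PLUGIN = /cli/clear/plugins/clear_macsec_counter.py

# Additional file shipped with the image: the supervisor process-exit
# listener script.
$(DOCKER_MACSEC)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)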