Scripts which perform an installable binary image build for SONiC
Go to file
DavidZagury 4fd2a6297f
[Secure Boot] Add Secure Boot Support (#12692) (#14963)
- Why I did it
Add Secure Boot support to SONiC OS.
Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process before the operating system has been loaded.

- How I did it
Added a signing process to sign the following components:
shim, grub, Linux kernel, and kernel modules when doing the build, and when feature is enabled in build time according to the HLD explanations (the feature is disabled by default).

- How to verify it
There are self-verifications of each boot component when building the image, in addition, there is an existing end-to-end test in sonic-mgmt repo that checks that the boot succeeds when loading a secure system (details below).

How to build a sonic image with secure boot feature: (more description in HLD)

Required to use the following build flags from rules/config:
SECURE_UPGRADE_MODE="dev"
SECURE_UPGRADE_DEV_SIGNING_KEY="/path/to/private/key.pem"
SECURE_UPGRADE_DEV_SIGNING_CERT="/path/to/cert/key.pem"
After setting those flags should build the sonic-buildimage.
Before installing the image, should prepared the setup (switch device) with the follow:
check that the device support UEFI
stored pub keys in UEFI DB

enabled Secure Boot flag in UEFI
How to run a test that verify the Secure Boot flow:
The existing test "test_upgrade_path" under "sonic-mgmt/tests/upgrade_path/test_upgrade_path", is enough to validate proper boot
You need to specify the following arguments:
Base_image_list your_secure_image
Taget_image_list your_second_secure_image
Upgrade_type cold
And run the test, basically the test will install the base image given in the parameter and then upgrade to target image by doing cold reboot and validates all the services are up and working correctly

Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
2023-05-15 10:13:26 +08:00
.azure-pipelines [Ci] Fix the wrong SONIC_BUILD_JOBS build variable used issue in Azp (#14071) 2023-04-21 04:32:47 +08:00
.github [action] Keep 'request for xxx branch' label when finished auto-cherry-pick. (#13107) 2023-01-09 00:40:12 +08:00
device [celestica]: Fix Belgite platform issues (#14036) 2023-03-27 10:16:16 -07:00
dockers [sflow] Exception handling for if_nametoindex (#11437) (#14457) 2023-05-05 16:11:12 -07:00
files [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
installer [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
platform [202211][Arista] Update platform library submodules (#14828) 2023-05-08 14:09:37 +08:00
rules [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
scripts [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
sonic-slave-bullseye [Mellanox] [202211] Replace iproute2 supplied by SDK to iproute2 downloaded from Debian repository (#14726) (#14724) 2023-05-02 10:29:02 +03:00
sonic-slave-buster Update golang version for telemetry build in sonic-slave-buster to fix CVE-2021-33195 (#14637) (#14777) 2023-04-21 04:34:59 +08:00
sonic-slave-jessie Update golang version for telemetry build in sonic-slave-buster to fix (#14636) (#14776) 2023-04-21 04:35:49 +08:00
sonic-slave-stretch Pin mmh3 package version in sonic-slave-stretch docker (#14463) (#14475) 2023-03-31 15:51:18 +08:00
src SONiC Yang model support for IPv6 link local (#15021) 2023-05-12 13:54:19 +08:00
.artifactignore [ci] Archive compiled Debian packages and Python wheels (#6650) 2021-02-02 23:42:03 -08:00
.gitignore [Build] Support j2 template for debian sources (#12557) 2022-11-09 08:09:53 +08:00
.gitmodules [Mellanox] update sdk/fw build procedure (#14025) (#14059) 2023-03-03 02:43:19 +08:00
azure-pipelines.yml fix merge conflict 2022-12-10 10:33:21 +08:00
build_debian.sh [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
build_debug_docker_j2.sh [sonic-buildimage] Fix build issue for docker-dhcp-relay-dbg.gz. Issue (#4136) 2020-02-10 17:16:42 -08:00
build_docker.sh Split script: push_docker.sh (#89) 2016-12-01 02:18:59 -08:00
build_image.sh Loc moved to prev consolidation change (#12427) 2022-10-26 17:03:29 +08:00
check_install.py Fix vs check install login timeout issue (#11727) 2022-08-30 09:19:58 +08:00
functions.sh [build] When generating image version, handle case where current commit has no reachable tags (#2506) 2019-01-31 14:48:48 -08:00
get_docker-base.sh Add mkdir if the target dir does not exist (#130) 2016-12-16 02:19:15 +00:00
install_sonic.py [build] Increase timeout value when installing SONiC image on kvm (#11191) 2022-07-20 08:13:28 +08:00
LICENSE updating readme, formatting in license 2016-03-09 17:39:34 +00:00
MAINTAINERS Adding license and maintainers 2016-03-08 19:10:18 -08:00
Makefile [build]: Disable stretch slave container (#12868) 2023-05-05 14:33:45 +08:00
Makefile.cache [Build] Update SLAVE_BASE_TAG and DPKG cache if Debian mirrors were changed (#12702) 2022-11-15 13:02:34 +08:00
Makefile.work [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
onie-image-arm64.conf [build]: increase raw image disk size to 4GB (#12958) 2023-02-04 09:54:08 +08:00
onie-image-armhf.conf [build]: increase raw image disk size to 4GB (#12958) 2023-02-04 09:54:08 +08:00
onie-image.conf [build]: increase raw image disk size to 4GB (#12958) 2023-02-04 09:54:08 +08:00
onie-mk-demo.sh [arm] Refactor installer and build to allow arm builds targeted at grub platforms (#11341) 2022-07-12 15:00:57 -07:00
push_docker.sh [ci] Support multi tags when pushing docker image (#10771) 2022-05-09 16:43:21 +08:00
README.buildsystem.md [docs] Correct clone instructions & typos (#12733) 2022-11-18 15:00:16 +08:00
README.md [docs] Correct clone instructions & typos (#12733) 2022-11-18 15:00:16 +08:00
slave.mk [Secure Boot] Add Secure Boot Support (#12692) (#14963) 2023-05-15 10:13:26 +08:00
ThirdPartyLicenses.txt [TACACS+] Add Bash TACACS+ plugin for per-command authorization. (#8715) 2021-11-13 09:57:30 +08:00
update_screen.sh [build]: Added support for cache status on the build output (#5564) 2020-10-09 02:49:20 -07:00

static analysis:

Total alerts Language grade: Python

master builds:

Barefoot Broadcom Centec Centec(arm64) Innovium Mellanox Marvell(armhf) Nephos VS

202205 builds:

Barefoot Broadcom Centec Centec(arm64) Innovium Mellanox Marvell(armhf) Nephos VS

202111 builds

Barefoot Broadcom Centec Centec(arm64) Innovium Mellanox Marvell(armhf) Nephos VS

202012 builds:

Barefoot Broadcom Centec Centec(arm64) Innovium Marvell(armhf) Mellanox Nephos VS

201911 builds:

Barefoot Broadcom Innovium Mellanox Nephos VS

201811 builds:

Broadcom Mellanox Innovium Nephos VS

sonic-buildimage

Build SONiC Switch Images

Description

Following are the instructions on how to build an (ONIE) compatible network operating system (NOS) installer image for network switches, and also how to build docker images running inside the NOS. Note that SONiC images are build per ASIC platform. Switches using the same ASIC platform share a common image. For a list of supported switches and ASIC, please refer to this list

Hardware

Any server can be a build image server as long as it has:

  • Multiple cores to increase build speed
  • Plenty of RAM (less than 8 GiB is likely to cause issues)
  • 300G of free disk space
  • KVM Virtualization Support.

Note: If you are in a VM, make sure you have support for nested virtualization.

A good choice of OS for building SONiC is currently Ubuntu 20.04.

Prerequisites

  • Install pip and jinja in host build machine, execute below commands if j2/j2cli is not available:
sudo apt install -y python3-pip
sudo pip3 install j2cli
  • Install Docker and configure your system to allow running the 'docker' command without 'sudo':
    • Add current user to the docker group: sudo gpasswd -a ${USER} docker
    • Log out and log back in so that your group membership is re-evaluated

Clone the repository with all the git submodules

To clone the code repository recursively:

git clone --recurse-submodules https://github.com/sonic-net/sonic-buildimage.git

Usage

To build SONiC installer image and docker images, run the following commands:

# Ensure the 'overlay' module is loaded on your development system
sudo modprobe overlay

# Enter the source directory
cd sonic-buildimage

# (Optional) Checkout a specific branch. By default, it uses master branch. For example, to checkout the branch 201911, use "git checkout 201911"
git checkout [branch_name]

# Execute make init once after cloning the repo, or after fetching remote repo with submodule updates
make init

# Execute make configure once to configure ASIC
make configure PLATFORM=[ASIC_VENDOR]

# Build SONiC image with 4 jobs in parallel.
# Note: You can set this higher, but 4 is a good number for most cases
# and is well-tested.
make SONIC_BUILD_JOBS=4 all

The supported ASIC vendors are:

  • PLATFORM=barefoot
  • PLATFORM=broadcom
  • PLATFORM=marvell
  • PLATFORM=mellanox
  • PLATFORM=cavium
  • PLATFORM=centec
  • PLATFORM=nephos
  • PLATFORM=innovium
  • PLATFORM=vs

Usage for ARM Architecture

ARM build has dependency in docker version 18. If docker version is 19, downgrade to 18 with:

sudo apt-get install --allow-downgrades -y docker-ce=5:18.09.0~3-0~ubuntu-xenial
sudo apt-get install --allow-downgrades -y docker-ce-cli=5:18.09.0~3-0~ubuntu-xenial

To build Arm32 bit for (ARMHF) platform

# Execute make configure once to configure ASIC and ARCH

make configure PLATFORM=[ASIC_VENDOR] PLATFORM_ARCH=armhf

make target/sonic-[ASIC_VENDER]-armhf.bin

# example:

make configure PLATFORM=marvell-armhf PLATFORM_ARCH=armhf

make target/sonic-marvell-armhf.bin

To build Arm32 bit for (ARMHF) Marvell platform on amd64 host for debian buster using cross-compilation, run the following commands:

# Execute make configure once to configure ASIC and ARCH for cross-compilation build

NOJESSIE=1 NOSTRETCH=1 BLDENV=buster CROSS_BLDENV=1 make configure PLATFORM=marvell-armhf PLATFORM_ARCH=armhf

# Execute Arm32 build using cross-compilation environment

NOJESSIE=1 NOSTRETCH=1 BLDENV=buster CROSS_BLDENV=1 make target/sonic-marvell-armhf.bin

Running the above Arm32 build using cross-compilation instead of qemu emulator drastically reduces the build time.

To build Arm64 bit for platform

# Execute make configure once to configure ASIC and ARCH

make configure PLATFORM=[ASIC_VENDOR] PLATFORM_ARCH=arm64

# example:

make configure PLATFORM=marvell-arm64 PLATFORM_ARCH=arm64

NOTE:

  • Recommend reserving at least 100G free space to build one platform with a single job. The build process will use more disk if you are setting SONIC_BUILD_JOBS to more than 1.

  • If Docker's workspace folder, /var/lib/docker, resides on a partition without sufficient free space, you may encounter an error like the following during a Docker container build job:

    /usr/bin/tar: /path/to/sonic-buildimage/<some_file>: Cannot write: No space left on device

    The solution is to move the directory to a partition with more free space.

  • Use http_proxy=[your_proxy] https_proxy=[your_proxy] no_proxy=[your_no_proxy] make to enable http(s) proxy in the build process.

  • Add your user account to docker group and use your user account to make. root or sudo are not supported.

The SONiC installer contains all docker images needed. SONiC uses one image for all devices of a same ASIC vendor.

For Broadcom ASIC, we build ONIE and EOS image. EOS image is used for Arista devices, ONIE image is used for all other Broadcom ASIC based devices.

make configure PLATFORM=broadcom
# build debian stretch required targets
BLDENV=stretch make stretch
# build ONIE image
make target/sonic-broadcom.bin
# build EOS image
make target/sonic-aboot-broadcom.swi

You may find the rules/config file useful. It contains configuration options for the build process, like adding more verbosity or showing dependencies, username and password for base image etc.

Every docker image is built and saved to target/ directory. So, for instance, to build only docker-database, execute:

make target/docker-database.gz

Same goes for debian packages, which are under target/debs/:

make target/debs/swss_1.0.0_amd64.deb

Every target has a clean target, so in order to clean swss, execute:

make target/debs/swss_1.0.0_amd64.deb-clean

It is recommended to use clean targets to clean all packages that are built together, like dev packages for instance. In order to be more familiar with build process and make some changes to it, it is recommended to read this short Documentation.

Build debug dockers and debug SONiC installer image:

SONiC build system supports building dockers and ONIE-image with debug tools and debug symbols, to help with live & core debugging. For details refer to SONiC Buildimage Guide.

SAI Version

Please refer to SONiC roadmap on the SAI version for each SONiC release.

Notes:

  • If you are running make for the first time, a sonic-slave-${USER} docker image will be built automatically. This may take a while, but it is a one-time action, so please be patient.

  • The root user account is disabled. However, the created user can sudo.

  • The target directory is ./target, containing the NOS installer image and docker images.

    • sonic-generic.bin: SONiC switch installer image (ONIE compatible)
    • sonic-aboot.bin: SONiC switch installer image (Aboot compatible)
    • docker-base.gz: base docker image where other docker images are built from, only used in build process (gzip tar archive)
    • docker-database.gz: docker image for in-memory key-value store, used as inter-process communication (gzip tar archive)
    • docker-fpm.gz: docker image for quagga with fpm module enabled (gzip tar archive)
    • docker-orchagent.gz: docker image for SWitch State Service (SWSS) (gzip tar archive)
    • docker-syncd-brcm.gz: docker image for the daemon to sync database and Broadcom switch ASIC (gzip tar archive)
    • docker-syncd-cavm.gz: docker image for the daemon to sync database and Cavium switch ASIC (gzip tar archive)
    • docker-syncd-mlnx.gz: docker image for the daemon to sync database and Mellanox switch ASIC (gzip tar archive)
    • docker-syncd-nephos.gz: docker image for the daemon to sync database and Nephos switch ASIC (gzip tar archive)
    • docker-syncd-invm.gz: docker image for the daemon to sync database and Innovium switch ASIC (gzip tar archive)
    • docker-sonic-p4.gz: docker image for all-in-one for p4 software switch (gzip tar archive)
    • docker-sonic-vs.gz: docker image for all-in-one for software virtual switch (gzip tar archive)
    • docker-sonic-mgmt.gz: docker image for managing, configuring and monitoring SONiC (gzip tar archive)

Contribution Guide

All contributors must sign a contribution license agreement before contributions can be accepted. Visit EasyCLA - Linux Foundation.

GitHub Workflow

We're following basic GitHub Flow. If you have no idea what we're talking about, check out GitHub's official guide. Note that merge is only performed by the repository maintainer.

Guide for performing commits:

  • Isolate each commit to one component/bugfix/issue/feature
  • Use a standard commit message format:
[component/folder touched]: Description intent of your changes

[List of changes]

Signed-off-by: Your Name your@email.com

For example:

swss-common: Stabilize the ConsumerTable

* Fixing autoreconf
* Fixing unit-tests by adding checkers and initialize the DB before start
* Adding the ability to select from multiple channels
* Health-Monitor - The idea of the patch is that if something went wrong with the notification channel,
  we will have the option to know about it (Query the LLEN table length).

  Signed-off-by: user@dev.null
  • Each developer should fork this repository and add the team as a Contributor
  • Push your changes to your private fork and do "pull-request" to this repository
  • Use a pull request to do code review
  • Use issues to keep track of what is going on

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.