8383b1f256
* [TACACS+]: Add support for TACACS+ Authentication * pam_tacplus - A TACACS+ protocol client library and PAM module to supports core TACACS+ functions for AAA. * nss_tacplus - A NSS plugin for TACACS+ to extend function getpwnam, make the TACACS+ authenticated user which is not found in local could login successfully. * Add make rules for pam_tacplus and install script * Add a patch for pam_tacplus to disable pam-auth-update pam-tacplus by default * Add a patch for pam_tacplus to inlucde and build nss_tacplus Signed-off-by: chenchen.qcc@alibaba-inc.com * [TACACS+]: Add nss-tacplus as a separate src repo * Separate nss-tacplus from pam-tacplus, modify tacacs.mk and makefile, add a patch to adapt to the new user map profile. * Use the lastest stable version for pam-tacplus, add a dependent package in sonic-salve, add two patches to fix build error. * Add scripts to disable tacplus by default. * Remove hostcfgd service file Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com> * [TACACS+]: Fix nss-tacplus filter some valid TACACS+ username * The NAME_REGEX for username check in plugin nss-tacplus is the ANSI version "^[0-9a-zA-Z_-\ ]*$", but the regular expression in /etc/adduser.conf is not defined as ANSI version. To avoid nss-tacplus filter some valid TACACS+ username, remove username check. Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
251 lines
10 KiB
Django/Jinja
251 lines
10 KiB
Django/Jinja
#!/bin/bash
|
|
## This script is to automate loading of vendor specific docker images
|
|
## and instalation of configuration files and vendor specific packages
|
|
## to debian file system.
|
|
##
|
|
## USAGE:
|
|
## ./sonic_debian_extension.sh FILESYSTEM_ROOT PLATFORM_DIR
|
|
## PARAMETERS:
|
|
## FILESYSTEM_ROOT
|
|
## Path to debian file system root directory
|
|
|
|
FILESYSTEM_ROOT=$1
|
|
[ -n "$FILESYSTEM_ROOT" ] || {
|
|
echo "Error: no or empty FILESYSTEM_ROOT argument"
|
|
exit 1
|
|
}
|
|
|
|
PLATFORM_DIR=$2
|
|
[ -n "$PLATFORM_DIR" ] || {
|
|
echo "Error: no or empty PLATFORM_DIR argument"
|
|
exit 1
|
|
}
|
|
|
|
## Enable debug output for script
|
|
set -x -e
|
|
|
|
. functions.sh
|
|
BUILD_TEMPLATES=files/build_templates
|
|
IMAGE_CONFIGS=files/image_config
|
|
|
|
clean_sys() {
|
|
sudo umount $FILESYSTEM_ROOT/sys/fs/cgroup/* \
|
|
$FILESYSTEM_ROOT/sys/fs/cgroup \
|
|
$FILESYSTEM_ROOT/sys || true
|
|
}
|
|
trap_push clean_sys
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT mount sysfs /sys -t sysfs
|
|
|
|
sudo chroot $FILESYSTEM_ROOT service docker start
|
|
|
|
# Apply apt configuration files
|
|
sudo cp $IMAGE_CONFIGS/apt/sources.list $FILESYSTEM_ROOT/etc/apt/
|
|
sudo cp -R $IMAGE_CONFIGS/apt/sources.list.d/ $FILESYSTEM_ROOT/etc/apt/
|
|
cat $IMAGE_CONFIGS/apt/sonic-dev.gpg.key | sudo LANG=C chroot $FILESYSTEM_ROOT apt-key add -
|
|
|
|
# Update apt's snapshot of its repos
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get update
|
|
|
|
# Apply environtment configuration files
|
|
sudo cp $IMAGE_CONFIGS/environment/environment $FILESYSTEM_ROOT/etc/
|
|
sudo cp $IMAGE_CONFIGS/environment/motd $FILESYSTEM_ROOT/etc/
|
|
|
|
# Create all needed directories
|
|
sudo mkdir -p $FILESYSTEM_ROOT/etc/sonic/
|
|
sudo mkdir -p $FILESYSTEM_ROOT/usr/share/sonic/templates/
|
|
|
|
# Install dependencies for SONiC config engine
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
|
|
python-dev \
|
|
python-lxml \
|
|
python-yaml \
|
|
python-bitarray
|
|
|
|
# Install SONiC config engine Python package
|
|
CONFIG_ENGINE_WHEEL_NAME=$(basename {{config_engine_wheel_path}})
|
|
sudo cp {{config_engine_wheel_path}} $FILESYSTEM_ROOT/$CONFIG_ENGINE_WHEEL_NAME
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT pip install $CONFIG_ENGINE_WHEEL_NAME
|
|
sudo rm -rf $FILESYSTEM_ROOT/$CONFIG_ENGINE_WHEEL_NAME
|
|
|
|
# Install Python client for Redis
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT pip install redis
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT pip install redis-dump-load
|
|
|
|
# Install SwSS SDK Python 2 package
|
|
SWSSSDK_PY2_WHEEL_NAME=$(basename {{swsssdk_py2_wheel_path}})
|
|
sudo cp {{swsssdk_py2_wheel_path}} $FILESYSTEM_ROOT/$SWSSSDK_PY2_WHEEL_NAME
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT pip install $SWSSSDK_PY2_WHEEL_NAME
|
|
sudo rm -rf $FILESYSTEM_ROOT/$SWSSSDK_PY2_WHEEL_NAME
|
|
|
|
# Install SONiC Utilities (and its dependencies via 'apt-get -y install -f')
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/python-sonic-utilities_*.deb || \
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
|
|
|
# SONiC utilities installs bash-completion as a dependency. However, it is disabled by default
|
|
# in bash.bashrc, so we copy a version of the file with it enabled here.
|
|
sudo cp -f $IMAGE_CONFIGS/bash/bash.bashrc $FILESYSTEM_ROOT/etc/
|
|
|
|
# Install SONiC Device Data (and its dependencies via 'apt-get -y install -f')
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/sonic-device-data_*.deb || \
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
|
|
|
# Install pam-tacplus and nss-tacplus
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libtac2_*.deb
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libpam-tacplus_*.deb
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i target/debs/libnss-tacplus_*.deb
|
|
# Disable tacplus by default
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
|
|
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
|
|
|
|
# Copy crontabs
|
|
sudo cp -f $IMAGE_CONFIGS/cron.d/* $FILESYSTEM_ROOT/etc/cron.d/
|
|
|
|
# Copy NTP configuration files and templates
|
|
sudo cp $IMAGE_CONFIGS/ntp/ntp-config.service $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable ntp-config.service
|
|
sudo cp $IMAGE_CONFIGS/ntp/ntp-config.sh $FILESYSTEM_ROOT/usr/bin/
|
|
sudo cp $IMAGE_CONFIGS/ntp/ntp.conf.j2 $FILESYSTEM_ROOT/usr/share/sonic/templates/
|
|
|
|
# Copy rsyslog configuration files and templates
|
|
sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog-config.service $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable rsyslog-config.service
|
|
sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog-config.sh $FILESYSTEM_ROOT/usr/bin/
|
|
sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog.conf.j2 $FILESYSTEM_ROOT/usr/share/sonic/templates/
|
|
sudo cp $IMAGE_CONFIGS/rsyslog/rsyslog.d/* $FILESYSTEM_ROOT/etc/rsyslog.d/
|
|
|
|
# Copy logrotate.d configuration files
|
|
sudo cp -f $IMAGE_CONFIGS/logrotate/logrotate.d/* $FILESYSTEM_ROOT/etc/logrotate.d/
|
|
|
|
# Copy systemd-journald configuration files
|
|
sudo cp -f $IMAGE_CONFIGS/systemd/journald.conf $FILESYSTEM_ROOT/etc/systemd/
|
|
|
|
# Copy interfaces configuration files and templates
|
|
sudo cp $IMAGE_CONFIGS/interfaces/interfaces-config.service $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable interfaces-config.service
|
|
sudo cp $IMAGE_CONFIGS/interfaces/interfaces-config.sh $FILESYSTEM_ROOT/usr/bin/
|
|
sudo cp $IMAGE_CONFIGS/interfaces/*.j2 $FILESYSTEM_ROOT/usr/share/sonic/templates/
|
|
|
|
# Copy initial interfaces configuration file, will be overwritten on first boot
|
|
sudo cp $IMAGE_CONFIGS/interfaces/init_interfaces $FILESYSTEM_ROOT/etc/network
|
|
|
|
# Copy hostname configuration scripts
|
|
sudo cp $IMAGE_CONFIGS/hostname/hostname-config.service $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable hostname-config.service
|
|
sudo cp $IMAGE_CONFIGS/hostname/hostname-config.sh $FILESYSTEM_ROOT/usr/bin/
|
|
|
|
# Copy updategraph script and service file
|
|
sudo cp $IMAGE_CONFIGS/updategraph/updategraph.service $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable updategraph.service
|
|
sudo cp $IMAGE_CONFIGS/updategraph/updategraph $FILESYSTEM_ROOT/usr/bin/
|
|
{% if enable_dhcp_graph_service == "y" %}
|
|
sudo bash -c "echo enabled=true > $FILESYSTEM_ROOT/etc/sonic/updategraph.conf"
|
|
sudo bash -c "echo src=dhcp >> $FILESYSTEM_ROOT/etc/sonic/updategraph.conf"
|
|
sudo bash -c "echo dhcp_as_static=true >> $FILESYSTEM_ROOT/etc/sonic/updategraph.conf"
|
|
{% else %}
|
|
sudo bash -c "echo enabled=false > $FILESYSTEM_ROOT/etc/sonic/updategraph.conf"
|
|
{% endif %}
|
|
{% if shutdown_bgp_on_start == "y" %}
|
|
sudo bash -c "echo '{ \"DEVICE_METADATA\": { \"localhost\": { \"default_bgp_status\": \"down\" } } }' >> $FILESYSTEM_ROOT/etc/sonic/init_cfg.json"
|
|
{% endif %}
|
|
# Copy SNMP configuration files
|
|
sudo cp $IMAGE_CONFIGS/snmp/snmp.yml $FILESYSTEM_ROOT/etc/sonic/
|
|
|
|
# Copy ASN configuration files
|
|
sudo cp $IMAGE_CONFIGS/asn/deployment_id_asn_map.yml $FILESYSTEM_ROOT/etc/sonic/
|
|
|
|
# Copy sudoers configuration file
|
|
sudo cp $IMAGE_CONFIGS/sudoers/sudoers $FILESYSTEM_ROOT/etc/
|
|
|
|
## Install package without starting service
|
|
## ref: https://wiki.debian.org/chroot
|
|
sudo tee -a $FILESYSTEM_ROOT/usr/sbin/policy-rc.d > /dev/null <<EOF
|
|
#!/bin/sh
|
|
exit 101
|
|
EOF
|
|
sudo chmod a+x $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
|
|
|
|
{% if installer_debs.strip() -%}
|
|
{% for deb in installer_debs.strip().split(' ') -%}
|
|
{% if sonic_asic_platform == "mellanox" %}
|
|
sudo dpkg --extract {{deb}} $FILESYSTEM_ROOT
|
|
{% else %}
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
## Run depmod command for target kernel modules
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT depmod -a {{kversion}}
|
|
|
|
## download all dependency packages for platform debian packages
|
|
{% if lazy_installer_debs.strip() -%}
|
|
{% for file in lazy_installer_debs.strip().split(' ') -%}
|
|
|
|
{% set dev = file.split('@')[0] -%}
|
|
{% set deb = file.split('@')[1] -%}
|
|
{% set debfilename = deb.split('/')|last -%}
|
|
{% set debname = debfilename.split('_')|first -%}
|
|
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f --download-only
|
|
|
|
sudo mkdir -p $FILESYSTEM_ROOT/$PLATFORM_DIR/{{dev}}
|
|
sudo cp {{ deb }} $FILESYSTEM_ROOT/$PLATFORM_DIR/{{dev}}/
|
|
for f in $(find $FILESYSTEM_ROOT/var/cache/apt/archives -name "*.deb"); do
|
|
sudo mv $f $FILESYSTEM_ROOT/$PLATFORM_DIR/{{dev}}/
|
|
done
|
|
|
|
sudo dpkg --root=$FILESYSTEM_ROOT -P {{ debname }}
|
|
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
sudo rm -f $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
|
|
|
|
## Revise /etc/init.d/networking for Arista switches
|
|
if [ "$image_type" = "aboot" ]; then
|
|
sudo sed -i 's/udevadm settle/udevadm settle -E \/sys\/class\/net\/eth0/' $FILESYSTEM_ROOT/etc/init.d/networking
|
|
fi
|
|
|
|
## copy platform rc.local
|
|
sudo cp $IMAGE_CONFIGS/platform/rc.local $FILESYSTEM_ROOT/etc/
|
|
|
|
{% if installer_images.strip() -%}
|
|
{% for image in installer_images.strip().split(' ') -%}
|
|
{% set imagefilename = image.split('/')|last -%}
|
|
{% set imagename = imagefilename.split('.')|first -%}
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT docker load < {{image}}
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT docker tag {{imagename}}:latest {{imagename}}:$(sonic_get_version)
|
|
{% endfor %}
|
|
sudo chroot $FILESYSTEM_ROOT service docker stop
|
|
{% for script in installer_start_scripts.split(' ') -%}
|
|
sudo cp {{script}} $FILESYSTEM_ROOT/usr/bin/
|
|
{% endfor %}
|
|
{% for service in installer_services.split(' ') -%}
|
|
if [ -f {{service}} ]; then
|
|
sudo cp {{service}} $FILESYSTEM_ROOT/etc/systemd/system/
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable {{service}}
|
|
fi
|
|
{% endfor %}
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT fuser -km /sys || true
|
|
sudo LANG=C chroot $FILESYSTEM_ROOT umount -lf /sys
|
|
{% endif %}
|
|
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get remove -y python-dev
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get clean -y
|
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get autoremove -y
|
|
|
|
{% for file in installer_extra_files.split(' ') -%}
|
|
{% if file.strip() -%}
|
|
{% set src = file.split(':')[0] -%}
|
|
{% set dst = file.split(':')[1] -%}
|
|
sudo cp {{src}} $FILESYSTEM_ROOT/{{dst}}
|
|
{% endif -%}
|
|
{% endfor -%}
|
|
|
|
{% if sonic_asic_platform == "mellanox" %}
|
|
sudo mkdir -p $FILESYSTEM_ROOT/etc/mlnx/
|
|
sudo cp target/files/$MLNX_FW_FILE $FILESYSTEM_ROOT/etc/mlnx/fw-SPC.mfa
|
|
j2 platform/mellanox/mlnx-fw-upgrade.j2 | sudo tee $FILESYSTEM_ROOT/usr/bin/mlnx-fw-upgrade.sh
|
|
sudo chmod 755 $FILESYSTEM_ROOT/usr/bin/mlnx-fw-upgrade.sh
|
|
{% endif %}
|